Permissions Policies and Supported Actions
This chapter describes fine-grained permissions management for your APIG.
If your account does not require individual IAM users, skip this section.
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles (in JSON format) to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
An account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions. The permissions required for calling an API are determined by the actions supported by the API. Only IAM users who have been granted permissions allowing those actions can call the API successfully. For example, if an IAM user wants to create APIs by calling the API-creation API, the user must have been granted permissions that allow the apig:apis:create action.
Supported Actions
Operations supported by policies are specific to APIs. The following are common concepts related to policies:
- Permission: A statement in a policy that allows or denies certain operations.
- Action: Specific operations that are allowed or denied.
- API: REST APIs that can be called by a user who has been granted specific permissions.
- Authorization scope: Type of projects in which policies can be used to grant permissions. A policy can be applied to IAM projects, enterprise projects, or both. Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management. Policies that only contain actions for IAM projects can be used and only take effect for IAM.
The following table lists the actions that APIG supports in custom policies, the API each action authorizes, and the project types (IAM project, enterprise project) in which the action takes effect. An IAM user must be granted the corresponding action before calling the API.
| Description | Action | API | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Creating a dedicated gateway | apig:instances:create | POST /v2/{project_id}/apigw/instances | √ | √ |
| Deleting a dedicated gateway | apig:instances:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id} | √ | √ |
| Updating a dedicated gateway | apig:instances:update | PUT /v2/{project_id}/apigw/instances/{instance_id} | √ | √ |
| Querying details of a dedicated gateway | apig:instances:get | GET /v2/{project_id}/apigw/instances/{instance_id} | √ | √ |
| Querying a dedicated gateway list | apig:instances:list | GET /v2/{project_id}/apigw/instances | √ | √ |
| Creating an API group | apig:groups:create | POST /v2/{project_id}/apigw/instances/{instance_id}/api-groups | √ | √ |
| Deleting an API group | apig:groups:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id} | √ | √ |
| Querying details of an API group | apig:groups:get | GET /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id} | √ | √ |
| Querying an API group list | apig:groups:list | GET /v2/{project_id}/apigw/instances/{instance_id}/api-groups | √ | √ |
| Binding a domain name to an API group | apig:domains:create | POST /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/domains | √ | √ |
| Deleting a domain name bound to an API group | apig:domains:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id} | √ | √ |
| Adding a certificate to a domain name | apig:domains:bindCertificate | POST /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id}/certificate | √ | √ |
| Deleting a certificate bound to a domain name | apig:domains:unbindCertificate | DELETE /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id}/certificate/{certificate_id} | √ | √ |
| Querying details of a certificate bound to a domain name | apig:domains:getCertificate | GET /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id}/certificate/{certificate_id} | √ | √ |
| Creating an environment variable | apig:variables:create | POST /v2/{project_id}/apigw/instances/{instance_id}/env-variables | √ | √ |
| Deleting an environment variable | apig:variables:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/env-variables/{env_variable_id} | √ | √ |
| Querying details of an environment variable | apig:variables:get | GET /v2/{project_id}/apigw/instances/{instance_id}/env-variables/{env_variable_id} | √ | √ |
| Querying an environment variable list | apig:variables:list | GET /v2/{project_id}/apigw/instances/{instance_id}/env-variables | √ | √ |
| Creating an API | apig:apis:create | POST /v2/{project_id}/apigw/instances/{instance_id}/apis | √ | √ |
| Deleting an API | apig:apis:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/apis/{api_id} | √ | √ |
| Publishing an API | apig:apis:publish | POST /v2/{project_id}/apigw/instances/{instance_id}/apis/action | √ | √ |
| Taking an API offline | apig:apis:offline | POST /v2/{project_id}/apigw/instances/{instance_id}/apis/action | √ | √ |
| Debugging an API | apig:apis:debug | POST /v2/{project_id}/apigw/instances/{instance_id}/apis/debug/{api_id} | √ | √ |
| Importing an API | apig:apis:import | POST /v2/{project_id}/apigw/instances/{instance_id}/openapi/import | √ | √ |
| Exporting an API | apig:apis:export | POST /v2/{project_id}/apigw/instances/{instance_id}/openapi/export | √ | √ |
| Authorizing an app to access an API | apig:apis:grantAppAccess | POST /v2/{project_id}/apigw/instances/{instance_id}/app-auths | √ | √ |
| Canceling the authorization of an app for accessing an API | apig:apis:relieveAppAccess | DELETE /v2/{project_id}/apigw/instances/{instance_id}/app-auths/{app_auth_id} | √ | √ |
| Binding a signature key to an API | apig:apis:bindSigns | POST /v2/{project_id}/apigw/instances/{instance_id}/sign-bindings | √ | √ |
| Unbinding a signature key from an API | apig:apis:unbindSigns | DELETE /v2/{project_id}/apigw/instances/{instance_id}/sign-bindings/{sign_bindings_id} | √ | √ |
| Binding an access control policy to an API | apig:apis:bindAcls | POST /v2/{project_id}/apigw/instances/{instance_id}/acl-bindings | √ | √ |
| Unbinding an access control policy from an API | apig:apis:unbindAcls | DELETE /v2/{project_id}/apigw/instances/{instance_id}/acl-bindings/{acl_bindings_id} | √ | √ |
| Binding a request throttling policy to an API | apig:apis:bindThrottles | POST /v2/{project_id}/apigw/instances/{instance_id}/throttle-bindings | √ | √ |
| Unbinding a request throttling policy from an API | apig:apis:unbindThrottles | DELETE /v2/{project_id}/apigw/instances/{instance_id}/throttle-bindings/{throttle_binding_id} | √ | √ |
| Querying details of an API | apig:apis:get | GET /v2/{project_id}/apigw/instances/{instance_id}/apis/{api_id} | √ | √ |
| Querying an API list | apig:apis:list | GET /v2/{project_id}/apigw/instances/{instance_id}/apis | √ | √ |
| Querying the list of apps bound to an API | apig:apis:listBindedApps | GET /v2/{project_id}/apigw/instances/{instance_id}/app-auths/binded-apps | √ | √ |
| Querying the list of signature keys bound to an API | apig:apis:listBindedSigns | GET /v2/{project_id}/apigw/instances/{instance_id}/sign-bindings/binded-signs | √ | √ |
| Querying the list of access control policies bound to an API | apig:apis:listBindedAcls | GET /v2/{project_id}/apigw/instances/{instance_id}/acl-bindings/binded-acls | √ | √ |
| Querying the list of request throttling policies bound to an API | apig:apis:listBindedTrottles | GET /v2/{project_id}/apigw/instances/{instance_id}/throttle-bindings/binded-throttles | √ | √ |
| Creating an environment | apig:envs:create | POST /v2/{project_id}/apigw/instances/{instance_id}/envs | √ | √ |
| Deleting an environment | apig:envs:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/envs/{env_id} | √ | √ |
| Querying an environment list | apig:envs:list | GET /v2/{project_id}/apigw/instances/{instance_id}/envs | √ | √ |
| Creating an app | apig:apps:create | POST /v2/{project_id}/apigw/instances/{instance_id}/apps | √ | √ |
| Deleting an app | apig:apps:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/apps/{app_id} | √ | √ |
| Querying details of an app | apig:apps:get | GET /v2/{project_id}/apigw/instances/{instance_id}/apps/{app_id} | √ | √ |
| Querying an app list | apig:apps:list | GET /v2/{project_id}/apigw/instances/{instance_id}/apps | √ | √ |
| Querying the list of APIs bound to an app | apig:apps:listBindedApis | GET /v2/{project_id}/apigw/instances/{instance_id}/app-auths/binded-apis | √ | √ |
| Querying the list of APIs not bound to an app | apig:apps:listUnbindedApis | GET /v2/{project_id}/apigw/instances/{instance_id}/app-auths/unbinded-apis | √ | √ |
| Creating a signature key | apig:signs:create | POST /v2/{project_id}/apigw/instances/{instance_id}/signs | √ | √ |
| Deleting a signature key | apig:signs:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/signs/{sign_id} | √ | √ |
| Querying a signature key list | apig:signs:list | GET /v2/{project_id}/apigw/instances/{instance_id}/signs | √ | √ |
| Querying the list of APIs bound to a signature key | apig:signs:listBindedApis | GET /v2/{project_id}/apigw/instances/{instance_id}/sign-bindings/binded-apis | √ | √ |
| Querying the list of APIs not bound to a signature key | apig:signs:listUnbindedApis | GET /v2/{project_id}/apigw/instances/{instance_id}/sign-bindings/unbinded-apis | √ | √ |
| Creating an access control policy | apig:acls:create | POST /v2/{project_id}/apigw/instances/{instance_id}/acls | √ | √ |
| Deleting an access control policy | apig:acls:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/acls/{acl_id} | √ | √ |
| Querying details of an access control policy | apig:acls:get | GET /v2/{project_id}/apigw/instances/{instance_id}/acls/{acl_id} | √ | √ |
| Querying an access control policy list | apig:acls:list | GET /v2/{project_id}/apigw/instances/{instance_id}/acls | √ | √ |
| Querying the list of APIs bound to an access control policy | apig:acls:listBindedApis | GET /v2/{project_id}/apigw/instances/{instance_id}/acl-bindings/binded-apis | √ | √ |
| Querying the list of APIs not bound to an access control policy | apig:acls:listUnbindedApis | GET /v2/{project_id}/apigw/instances/{instance_id}/acl-bindings/unbinded-apis | √ | √ |
| Creating a request throttling policy | apig:throttles:create | POST /v2/{project_id}/apigw/instances/{instance_id}/throttles | √ | √ |
| Deleting a request throttling policy | apig:throttles:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id} | √ | √ |
| Querying details of a request throttling policy | apig:throttles:get | GET /v2/{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id} | √ | √ |
| Querying a request throttling policy list | apig:throttles:list | GET /v2/{project_id}/apigw/instances/{instance_id}/throttles | √ | √ |
| Querying the list of APIs bound to a request throttling policy | apig:throttles:listBindedApis | GET /v2/{project_id}/apigw/instances/{instance_id}/throttle-bindings/binded-apis | √ | √ |
| Querying the list of APIs not bound to a request throttling policy | apig:throttles:listUnbindedApis | GET /v2/{project_id}/apigw/instances/{instance_id}/throttle-bindings/unbinded-apis | √ | √ |
| Creating an excluded request throttling configuration | apig:specialThrottles:create | POST /v2/{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id}/throttle-specials | √ | √ |
| Deleting an excluded request throttling configuration | apig:specialThrottles:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id}/throttle-specials/{strategy_id} | √ | √ |
| Querying excluded request throttling configurations | apig:specialThrottles:get | GET /v2/{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id}/throttle-specials | √ | √ |
| Creating a VPC channel | apig:vpcChannels:create | POST /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels | √ | √ |
| Deleting a VPC channel | apig:vpcChannels:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id} | √ | √ |
| Updating a VPC channel | apig:vpcChannels:update | PUT /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id} | √ | √ |
| Creating a backend instance | apig:vpcChannels:addInstance | POST /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id}/members | √ | √ |
| Deleting a backend instance | apig:vpcChannels:deleteInstance | DELETE /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id}/members/{member_id} | √ | √ |
| Querying details of a VPC channel | apig:vpcs:get | GET /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id} | √ | √ |
| Querying a VPC channel list | apig:vpcs:list | GET /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels | √ | √ |
| Creating a custom authorizer | apig:authorizers:create | POST /v2/{project_id}/apigw/instances/{instance_id}/authorizers | √ | √ |
| Deleting a custom authorizer | apig:authorizers:delete | DELETE /v2/{project_id}/apigw/instances/{instance_id}/authorizers/{authorizer_id} | √ | √ |
| Querying details of a custom authorizer | apig:authorizers:get | GET /v2/{project_id}/apigw/instances/{instance_id}/authorizers/{authorizer_id} | √ | √ |
| Querying a custom authorizer list | apig:authorizers:list | GET /v2/{project_id}/apigw/instances/{instance_id}/authorizers | √ | √ |
| Querying a tag list | apig:tags:list | GET /v2/{project_id}/apigw/instances/{instance_id}/tags | √ | √ |
| Querying an instance feature list | apig:features:list | GET /v2/{project_id}/apigw/instances/{instance_id}/features | √ | √ |
| Creating an instance feature | apig:features:create | POST /v2/{project_id}/apigw/instances/{instance_id}/features | √ | √ |
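The paragraphs above explain that each APIG REST API maps to one action and that an IAM user needs a policy allowing that action. The following Python script is an added example, not code from the page or from the APIG product: it takes a small constructed subset of the action table, maps a request (method and path) to the action it requires, and evaluates a constructed custom policy against it. The policy document structure (`Version`, `Statement`, `Effect`, `Action`) and the evaluation rule used here (an explicit Deny overrides any Allow, and an action no statement mentions is denied) are assumptions for illustration, not a description of the cloud provider's actual policy engine. It is useful when reviewing a least-privilege policy before attaching it to a group.

```python
"""Map APIG REST calls to required actions and check them against a custom policy.

Added example; the policy format and evaluation rule are simplified assumptions.
"""
import json
import re
from fnmatch import fnmatchcase

# Constructed subset of the action table on this page: (method, path template) -> action.
# {placeholders} in a template stand for exactly one path segment.
ACTION_TABLE = {
    ("POST",   "/v2/{project_id}/apigw/instances/{instance_id}/apis"):          "apig:apis:create",
    ("DELETE", "/v2/{project_id}/apigw/instances/{instance_id}/apis/{api_id}"): "apig:apis:delete",
    ("GET",    "/v2/{project_id}/apigw/instances/{instance_id}/apis/{api_id}"): "apig:apis:get",
    ("GET",    "/v2/{project_id}/apigw/instances/{instance_id}/apis"):          "apig:apis:list",
    ("DELETE", "/v2/{project_id}/apigw/instances/{instance_id}"):               "apig:instances:delete",
}


def _template_to_regex(template):
    """Turn '/v2/{project_id}/apigw/instances' into an anchored regex."""
    pattern = re.sub(r"\{[^/}]+\}", r"[^/]+", template)
    return re.compile("^" + pattern + "$")


_COMPILED = [(method, _template_to_regex(tmpl), action)
             for (method, tmpl), action in ACTION_TABLE.items()]


def required_action(method, path):
    """Return the action a request needs, or None if the API is not in the table."""
    for table_method, regex, action in _COMPILED:
        if table_method == method.upper() and regex.match(path):
            return action
    return None


def policy_allows(policy, action):
    """Assumed rule: explicit Deny wins; otherwise any matching Allow grants; default deny."""
    allowed = False
    for stmt in policy.get("Statement", []):
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        # fnmatchcase lets a statement use wildcards such as "apig:apis:*".
        if any(fnmatchcase(action, pat) for pat in patterns):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def can_call(policy, method, path):
    """Return (decision, required_action); unknown APIs are denied by default."""
    action = required_action(method, path)
    if action is None:
        return False, None
    return policy_allows(policy, action), action


# Constructed policies (assumed document format). The read-only one also carries an
# explicit Deny on gateway deletion so a later, broader Allow cannot reintroduce it.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["apig:apis:get", "apig:apis:list"]},
    {"Effect": "Deny",  "Action": ["apig:instances:delete"]}
  ]
}
""")

API_ADMIN_POLICY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["apig:apis:*"]},
    {"Effect": "Deny",  "Action": ["apig:instances:delete"]}
  ]
}
""")


if __name__ == "__main__":
    # Constructed request paths; project and instance IDs are placeholders.
    for method, path in [("GET", "/v2/p1/apigw/instances/i1/apis/a1"),
                         ("POST", "/v2/p1/apigw/instances/i1/apis"),
                         ("DELETE", "/v2/p1/apigw/instances/i1")]:
        print(method, path, "read-only:", can_call(READ_ONLY_POLICY, method, path),
              "api-admin:", can_call(API_ADMIN_POLICY, method, path))
```

Two caveats the table itself raises: the publish and offline operations share the same method and path (`POST .../apis/action`) and differ only in the request body, so a mapping keyed on method and path alone cannot distinguish `apig:apis:publish` from `apig:apis:offline`; and the wildcard `apig:apis:*` in the second policy also covers binding and unbinding of signature keys, access control and throttling policies, which is why a reviewer should enumerate what a wildcard expands to before granting it.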