Diese Seite ist in Ihrer lokalen Sprache noch nicht verfügbar. Wir arbeiten daran, weitere Sprachversionen hinzuzufügen. Vielen Dank für Ihre Unterstützung.
- What's New
- Function Overview
- Product Bulletin
- Service Overview
- Getting Started
-
User Guide
- Overview
- Gateway Management
- API Group Management
- API Management
- Request Throttling
- Access Control
- Environment Management
- Signature Key Management
- VPC Channel Management
- Custom Authorizers
- Plug-ins
- Monitoring
- App Management
- Log Analysis
- SDKs
- Calling Published APIs
- Permissions Management
- Key Operations Recorded by CTS
-
Developer Guide
- Overview
- Authentication Mode Selection
- Calling APIs Through App Authentication
- Calling APIs Through IAM Authentication
- Creating a Function for Frontend Custom Authentication
- Creating a Function for Backend Custom Authentication
- Creating Signatures for Backend Requests
-
Importing and Exporting APIs
- Restrictions and Compatibility
- Extended Definition
- API Import Precautions
- Examples of Importing APIs
- API Export Precautions
-
API Reference
- Before You Start
- Calling APIs
-
Dedicated Gateway APIs (V2)
- API Group Management
- Environment Management
- Environment Variable Management
- Request Throttling Policy Management
-
API Management
- Registering an API
- Modifying an API
- Deleting an API
- Publishing an API or Taking an API Offline
- Querying API Details
- Querying APIs
- Debugging an API
- Publishing APIs or Taking APIs Offline
- Querying Historical Versions of an API
- Switching the Version of an API
- Querying the Runtime Definition of an API
- Querying API Version Details
- Taking an API Version Offline
- Signature Key Management
- Binding/Unbinding Signature Keys
- Binding/Unbinding Request Throttling Policies
- Excluded Request Throttling Configuration
- App Authorization Management
- Resource Query
- App Management
- Domain Name Management
- Access Control Policy Management
- Binding/Unbinding Access Control Policies
- Custom Authorizer Management
- API Import and Export
- VPC Channel Management
- Monitoring Information Query
- Group Response Management
- Tag Management
- Gateway Feature Management
- Configuration Management
-
Gateway Management
- Creating a Dedicated Gateway
- Querying Dedicated Gateway Details
- Updating a Dedicated Gateway
- Querying the Creation Progress of a Dedicated Gateway
- Updating or Binding an EIP to a Dedicated Gateway
- Unbinding the EIP of a Dedicated Gateway
- Enabling Public Access for a Dedicated Gateway
- Updating the Outbound Access Bandwidth of a Dedicated Gateway
- Disabling Public Access for a Dedicated Gateway
- Querying AZs
- Querying Dedicated Gateways
- Deleting a Dedicated Gateway
- Permissions Policies and Supported Actions
- Appendix
- Change History
- SDK Reference
- Best Practices
-
FAQs
- Common FAQs
-
API Creation
- Why Can't I Create APIs?
- How Do I Define Response Codes for an API?
- How Do I Specify the Host Port for a VPC Channel (or Load Balance Channel)?
- How Do I Set the Backend Address If I Will Not Use a VPC Channel (or Load Balance Channel)?
- How Can I Configure the Backend Service Address?
- Can I Specify a Private Network Load Balancer Address for the Backend Service?
- Can I Specify the Backend Address as a Subnet IP Address?
- Does APIG Support Multiple Backend Endpoints?
- What Should I Do After Applying for an Independent Domain Name?
- Can I Bind Private Domain Names for API Access?
- Why Does an API Failed to Be Called Across Domains?
-
API Calling
- What Are the Possible Causes for an API Calling Failure?
- What Should I Do If an Error Code Is Returned During API Calling?
- Why Am I Seeing the Error Message "414 Request-URI Too Large" When I Call an API?
- What Should I Do If "The API does not exist or has not been published in the environment." Is Displayed?
- Why Am I Seeing the Message "No backend available"?
- What Are the Possible Causes If the Message "Backend unavailable" or "Backend timeout" Is Displayed?
- Why Am I Seeing the Message "Backend domain name resolution failed" When a Backend Service Is Called?
- Why Doesn't Modification of the backend_timeout Parameter Take Effect?
- How Do I Switch the Environment for API Calling?
- What Is the Maximum Size of an API Request Package?
- How Do I Perform App Authentication in iOS System?
- Why Can't I Create a Header Parameter Named x-auth-token for an API Called Through IAM Authentication?
- App FAQs
- Can Mobile Apps Call APIs?
- Can Applications Deployed in a VPC Call APIs?
- How Do I Implement WebSocket Data Transmission?
- Does APIG Support Persistent Connections?
- How Will the Requests for an API with Multiple Backend Policies Be Matched and Executed?
- Is There a Limit on the Size of the Response to an API Request?
- How Can I Access Backend Services over Public Networks Through APIG?
-
API Authentication
- Does APIG Support HTTPS Two-Way Authentication?
- How Do I Call an API That Does Not Require Authentication?
- Which TLS Versions Does APIG Support?
- Does APIG Support Custom Authentication?
- Will the Request Body Be Signed for Security Authentication?
- Common Errors Related to IAM Authentication Information
- API Control Policies
- API Publishing
- API Import and Export
- API Security
-
Other FAQs
- What Are the Relationships Between an API, Environment, and App?
- How Can I Use APIG?
- What SDK Languages Does APIG Support?
- Can I Upload Files Using the POST Method?
- What Are the Error Messages Returned by APIG Like?
- How Do I Use APIG to Open Up Services Deployed on Huawei Cloud?
- Can APIG Be Deployed in a Local Data Center?
- Videos
Show all
Permissions Management
If you need to assign different permissions to employees in your enterprise to access your APIG resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.
With IAM, you can use your account to create IAM users for your employees, and assign permissions to the employees to control their access to specific resources.
If your account does not require individual IAM users for permissions management, skip this chapter.
APIG Permissions
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach policies or roles to these groups. The user then inherits permissions from the groups to which the user belongs, and can perform specified operations on cloud services based on the permissions.
APIG is a project-level service deployed and accessed in specific physical regions. To assign APIG permissions to a user group, you need to specify region-specific projects for which the permissions will take effect. If you select All projects, the permissions will be granted for both the global service project and all region-specific projects. When accessing APIG, the users need to switch to a region where they have been authorized to use this service.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other dependent roles for permissions to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets requirements for secure access control. For example, you can grant APIG users only the permissions for performing specific operations. Most policies define permissions based on APIs. For the API actions supported by APIG, see Permissions Policies and Supported Actions.
Table 1 lists all the system-defined roles and policies supported by APIG.
Role/Policy Name |
Description |
Type |
Dependency |
---|---|---|---|
APIG Administrator |
Administrator permissions for APIG. Users granted these permissions can use all functions of API gateways. |
System-defined role |
None |
APIG FullAccess |
Full permissions for APIG. Users granted these permissions can use all functions of dedicated gateways. |
System-defined policy |
None |
APIG ReadOnlyAccess |
Read-only permissions for APIG. Users granted these permissions can only view dedicated gateways. |
System-defined policy |
None |
You can view the content of the preceding roles and policies on the IAM console. For example, the content of the APIG FullAccess policy is as follows:
{ "Version": "1.1", "Statement": [ { "Action": [ "apig:*:*", "vpc:*:get*", "vpc:*:list*", "vpc:ports:create", "vpc:ports:update", "vpc:ports:delete", "vpc:publicIps:update", "FunctionGraph:function:listVersion", "FunctionGraph:function:list", "FunctionGraph:function:getConfig", "ecs:servers:list", "lts:groups:list", "lts:logs:list", "lts:topics:list" ], "Effect": "Allow" } ] }
Related Documents
- Section "Service Overview" in the Identity and Access Management User Guide
- Section "Creating a User and Granting Permissions" in the API Gateway User Guide
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.