Updated on 2024-03-05 GMT+08:00

Permissions Management

If you need to assign different permissions to personnel in your enterprise to access your APIG resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely access your Huawei Cloud resources.

With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the employees to control their access to specific resources.

If your Huawei Cloud account does not require individual IAM users for permissions management, skip this chapter.

IAM is free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.

APIG Permissions

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach policies or roles to these groups. The user then inherits permissions from the groups to which the user belongs, and can perform specified operations on cloud services based on the permissions.

APIG is a project-level service deployed and accessed in specific physical regions. To assign APIG permissions to a user group, you need to specify region-specific projects (for example, ap-southeast-1 for Hong Kong) for which the permissions will take effect. If you select All projects, the permissions will be granted for both the global service project and all region-specific projects. When accessing APIG, the users need to switch to a region where they have been authorized to use this service.

You can grant permissions by using roles and policies.
  • Roles: A coarse-grained authorization mechanism that defines permissions according to user responsibilities. It provides only a limited number of service-level roles. When using roles to grant permissions, you also need to assign the dependent roles for the permissions to take effect. Roles are therefore not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization strategy that defines the permissions required to perform operations on specific cloud resources under certain conditions. Policies allow more flexible authorization and meet requirements for secure access control. For example, you can grant APIG users only the permissions for performing specific operations. Most policies define permissions based on APIs. For the API actions supported by APIG, see Permissions Policies and Supported Actions.

Table 1 lists all the system-defined roles and policies supported by APIG.

Table 1 System-defined roles and policies supported by APIG

Role/Policy Name: APIG Administrator
Description: Administrator permissions for APIG. Users with this permission can use all functions of dedicated gateways and the shared gateway on the old console.
Type: System-defined role
Dependency: If a user needs to create, delete, or change resources of other services, the user must also be granted administrator permissions of the corresponding services in the same project.

Role/Policy Name: APIG FullAccess
Description: Full permissions for APIG. Users granted these permissions can use all functions of dedicated gateways.
Type: System-defined policy
Dependency: None

Role/Policy Name: APIG ReadOnlyAccess
Description: Read-only permissions for APIG. Users granted these permissions can only view dedicated gateways.
Type: System-defined policy
Dependency: None

You can view the content of the preceding roles and policies on the IAM console. For example, the content of the APIG FullAccess policy is as follows:

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "apig:*:*",
                "vpc:*:get*",
                "vpc:*:list*",
                "vpc:ports:create",
                "vpc:ports:update",
                "vpc:ports:delete",
                "vpc:publicIps:update",
                "FunctionGraph:function:listVersion",
                "FunctionGraph:function:list",
                "FunctionGraph:function:getConfig",
                "ecs:servers:list",
                "lts:groups:list",
                "lts:logs:list",
                "lts:topics:list"
            ],
            "Effect": "Allow"
        }
    ]
}
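The policy above grants actions by pattern: "apig:*:*" covers every APIG action, while the VPC, FunctionGraph, ECS and LTS entries are limited to specific read or port-management actions. The following Python script is an added example, not part of the original page or of Huawei Cloud's IAM implementation. It loads the APIG FullAccess policy exactly as printed above plus a constructed custom policy (labelled as such; it is not the content of APIG ReadOnlyAccess), and evaluates whether a requested action is allowed. It assumes a simplified evaluation model: action strings are matched segment by segment ("service:resource:action") with "*" as a wildcard, an explicit Deny overrides Allow, nothing matching means default deny, and Resource/Condition fields are ignored. The sample action names used for the checks (for example "apig:instances:create") are constructed illustrations, not a list of real APIG actions.

```python
"""Simplified evaluator for IAM-style policy documents (added example).

Assumptions (not taken from the page): segment-wise wildcard matching,
Deny overrides Allow, default deny, Resource/Condition ignored.
"""
from fnmatch import fnmatchcase

# The APIG FullAccess policy as shown on the page, as a Python dict.
APIG_FULL_ACCESS = {
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "apig:*:*",
                "vpc:*:get*",
                "vpc:*:list*",
                "vpc:ports:create",
                "vpc:ports:update",
                "vpc:ports:delete",
                "vpc:publicIps:update",
                "FunctionGraph:function:listVersion",
                "FunctionGraph:function:list",
                "FunctionGraph:function:getConfig",
                "ecs:servers:list",
                "lts:groups:list",
                "lts:logs:list",
                "lts:topics:list",
            ],
            "Effect": "Allow",
        }
    ],
}

# CONSTRUCTED custom policy for illustration only. It is NOT the real
# APIG ReadOnlyAccess policy; it shows how narrower action patterns and an
# explicit Deny restrict what a user can do.
CUSTOM_EXAMPLE = {
    "Version": "1.1",
    "Statement": [
        {
            "Action": ["apig:*:get*", "apig:*:list*", "apig:instances:*"],
            "Effect": "Allow",
        },
        {"Action": ["apig:instances:delete"], "Effect": "Deny"},
    ],
}


def action_matches(pattern: str, action: str) -> bool:
    """Match an action against a policy pattern segment by segment.

    '*' is a wildcard inside a segment (assumption: simplified model).
    The segment count must agree, so 'vpc:*:get*' never matches an
    action from another service or with a different shape.
    """
    p_parts = pattern.split(":")
    a_parts = action.split(":")
    if len(p_parts) != len(a_parts):
        return False
    return all(fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def evaluate(policy: dict, action: str) -> str:
    """Return 'Allow', 'Deny' or 'NoMatch' (default deny) for one action.

    Any matching Deny statement wins immediately (assumption: Deny takes
    precedence over Allow); otherwise the first matching Allow applies.
    """
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        if any(action_matches(p, action) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(policy: dict, action: str) -> bool:
    """True only when the final decision is an explicit Allow."""
    return evaluate(policy, action) == "Allow"


def allowed_actions(policy: dict, candidates: list) -> list:
    """Filter a list of candidate actions down to those the policy allows."""
    return [a for a in candidates if is_allowed(policy, a)]


if __name__ == "__main__":
    # Constructed sample actions for a quick least-privilege review.
    sample = [
        "apig:instances:create",    # allowed by apig:*:*
        "vpc:ports:delete",         # listed explicitly
        "vpc:subnets:list",         # matches vpc:*:list*
        "vpc:vpcs:create",          # not granted by FullAccess
        "ecs:servers:delete",       # not granted by FullAccess
    ]
    for policy_name, policy in (("APIG FullAccess", APIG_FULL_ACCESS),
                                ("custom example", CUSTOM_EXAMPLE)):
        print(policy_name, "->", allowed_actions(policy, sample))
```

Running the script shows that FullAccess is broad within APIG but does not extend to arbitrary VPC or ECS changes, and that in the constructed custom policy the explicit Deny on "apig:instances:delete" wins even though "apig:instances:*" would otherwise allow it. When reviewing a custom policy, comparing its decisions against the system-defined policy for the same candidate actions is a quick way to confirm that the custom policy is genuinely narrower.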