Configuring API Access Control
Access control policies are a type of security measure provided by APIG. You can use them to allow or deny API access from specific IP addresses, account names, or account IDs. For the parameters of an access control policy, see Table 1.
Access control policies take effect for an API only if they have been bound to the API.
Usage Guidelines
- In a given environment, an API can be bound to only one access control policy of each restriction type, but an access control policy can be bound to multiple APIs.
- Gateways created after December 31, 2022 support API access control by account ID. If you need to use this function on dedicated gateways created earlier, contact customer service.
- An API can be bound to only one policy of each type.
- Policies are independent of APIs. A policy takes effect for an API only after they are bound to each other. When binding a policy to an API, you must specify an environment where the API has been published. The policy takes effect for the API only in the specified environment.
- After you bind a policy to an API, unbind the policy from the API, or update the policy, you do not need to publish the API again.
- Taking an API offline does not affect the policies bound to it. The policies are still bound to the API if the API is published again.
- Policies that have been bound to APIs cannot be deleted.
Creating an Access Control Policy
- Go to the APIG console.
- Select a dedicated gateway at the top of the navigation pane.
- In the navigation pane, choose API Management > API Policies.
- On the Policies tab, click Create Policy.
- On the Select Policy Type page, select Access Control in the Traditional Policy area.
- Set the policy information.
Table 1 Parameters for configuring access control
Parameter: Name
Access control policy name.
Parameter: Type
Type of the source from which API calls are to be controlled.
- IP address: Control API access by IP address.
- Account name: Control IAM authentication–based API access by account name (not IAM user name).
Configure one or more account names separated by commas (,). Each account name is 1–64 characters, must not contain commas (,), and must not consist only of digits. The total length cannot exceed 1,024 characters.
- Account ID: Control IAM authentication–based API access by account ID (not IAM user ID).
Configure one or more account IDs separated by commas (,). Each account ID is 32 characters (letters and digits). The total length cannot exceed 1,024 characters.
NOTE:
- An API can be bound to both an account name policy and an account ID policy. If one of them is a whitelist (Allow) and the other a blacklist (Deny), API requests are verified only against the whitelist. If only blacklists or only whitelists exist, the account name and account ID verification results are combined with AND logic.
- An API can be bound to three types of access control policies: IP address, account name, and account ID. The IP address check and the account check are in an AND relationship: failure of either one results in an API access failure. The same logic applies whether the API is bound with policies for IP addresses and account names or for IP addresses and account IDs.
Parameter: Effect
Options: Allow and Deny.
Use this parameter together with Type to allow or deny access to an API from certain IP addresses, account names, or account IDs.
Parameter: IP Addresses
Required only when Type is set to IP address.
IP addresses and IP address ranges that are allowed or not allowed to access an API.
NOTE: You can set a maximum of 100 IP addresses to allow or to deny access.
Parameter: Account Names
Required only when Type is set to Account name.
Enter the account names that are allowed or forbidden to access an API. Use commas (,) to separate multiple account names.
Click the username in the upper right corner of the console and choose My Credentials to obtain the account name.
Parameter: Account ID
Required only when Type is set to Account ID.
Enter the account IDs that are allowed or forbidden to access an API. Use commas (,) to separate multiple account IDs.
Click the username in the upper right corner of the console and choose My Credentials to obtain the account ID.
- Click OK.
- To clone this policy, click Clone in the Operation column.
The name of a cloned policy cannot be the same as that of any existing policy.
- After the policy is created, perform the operations described in Binding the Policy to APIs for the policy to take effect for the API.
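The combination rules in Table 1 (a whitelist overrides a blacklist among the account-name and account-ID policies, and the IP check is ANDed with the account check) are easier to confirm against concrete requests than to read. The following Python model is an added illustration and not APIG's own code. It checks a policy against the documented limits (at most 100 IP entries, 1–64-character account names that are not all digits, 32-character account IDs, lists of at most 1,024 characters) and evaluates the documented precedence and AND rules against constructed sample requests. The Policy class, the function names, and all policy and request values are assumptions made for the example; the account IDs are placeholders, not real accounts.

```python
"""Local model of the APIG access-control rules in Table 1 (added illustration,
not APIG's own code): validates policy contents against the documented limits and
evaluates the documented combination logic against constructed sample requests."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    kind: str       # "ip", "account_name" or "account_id" (Table 1: Type)
    effect: str     # "allow" (whitelist) or "deny" (blacklist) (Table 1: Effect)
    entries: tuple  # the comma-separated list from the console, already split


def validate_policy(policy: Policy) -> list:
    """Return the limit violations for one policy (an empty list means it is valid)."""
    problems = []
    if policy.effect not in ("allow", "deny"):
        problems.append(f"effect must be allow or deny: {policy.effect!r}")
    if policy.kind == "ip":
        if len(policy.entries) > 100:
            problems.append("at most 100 IP addresses or ranges per policy")
        for e in policy.entries:
            try:
                ipaddress.ip_network(e, strict=False)
            except ValueError:
                problems.append(f"not an IP address or range: {e!r}")
    elif policy.kind in ("account_name", "account_id"):
        if len(",".join(policy.entries)) > 1024:
            problems.append("comma-separated list exceeds 1024 characters")
        for e in policy.entries:  # commas cannot occur inside an entry after splitting
            if policy.kind == "account_name":
                if not 1 <= len(e) <= 64:
                    problems.append(f"account name must be 1-64 characters: {e!r}")
                if e.isdigit():
                    problems.append(f"account name must not be all digits: {e!r}")
            elif len(e) != 32 or not e.isalnum():
                problems.append(f"account ID must be 32 letters/digits: {e!r}")
    else:
        problems.append(f"unknown policy type: {policy.kind!r}")
    return problems


def _passes(policy: Policy, request: dict) -> bool:
    """Allow passes when the request's source is listed; deny passes when it is not."""
    if policy.kind == "ip":
        addr = ipaddress.ip_address(request["ip"])
        listed = any(addr in ipaddress.ip_network(e, strict=False) for e in policy.entries)
    else:
        listed = request.get(policy.kind) in policy.entries
    return listed if policy.effect == "allow" else not listed


def evaluate(policies, request: dict) -> bool:
    """Accept or reject a request under the combination rules of Table 1:
    one policy per type; among account-name/ID policies a whitelist overrides a
    blacklist, otherwise both are ANDed; the IP check is ANDed with the account check."""
    by_kind = {}
    for p in policies:
        if p.kind in by_kind:
            raise ValueError(f"only one {p.kind} policy can be bound to an API")
        by_kind[p.kind] = p
    account = [p for k, p in by_kind.items() if k != "ip"]
    if {p.effect for p in account} == {"allow", "deny"}:
        account = [p for p in account if p.effect == "allow"]  # whitelist wins
    checks = account + ([by_kind["ip"]] if "ip" in by_kind else [])
    return all(_passes(p, request) for p in checks)


# Constructed sample: one policy of each type bound to the same API in one environment.
SAMPLE_POLICIES = (
    Policy("ip", "allow", ("203.0.113.0/24",)),
    Policy("account_name", "deny", ("contractor-a",)),
    Policy("account_id", "allow", ("0123456789abcdef0123456789abcdef",)),
)


def _req(ip, name, acct_id):
    return {"ip": ip, "account_name": name, "account_id": acct_id}


# Constructed sample requests; the account IDs are placeholders, not real accounts.
LISTED_ID = "0123456789abcdef0123456789abcdef"
SAMPLE_REQUESTS = {
    "listed id, allowed range": _req("203.0.113.7", "contractor-a", LISTED_ID),
    "listed id, other range": _req("198.51.100.9", "contractor-a", LISTED_ID),
    "unlisted id, allowed range": _req("203.0.113.7", "ops", "f" * 32),
}


def decide_samples() -> dict:
    """Map each sample request to True (accepted) or False (rejected)."""
    return {name: evaluate(SAMPLE_POLICIES, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p.kind, p.effect, validate_policy(p) or "valid")
    for name, accepted in decide_samples().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Running the file prints the validation result for each sample policy and the decision for each sample request. In the sample, the account name blacklist is ignored because an account ID whitelist is also bound, which is the documented precedence; the request from 198.51.100.9 is still rejected because the IP check is ANDed with the account check.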
Binding the Policy to APIs
- Click a policy name to go to the policy details page.
- Select an environment and click Select APIs.
- Select the API group, environment, and required APIs.
APIs can be filtered by API name or tag. The tag is defined during API creation.
- Click OK.
- If an API no longer needs this policy, click Unbind in the row that contains the API.
- If there are multiple APIs that no longer need this policy, select these APIs, and click Unbind above the API list. You can unbind a policy from a maximum of 1000 APIs at a time.