Updated on 2024-10-09 GMT+08:00

Permissions Policies and Supported Actions

This chapter describes fine-grained permissions management for your APIG.

  • If your account does not require individual IAM users, skip this section.
  • Only dedicated gateways support fine-grained permissions management.

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles (in JSON format) to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

An account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions. The permissions required for calling an API are determined by the actions supported by the API. Only IAM users who have been granted permissions allowing the actions can call the API successfully. For example, to create APIs by calling the API for creating an API, an IAM user must have been granted permissions that allow the apig:apis:create action.

Supported Actions

Operations supported by policies are specific to APIs. The following are common concepts related to policies:

  • Permission: A statement in a policy that allows or denies certain operations.
  • Action: Specific operations that are allowed or denied.
  • API: REST APIs that can be called by a user who has been granted specific permissions.
  • Authorization scope: Type of projects in which policies can be used to grant permissions. A policy can be applied to IAM projects, enterprise projects, or both. Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management. Policies that only contain actions for IAM projects can be used and only take effect for IAM.

APIG supports actions that can be defined in custom policies. Permissions must be obtained before calling APIs provided by APIG.

Table 1 Supported actions

| Permission | API | Action | Dependencies | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a dedicated gateway | POST /v2/{project_id}/apigw/instances | apig:instances:create | - | | |
| Deleting a dedicated gateway | DELETE /v2/{project_id}/apigw/instances/{instance_id} | apig:instances:delete | - | | |
| Updating a dedicated gateway | PUT /v2/{project_id}/apigw/instances/{instance_id} | apig:instances:update | - | | |
| Querying details of a dedicated gateway | GET /v2/{project_id}/apigw/instances/{instance_id} | apig:instances:get | - | | |
| Querying dedicated gateways | GET /v2/{project_id}/apigw/instances | apig:instances:list | - | | |
| Querying gateways by tag | POST /V2/{project_id}/apigw/resource-instances/filter | apig:instance:listByTags | - | | x |
| Querying the number of gateways by tag | POST /V2/{project_id}/apigw/resource-instances/count | apig:instance:getNumByTags | - | | x |
| Querying tags of a gateway | GET /v2/{project_id}/apigw/instance-tags | apig:instanceTags:list | - | | x |
| Deleting tags of a gateway | POST /v2/{project_id}/apigw/instances/{instance_id}/instance-tags/action | apig:instanceTags:delete | apig:instances:get | | |
| Creating a gateway tag | POST /V2/{project_id}/apigw/instances/{instance_id}/instance-tags/action | apig:instanceTags:create | apig:instances:get | | |
| Creating an API group | POST /v2/{project_id}/apigw/instances/{instance_id}/api-groups | apig:groups:create | apig:instances:get | | |
| Deleting an API group | DELETE /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id} | apig:groups:delete | apig:instances:get | | |
| Querying details of an API group | GET /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id} | apig:groups:get | apig:instances:get | | |
| Querying API groups | GET /v2/{project_id}/apigw/instances/{instance_id}/api-groups | apig:groups:list | apig:instances:get | | |
| Updating an API group | PUT /V2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id} | apig:groups:update | apig:instances:get | | |
| Binding a domain name to an API group | POST /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/domains | apig:domains:create | apig:instances:get, apig:groups:get | | |
| Unbinding a domain name from an API group | DELETE /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id} | apig:domains:delete | apig:instances:get, apig:groups:get | | |
| Adding a certificate to a domain name | POST /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id}/certificate | apig:domains:bindCertificate | apig:instances:get, apig:groups:get, apig:domains:get | | |
| Deleting a certificate of a domain name | DELETE /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id}/certificate/{certificate_id} | apig:domains:unbindCertificate | apig:instances:get, apig:groups:get, apig:domains:get | | |
| Querying details of a certificate bound to a domain name | GET /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/domains/{domain_id}/certificate/{certificate_id} | apig:domains:getCertificate | apig:instances:get, apig:groups:get, apig:domains:get | | |
| Setting accessibility of a debugging domain name | PUT /v2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/sl-domain-access-settings | apig:domains:updateSLDomainSetting | apig:instances:get, apig:groups:get | | |
| Creating an environment variable | POST /v2/{project_id}/apigw/instances/{instance_id}/env-variables | apig:variables:create | apig:instances:get, apig:groups:get, apig:envs:list | | |
| Deleting an environment variable | DELETE /v2/{project_id}/apigw/instances/{instance_id}/env-variables/{env_variable_id} | apig:variables:delete | apig:instances:get, apig:groups:get, apig:envs:list | | |
| Querying details of an environment variable | GET /v2/{project_id}/apigw/instances/{instance_id}/env-variables/{env_variable_id} | apig:variables:get | apig:instances:get, apig:groups:get, apig:envs:list | | |
| Querying environment variables | GET /v2/{project_id}/apigw/instances/{instance_id}/env-variables | apig:variables:list | apig:instances:get, apig:groups:get, apig:envs:list | | |
| Creating an API | POST /v2/{project_id}/apigw/instances/{instance_id}/apis | apig:apis:create | apig:instances:get, apig:groups:get | | |
| Deleting an API | DELETE /v2/{project_id}/apigw/instances/{instance_id}/apis/{api_id} | apig:apis:delete | apig:instances:get, apig:groups:get | | |
| Publishing an API | POST /v2/{project_id}/apigw/instances/{instance_id}/apis/action | apig:apis:publish | apig:instances:get, apig:groups:get, apig:envs:list | | |
| Taking an API offline | POST /v2/{project_id}/apigw/instances/{instance_id}/apis/action | apig:apis:offline | apig:instances:get, apig:groups:get, apig:envs:list | | |
| Debugging an API | POST /v2/{project_id}/apigw/instances/{instance_id}/apis/debug/{api_id} | apig:apis:debug | apig:instances:get, apig:groups:get | | |
| Importing an API | POST /v2/{project_id}/apigw/instances/{instance_id}/openapi/import | apig:apis:import | apig:instances:get, apig:apis:create, apig:apis:bindAcls, apig:apis:bindThrottles, apig:groups:get, apig:acls:create, apig:throttles:create | | |
| Exporting an API | POST /v2/{project_id}/apigw/instances/{instance_id}/openapi/export | apig:apis:export | apig:instances:get, apig:apis:list, apig:apis:get, apig:apis:listBindedTrottles, apig:apis:listBindedAcls, apig:groups:get, apig:acls:get, apig:throttles:get | | |
| Updating an API | PUT /V2/{project_id}/apigw/instances/{instance_id}/apis/{api_id} | apig:apis:update | apig:instances:get, apig:groups:get | | |
| Authorizing access to an API | POST /v2/{project_id}/apigw/instances/{instance_id}/app-auths | apig:apis:grantAppAccess | apig:instances:get, apig:apps:get, apig:apis:get | | |
| Canceling access authorization for an API | DELETE /v2/{project_id}/apigw/instances/{instance_id}/app-auths/{app_auth_id} | apig:apis:relieveAppAccess | apig:instances:get, apig:apps:get, apig:apis:get | | |
| Binding a signature key to an API | POST /v2/{project_id}/apigw/instances/{instance_id}/sign-bindings | apig:apis:bindSigns | apig:instances:get, apig:apis:get, apig:signs:list | | |
| Unbinding a signature key from an API | DELETE /v2/{project_id}/apigw/instances/{instance_id}/sign-bindings/{sign_bindings_id} | apig:apis:unbindSigns | apig:instances:get, apig:apis:get, apig:signs:list | | |
| Binding an access control policy to an API | POST /v2/{project_id}/apigw/instances/{instance_id}/acl-bindings | apig:apis:bindAcls | apig:instances:get, apig:apis:get, apig:acls:get | | |
| Unbinding an access control policy from an API | DELETE /v2/{project_id}/apigw/instances/{instance_id}/acl-bindings/{acl_bindings_id} | apig:apis:unbindAcls | apig:instances:get, apig:apis:get, apig:acls:get | | |
| Binding a request throttling policy to an API | POST /v2/{project_id}/apigw/instances/{instance_id}/throttle-bindings | apig:apis:bindThrottles | apig:instances:get, apig:apis:get, apig:throttles:get | | |
| Unbinding a request throttling policy from an API | DELETE /v2/{project_id}/apigw/instances/{instance_id}/throttle-bindings/{throttle_binding_id} | apig:apis:unbindThrottles | apig:instances:get, apig:apis:get, apig:throttles:get | | |
| Querying details of an API | GET /v2/{project_id}/apigw/instances/{instance_id}/apis/{api_id} | apig:apis:get | apig:instances:get, apig:groups:get | | |
| Querying APIs | GET /v2/{project_id}/apigw/instances/{instance_id}/apis | apig:apis:list | apig:instances:get, apig:groups:get | | |
| Querying apps bound to an API | GET /v2/{project_id}/apigw/instances/{instance_id}/app-auths/binded-apps | apig:apis:listBindedApps | apig:instances:get, apig:apis:get | | |
| Querying signature keys bound to an API | GET /v2/{project_id}/apigw/instances/{instance_id}/sign-bindings/binded-signs | apig:apis:listBindedSigns | apig:instances:get, apig:apis:get | | |
| Querying access control policies bound to an API | GET /v2/{project_id}/apigw/instances/{instance_id}/acl-bindings/binded-acls | apig:apis:listBindedAcls | apig:instances:get, apig:apis:get | | |
| Querying request throttling policies bound to an API | GET /v2/{project_id}/apigw/instances/{instance_id}/throttle-bindings/binded-throttles | apig:apis:listBindedThrottles | apig:instances:get, apig:apis:get | | |
| Querying plug-ins bound with an API | GET /v2/{project_id}/apigw/instances/{instance_id}/apis/{api_id}/attached-plugins | apig:apis:listBindedPlugins | apig:instances:get, apig:apis:get | | |
| Binding a plug-in to an API | POST /v2/{project_id}/apigw/instances/{instance_id}/apis/{api_id}/plugins/attach | apig:apis:bindPlugins | apig:instances:get, apig:plugins:get, apig:apis:get | | |
| Unbinding an API's plug-ins | PUT /v2/{project_id}/apigw/instances/{instance_id}/plugins/{plugin_id}/detach | apig:apis:unbindPlugins | apig:instances:get, apig:plugins:get, apig:apis:get | | |
| Creating an environment | POST /v2/{project_id}/apigw/instances/{instance_id}/envs | apig:envs:create | apig:instances:get | | |
| Deleting an environment | DELETE /v2/{project_id}/apigw/instances/{instance_id}/envs/{env_id} | apig:envs:delete | apig:instances:get | | |
| Querying environments | GET /v2/{project_id}/apigw/instances/{instance_id}/envs | apig:envs:list | apig:instances:get | | |
| Updating an environment | PUT /V2/{project_id}/apigw/instances/{instance_id}/envs/{env_id} | apig:envs:update | apig:instances:get | | |
| Creating an app | POST /v2/{project_id}/apigw/instances/{instance_id}/apps | apig:apps:create | apig:instances:get | | |
| Deleting an app | DELETE /v2/{project_id}/apigw/instances/{instance_id}/apps/{app_id} | apig:apps:delete | apig:instances:get | | |
| Querying details of an app | GET /v2/{project_id}/apigw/instances/{instance_id}/apps/{app_id} | apig:apps:get | apig:instances:get | | |
| Querying apps | GET /v2/{project_id}/apigw/instances/{instance_id}/apps | apig:apps:list | apig:instances:get | | |
| Querying APIs bound with an app | GET /v2/{project_id}/apigw/instances/{instance_id}/app-auths/binded-apis | apig:apps:listBindedApis | apig:instances:get, apig:apps:get | | |
| Querying APIs not bound with an app | GET /v2/{project_id}/apigw/instances/{instance_id}/app-auths/unbinded-apis | apig:apps:listUnbindedApis | apig:instances:get, apig:apps:get | | |
| Updating an application | PUT /V2/{project_id}/apigw/instances/{instance_id}/apps/{app_id} | apig:apps:update | apig:instances:get | | |
| Creating a signature key | POST /v2/{project_id}/apigw/instances/{instance_id}/signs | apig:signs:create | apig:instances:get | | |
| Deleting a signature key | DELETE /v2/{project_id}/apigw/instances/{instance_id}/signs/{sign_id} | apig:signs:delete | apig:instances:get | | |
| Querying signature keys | GET /v2/{project_id}/apigw/instances/{instance_id}/signs | apig:signs:list | apig:instances:get | | |
| Querying APIs bound with a signature key | GET /v2/{project_id}/apigw/instances/{instance_id}/sign-bindings/binded-apis | apig:signs:listBindedApis | apig:instances:get, apig:signs:list | | |
| Querying APIs not bound with a signature key | GET /v2/{project_id}/apigw/instances/{instance_id}/sign-bindings/unbinded-apis | apig:signs:listUnbindedApis | apig:instances:get, apig:signs:list | | |
| Updating a signature key | PUT /V2/{project_id}/apigw/instances/{instance_id}/signs/{sign_id} | apig:signs:update | apig:instances:get | | |
| Creating an access control policy | POST /v2/{project_id}/apigw/instances/{instance_id}/acls | apig:acls:create | apig:instances:get | | |
| Deleting an access control policy | DELETE /v2/{project_id}/apigw/instances/{instance_id}/acls/{acl_id} | apig:acls:delete | apig:instances:get | | |
| Querying details of an access control policy | GET /v2/{project_id}/apigw/instances/{instance_id}/acls/{acl_id} | apig:acls:get | apig:instances:get | | |
| Querying access control policies | GET /v2/{project_id}/apigw/instances/{instance_id}/acls | apig:acls:list | apig:instances:get | | |
| Querying APIs bound with an access control policy | GET /v2/{project_id}/apigw/instances/{instance_id}/acl-bindings/binded-apis | apig:acl:listBoundApi | apig:instances:get, apig:acls:get | | |
| Querying APIs not bound with an access control policy | GET /v2/{project_id}/apigw/instances/{instance_id}/acl-bindings/unbinded-apis | apig:acls:listUnbindedApis | apig:instances:get, apig:acls:get | | |
| Updating an access control policy | PUT /V2/{project_id}/apigw/instances/{instance_id}/acls/{acl_id} | apig:acls:update | apig:instances:get | | |
| Creating a request throttling policy | POST /v2/{project_id}/apigw/instances/{instance_id}/throttles | apig:throttles:create | apig:instances:get | | |
| Deleting a request throttling policy | DELETE /v2/{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id} | apig:throttles:delete | apig:instances:get | | |
| Querying details of a request throttling policy | GET /v2/{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id} | apig:specialThrottles:get | apig:instances:get | | |
| Querying request control policies | GET /v2/{project_id}/apigw/instances/{instance_id}/throttles | apig:throttles:list | apig:instances:get | | |
| Querying APIs bound with a request throttling policy | GET /v2/{project_id}/apigw/instances/{instance_id}/throttle-bindings/binded-apis | apig:throttles:listBindedApis | apig:instances:get, apig:throttles:get | | |
| Querying APIs not bound with a request throttling policy | GET /v2/{project_id}/apigw/instances/{instance_id}/throttle-bindings/unbinded-apis | apig:throttles:listUnbindedApis | apig:instances:get, apig:throttles:get | | |
| Updating a request throttling policy | PUT /V2/{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id} | apig:throttles:update | apig:instances:get | | |
| Creating an excluded request throttling configuration | POST /v2/{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id}/throttle-specials | apig:specialThrottles:create | apig:instances:get, apig:throttles:get | | |
| Deleting an excluded request throttling configuration | DELETE /v2/{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id}/throttle-specials/{strategy_id} | apig:specialThrottles:delete | apig:instances:get, apig:throttles:get | | |
| Querying excluded request throttling configurations | GET /v2/{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id}/throttle-specials | apig:specialThrottles:get | apig:instances:get, apig:throttles:get | | |
| Updating an excluded request throttling configuration | PUT /{project_id}/apigw/instances/{instance_id}/throttles/{throttle_id}/throttle-specials/{strategy_id} | apig:specialThrottles:update | apig:instances:get, apig:throttles:get | | |
| Creating a load balance channel | POST /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels | apig:vpcChannels:create | apig:instances:get | | |
| Deleting a load balance channel | DELETE /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id} | apig:vpcChannels:delete | apig:instances:get | | |
| Updating a load balance channel | PUT /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id} | apig:vpcChannels:update | apig:instances:get | | |
| Adding a backend instance to a load balance channel | POST /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id}/members | apig:vpcChannels:addInstance | apig:instances:get, apig:vpcChannels:get | | |
| Deleting a backend instance | DELETE /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id}/members/{member_id} | apig:vpcChannels:deleteInstance | apig:instances:get, apig:vpcChannels:get | | |
| Querying load balance channel details | GET /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id} | apig:vpcChannels:get | apig:instances:get | | |
| Querying load balance channels | GET /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels | apig:vpcChannels:list | apig:instances:get | | |
| Updating a backend server group of a VPC channel | PUT /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id}/member-groups/{member_group_id} | apig:vpcChannels:updateMemberGroup | apig:instances:get, apig:vpcChannels:get | | |
| Adding or updating a backend server group of a VPC channel | POST /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id}/member-groups | apig:vpcChannels:addOrUpdateMemberGroups | apig:instances:get, apig:vpcChannels:get | | |
| Disabling backend servers | POST /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id}/members/batch-disable | apig:vpcChannels:batchEnableInstance | apig:instances:get, apig:vpcChannels:get | | |
| Deleting a backend server group of a VPC channel | DELETE /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id}/member-groups/{member_group_id} | apig:vpcChannels:deleteMemberGroup | apig:instances:get, apig:vpcChannels:get | | |
| Enabling backend servers | POST /v2/{project_id}/apigw/instances/{instance_id}/vpc-channels/{vpc_channel_id}/members/batch-enable | apig:vpcChannels:batchDisableInstance | apig:instances:get, apig:vpcChannels:get | | |
| Creating a custom authorizer | POST /v2/{project_id}/apigw/instances/{instance_id}/authorizers | apig:authorizers:create | functiongraph:function:getConfig, apig:instances:get | | |
| Deleting a custom authorizer | DELETE /v2/{project_id}/apigw/instances/{instance_id}/authorizers/{authorizer_id} | apig:authorizers:delete | apig:instances:get | | |
| Querying details of a custom authorizer | GET /v2/{project_id}/apigw/instances/{instance_id}/authorizers/{authorizer_id} | apig:authorizers:get | apig:instances:get | | |
| Querying custom authorizers | GET /v2/{project_id}/apigw/instances/{instance_id}/authorizers | apig:authorizers:list | apig:instances:get | | |
| Updating a custom authorizer | PUT /V2/{project_id}/apigw/instances/{instance_id}/authorizers/{authorizer_id} | apig:authorizers:update | apig:instances:get | | |
| Querying tags | GET /v2/{project_id}/apigw/instances/{instance_id}/tags | apig:tags:list | apig:instances:get | | |
| Querying gateway features | GET /v2/{project_id}/apigw/instances/{instance_id}/features | apig:features:list | apig:instances:get | | |
| Creating a gateway feature | POST /v2/{project_id}/apigw/instances/{instance_id}/features | apig:features:create | apig:instances:get | | |
| Viewing monitoring data | GET /v2/{project_id}/apigw/instances/{instance_id}/metric-data | apig:metricData:get | apig:instances:get | | |
| Creating a gateway response | POST /V2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/gateway-responses | apig:gatewayResponses:create | apig:instances:get, apig:groups:get | | |
| Querying details of a gateway response | GET /V2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/gateway-responses/{response_id} | apig:gatewayResponses:get | apig:instances:get, apig:groups:get | | |
| Updating a gateway response | PUT /V2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/gateway-responses/{response_id} | apig:gatewayResponses:update | apig:instances:get, apig:groups:get | | |
| Deleting a gateway response | DELETE /V2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/gateway-responses/{response_id} | apig:gatewayResponses:delete | apig:instances:get, apig:groups:get | | |
| Querying a gateway response list | GET /V2/{project_id}/apigw/instances/{instance_id}/api-groups/{group_id}/gateway-responses | apig:gatewayResponses:list | apig:instances:get, apig:groups:get | | |
| Creating an AppCode | POST /v2/{project_id}/apigw/instances/{instance_id}/apps/{app_id}/app-codes | apig:appCodes:create | apig:instances:get, apig:apps:get | | |
| Querying AppCodes of an app | GET /v2/{project_id}/apigw/instances/{instance_id}/apps/{app_id}/app-codes | apig:appCodes:list | apig:instances:get, apig:apps:get | | |
| Querying AppCode details | GET /v2/{project_id}/apigw/instances/{instance_id}/apps/{app_id}/app-codes/{app_code_id} | apig:appCodes:get | apig:instances:get, apig:apps:get | | |
| Updating AppCodes of an app | PUT /V2/{project_id}/apigw/instances/{instance_id}/apps/{app_id}/app-codes | apig:appCodes:update | apig:instances:get, apig:apps:get | | |
| Deleting an AppCode | DELETE /v2/{project_id}/apigw/instances/{instance_id}/apps/{app_id}/app-codes/{app_code_id} | apig:appCodes:delete | apig:instances:get, apig:apps:get | | |
| Creating a plug-in | POST /v2/{project_id}/apigw/instances/{instance_id}/plugins | apig:plugins:create | apig:instances:get | | |
| Updating a plugin | PUT /V2/{project_id}/apigw/instances/{instance_id}/plugins/{plugin_id} | apig:plugins:update | apig:instances:get | | |
| Querying the plug-ins | GET /v2/{project_id}/apigw/instances/{instance_id}/plugins | apig:plugins:list | apig:instances:get | | |
| Querying APIs bound with a plug-in | GET /v2/{project_id}/apigw/instances/{instance_id}/plugins/{plugin_id}/attached-apis | apig:plugins:listBindedApis | apig:instances:get, apig:plugins:get | | |
| Querying plug-ins | GET /v2/{project_id}/apigw/instances/{instance_id}/plugins/{plugin_id} | apig:plugins:get | apig:instances:get | | |
| Querying APIs not bound with a plug-in | GET /v2/{project_id}/apigw/instances/{instance_id}/plugins/{plugin_id}/attachable-apis | apig:plugins:listUnbindedApis | apig:instances:get, apig:plugins:get | | |
| Deleting a plug-in | DELETE /v2/{project_id}/apigw/instances/{instance_id}/plugins/{plugin_id} | apig:plugins:delete | apig:instances:get | | |
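
The Dependencies column matters when writing least-privilege custom policies: granting an action without its dependencies yields a policy that looks sufficient but fails at call time, which tends to push administrators toward wildcards. The following added example (not part of the APIG documentation) expands a set of wanted actions into the full set Table 1 requires and audits an existing policy for missing dependencies and wildcard grants. The DEPENDENCIES map is an excerpt of Table 1; the "Version 1.1" policy layout and `*` wildcard matching are assumptions about the IAM policy format, which this page does not show.

```python
import json
from fnmatch import fnmatchcase

# Excerpt of Table 1: action -> dependencies listed for it on this page.
DEPENDENCIES = {
    "apig:instances:get": [],
    "apig:groups:get": ["apig:instances:get"],
    "apig:envs:list": ["apig:instances:get"],
    "apig:acls:get": ["apig:instances:get"],
    "apig:apis:get": ["apig:instances:get", "apig:groups:get"],
    "apig:apis:list": ["apig:instances:get", "apig:groups:get"],
    "apig:apis:create": ["apig:instances:get", "apig:groups:get"],
    "apig:apis:publish": ["apig:instances:get", "apig:groups:get", "apig:envs:list"],
    "apig:apis:bindAcls": ["apig:instances:get", "apig:apis:get", "apig:acls:get"],
}


def required_actions(wanted):
    """Return the wanted actions plus every dependency, followed transitively."""
    needed, todo = set(), list(wanted)
    while todo:
        action = todo.pop()
        if action not in needed:
            needed.add(action)
            # Actions outside the excerpt are treated as having no dependencies.
            todo.extend(DEPENDENCIES.get(action, []))
    return needed


def build_policy(wanted):
    """Build an allow-only custom policy covering exactly the needed actions."""
    return {
        "Version": "1.1",  # assumed layout; the page only says "JSON format"
        "Statement": [{"Effect": "Allow", "Action": sorted(required_actions(wanted))}],
    }


def audit_policy(policy):
    """Report wildcard grants and granted actions whose dependencies are missing."""
    patterns = [a for s in policy["Statement"] if s.get("Effect") == "Allow"
                for a in s.get("Action", [])]

    def granted(action):
        # Assumed semantics: "*" in a policy action matches any characters.
        return any(fnmatchcase(action, p) for p in patterns)

    missing = {}
    for action in DEPENDENCIES:
        if granted(action):
            gaps = sorted(d for d in required_actions([action]) if not granted(d))
            if gaps:
                missing[action] = gaps
    return {"wildcards": sorted(p for p in patterns if "*" in p), "missing": missing}


if __name__ == "__main__":
    # Constructed sample: a hand-written policy that forgot two dependencies.
    handwritten = {"Version": "1.1", "Statement": [
        {"Effect": "Allow", "Action": ["apig:apis:publish", "apig:instances:get"]}]}
    print(json.dumps(audit_policy(handwritten), indent=2))
    print(json.dumps(build_policy(["apig:apis:publish"]), indent=2))
```

Deny statements are ignored by this audit; a policy that also denies a dependency needs a separate check.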