Using IAM Identity Policies to Grant Access to APIG

Identity policies provided by Identity and Access Management (IAM) let you control access to APIG. With IAM, you can:

Create IAM users or user groups in your Huawei Cloud account for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing APIG resources.
Grant only the permissions required for users to perform a specific task.
Entrust a Huawei Cloud account or cloud service to perform efficient O&M on your APIG resources.

If your Huawei Cloud account meets your permission requirements, you can skip this section.

Figure 1 shows the process flow of ABAC.

Prerequisites

Before granting permissions, learn about For details about the system policies supported by APIG, see identity policy-based permissions management. To grant permissions for other services, learn about all system-defined permissions.

Process Flow

Figure 1 Process for granting APIG permissions

Refer to the operations described in Creating a User or Creating a User Group.
Create a user or user group on the IAM console.
Attach a system-defined identity policy to the user or user group.
Authorize the APIGReadOnlyPolicy system-defined policy to the user or user group.
Log in as the IAM user and verify permissions.
In the authorized region, perform the following operations:
- Choose API Gateway in Service List. Then click Buy Dedicated Gateway in the upper right corner of the APIG console. If you cannot purchase gateways, the APIGReadOnlyPolicy policy is in effect.
- Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the APIGReadOnlyPolicy policy is in effect.

Example Custom Policies

Custom policies can be created as a supplement to the system-defined policies of APIG. For the actions supported for custom policies, see section "Permissions Policies and Supported Actions" in the API Gateway API Reference

You can create custom policies in either of the following ways:

Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
JSON: Edit JSON policies from scratch or based on an existing policy.

For details, see Creating a Custom Policy and Attaching It to a Principal.

The following lists examples of common APIG custom policies.

Example 1: Granting permission to create and publish an API

{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "apig:api:create",
                "apig:api:delete"
            ]
        }
    ]
}

Example 2: Defining permissions for multiple services in a policy

A custom policy can contain the actions of one or multiple services. For example, the following permissions are required for creating a dedicated gateway:

{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "apig:instance:create"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "vpc:securityGroups:get",
                "vpc:ports:create",
                "vpc:ports:update",
                "vpc:vpcs:get",
                "vpc:subnets:get",
                "vpc:ports:get",
                "vpc:ports:delete",
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "eip:publicIps:get",
                "eip:publicIps:associateInstance",
                "eip:publicIps:disassociateInstance"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "eps:enterpriseProjects:list"
            ]
        }
    ]
}

Parent topic: Using IAM to Grant Access to APIG

Previous topic: Using IAM Roles or Policies to Grant Access to APIG

Next topic: Creating a Gateway