Updated on 2025-12-09 GMT+08:00

Using IAM Roles or Policies to Grant Access to APIG

Role/policy-based authorization provided by Identity and Access Management (IAM) lets you control access to APIG. With IAM, you can:

  • Create IAM users for employees in your Huawei Cloud Account based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing APIG resources.
  • Grant only the permissions required for users to perform a specific task.
  • Entrust a Huawei Cloud account or cloud service to perform efficient O&M on your APIG resources.

If your Huawei Cloud account does not require individual IAM users, skip this chapter.

Figure 1 shows the process flow of role/policy-based authorization.

Prerequisites

Before assigning permissions to user groups, learn about system-defined permissions in role/policy-based authorization for APIG. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process for granting APIG permissions
  1. Create a user group and assign permissions.

    Create a user group on the IAM console, and assign the APIG ReadOnlyAccess policy to the group.

  2. Create an IAM user and add it to the created user group.

    Create a user on the IAM console and add the user to the group created in step 1.

  3. Log in and verify permissions.

    Log in to the APIG console by using the user created in the previous step, switch to the authorized region, and verify that the user only has read permissions for APIG.

    • Choose API Gateway in Service List. Then click Buy Dedicated Gateway in the upper right corner of the APIG console. If you cannot purchase gateways, the APIG ReadOnlyAccess policy is in effect.
    • Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the APIG ReadOnlyAccess policy is in effect.

Example Custom Policies

Custom policies can be created to supplement the system-defined policies of APIG. For the actions supported in custom policies, see section "Permissions Policies and Supported Actions" in the API Gateway API Reference.

To create a custom policy, choose either visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details about how to create custom policies, see Creating a Custom Policy. The following are examples of common APIG custom policies.

  • Example 1: Granting permission to create and publish an API
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "apig:apis:create",
                    "apig:apis:publish"
                ]
            }
        ]
    }
  • Example 2: Denying dedicated gateway deletion

    A policy with only "Deny" permissions must be used in conjunction with other policies to take effect. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    If you need to assign the APIG Admin policy to a user but want to prevent that user from deleting dedicated gateways, create a custom policy that denies dedicated gateway deletion and attach both policies to the group the user belongs to. The user can then perform all operations on APIG except deleting dedicated gateways. The following is an example deny policy:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "apig:instances:delete"
                ]
            }
        ]
    }
  • Example 3: Defining permissions for multiple services in a policy

    A custom policy can contain the actions of multiple services that are of the global or project-level type. The following is an example policy containing actions of multiple services:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "apig:instances:create",
                    "vpc:*:get*",
                    "vpc:ports:create",
                    "vpc:ports:update",
                    "vpc:publicIps:update"
                ]
            }
        ]
    }
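The precedence rule from Example 2 (Deny overrides Allow, and a Deny-only policy grants nothing on its own) and the wildcard actions from Example 3 ("vpc:*:get*"), worked through in a small Python evaluator. This is an added example, not Huawei Cloud's own policy engine; the Allow-all policy standing in for APIG Admin is an assumption, and the action names used in the checks are constructed.

```python
import fnmatch
import json

# Constructed stand-in for the APIG Admin policy (assumed: allows every apig action).
APIG_ADMIN = json.loads(
    '{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["apig:*:*"]}]}'
)
# The deny policy from Example 2 on this page.
DENY_INSTANCE_DELETE = json.loads(
    '{"Version": "1.1", "Statement": [{"Effect": "Deny", "Action": ["apig:instances:delete"]}]}'
)


def action_matches(pattern, action):
    """Match one action ("service:resource:operation") against a policy pattern.

    '*' is matched within each colon-separated segment, so "vpc:*:get*" matches
    "vpc:ports:get" but not "vpc:ports:create".
    """
    p_parts, a_parts = pattern.split(":"), action.split(":")
    if len(p_parts) != len(a_parts):
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def is_allowed(policies, action):
    """Decide whether the attached policies permit `action`.

    Evaluation order: implicit deny by default; any matching Allow flips the
    decision to allow; any matching Deny wins immediately, whatever else matched.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(action_matches(p, action) for p in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return False  # explicit Deny takes precedence over Allow
                allowed = True
    return allowed


if __name__ == "__main__":
    attached = [APIG_ADMIN, DENY_INSTANCE_DELETE]
    for act in ("apig:apis:create", "apig:instances:delete"):
        print(act, "->", "allow" if is_allowed(attached, act) else "deny")
    # The Deny policy attached alone grants nothing (still implicit deny):
    print("deny-only:", is_allowed([DENY_INSTANCE_DELETE], "apig:apis:create"))
```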