Updated on 2022-02-21 GMT+08:00

Creating an Access Control Policy

Scenario

Access control policies are a type of security measures provided by API Gateway. You can use them to allow or deny API access from specific IP addresses or accounts.

Access control policies take effect for an API only if they have been bound to the API.

  • You can create a maximum of 100 access control policies.
  • Each API can be bound with only one access control policy for a given environment, but each access control policy can be bound to multiple APIs.

Creating an Access Control Policy

  1. Log in to the management console.
  2. Click in the upper left corner and choose API Gateway.
  3. In the navigation pane, choose API Publishing > Access Control.
  4. Click Create Access Control Policy.
  5. In the Create Access Control Policy dialog box, set the parameters listed in Table 1.

    Table 1 Parameters for creating an access control policy

    Parameter

    Description

    Name

    Access control policy name.

    Restriction Type

    Type of the source from which API calls are to be controlled.

    • IP address: Specify IP addresses and IP address ranges that are allowed or not allowed to access an API.
    • Account name: Specify names of the accounts that are allowed or not allowed to access an API.

    Effect

    Options: Allow and Deny.

    Use this parameter along with Restriction Type to control the access of certain IP addresses or accounts to an API.

    IP Address

    IP addresses and IP address ranges that are allowed or not allowed to access an API

    You need to set this parameter only if you have set Restriction Type to IP address.

    NOTE:

    You can set a maximum of 100 IP addresses respectively to allow or deny access.

    Account Names

    Names of the accounts that are allowed or not allowed to access an API. This parameter only applies to APIs that are accessed through IAM authentication.

    You need to set this parameter only if you have set Restriction Type to Account name. You can enter multiple account names and separate them with commas, for example, aaa,bbb.

    NOTE:

    API Gateway performs access control on accounts, not IAM users created using accounts.

  6. Click OK. You can bind the policy to APIs to control API access.

Binding an Access Control Policy to an API

  1. Go to the page for binding an access control policy to an API. You can use one of the following methods:

    • In the Operation column of the access control policy to be bound, click Bind to API, and then click Select API.
    • Click the name of the target access control policy, and click Select API.

  2. Specify an API group, environment, and API name keyword to search for the desired API.
  3. Select the API and click OK.

    If an access control policy is no longer needed for an API, you can unbind it from that API. To unbind an access control policy from multiple APIs, select the APIs, and click Unbind. You can unbind a request throttling policy from a maximum of 1000 APIs at a time.