Access Control

Access control policies are a type of security measures provided by APIG. You can use them to allow or deny API access from specific IP addresses, account names, or account IDs. For details about access control policies to gateways, see Table 1.

Access control policies take effect for an API only if they have been bound to the API.

Usage Guidelines

You have understood the guidelines for policy creation and API binding.
An API can be bound only with one access control policy of the same restriction type in an environment, but each access control policy can be bound to multiple APIs.
Gateways created after December 31, 2022 support API access control by account ID. If you need to use this function on dedicated gateways created earlier, contact customer service.

Configuration Parameters

**Table 1** Configuration parameters
Parameter	Description
Name	Access control policy name.
Type	Type of the source from which API calls are to be controlled. IP address: Control API access by IP address. Account name: Control IAM authentication–based API access by account name, not IAM user name. Configure a single or multiple names separated by commas (,). Account name requirements: 1–64 characters, no commas (,) or all digits. The total length cannot exceed 1024 characters. Account ID: Control IAM authentication–based API access by account ID, not IAM user ID. Configure a single or multiple account IDs separated by commas (,). Each account ID contains 32 characters (letters and digits), separated by commas (,). Max. 1,024 characters. NOTE: An API can be bound to two types of access control policies: account name and account ID. If both a blacklist and whitelist exist, API requests are verified only against the whitelist. If only a blacklist or whitelist exists, the account name and account ID verification results follow the AND logic. An API can be bound to three types of access control policies: IP address, account name, and account ID. IP addresses and accounts are in the AND relationship. Failure in verifying either of them will result in an API access failure. The same judgment logic applies to an API whether it is bound with a policy that controls access from specific IP address and account names or from specific IP addresses and account IDs.
Effect	Options: Allow and Deny. Use this parameter along with Type to control access from certain IP addresses, account names, or account IDs to an API.
IP Addresses	Required only when Type is set to IP address. IP addresses and IP address ranges that are allowed or not allowed to access an API. NOTE: You can set a maximum of 100 IP addresses respectively to allow or deny access.
Account Names	Required only when Type is set to Account name. Enter the account names that are allowed or forbidden to access an API. Use commas (,) to separate multiple account names. Click the username in the upper right corner of the console and choose My Credentials to obtain the account name.
Account ID	Required only when Type is set to Account ID. Enter the account IDs that are allowed or forbidden to access an API. Use commas (,) to separate multiple account IDs. Click the username in the upper right corner of the console and choose My Credentials to obtain the account ID.