
ApiGateway_RAM

Last Updated: Dec 01, 2017

API Gateway is integrated with Alibaba Cloud Resource Access Management (RAM) so that multiple employees in an enterprise can manage APIs under permission control. The API provider creates RAM sub-accounts for its employees and grants each sub-account access to only the APIs that employee needs to manage.

  • With RAM, employees use sub-accounts to view, create, manage, and delete API groups, APIs, authorizations, and throttling policies. A sub-account is never the owner of these resources; the primary account can revoke its operation permissions at any time.
  • Before reading this document, make sure that you have read the RAM help manual and the API Gateway API manual.
  • Skip this document if you do not need to delegate API management to sub-accounts.

You can perform the operations described here through either the RAM console or the RAM API.

Part 1: Policy management

An authorization policy (Policy) describes what is authorized. It is built from several basic elements: Effect, Resource, Action, and Condition.

System authorization policy

Two system policies, AliyunApiGatewayFullAccess and AliyunApiGatewayReadOnlyAccess, are preset for API Gateway. You can review them in the RAM console under Policy Management.

  • AliyunApiGatewayFullAccess: an administrator privilege that can manage all API Gateway resources under the primary account, including API groups, APIs, throttling policies, and applications.
  • AliyunApiGatewayReadOnlyAccess: a view-only privilege for all API Gateway resources under the primary account, including API groups, APIs, throttling policies, and applications; it cannot modify any of them.

Custom authorization policy

You can restrict management permissions precisely to a single operation or resource as needed. For example, you can grant only the permission to edit the API named GetUsers. Custom policies are listed in the RAM console under Policy Management > Custom Policy. For more information about how to view, create, modify, and delete a custom policy, see Authorization policy management.
For more information about how to write the policy content, see Policy basic elements, Policy syntax structure, and the authorization policy description that follows.

Part 2: Authorization policy

An authorization policy is a set of permissions described in the policy language. After an authorization policy is attached to a user or a group, the user or all users in the group can acquire the access permissions specified in the policy.
For more information about how to enter the authorization policy content, see Policy basic elements and Policy syntax structure.
Example:

  {
    "Version": "1",
    "Statement": [
      {
        "Action": "apigateway:Describe*",
        "Resource": "*",
        "Effect": "Allow"
      }
    ]
  }

This example allows every view (Describe) operation on every API Gateway resource, and nothing else.

Action (operation name list) format:

  "Action": "<service-name>:<action-name>"

Among them:

  • service-name is the Alibaba Cloud product name. Set it to apigateway.
  • action-name is the API name; see the table at the end of this document. The wildcard * is also accepted, for example:
      "Action": "apigateway:Describe*" matches all view operations.
      "Action": "apigateway:*" matches all operations of API Gateway.

Part 3: Resource (operation object list)

A resource is the object of an operation; in API Gateway this can be an API group, a throttling policy, or an application. The format is:

  acs:<service-name>:<region>:<account-id>:<relative-id>

Among them:

  • acs is the abbreviation of Alibaba Cloud Service and denotes the Alibaba Cloud public cloud platform.
  • service-name is the Alibaba Cloud product name. Set it to apigateway.
  • region is the region ID. The wildcard * matches all regions.
  • account-id is the account ID, such as 1234567890123456. The wildcard * is also accepted.
  • relative-id is the API Gateway-specific resource description. Its format is a tree-like path, similar to a file path (for example apigroup/<group ID>).

Example:

  1. acs:apigateway:$regionid:$accountid:apigroup/$groupId

A form that uses a wildcard for the region (all regions under the account):

  acs:apigateway:*:$accountid:apigroup/
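The Action and Resource formats above combine into a least-privilege custom policy. The following is an added example, not code from the original page or from Alibaba Cloud: it builds a policy for one employee who may view everything, manage only one API group, and never delete APIs or groups, then checks the policy with a small local evaluator. The evaluator models the documented * wildcard matching in Action and Resource plus the deny-overrides rule (an explicit Deny beats any Allow); it is a simplified stand-in for the RAM engine, not RAM itself. The account ID, region, group IDs and the function names are assumptions made for the example.

```python
"""Added example: build and locally check a scoped API Gateway RAM policy.

The evaluator below is a simplified model (wildcards + deny overrides), not
Alibaba Cloud's RAM engine. ACCOUNT_ID, REGION and the group IDs are made up.
"""
import fnmatch
import json

ACCOUNT_ID = "1234567890123456"   # sample account ID, as used in the text
REGION = "cn-hangzhou"            # assumption: any region ID will do here


def api_group_resource(group_id: str, region: str = "*",
                       account_id: str = ACCOUNT_ID) -> str:
    """Build an API group resource name in the acs:apigateway:... format."""
    return f"acs:apigateway:{region}:{account_id}:apigroup/{group_id}"


def build_employee_policy(group_id: str) -> dict:
    """Policy for one employee: read all, manage one group, never delete."""
    return {
        "Version": "1",
        "Statement": [
            {   # view all API Gateway resources (the page's Describe* example)
                "Action": "apigateway:Describe*",
                "Resource": "*",
                "Effect": "Allow",
            },
            {   # full management, but only inside this employee's API group
                "Action": "apigateway:*",
                "Resource": api_group_resource(group_id),
                "Effect": "Allow",
            },
            {   # explicit Deny overrides the Allow statements above
                "Action": ["apigateway:DeleteApiGroup", "apigateway:DeleteApi"],
                "Resource": "*",
                "Effect": "Deny",
            },
        ],
    }


def policy_json(group_id: str) -> str:
    """Serialize the policy as the JSON you would paste into the RAM console."""
    return json.dumps(build_employee_policy(group_id), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Deny-overrides evaluation with '*' wildcards in Action and Resource."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, pat)
                         for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                           for pat in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False          # one matching Deny decides the request
        allowed = True            # remember the Allow, keep scanning for Deny
    return allowed


if __name__ == "__main__":
    policy = build_employee_policy("grp-a")
    print(policy_json("grp-a"))
    own = api_group_resource("grp-a", REGION)
    other = api_group_resource("grp-b", REGION)
    for act, res in [("apigateway:DescribeApis", other),
                     ("apigateway:CreateApi", own),
                     ("apigateway:CreateApi", other),
                     ("apigateway:DeleteApi", own)]:
        print(f"{act:28} {res}: {'ALLOW' if is_allowed(policy, act, res) else 'DENY'}")
```

The Deny statement is the part worth copying: because RAM evaluates an explicit Deny ahead of any Allow, it fences off destructive operations even though the second statement grants apigateway:* on the group. Note also that CreateApiGroup needs the resource apigroup/*, which the group-scoped Allow does not match, so the employee cannot create new groups either.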

The following table lists, for each action name, the resource it operates on. Refer to the API Gateway API manual for the parameters of each action.

Action name                      Resource
AbolishApi                       acs:apigateway:$regionid:$accountid:apigroup/$groupId
AddTrafficSpecialControl         acs:apigateway:$regionid:$accountid:trafficcontrol/$trafficcontrolId
CreateApi                        acs:apigateway:$regionid:$accountid:apigroup/$groupId
CreateApiGroup                   acs:apigateway:$regionid:$accountid:apigroup/*
CreateTrafficControl             acs:apigateway:$regionid:$accountid:trafficcontrol/*
DeleteAllTrafficSpecialControl   acs:apigateway:$regionid:$accountid:trafficcontrol/$trafficcontrolId
DeleteApi                        acs:apigateway:$regionid:$accountid:apigroup/$groupId
DeleteApiGroup                   acs:apigateway:$regionid:$accountid:apigroup/$groupId
DeleteDomain                     acs:apigateway:$regionid:$accountid:apigroup/$groupId
DeleteDomainCertificate          acs:apigateway:$regionid:$accountid:apigroup/$groupId
DeleteTrafficControl             acs:apigateway:$regionid:$accountid:trafficcontrol/$trafficcontrolId
DeleteTrafficSpecialControl      acs:apigateway:$regionid:$accountid:trafficcontrol/$trafficcontrolId
DeployApi                        acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeApi                      acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeApiError                 acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeApiGroupDetail           acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeApiGroups                acs:apigateway:$regionid:$accountid:apigroup/*
DescribeApiLatency               acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeApiQps                   acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeApiRules                 acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeApis                     acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeApisByRule               acs:apigateway:$regionid:$accountid:trafficcontrol/$trafficcontrolId or acs:apigateway:$regionid:$accountid:secretkey/$secretKeyId
DescribeApiTraffic               acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeAppsByApi                acs:apigateway:$regionid:$accountid:apigroup/$groupId
AddBlackList                     acs:apigateway:$regionid:$accountid:blacklist/*
DescribeBlackLists               acs:apigateway:$regionid:$accountid:blacklist/*
DescribeDeployedApi              acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeDeployedApis             acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeDomain                   acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeDomainResolution         acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeHistoryApi               acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeHistoryApis              acs:apigateway:$regionid:$accountid:apigroup/*
DescribeRulesByApi               acs:apigateway:$regionid:$accountid:apigroup/$groupId
DescribeSecretKeys               acs:apigateway:$regionid:$accountid:secretkey/*
DescribeTrafficControls          acs:apigateway:$regionid:$accountid:trafficcontrol/*
ModifyApi                        acs:apigateway:$regionid:$accountid:apigroup/$groupId
ModifyApiGroup                   acs:apigateway:$regionid:$accountid:apigroup/$groupId
ModifySecretKey                  acs:apigateway:$regionid:$accountid:secretkey/$secretKeyId
RecoverApiFromHistorical         acs:apigateway:$regionid:$accountid:apigroup/$groupId
RefreshDomain                    acs:apigateway:$regionid:$accountid:apigroup/$groupId
RemoveAccessPermissionByApis     acs:apigateway:$regionid:$accountid:apigroup/$groupId
RemoveAccessPermissionByApps     acs:apigateway:$regionid:$accountid:apigroup/$groupId
RemoveAllBlackList               acs:apigateway:$regionid:$accountid:blacklist/*
RemoveApiRule                    acs:apigateway:$regionid:$accountid:apigroup/$groupId, plus acs:apigateway:$regionid:$accountid:secretkey/$secretKeyId or acs:apigateway:$regionid:$accountid:trafficcontrol/$trafficcontrolId
RemoveAppsFromApi                acs:apigateway:$regionid:$accountid:apigroup/$groupId
RemoveBlackList                  acs:apigateway:$regionid:$accountid:blacklist/$blacklistId
SetAccessPermissionByApis        acs:apigateway:$regionid:$accountid:apigroup/$groupId
SetAccessPermissions             acs:apigateway:$regionid:$accountid:apigroup/$groupId
SetApiRule                       acs:apigateway:$regionid:$accountid:apigroup/$groupId, plus acs:apigateway:$regionid:$accountid:secretkey/$secretKeyId or acs:apigateway:$regionid:$accountid:trafficcontrol/$trafficcontrolId
SetDomain                        acs:apigateway:$regionid:$accountid:apigroup/$groupId
SetDomainCertificate             acs:apigateway:$regionid:$accountid:apigroup/$groupId
SwitchApi                        acs:apigateway:$regionid:$accountid:apigroup/$groupId
CreateSecretKey                  acs:apigateway:$regionid:$accountid:secretkey/*
DeleteSecretKey                  acs:apigateway:$regionid:$accountid:secretkey/$secretKeyId