API Gateway: AI Gateway custom permission policy reference

Last Updated: Nov 10, 2025

If system policies do not meet your requirements, you can create custom policies to achieve least privilege. Custom policies allow you to implement fine-grained permission control and improve the security of your resources. This topic provides examples of custom permission policies for AI Gateway.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

  • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

  • You can delete a RAM policy only if it is not attached to a principal. If the policy is attached to a principal, detach it from the principal before you delete it.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

Examples of common custom authorization policies for AI Gateway

  • Example 1: Grant a RAM user read and write permissions for the AI Gateway instance gw-cpnx*******.

    Replace regionId and accountId with the ID of the region and the ID of the Alibaba Cloud account where the gateway is located.

    {
      "Statement": [
        {
          "Action": "apig:*",
          "Resource": [
            "acs:apig:*:*:gateway/gw-cpnx*******",
            "acs:apig:regionId:accountId:service/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "apig:Check*",
            "apig:ListGateway"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }
  • Example 2: Grant a RAM user read and write permissions for the AI Gateway API api-cpo22t5lhtgxxxxxx.

    {
      "Statement": [
        {
          "Action": [
            "apig:*"
          ],
          "Resource": "acs:apig:*:*:httpapi/api-cpo22t5lhtgxxxxxx",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }
  • Example 3: Grant a RAM user read-only permissions for all AI Gateway resources.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "apig:Check*",
            "apig:List*",
            "apig:Get*",
            "apig:Export*",
            "apig:Query*",
            "apig:Debug*"
          ],
          "Resource": "acs:apig:*:*:*",
          "Effect": "Allow"
        }
      ]
    }
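
The following pre-attachment check is an added example, not part of the original documentation or of any Alibaba Cloud tooling. It flags resource ARNs that still contain the literal `regionId` / `accountId` placeholders from Example 1, flags `apig:*` granted on all resources, and classifies a policy as read-only using the action prefixes listed in Example 3. The function names are hypothetical, and treating those prefixes as a complete definition of read-only is an assumption.

```python
# Action prefixes that Example 3 on this page grants for read-only access.
READ_ONLY_PREFIXES = ("Check", "List", "Get", "Export", "Query", "Debug")
PLACEHOLDERS = {"regionId", "accountId"}  # literal tokens from Example 1


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Return a sorted list of findings for the Allow statements in a policy."""
    findings = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            parts = res.split(":", 4)  # acs:service:region:account:resource
            if PLACEHOLDERS & set(parts):
                findings.add(f"unreplaced placeholder in {res}")
            all_resources = res == "*" or (len(parts) == 5 and parts[4] == "*")
            if all_resources and any(a in ("*", "apig:*") for a in actions):
                findings.add(f"full apig access on all resources: {res}")
    return sorted(findings)


def is_read_only(policy):
    """True if every allowed action is an apig action with a read-only prefix."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if service != "apig" or not name.startswith(READ_ONLY_PREFIXES):
                return False
    return True


# Constructed sample: Example 1 from this page, copied without editing the ARNs.
EXAMPLE_1 = {"Version": "1", "Statement": [
    {"Action": "apig:*", "Effect": "Allow",
     "Resource": ["acs:apig:*:*:gateway/gw-cpnx*******",
                  "acs:apig:regionId:accountId:service/*"]},
    {"Action": ["apig:Check*", "apig:ListGateway"], "Effect": "Allow",
     "Resource": "*"}]}

print(audit_policy(EXAMPLE_1), is_read_only(EXAMPLE_1))
```

Running it on Example 1 as copied reports the unreplaced placeholder ARN, which is the line that must be edited before the policy is attached.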