This topic describes the system permission policies that are provided by Cloud-native API Gateway and the permissions that are provided by these policies. You can refer to this topic when you grant permissions to Resource Access Management (RAM) identities.
What is a system policy?
A policy is a set of permissions described in the policy structure and syntax: it specifies which resources may be accessed, which operations may be performed on them, and under which conditions. RAM provides system policies and custom policies. System policies are created and maintained by Alibaba Cloud; you can attach them but cannot modify them. Custom policies are yours to create, update, and delete as your business requires. As the service evolves, Cloud-native API Gateway adds new permissions to its system policies to cover new features and capabilities. Such an update takes effect for every RAM identity to which the policy is attached, including RAM users, RAM user groups, and RAM roles, which means the permissions of those identities can grow without any action on your part. For more information about RAM policies, see Policy overview.
System policies are designed to let new users get started quickly with Alibaba Cloud services in the Alibaba Cloud Management Console: a new user to whom the system policies of Cloud-native API Gateway are attached can access Cloud-native API Gateway and the services it depends on with only a few clicks. System policies can also be used with other access methods, such as API operations and the command-line interface (CLI), but for these we recommend custom policies, which give you finer-grained control over which users can access which resources.
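To make the policy structure described above concrete, the following is an added example (not code from this page or from Alibaba Cloud). It loads a constructed custom policy document in the standard RAM layout (Version "1" and a Statement list with Effect, Action, Resource and an optional Condition), evaluates a request against it using the rules RAM applies (no permission unless a statement allows it, and an explicit Deny overrides any Allow), and flags statements that are broader than least privilege. The action namespace "apig:", the ARNs, the account ID and the condition key are placeholders chosen for illustration and are not identifiers taken from the page.

```python
"""Minimal evaluator for RAM-style policy documents (added example).

Action names, ARNs and condition keys below are constructed placeholders,
not identifiers documented for Cloud-native API Gateway.
"""
import fnmatch
import json

GW_DEV = "acs:apig:cn-hangzhou:123456789012:gateway/gw-dev"
GW_PROD = "acs:apig:cn-hangzhou:123456789012:gateway/gw-prod"
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# Constructed custom policy: read everything, update/delete only the dev
# gateway over TLS, and never delete any gateway.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["apig:Describe*", "apig:List*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["apig:UpdateGateway", "apig:DeleteGateway"],
         "Resource": GW_DEV,
         "Condition": {"Bool": {"acs:SecureTransport": "true"}}},
        {"Effect": "Deny",
         "Action": "apig:DeleteGateway",
         "Resource": "*"},
    ],
})

# Constructed policy that grants everything on everything.
OVERBROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Policy wildcards: '*' matches any run, '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Check a Condition block against the request context.

    Only StringEquals and Bool are implemented; any other operator, or a
    missing context key, makes the statement fail closed.
    """
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(_as_list(expected)[0]).lower():
                    return False
            else:
                return False
    return True


def evaluate(policy_json, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one (action, resource) request.

    Default is Deny; a matching Deny statement overrides every Allow.
    """
    context = context or {}
    decision = "Deny"
    for stmt in json.loads(policy_json).get("Statement", []):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt.get("Resource"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # explicit deny is final
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def find_overbroad(policy_json):
    """Indices of Allow statements that violate least privilege.

    Flags a full-wildcard Action ('*' or 'svc:*'), or Resource '*' combined
    with an action pattern that is not read-only (Describe/List/Get).
    """
    flagged = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        writes_everything = "*" in resources and any(
            not a.split(":")[-1].startswith(READ_ONLY_PREFIXES) for a in actions)
        if wildcard_action or writes_everything:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    tls = {"acs:SecureTransport": "true"}
    print(evaluate(SAMPLE_POLICY, "apig:UpdateGateway", GW_DEV))       # Deny
    print(evaluate(SAMPLE_POLICY, "apig:UpdateGateway", GW_DEV, tls))  # Allow
    print(evaluate(SAMPLE_POLICY, "apig:DeleteGateway", GW_DEV, tls))  # Deny
    print(find_overbroad(OVERBROAD_POLICY))                            # [0]
```

The evaluator illustrates why custom policies are preferred for API and CLI access: the Resource ARN and the Condition block together confine a write action to one gateway over TLS, and the explicit Deny keeps deletion blocked even though an earlier Allow statement covers it. The `find_overbroad` check is the review you would run on any custom policy before attaching it.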
System policies can be classified into service system policies, service role policies, and service-linked role policies. Some cloud services may not provide all three types of policies. For more information, see the policy types that are described in the following section.
Service-linked role policy
AliyunServiceRolePolicyForNativeApiGw
Cloud-native API Gateway uses the service-linked role AliyunServiceRoleForNativeApiGw to access your resources in other cloud services. The policy AliyunServiceRolePolicyForNativeApiGw is attached to this role and is used solely by it: you cannot modify or delete AliyunServiceRolePolicyForNativeApiGw, or attach it to any other RAM identity.
RAM identity authorization
By default, RAM identities do not have any permissions. RAM identities can access cloud resources within an Alibaba Cloud account only after an account administrator grants the required permissions to the RAM identities. To ensure resource security, we recommend that you grant only required permissions to the RAM identities based on the principle of least privilege. For more information about how to grant the required permissions, see the following topics: