Reference for API Gateway custom policies
If system policies do not meet your requirements, you can create custom policies to implement least-privilege access. Custom policies enable fine-grained permission control and improve resource access security. This topic describes custom policies and provides policy examples for common API Gateway scenarios.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, before you can delete the RAM policy you must detach the RAM policy from the principal.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Custom policies
Section 1: Policy overview
A policy contains the following basic elements: Effect, Resource, Action, and Condition.
Create a custom policy to grant finer-grained permissions on specific actions or resources. For example, you can create a custom policy to grant the edit permissions on GetUsers. To view your custom policies, log on to the RAM console, choose Permissions > Policies, and select Custom Policy from the Policy Type drop-down list.
Section 2: Policy syntax
A policy uses a specific syntax to define permissions. Attach a policy to a user or group to grant permissions on specific resources.
{
"Version": "1",
"Statement": [
{
"Action": "apigateway:Describe*",
"Resource": "*",
"Effect": "Allow"
}
]
}
This policy allows a Resource Access Management (RAM) user to query all resources in API Gateway.
The Action element specifies one or more API operations in the following format:
"Action":"<service-name>:<action-name>"
In the preceding code:
-
service-name: the name of an Alibaba Cloud service. In this example, apigateway is specified.
-
action-name: the name of an API operation. You can use the wildcard character (*) for the name. For more information about API operations that are provided by API Gateway, see the table in "Section 3" of this topic.
If you set "Action" to "apigateway:Describe*", the authorized RAM user has the permissions to query all resources in API Gateway.
If you set "Action" to "apigateway:*", the authorized RAM user has the permissions to manage all resources in API Gateway.
Section 3: Resource
The Resource element specifies the objects that a statement covers. In API Gateway, you can specify API groups, throttling policies, and applications. Use the following format:
acs:<service-name>:<region>:<account-id>:<relative-id>
In the preceding code:
-
acs: the abbreviation of Alibaba Cloud Service, which indicates Alibaba Cloud public cloud.
-
service-name: the name of an Alibaba Cloud service. In this example, apigateway is specified.
-
region: the region where the policy applies. A wildcard character (*) indicates all regions.
-
account-id: the ID of the account, such as 123456789012****. This parameter supports wildcard characters (*).
-
relative-id: the resource on which you want to grant permissions. Specify this parameter in a file path-like format.
Format:
acs:apigateway:$regionid:$accountid:apigroup/$groupId
Example:
acs:apigateway:*:*:apigroup/cbd157704e624ab58a204fd3e0b5ad79
The following table lists the API operations that you can specify for the action-name parameter when you create policies for API Gateway. For more information, see "API Gateway API Reference".
|
action-name |
Description |
Resource |
|
CreateApiGroup |
Creates an API group. |
acs:apigateway:$regionid:$accountid:apigroup/* |
|
ModifyApiGroup |
Modifies an API group. |
acs:apigateway:$regionid:$accountid:apigroup/$groupId |
|
DeleteApiGroup |
Deletes an API group. |
acs:apigateway:$regionid:$accountid:apigroup/$groupId |
|
DescribeApiGroups |
Queries API groups. |
acs:apigateway:$regionid:$accountid:apigroup/* |
|
CreateApi |
Creates an API. |
acs:apigateway:$regionid:$accountid:apigroup/$groupId |
|
DeployApi |
Publishes an API. |
acs:apigateway:$regionid:$accountid:apigroup/$groupId |
|
AbolishApi |
Unpublishes an API. |
acs:apigateway:$regionid:$accountid:apigroup/$groupId |
|
DeleteApi |
Deletes an API. |
acs:apigateway:$regionid:$accountid:apigroup/$groupId |
|
DescribeApis |
Queries APIs. |
acs:apigateway:$regionid:$accountid:apigroup/* |
|
CreatePlugin |
Creates a plug-in. |
acs:apigateway:$regionid:$accountid:plugin/* |
|
ModifyPlugin |
Modifies a plug-in. |
acs:apigateway:$regionid:$accountid:plugin/$pluginId |
|
DeletePlugin |
Deletes a plug-in. |
acs:apigateway:$regionid:$accountid:plugin/$pluginId |
|
AttachPlugin |
Binds a plug-in to an API. |
acs:apigateway:$regionid:$accountid:plugin/$pluginId |
|
DetachPlugin |
Unbinds a plug-in from an API. |
acs:apigateway:$regionid:$accountid:plugin/$pluginId |
|
DescribePluginsByApi |
Queries plug-ins that are bound to an API. |
acs:apigateway:$regionid:$accountid:plugin/$pluginId |
|
CreateApp |
Create an application. |
acs:apigateway:$regionid:$accountid:app/* |
|
ModifyApp |
Modifies an application. |
acs:apigateway:$regionid:$accountid:app/$appId |
|
DeleteApp |
Deletes an application. |
acs:apigateway:$regionid:$accountid:app/$appId |
|
DescribeAppAttributes |
Queries applications. |
acs:apigateway:$regionid:$accountid:app/$appId |
|
SetApisAuthorities |
Authorizes an application to call APIs. |
acs:apigateway:$regionid:$accountid:apigroup/$groupId |
|
DescribeAuthorizedApps |
Queries applications that are authorized to call an API. |
acs:apigateway:$regionid:$accountid:apigroup/$groupId |
|
SetVpcAccess |
Creates a virtual private cloud (VPC) access authorization. |
acs:apigateway:$regionid:$accountid:vpcaccess/* |
|
RemoveVpcAccess |
Deletes a VPC access authorization. |
acs:apigateway:$regionid:$accountid:vpcaccess/* |
|
DescribeVpcAccesses |
Queries VPC access authorizations. |
acs:apigateway:$regionid:$accountid:vpcaccess/* |
|
DescribeInstances |
Queries dedicated instances. |
acs:apigateway:$regionid:$accountid:instance/$instanceId |
Examples
Authorize a RAM user to query all APIs:
{
"Version": "1",
"Statement": [
{
"Action": "apigateway:Describe*",
"Resource":"acs:apigateway:$regionid:$accountid:apigroup/*",
"Effect": "Allow"
}
]
}
Authorize a RAM user to query all API groups to which the `version:v1` tag is attached:
{
"Version": "1",
"Statement": [
{
"Action": "apigateway:Describe*",
"Resource":"acs:apigateway:$regionid:$accountid:apigroup/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"apigateway:tag/version": "v1"
}
}
}
]
}
Authorize a RAM user to manage all APIs in an API group:
{
"Version": "1",
"Statement": [
{
"Action": "apigateway:*",
"Resource": [
"acs:apigateway:$regionid:$accountid:apigroup/$groupId",
"acs:apigateway:$regionid:$accountid:app/$appId",
"acs:apigateway:$regionid:$accountid:vpcaccess/*"
],
"Effect": "Allow"
}
]
}
Note: In the preceding examples, you can specify wildcard characters (*) for variables based on your business requirements.
Authorization information
Before you create a custom policy, make sure that you understand the authorization information of API Gateway. For more information, see RAM authorization.