Reference for API Gateway custom policies

Updated at:
Copy as MD

If system policies do not meet your requirements, you can create custom policies to implement least-privilege access. Custom policies enable fine-grained permission control and improve resource access security. This topic describes custom policies and provides policy examples for common API Gateway scenarios.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

  • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

  • You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, before you can delete the RAM policy you must detach the RAM policy from the principal.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

References

Custom policies

Section 1: Policy overview

A policy contains the following basic elements: Effect, Resource, Action, and Condition.

Create a custom policy to grant finer-grained permissions on specific actions or resources. For example, you can create a custom policy to grant the edit permissions on GetUsers. To view your custom policies, log on to the RAM console, choose Permissions > Policies, and select Custom Policy from the Policy Type drop-down list.

Section 2: Policy syntax

A policy uses a specific syntax to define permissions. Attach a policy to a user or group to grant permissions on specific resources.

{
  "Version": "1",
  "Statement": [
    {
  "Action": "apigateway:Describe*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
                

This policy allows a Resource Access Management (RAM) user to query all resources in API Gateway.

The Action element specifies one or more API operations in the following format:

 "Action":"<service-name>:<action-name>"

In the preceding code:

  • service-name: the name of an Alibaba Cloud service. In this example, apigateway is specified.

  • action-name: the name of an API operation. You can use the wildcard character (*) for the name. For more information about API operations that are provided by API Gateway, see the table in "Section 3" of this topic.

    If you set "Action" to "apigateway:Describe*", the authorized RAM user has the permissions to query all resources in API Gateway.

    If you set "Action" to "apigateway:*", the authorized RAM user has the permissions to manage all resources in API Gateway.

Section 3: Resource

The Resource element specifies the objects that a statement covers. In API Gateway, you can specify API groups, throttling policies, and applications. Use the following format:

acs:<service-name>:<region>:<account-id>:<relative-id>

In the preceding code:

  • acs: the abbreviation of Alibaba Cloud Service, which indicates Alibaba Cloud public cloud.

  • service-name: the name of an Alibaba Cloud service. In this example, apigateway is specified.

  • region: the region where the policy applies. A wildcard character (*) indicates all regions.

  • account-id: the ID of the account, such as 123456789012****. This parameter supports wildcard characters (*).

  • relative-id: the resource on which you want to grant permissions. Specify this parameter in a file path-like format.

Format:

acs:apigateway:$regionid:$accountid:apigroup/$groupId

Example:

acs:apigateway:*:*:apigroup/cbd157704e624ab58a204fd3e0b5ad79

The following table lists the API operations that you can specify for the action-name parameter when you create policies for API Gateway. For more information, see "API Gateway API Reference".

action-name

Description

Resource

CreateApiGroup

Creates an API group.

acs:apigateway:$regionid:$accountid:apigroup/*

ModifyApiGroup

Modifies an API group.

acs:apigateway:$regionid:$accountid:apigroup/$groupId

DeleteApiGroup

Deletes an API group.

acs:apigateway:$regionid:$accountid:apigroup/$groupId

DescribeApiGroups

Queries API groups.

acs:apigateway:$regionid:$accountid:apigroup/*

CreateApi

Creates an API.

acs:apigateway:$regionid:$accountid:apigroup/$groupId

DeployApi

Publishes an API.

acs:apigateway:$regionid:$accountid:apigroup/$groupId

AbolishApi

Unpublishes an API.

acs:apigateway:$regionid:$accountid:apigroup/$groupId

DeleteApi

Deletes an API.

acs:apigateway:$regionid:$accountid:apigroup/$groupId

DescribeApis

Queries APIs.

acs:apigateway:$regionid:$accountid:apigroup/*

CreatePlugin

Creates a plug-in.

acs:apigateway:$regionid:$accountid:plugin/*

ModifyPlugin

Modifies a plug-in.

acs:apigateway:$regionid:$accountid:plugin/$pluginId

DeletePlugin

Deletes a plug-in.

acs:apigateway:$regionid:$accountid:plugin/$pluginId

AttachPlugin

Binds a plug-in to an API.

acs:apigateway:$regionid:$accountid:plugin/$pluginId

DetachPlugin

Unbinds a plug-in from an API.

acs:apigateway:$regionid:$accountid:plugin/$pluginId

DescribePluginsByApi

Queries plug-ins that are bound to an API.

acs:apigateway:$regionid:$accountid:plugin/$pluginId

CreateApp

Create an application.

acs:apigateway:$regionid:$accountid:app/*

ModifyApp

Modifies an application.

acs:apigateway:$regionid:$accountid:app/$appId

DeleteApp

Deletes an application.

acs:apigateway:$regionid:$accountid:app/$appId

DescribeAppAttributes

Queries applications.

acs:apigateway:$regionid:$accountid:app/$appId

SetApisAuthorities

Authorizes an application to call APIs.

acs:apigateway:$regionid:$accountid:apigroup/$groupId

DescribeAuthorizedApps

Queries applications that are authorized to call an API.

acs:apigateway:$regionid:$accountid:apigroup/$groupId

SetVpcAccess

Creates a virtual private cloud (VPC) access authorization.

acs:apigateway:$regionid:$accountid:vpcaccess/*

RemoveVpcAccess

Deletes a VPC access authorization.

acs:apigateway:$regionid:$accountid:vpcaccess/*

DescribeVpcAccesses

Queries VPC access authorizations.

acs:apigateway:$regionid:$accountid:vpcaccess/*

DescribeInstances

Queries dedicated instances.

acs:apigateway:$regionid:$accountid:instance/$instanceId

Examples

Authorize a RAM user to query all APIs:

{
          "Version": "1",
          "Statement": [
            {
                      "Action": "apigateway:Describe*",
                      "Resource":"acs:apigateway:$regionid:$accountid:apigroup/*",
                      "Effect": "Allow"
            }
          ]
}                        

Authorize a RAM user to query all API groups to which the `version:v1` tag is attached:

{
	  "Version": "1",
	  "Statement": [
	    {
      		"Action": "apigateway:Describe*",
	      	"Resource":"acs:apigateway:$regionid:$accountid:apigroup/*",
	      	"Effect": "Allow", 
                 "Condition": {
                        "StringEquals": {
                             "apigateway:tag/version": "v1"
                        }
                 }
             }
	  ]
}			

Authorize a RAM user to manage all APIs in an API group:

{
          "Version": "1",
          "Statement": [
            {
                      "Action": "apigateway:*",
                      "Resource": [
                              "acs:apigateway:$regionid:$accountid:apigroup/$groupId",
                              "acs:apigateway:$regionid:$accountid:app/$appId",
                              "acs:apigateway:$regionid:$accountid:vpcaccess/*"
                      ],
                      "Effect": "Allow"
            }
          ]
}

Note: In the preceding examples, you can specify wildcard characters (*) for variables based on your business requirements.

Authorization information

Before you create a custom policy, make sure that you understand the authorization information of API Gateway. For more information, see RAM authorization.