This topic describes how API Gateway works with Resource Access Management (RAM) to help you manage access to your resources in a fine-grained manner. RAM improves resource access security.
Identity management
To protect your Alibaba Cloud account and cloud resources, we recommend that you do not use your Alibaba Cloud account to access API Gateway. Instead, use RAM identities, which include RAM users and RAM roles. Accessing resources through RAM identities improves access security and makes fine-grained permission management possible. Specifically:
Introduction to RAM user.
Operations related to RAM users.
Introduction to RAM user group.
Operations related to RAM user groups.
Introduction to RAM role.
Operations related to RAM roles.
References.
For more information, see Identity management.
Identity-based permission policies
A policy describes the resources that a user can access, the operations that the user can perform on those resources, and the conditions under which access is allowed. RAM provides system policies and custom policies. System policies are created and maintained by Alibaba Cloud. You can use system policies but cannot modify them. Custom policies are policies that you create and manage yourself.
System policies
API Gateway adds new permissions to system policies as the service is updated to support new features. A system policy update affects all RAM identities to which the policy is attached, such as RAM users, RAM user groups, and RAM roles.
Custom policies
If system policies do not meet your requirements, you can create custom policies to implement the principle of least privilege. You can use custom policies to achieve fine-grained control over permissions and improve resource access security. This way, you can ensure that your business requirements are met and your resources are protected.
For more information, see Identity-based permission policies.
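The following added example, which is not part of the original topic or Alibaba Cloud's own tooling, audits a custom policy document for Allow statements that are broader than least privilege requires. It assumes the standard RAM policy JSON elements (Version, Statement, Effect, Action, Resource, Condition); the action names, account ID, region, and resource ARN layout in the sample are constructed for illustration.

```python
import json

# Constructed sample custom policy. The action names, region, account ID and
# ARN layout are illustrative assumptions, not values taken from this topic.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "apigateway:*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["apigateway:DescribeApis", "apigateway:DescribeApi"],
     "Resource": "acs:apigateway:cn-example:1234567890:apigroup/example-group-id"},
    {"Effect": "Deny", "Action": "apigateway:Delete*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, kind, value, has_condition) for each broad grant.

    Only Allow statements are inspected, because Deny statements can only
    narrow access. A finding with has_condition=False is the riskiest case:
    a wildcard grant that no Condition element restricts.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        has_condition = bool(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((index, "wildcard-action", action, has_condition))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith(("/*", ":*")):
                findings.append((index, "wildcard-resource", resource, has_condition))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Running the audit over each custom policy before attaching it to a RAM identity shows which statements still need to be narrowed to specific operations and resources.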
Service-linked role of API Gateway
The AliyunServiceRoleForApiGateway service-linked role is a RAM role that grants API Gateway permission to access Function Compute. API Gateway accesses Function Compute by assuming this service-linked role. Specifically:
Use scenarios.
Introduction to AliyunServiceRoleForApiGateway.
Delete the service-linked role.
For more information, see Service-linked role of API Gateway.