RAM-based access control
Use Resource Access Management (RAM) with API Gateway to manage access to your resources in a fine-grained manner and improve resource access security.
Identity management
Avoid using your Alibaba Cloud root account to access API Gateway. Instead, create RAM identities — RAM users, RAM roles, and RAM user groups — and grant each identity only the permissions it needs. This reduces the impact of compromised credentials and simplifies permission audits.
Introduction to RAM user.
Operations related to RAM users.
Introduction to RAM user group.
Operations related to RAM user groups.
Introduction to RAM role.
Operations related to RAM roles.
References.
For more information, see Identity management.
Identity-based permission policies
A permission policy defines which resources a RAM identity can access, which actions it can perform, and under what conditions. RAM offers two policy types:
-
System policies
Alibaba Cloud creates and maintains system policies. You can use but cannot modify system policies. When API Gateway releases new features, the corresponding system policies are updated automatically — any RAM identity attached to that policy receives the new permissions without manual changes.
-
Custom policies
If system policies do not meet your requirements, create a custom policy to apply the principle of least privilege. Custom policies give you fine-grained control over exact resources, actions, and conditions, so you can scope access precisely to your API Gateway resources.
For more information, see Identity-based permission policies.
Service-linked role of API Gateway
AliyunServiceRoleForApiGateway is a service-linked role that grants API Gateway the permissions it needs to call Function Compute on your behalf. API Gateway accesses Function Compute by assuming the service-linked role.
Use scenarios.
Introduction to AliyunServiceRoleForApiGateway.
Delete the service-linked role.
For more information, see Service-linked role of API Gateway.