RAM-based access control

Updated at:
Copy as MD

Use Resource Access Management (RAM) with API Gateway to manage access to your resources in a fine-grained manner and improve resource access security.

Identity management

Avoid using your Alibaba Cloud root account to access API Gateway. Instead, create RAM identities — RAM users, RAM roles, and RAM user groups — and grant each identity only the permissions it needs. This reduces the impact of compromised credentials and simplifies permission audits.

  • Introduction to RAM user.

  • Operations related to RAM users.

  • Introduction to RAM user group.

  • Operations related to RAM user groups.

  • Introduction to RAM role.

  • Operations related to RAM roles.

  • References.

For more information, see Identity management.

Identity-based permission policies

A permission policy defines which resources a RAM identity can access, which actions it can perform, and under what conditions. RAM offers two policy types:

  • System policies

    Alibaba Cloud creates and maintains system policies. You can use but cannot modify system policies. When API Gateway releases new features, the corresponding system policies are updated automatically — any RAM identity attached to that policy receives the new permissions without manual changes.

  • Custom policies

    If system policies do not meet your requirements, create a custom policy to apply the principle of least privilege. Custom policies give you fine-grained control over exact resources, actions, and conditions, so you can scope access precisely to your API Gateway resources.

For more information, see Identity-based permission policies.

Service-linked role of API Gateway

AliyunServiceRoleForApiGateway is a service-linked role that grants API Gateway the permissions it needs to call Function Compute on your behalf. API Gateway accesses Function Compute by assuming the service-linked role.

  • Use scenarios.

  • Introduction to AliyunServiceRoleForApiGateway.

  • Delete the service-linked role.

For more information, see Service-linked role of API Gateway.