Create custom policies for Cloud-native API Gateway to enable fine-grained access control when system policies do not meet your requirements.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If the policy is attached to a principal, detach it from the principal before you delete it.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
Authorization modes
Cloud-native API Gateway supports two authorization modes for custom policies:
- Resource ARN: Specify the resource ARN in the Resource element to scope permissions to a specific gateway instance, API, or all resources. This is the most common mode.
- Condition key: Set Resource to * and use the apig:GatewayId condition key in Condition to scope permissions to a gateway instance. Use this mode to manage multiple resource types under the same gateway without specifying each resource ARN.
Example overview
The following table summarizes the custom policy examples.
| Example | Target resource | Action scope | Scoping method | Use case |
|---|---|---|---|---|
| Example 1 (Recommended) | Specific gateway instance | All actions (apig:*) | resource ARN | Grant full permissions on a specific gateway instance. |
| Example 2 | Specific API | All actions (apig:*) | resource ARN | Grant full permissions on a specific API. |
| Example 3 | All resources | Read-only permissions (apig:List*, apig:Get*) | resource ARN | Grant read-only permissions on all gateway resources. |
| Example 4 | Services and sources under a specific gateway | Create, read, update, delete, and list services and sources | condition key (apig:GatewayId) | Manage multiple resource types under the same gateway without listing each resource ARN. |
Specify resources by resource ARN
These examples use a resource ARN in the Resource element to define the authorization scope. Start with Example 1 if this is your first custom policy.
- Example 1 (Recommended): Grant a RAM user full permissions on gateway instance gw-cpnx*******.

  {
    "Statement": [
      {
        "Action": [
          "apig:*"
        ],
        "Resource": "acs:apig:*:*:gateway/gw-cpnx*******",
        "Effect": "Allow"
      }
    ],
    "Version": "1"
  }

- Example 2: Grant a RAM user full permissions on API api-cpo22t5lhtgxxxxxx.

  {
    "Statement": [
      {
        "Action": [
          "apig:*"
        ],
        "Resource": "acs:apig:*:*:httpapi/api-cpo22t5lhtgxxxxxx",
        "Effect": "Allow"
      }
    ],
    "Version": "1"
  }

- Example 3: Grant a RAM user read-only permissions on all Cloud-native API Gateway resources.

  {
    "Statement": [
      {
        "Action": [
          "apig:List*",
          "apig:Get*"
        ],
        "Resource": "acs:apig:*:*:*",
        "Effect": "Allow"
      }
    ],
    "Version": "1"
  }
Limit resources by condition key
Instead of specifying a resource ARN, the following example uses the apig:GatewayId condition key with * as the Resource to scope permissions to a specific gateway.
- Example 4: Grant a RAM user permissions to manage services and sources under a specific gateway instance.

  Actions in this policy by resource type and operation:

  | Resource type | Get | List | Create | Update | Delete |
  |---|---|---|---|---|---|
  | service | apig:GetService | apig:ListServices | apig:CreateService | apig:UpdateService | apig:DeleteService |
  | source | apig:GetSource | apig:ListSources | apig:CreateSource | apig:UpdateSource | apig:DeleteSource |

  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "apig:GetService",
          "apig:GetSource",
          "apig:ListServices",
          "apig:ListSources",
          "apig:CreateService",
          "apig:CreateSource",
          "apig:UpdateService",
          "apig:UpdateSource",
          "apig:DeleteService",
          "apig:DeleteSource"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "apig:GatewayId": [
              "gw-d6h4********65n996e0"
            ]
          }
        }
      }
    ]
  }
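As an added worked example (not part of this page and not Alibaba Cloud's own policy engine), the following Python script simulates in simplified form how the two authorization modes described above scope a request: the Resource ARN mode of Examples 1 and 3 and the apig:GatewayId condition-key mode of Example 4. It models only glob matching on Action and Resource, the StringEquals operator, and explicit Deny overriding Allow; the gateway, API, region and account ids are constructed placeholders, and real RAM evaluation may differ in details that are not modelled here.

```python
import fnmatch
from typing import Any, Dict, List

# Added example, not Alibaba Cloud's own evaluator: a deliberately small
# simulation of how the Resource ARN and Condition elements scope a policy.
# Only the subset used by the page's examples is modelled (glob matching on
# Action and Resource, the StringEquals operator, explicit Deny over Allow).
# The ids below are constructed placeholders, not real resource ids.

GATEWAY_ID = "gw-example000000000001"   # placeholder gateway id
API_ID = "api-example00000000001"      # placeholder API id

# Example 1 shape: full permissions on one gateway instance via its ARN.
POLICY_GATEWAY_FULL = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["apig:*"],
        "Resource": f"acs:apig:*:*:gateway/{GATEWAY_ID}",
    }],
}

# Example 3 shape: read-only on every gateway resource.
POLICY_READ_ONLY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["apig:List*", "apig:Get*"],
        "Resource": "acs:apig:*:*:*",
    }],
}

# Example 4 shape: Resource "*" narrowed by the apig:GatewayId condition key.
POLICY_BY_GATEWAY_CONDITION = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "apig:GetService", "apig:GetSource",
            "apig:ListServices", "apig:ListSources",
            "apig:CreateService", "apig:CreateSource",
            "apig:UpdateService", "apig:UpdateSource",
            "apig:DeleteService", "apig:DeleteSource",
        ],
        "Resource": "*",
        "Condition": {"StringEquals": {"apig:GatewayId": [GATEWAY_ID]}},
    }],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _glob_any(patterns: Any, value: str) -> bool:
    # "apig:List*" matches "apig:ListServices"; "acs:apig:*:*:gateway/x"
    # matches the same ARN with a concrete region and account id filled in.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: Dict[str, Any], context: Dict[str, str]) -> bool:
    # Only StringEquals is modelled. A key missing from the request context
    # never satisfies the condition, so the statement simply does not apply.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator {operator!r} is not modelled here")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policies, action, resource, context=None) -> bool:
    """Allow only if some statement matches and no matching statement denies."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _glob_any(stmt["Action"], action):
                continue
            if not _glob_any(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False      # explicit Deny overrides any Allow
            allowed = True
    return allowed                # no matching Allow -> implicit deny


if __name__ == "__main__":
    gw_arn = f"acs:apig:cn-hangzhou:123456789012:gateway/{GATEWAY_ID}"
    svc_arn = "acs:apig:cn-hangzhou:123456789012:service/svc-example0001"
    print(is_allowed([POLICY_GATEWAY_FULL], "apig:DeleteGateway", gw_arn))
    print(is_allowed([POLICY_READ_ONLY], "apig:DeleteService", svc_arn))
    print(is_allowed([POLICY_BY_GATEWAY_CONDITION], "apig:DeleteService", svc_arn,
                     {"apig:GatewayId": GATEWAY_ID}))
    print(is_allowed([POLICY_BY_GATEWAY_CONDITION], "apig:DeleteService", svc_arn,
                     {"apig:GatewayId": "gw-other"}))
```

The point the simulation makes visible is the difference between the two modes: the Example 1 policy only matches requests whose resource ARN names that gateway, while the Example 4 policy matches any resource ARN but applies only when the request carries the expected apig:GatewayId, so the same service ARN is allowed under one gateway id and implicitly denied under another or when the key is absent.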
References
Review the Authorization information for Cloud-native API Gateway before creating a custom policy.