Cloud-native API Gateway system policy reference


This topic describes the system policies supported by Cloud-native API Gateway and their associated permissions. Use this information when you grant permissions to a Resource Access Management (RAM) identity.

What are system policies

An access policy is a set of permissions described by a specific syntax. The policy defines the authorized resources, operations, and conditions. RAM provides two types of access policies: system policies and custom policies. Alibaba Cloud creates and maintains system policies, which you can use but cannot modify. You are responsible for managing custom policies, including their creation, updates, and deletion. During product iterations, API Gateway adds new permissions to system policies to support new features. Updates to a system policy affect all RAM identities to which the policy is attached, such as RAM users, RAM user groups, and RAM roles. For more information about RAM access policies, see Overview of access policies.

Note

Product system policies help you get started quickly: a single attachment grants console access to the product and to the cloud products it depends on. The same system policies also work for programmatic access such as OpenAPI calls or the command-line interface (CLI). For better security in those scenarios, however, write custom policies that grant users and applications only the specific API permissions they need.
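The following is an added example, not code from this page or from Alibaba Cloud. It shows what a scoped custom policy looks like next to an over-broad one, and a small linter that flags the over-grants a reviewer should reject before attaching a policy. The RAM policy document shape (Version "1", Statement with Effect/Action/Resource/Condition) and the acs:SourceIp condition key are real; the action names (apig:Get*, apig:List*) and the resource ARN pattern are assumptions made for illustration and must be checked against the product's own action and resource list before use.

```python
"""Lint a RAM custom policy for obvious least-privilege violations.

Added example for this page; not Alibaba Cloud tooling. The action
names and the resource ARN pattern below are assumptions.
"""
import json
from typing import List

# Constructed sample: a scoped alternative to a read-only system policy,
# limited to read-style actions on gateways in one region and to callers
# from a private source range. Action names and ARN pattern are assumed.
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["apig:Get*", "apig:List*"],
            "Resource": "acs:apig:cn-hangzhou:*:gateway/*",
            "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}},
        }
    ],
})

# Constructed sample: an over-broad policy that grants everything on
# everything. A reviewer should reject this for any RAM identity.
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})


def _as_list(value) -> list:
    """RAM allows Action/Resource to be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> List[str]:
    """Return findings for a policy document; an empty list means no
    obvious over-grant was found. Only Allow statements are examined,
    because Deny statements can only narrow access."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1" for RAM policy documents')
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            # "*" grants every API of every product; "svc:*" grants every
            # API of one product, which is what the FullAccess policy does.
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: wildcard resource '*'")
    return findings


if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(name, lint_policy(doc) or "ok")
```

Run it once on every custom policy before attaching it to a RAM user, group, or role; a clean result is not proof of least privilege, but a wildcard action or resource in an Allow statement is the most common way a "custom" policy ends up as broad as the FullAccess system policy.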

System policies are categorized into product system policies, service role policies, and service-linked role policies. Some cloud products provide only one or two of these policy types. This topic describes only the policy types that apply to this product.

Product system policies

AliyunAPIGFullAccess

You can grant the AliyunAPIGFullAccess policy to a RAM identity. This policy grants full permissions to manage Cloud-native API Gateway.

AliyunAPIGReadOnlyAccess

You can grant the AliyunAPIGReadOnlyAccess policy to a RAM identity. This policy grants read-only permissions for Cloud-native API Gateway.

Service-linked role policy

AliyunServiceRolePolicyForNativeApiGw

API Gateway uses the service-linked role AliyunServiceRoleForNativeApiGw to access your resources in other cloud products. AliyunServiceRolePolicyForNativeApiGw is the authorization policy for this service-linked role. This policy is defined and used by API Gateway, and you cannot modify or delete it. Do not grant this policy to any RAM identity other than the specified service-linked role.

Authorization operation reference

By default, a RAM identity has no permissions. An Alibaba Cloud account administrator must grant permissions to a RAM identity before it can access the account's resources. To ensure data security, follow the Principle of Least Privilege (PoLP). Grant only the necessary permissions to identities that need to access cloud resources. For more information about how to grant permissions, see the following topics: