Create Policies to Control Access to Network and API Gateway-Related Resources

Before users can start using the API Gateway service to create API gateways and deploy APIs on them, as a tenancy administrator you have to create a number of Oracle Cloud Infrastructure policies to grant access to API Gateway-related and network resources.

To grant access to API Gateway-related and network resources, you have to:

  • Create a Policy to Give API Gateway Users Access to API Gateway-Related Resources
  • Create a Policy to Give API Gateway Users Access to Network Resources
  • Create a Policy to Give API Gateway Users Access to Functions
  • Create a Policy to Give API Gateways Access to Functions

See Details for API Gateway for more information about policies.

Create a Policy to Give API Gateway Users Access to API Gateway-Related Resources

When API Gateway users define a new API gateway and new API deployments, they have to specify a compartment for those API Gateway-related resources. Users can only specify a compartment to which the groups they belong to have been granted access. To enable users to specify a compartment, you must create an identity policy to grant the groups access.

To create a policy to give users access to API Gateway-related resources in the compartment that will own those resources:

  1. Log in to the Console as a tenancy administrator.
  2. In the Console, open the navigation menu. Under Governance and Administration, go to Identity and click Policies. A list of the policies in the compartment you're viewing is displayed.
  3. Select the compartment that will own API Gateway-related resources from the list on the left.
  4. Click Create Policy.
  5. Enter the following:

    • Name: A meaningful name for the policy (for example, acme-apigw-developers-manage-access). The name must be unique across all policies in your tenancy. You cannot change this later. Avoid entering confidential information.
    • Description: A meaningful description (for example, Gives api-gateway developers access to all resources in the acme-apigw-compartment). You can change this later if you want to. Avoid entering confidential information.
    • Policy Versioning: Select Keep Policy Current if you'd like the policy to stay current with any future changes to the service's definitions of verbs and resources. Or if you'd prefer to limit access according to the definitions that were current on a specific date, select Use Version Date and enter that date in YYYY-MM-DD format. For more information, see Policy Language Version.
    • Statement: As Statement 1, enter the following policy statement to give the group access to all API Gateway-related resources in the compartment:

      Allow group <group-name> to manage api-gateway-family in compartment <compartment-name>

      For example:

      Allow group acme-apigw-developers to manage api-gateway-family in compartment acme-apigw-compartment
    • Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  6. Click Create to create the policy giving API Gateway users access to API Gateway-related resources in the compartment.
Tip

Normally, API gateways and API deployments are created in the same compartment. However, in large development teams with many API developers, you might find it useful to create separate compartments for API gateways and for API deployments. Doing so will enable you to give different groups of users appropriate access to those resources.

Create a Policy to Give API Gateway Users Access to Network Resources

When API Gateway users define a new API gateway, they have to specify a VCN and a subnet in which to create the API gateway. Users can only specify VCNs and subnets to which the groups they belong to have been granted access. To enable users to specify a VCN and subnet, you must create an identity policy to grant the groups access. In addition, if you want to enable users to create public API gateways, the identity policy must allow the groups to manage public IP addresses in the compartment that owns the network resources.

To create a policy to give API Gateway users access to network resources:

  1. Log in to the Console as a tenancy administrator.
  2. In the Console, open the navigation menu. Under Governance and Administration, go to Identity and click Policies. A list of the policies in the compartment you're viewing is displayed.
  3. Select the compartment that owns the network resources from the list on the left.
  4. Click Create Policy.
  5. Enter the following:

    • Name: A meaningful name for the policy (for example, acme-apigw-developers-network-access). The name must be unique across all policies in your tenancy. You cannot change this later. Avoid entering confidential information.
    • Description: A meaningful description (for example, Gives api-gateway developers access to all network resources in the acme-network compartment). You can change this later if you want to. Avoid entering confidential information.
    • Policy Versioning: Select Keep Policy Current if you'd like the policy to stay current with any future changes to the service's definitions of verbs and resources. Or if you'd prefer to limit access according to the definitions that were current on a specific date, select Use Version Date and enter that date in YYYY-MM-DD format. For more information, see Policy Language Version.
    • Statement: The following policy statement to give the group access to network resources in the compartment (including the ability to manage public IP addresses):

      Allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

      For example:

      Allow group acme-apigw-developers to manage virtual-network-family in compartment acme-network
    • Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  6. Click Create to create the policy giving API Gateway users access to network resources and public IP addresses in the compartment.

Create a Policy to Give API Gateway Users Access to Functions

When API Gateway users define a new API gateway, one option is to specify a serverless function defined in Oracle Functions as the API back end. Users can only specify functions to which the groups they belong to have been granted access. If you want to enable users to specify functions as API back ends, you must create an identity policy to grant the groups access. Note that in addition to this policy for the user group, to enable users to specify functions as API back ends you also have to create a policy to give API gateways access to Oracle Functions (see Create a Policy to Give API Gateways Access to Functions).

Another reason to create an identity policy that grants groups access to Oracle Functions is if you want to enable users to use the Console (rather than a JSON file) to define an authentication request policy and specify an authorizer function defined in Oracle Functions (see Using Authorizer Functions to Add Authentication and Authorization to API Deployments).

To create a policy to give API Gateway users access to functions defined in Oracle Functions:

  1. Log in to the Console as a tenancy administrator.
  2. In the Console, open the navigation menu. Under Governance and Administration, go to Identity and click Policies. A list of the policies in the compartment you're viewing is displayed.
  3. Select the compartment that owns the functions from the list on the left.
  4. Click Create Policy.
  5. Enter the following:

    • Name: A meaningful name for the policy (for example, acme-apigw-developers-functions-access). The name must be unique across all policies in your tenancy. You cannot change this later. Avoid entering confidential information.
    • Description: A meaningful description (for example, Gives api-gateway developers access to all functions in the acme-functions-compartment). You can change this later if you want to. Avoid entering confidential information.
    • Policy Versioning: Select Keep Policy Current if you'd like the policy to stay current with any future changes to the service's definitions of verbs and resources. Or if you'd prefer to limit access according to the definitions that were current on a specific date, select Use Version Date and enter that date in YYYY-MM-DD format. For more information, see Policy Language Version.
    • Statement: The following policy statement to give the group access to the functions in the compartment:

      Allow group <group-name> to use functions-family in compartment <compartment-name>

      For example:

      Allow group acme-apigw-developers to use functions-family in compartment acme-functions-compartment
    • Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  6. Click Create to create the policy giving API Gateway users access to functions in the compartment.

Create a Policy to Give API Gateways Access to Functions

When API Gateway users define a new API gateway, one option is to specify a serverless function defined in Oracle Functions as the API back end. Before creating the API gateway, the API Gateway service verifies that the new API gateway will have access to the specified function through an IAM policy.

Note that in addition to this policy for API gateways, to enable users to specify functions as API back ends you also have to create a policy to give users access to Oracle Functions (see Create a Policy to Give API Gateway Users Access to Functions).

To create a policy to give API gateways access to functions defined in Oracle Functions:

  1. Log in to the Console as a tenancy administrator.
  2. Create a new policy to give API gateways access to functions defined in Oracle Functions:

    1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.
    2. Select the compartment containing the function-related resources to which you want to grant access. If the resources are in different compartments, select a common parent compartment (for example, the tenancy's root compartment).
    3. Follow the instructions in To create a policy, and give the policy a name (for example, acme-apigw-gateways-functions-policy).
    4. Enter a policy statement to give API gateways access to the compartment containing functions defined in Oracle Functions:

      ALLOW any-user to use functions-family in compartment <functions-compartment-name>
      where
      ALL { request.principal.type = 'ApiGateway',
            request.resource.compartment.id = '<api-gateway-compartment-OCID>'
      }

      where:

      • <functions-compartment-name> is the name of the compartment containing the functions you want to use as back ends for API gateways.
      • <api-gateway-compartment-OCID> is the OCID of the compartment containing the API gateways that you want to have access to the functions.

      For example:

      ALLOW any-user to use functions-family in compartment acme-functions-compartment
      where
      ALL { request.principal.type = 'ApiGateway',
            request.resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa7______ysq'
      }
    5. Click Create to create the policy giving API gateways access to functions defined in Oracle Functions.
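The group statements in the earlier sections and the any-user statement in this section are easy to get subtly wrong: leaving a <placeholder> in place, dropping the where clause (which turns any-user into a grant to every principal in the tenancy), joining the conditions with ANY instead of ALL, or pinning the gateway compartment by name instead of OCID. The following Python script is an added example, not part of Oracle's documentation or the API Gateway service: it parses the statement shapes shown on this page and reports least-privilege findings before you paste the statements into the Console or pass them to the CLI. The regular expressions cover only the shapes on this page (not the full policy grammar), and the function names, the finding texts and the sample statements are constructed for the example.

```python
import re

# Shapes of the statements shown on this page: a group grant with an optional
# "where" clause, and the any-user grant scoped by a condition block.
# (Regex constructed for this example; it covers the page's statements, not the
# whole OCI policy grammar.)
STATEMENT_RE = re.compile(
    r"""^\s*allow\s+
        (?:group\s+(?P<group>\S+)|(?P<any_user>any-user))\s+
        to\s+(?P<verb>inspect|read|use|manage)\s+
        (?P<resource>[a-z0-9-]+)\s+
        in\s+compartment\s+(?P<compartment>\S+)
        (?:\s+where\s+(?P<condition>.+))?\s*$""",
    re.IGNORECASE | re.VERBOSE | re.DOTALL,
)

# key = 'value' pairs inside a condition; tolerates "type= 'ApiGateway' ,"
PAIR_RE = re.compile(r"(?P<key>[A-Za-z0-9_.]+)\s*=\s*'(?P<value>[^']*)'")


def parse_condition(text):
    """Return (operator, {variable: value}) for 'ALL {...}', 'ANY {...}' or a bare pair."""
    text = text.strip()
    m = re.match(r"^(all|any)\s*\{(.*)\}$", text, re.IGNORECASE | re.DOTALL)
    if m:
        operator, body = m.group(1).upper(), m.group(2)
    else:
        operator, body = "ALL", text
    return operator, {k.lower(): v for k, v in PAIR_RE.findall(body)}


def review_statement(statement):
    """Parse one statement and return a list of least-privilege findings (empty = clean)."""
    m = STATEMENT_RE.match(statement)
    if not m:
        return ["statement does not match the expected 'Allow ... in compartment ...' shape"]
    findings = []
    if "<" in statement and ">" in statement:
        findings.append("template placeholder such as <group-name> was not replaced")
    verb = m.group("verb").lower()
    operator, conds = "ALL", {}
    if m.group("condition"):
        operator, conds = parse_condition(m.group("condition"))
    if m.group("any_user"):
        # any-user is only acceptable when the condition pins the principal type
        # and the compartment of the calling gateway, and both must hold (ALL).
        if operator != "ALL":
            findings.append("any-user conditions joined with ANY: a single matching condition grants access")
        if conds.get("request.principal.type") != "ApiGateway":
            findings.append("any-user grant without request.principal.type = 'ApiGateway': every principal matches")
        cid = conds.get("request.resource.compartment.id")
        if cid is None:
            findings.append("any-user grant not pinned to the gateway compartment (request.resource.compartment.id)")
        elif not cid.startswith("ocid1.compartment."):
            findings.append("request.resource.compartment.id must be a compartment OCID, not a name")
        if verb == "manage":
            findings.append("any-user granted manage: the gateway only needs 'use' to invoke functions")
    return findings


def review_policy(statements):
    """Map each statement to its findings (run this on the list you hand to the CLI)."""
    return {s: review_statement(s) for s in statements}


# Constructed sample: the page's three group grants, the any-user grant from this
# section, and a careless variant that drops the 'where' clause.
SAMPLE_STATEMENTS = [
    "Allow group acme-apigw-developers to manage api-gateway-family in compartment acme-apigw-compartment",
    "Allow group acme-apigw-developers to manage virtual-network-family in compartment acme-network",
    "Allow group acme-apigw-developers to use functions-family in compartment acme-functions-compartment",
    "ALLOW any-user to use functions-family in compartment acme-functions-compartment\n"
    "where\n"
    "ALL { request.principal.type= 'ApiGateway' ,\n"
    "      request.resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa7______ysq'\n"
    "}",
    "ALLOW any-user to use functions-family in compartment acme-functions-compartment",
]

if __name__ == "__main__":
    for stmt, findings in review_policy(SAMPLE_STATEMENTS).items():
        print(stmt.splitlines()[0], "->", findings or "OK")
```

The script treats the any-user grant as the risky shape: a group grant is already bounded by group membership, whereas any-user is bounded only by its where clause, so every missing or weakened condition there is reported.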