Create Policies to Control Access to Network and API Gateway-Related Resources

Before users can start using the API Gateway service to create API gateways and deploy APIs on them, as a tenancy administrator you have to create a number of Oracle Cloud Infrastructure policies to grant access to API Gateway-related and network resources.

To grant access to API Gateway-related and network resources, you have to:

  • Create a policy to give API Gateway users access to API Gateway-related resources.
  • Create a policy to give API Gateway users access to network resources.
  • Create a policy to give API Gateway users access to functions (if functions will be used as API back ends or as authorizer functions).
  • Create a policy to give API gateways access to functions (if functions will be used as API back ends).
  • Create a policy to give API gateways access to cache server credentials in the Vault service (if API gateways will cache response data in an external cache server).

Each of these policies is described in its own section below. See Details for API Gateway for more information about policies.

Create a Policy to Give API Gateway Users Access to API Gateway-Related Resources

When API Gateway users define a new API gateway and new API deployments, they have to specify a compartment for those API Gateway-related resources. Users can only specify a compartment that the groups to which they belong have been granted access. To enable users to specify a compartment, you must create an identity policy to grant the groups access.

To create a policy to give users access to API Gateway-related resources in the compartment that will own those resources:

  1. Log in to the Console as a tenancy administrator.
  2. In the Console, open the navigation menu and click Identity & Security. Under Identity, click Policies. A list of the policies in the compartment you're viewing is displayed.
  3. Select the compartment that will own API Gateway-related resources from the list on the left.
  4. Click Create Policy.
  5. Enter the following:

    • Name: A meaningful name for the policy (for example, acme-apigw-developers-manage-access). The name must be unique across all policies in your tenancy. You cannot change this later. Avoid entering confidential information.
    • Description: A meaningful description (for example, Gives api-gateway developers access to all resources in the acme-apigw-compartment). You can change this later if you want to.
    • Statement: As Statement 1, enter the following policy statement to give the group access to all API Gateway-related resources in the compartment:

      Allow group <group-name> to manage api-gateway-family in compartment <compartment-name>

      For example:

      Allow group acme-apigw-developers to manage api-gateway-family in compartment acme-apigw-compartment
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
  6. Click Create to create the policy giving API Gateway users access to API Gateway-related resources in the compartment.

Tip

Normally, API gateways and API deployments are created in the same compartment. However, in large development teams with many API developers, you might find it useful to create separate compartments for API gateways and for API deployments. Doing so will enable you to give different groups of users appropriate access to those resources.

Create a Policy to Give API Gateway Users Access to Network Resources

When API Gateway users define a new API gateway, they have to specify a VCN and a subnet in which to create the API gateway. Users can only specify VCNs and subnets that the groups to which they belong have been granted access. To enable users to specify a VCN and subnet, you must create an identity policy to grant the groups access. In addition, if you want to enable users to create public API gateways, the identity policy must allow the groups to manage public IP addresses in the compartment that owns the network resources.

To create a policy to give API Gateway users access to network resources:

  1. Log in to the Console as a tenancy administrator.
  2. In the Console, open the navigation menu and click Identity & Security. Under Identity, click Policies. A list of the policies in the compartment you're viewing is displayed.
  3. Select the compartment that owns the network resources from the list on the left.
  4. Click Create Policy.
  5. Enter the following:

    • Name: A meaningful name for the policy (for example, acme-apigw-developers-network-access). The name must be unique across all policies in your tenancy. You cannot change this later. Avoid entering confidential information.
    • Description: A meaningful description (for example, Gives api-gateway developers access to all network resources in the acme-network compartment). You can change this later if you want to.
    • Statement: The following policy statement to give the group access to network resources in the compartment (including the ability to manage public IP addresses):

      Allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

      For example:

      Allow group acme-apigw-developers to manage virtual-network-family in compartment acme-network
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
  6. Click Create to create the policy giving API Gateway users access to network resources and public IP addresses in the compartment.

Create a Policy to Give API Gateway Users Access to Functions

When API Gateway users define a new API gateway, one option is to specify a serverless function defined in Oracle Functions as the API back end. Users can only specify functions that the groups to which they belong have been granted access. If you want to enable users to specify functions as API back ends, you must create an identity policy to grant the groups access. Note that in addition to this policy for the user group, to enable users to specify functions as API back ends you also have to create a policy to give API gateways access to Oracle Functions (see Create a Policy to Give API Gateways Access to Functions).

Another reason to create an identity policy that grants groups access to Oracle Functions is if you want to enable users to use the Console (rather than a JSON file) to define an authentication request policy and specify an authorizer function defined in Oracle Functions (see Using Authorizer Functions to Add Authentication and Authorization to API Deployments).

To create a policy to give API Gateway users access to functions defined in Oracle Functions:

  1. Log in to the Console as a tenancy administrator.
  2. In the Console, open the navigation menu and click Identity & Security. Under Identity, click Policies. A list of the policies in the compartment you're viewing is displayed.
  3. Select the compartment that owns the functions from the list on the left.
  4. Click Create Policy.
  5. Enter the following:

    • Name: A meaningful name for the policy (for example, acme-apigw-developers-functions-access). The name must be unique across all policies in your tenancy. You cannot change this later. Avoid entering confidential information.
    • Description: A meaningful description (for example, Gives api-gateway developers access to all functions in the acme-functions-compartment). You can change this later if you want to.
    • Statement: The following policy statement to give the group access to the functions in the compartment:

      Allow group <group-name> to use functions-family in compartment <compartment-name>

      For example:

      Allow group acme-apigw-developers to use functions-family in compartment acme-functions-compartment
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
  6. Click Create to create the policy giving API Gateway users access to functions in the compartment.

Create a Policy to Give API Gateways Access to Functions

When API Gateway users define a new API gateway, one option is to specify a serverless function defined in Oracle Functions as the API back end. Before creating the API gateway, the API Gateway service verifies that the new API gateway will have access to the specified function through an IAM policy.

Note that in addition to this policy for API gateways, to enable users to specify functions as API back ends you also have to create a policy to give users access to Oracle Functions (see Create a Policy to Give API Gateway Users Access to Functions).

To create a policy to give API gateways access to functions defined in Oracle Functions:

  1. Log in to the Console as a tenancy administrator.
  2. Create a new policy to give API gateways access to functions defined in Oracle Functions:

    1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
    2. Select the compartment containing the function-related resources to which you want to grant access. If the resources are in different compartments, select a common parent compartment (for example, the tenancy's root compartment).
    3. Follow the instructions in To create a policy, and give the policy a name (for example, acme-apigw-gateways-functions-policy).
    4. Enter a policy statement to give API gateways access to the compartment containing functions defined in Oracle Functions:

      ALLOW any-user to use functions-family in compartment <functions-compartment-name> where ALL {request.principal.type = 'ApiGateway', request.resource.compartment.id = '<api-gateway-compartment-OCID>'}

      where:

      • <functions-compartment-name> is the name of the compartment containing the functions you want to use as back ends for API gateways.
      • <api-gateway-compartment-OCID> is the OCID of the compartment containing the API gateways that you want to have access to the functions.

      For example:

      ALLOW any-user to use functions-family in compartment acme-functions-compartment where ALL {request.principal.type = 'ApiGateway', request.resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa7______ysq'}
    5. Click Create to create the policy giving API gateways access to functions defined in Oracle Functions.

Create a Policy to Give API Gateways Access to Cache Server Credentials in the Vault Service

If API Gateway users define an API gateway that caches response data in an external cache server (such as a Redis server), the credentials to authenticate with the cache server must be stored as a secret in a vault in the Vault service. To enable API gateways to authenticate with the cache server, you have to create a policy that grants API gateways access to secrets in the Vault service.

To create a policy to give API gateways access to cache server secrets in the Vault service:

  1. Log in to the Console as a tenancy administrator.
  2. Create a new dynamic group comprising one or more API gateways:

    1. Open the navigation menu and click Identity & Security. Under Identity, click Dynamic Groups.
    2. Follow the instructions in To create a dynamic group, and give the dynamic group a name (for example, acme-apigw-dyn-grp).
    3. When specifying a rule for the dynamic group, consider the following examples:

      • If you want all API gateways in a compartment to be able to access cache server secrets, enter a rule similar to the following that adds all API gateways in the compartment with the specified compartment OCID to the dynamic group:

        ALL {resource.type = 'ApiGateway', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa23______smwa'}
      • If you want a specific API gateway to be able to access cache server secrets, enter a rule similar to the following that adds the API gateway with the specified OCID to the dynamic group:

        ALL {resource.type = 'ApiGateway', resource.id = 'ocid1.apigateway.oc1.iad.aaaaaaaab______hga'}
    4. Click Create Dynamic Group.

    Having created a dynamic group that includes one or more API gateways, you can now create a policy to give the dynamic group access to one or more cache server secrets.

  3. Create a new policy to grant the dynamic group access to one or more cache server secrets in the Vault service:

    1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
    2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-apigw-dyn-grp-policy).
    3. When specifying a policy statement, consider the following examples:

      • If you want API gateways in the acme-apigw-dyn-grp to be able to access all secrets in a compartment (including, but not limited to, secrets that contain cache server credentials), enter a policy statement similar to the following:

        allow dynamic-group acme-apigw-dyn-grp to read secret-bundles in compartment acme-apigw-compartment
      • If you want API gateways in the acme-apigw-dyn-grp to be able to access a specific secret that contains the cache server credentials, enter a policy statement similar to the following:

        allow dynamic-group acme-apigw-dyn-grp to read secret-bundles in compartment acme-apigw-compartment where secret.version.id='ocid1.vaultsecret.oc1.iad.amaaaaaa______qia'
    4. Click Create to create the new policy giving API gateways in the dynamic group access to the specified cache server secrets in the Vault service.
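The statements on this page share a narrow shape: groups get manage or use on one service family in one compartment, the any-user grant for API gateways is conditioned on request.principal.type = 'ApiGateway' and on an API gateway compartment OCID, and the dynamic group only reads secret-bundles. The following Python linter is an added example, not part of the Oracle documentation or the OCI tooling; it parses statements of that shape and flags ones that drift from it (an any-user grant with no conditions, a tenancy-wide or all-resources grant). The sample input is the page's own statements (with the page's placeholder OCIDs) plus two constructed weak variants.

```python
import re
# Sample statements: the page's own policy lines plus two constructed weak variants.
STATEMENTS = [
    "Allow group acme-apigw-developers to manage api-gateway-family in compartment acme-apigw-compartment",
    "Allow group acme-apigw-developers to manage virtual-network-family in compartment acme-network",
    "Allow group acme-apigw-developers to use functions-family in compartment acme-functions-compartment",
    "ALLOW any-user to use functions-family in compartment acme-functions-compartment "
    "where ALL {request.principal.type = 'ApiGateway', "
    "request.resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa7______ysq'}",
    "allow dynamic-group acme-apigw-dyn-grp to read secret-bundles in compartment acme-apigw-compartment "
    "where secret.version.id='ocid1.vaultsecret.oc1.iad.amaaaaaa______qia'",
    # Constructed weak variant: any-user with no where clause at all.
    "allow any-user to use functions-family in compartment acme-functions-compartment",
    # Constructed weak variant: tenancy-wide manage on every resource type.
    "allow group acme-apigw-developers to manage all-resources in tenancy",
]

PATTERN = re.compile(
    r"^allow\s+(?P<subject>any-user|group\s+\S+|dynamic-group\s+\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<where>.+))?$",
    re.IGNORECASE,
)

def parse(stmt):
    """Split one policy statement into subject/verb/resource/scope/where; raise if off-pattern."""
    m = PATTERN.match(stmt.strip())
    if m is None:
        raise ValueError(f"unparseable statement: {stmt}")
    return {k: (v or "").lower() for k, v in m.groupdict().items()}

def lint(stmt):
    """Return findings for one statement; an empty list means it matches the page's pattern."""
    p = parse(stmt)
    findings = []
    if p["subject"] == "any-user":
        # The page's any-user grant is acceptable only because both conditions pin it to
        # ApiGateway principals in one compartment; without them every principal gets it.
        if "request.principal.type" not in p["where"] or "'apigateway'" not in p["where"]:
            findings.append("any-user grant not restricted to request.principal.type = 'ApiGateway'")
        if "request.resource.compartment.id" not in p["where"]:
            findings.append("any-user grant not pinned to an API gateway compartment OCID")
    if p["scope"] == "tenancy":
        findings.append("grant is tenancy-wide instead of scoped to a compartment")
    if p["resource"] == "all-resources":
        findings.append("grant covers all-resources instead of one service family")
    if p["verb"] == "manage" and p["resource"] in ("functions-family", "secret-bundles"):
        findings.append(f"{p['resource']} needs only use/read here, not manage")
    return findings
```

Running lint over STATEMENTS returns no findings for the page's five statements and two findings each for the two constructed variants.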