I'm a few steps away from migrating from Edge to X, but I'm wondering what setup is recommended concerning two topics, management and security.
Requirements:
full control over proxies “create/deploy” by each team/project
full control over api products / apps “create/delete” by each team/project
one GCP project, multiple API proxies
Two options come to mind:
one organization for the entire company
From a quick look at IAM policies, it doesn't seem possible, even with custom roles, to control which proxies a service account has permissions on. But even if that were possible, what about API products and apps?
one organization per project
All the requirements seem to be achievable with Apigee being managed by each Terraform project, and deployments being scoped to each project.
Thanks for bringing this question to the Apigee community! Let's see what the community has to offer in terms of suggestions or ideas. Thanks for your patience, and we'll keep an eye on this discussion.
In Google Cloud, you can create custom roles for an entire GCP organization or for a specific project within that organization. These custom roles can include a collection of permissions that will allow a user with the custom role to manage proxies or API products.
Below are the permissions you may include in a custom role for managing proxies:
apigee.proxies.create
apigee.proxies.delete
apigee.proxies.get
apigee.proxies.list
apigee.proxies.update
Additionally, here are the permissions you may include in a custom role for managing API products:
apigee.apiproducts.create
apigee.apiproducts.delete
apigee.apiproducts.get
apigee.apiproducts.list
apigee.apiproducts.update
For more information about users and roles, please refer to this document. You can find additional details about Apigee roles and their specific permissions in this document.
Hello - @jadelgado thank you for providing a detailed reply! @davidanrod , we’d love to hear if the solution helped resolve your issue. If so, please mark the answer as accepted to help others find it easily. We also encourage you to keep engaging in the forum - whether by asking questions or sharing your knowledge with others.
Thank you both for being part of the Apigee community!
Even though the answer is good, it's not exactly what I asked about. One of the scenarios was a global Apigee org with multiple projects, so imagine each project can create multiple proxies. In that particular case, how can I control which proxies can be managed by a specific project?
ie:
projectA has create/delete permissions only for proxy A1/A1
Considering this, you could have different projects in Google Cloud, each with one Apigee organization, and assign roles to users based on the Google Cloud projects. For example:
Project A (GCP) → Apigee Org A → Proxy A
Project B (GCP) → Apigee Org B → Proxy B
In this setup, roles could be managed so a group of users would have access only to Apigee Org A, while another group would have access only to Apigee Org B.
In another scenario, where there is only one Apigee organization (and therefore only one GCP project), for example:
Apigee Org A → Environment A → Proxy A, B
Apigee Org A → Environment B → Proxy A, B
In this case, roles could be managed at the environment level instead of by specific proxies. For example, a developer might need full access to the development environment but have no write access in the production environment.
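The following is an added example, not code from this thread, from Google or from the Apigee product. It models the two access setups discussed above (a custom role built from the apigee.proxies.* permissions listed earlier, bound either project-wide or only on a single Apigee environment) so that a reviewer can check who ends up with create/delete rights in production. Apigee X does accept IAM bindings on individual environments (setIamPolicy on the environment resource), but the role names proxyManager and proxyViewer, the group principals, the environment names and the bindings are all constructed for illustration; the evaluation logic is a simplified model of IAM, not the real policy engine.

```python
"""Model of Apigee X proxy permissions scoped at project vs. environment level.

Added example (not from the thread or from Google). Permission strings are the
ones listed in the thread; role names, principals and bindings are constructed.
"""
from dataclasses import dataclass, field

# Permissions the thread lists for a proxy-management custom role.
PROXY_PERMISSIONS = {
    "apigee.proxies.create",
    "apigee.proxies.delete",
    "apigee.proxies.get",
    "apigee.proxies.list",
    "apigee.proxies.update",
}
WRITE_PERMISSIONS = {"apigee.proxies.create", "apigee.proxies.delete"}

# Hypothetical custom roles (assumption): one read-write, one read-only.
CUSTOM_ROLES = {
    "projects/demo/roles/proxyManager": PROXY_PERMISSIONS,
    "projects/demo/roles/proxyViewer": {"apigee.proxies.get", "apigee.proxies.list"},
}


@dataclass
class Binding:
    role: str
    members: set


@dataclass
class Policy:
    # Project-level bindings apply to every environment of the Apigee org.
    project_bindings: list = field(default_factory=list)
    # Environment-level bindings (keyed by env name) apply only in that env.
    env_bindings: dict = field(default_factory=dict)


def permissions_for(policy, member, env):
    """Union of permissions `member` holds inside environment `env`."""
    granted = set()
    for b in policy.project_bindings + policy.env_bindings.get(env, []):
        if member in b.members:
            granted |= CUSTOM_ROLES.get(b.role, set())
    return granted


def has_permission(policy, member, permission, env):
    return permission in permissions_for(policy, member, env)


def prod_writers(policy, prod_env="prod"):
    """Least-privilege check: every principal able to create/delete in prod."""
    writers = set()
    for b in policy.project_bindings + policy.env_bindings.get(prod_env, []):
        if CUSTOM_ROLES.get(b.role, set()) & WRITE_PERMISSIONS:
            writers |= set(b.members)
    return writers


def weak_policy():
    """Setup the original poster worried about: the manager role bound
    project-wide, so the dev team can delete proxies in prod as well."""
    return Policy(
        project_bindings=[
            Binding("projects/demo/roles/proxyManager", {"group:dev-team"}),
        ]
    )


def scoped_policy():
    """Environment-scoped setup: dev team reads everywhere, writes only in
    'dev'; a separate SRE group is the only writer in 'prod'."""
    return Policy(
        project_bindings=[
            Binding("projects/demo/roles/proxyViewer", {"group:dev-team"}),
        ],
        env_bindings={
            "dev": [Binding("projects/demo/roles/proxyManager", {"group:dev-team"})],
            "prod": [Binding("projects/demo/roles/proxyManager", {"group:platform-sre"})],
        },
    )


if __name__ == "__main__":
    for name, pol in (("weak", weak_policy()), ("scoped", scoped_policy())):
        print(name, "prod writers:", sorted(prod_writers(pol)))
```

The two policy builders are the weak and the corrected configuration side by side: with the role bound at project level, prod_writers() reports the dev team as a production writer, while with the environment-scoped bindings only the SRE group appears. The model only covers the apigee.proxies.* permissions quoted in the thread; a real deployment also needs deployment-related permissions, and product and app management (the apigee.apiproducts.* permissions above) have no environment scope, which is the part of the original question this model cannot narrow further.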