Background
Many customers have asked for fine-grained access control over developing API Proxies and Shared Flows, so that development teams can work privately and access to specific environments can be controlled. This solution guide provides a step-by-step solution that works for both the Apigee APIs and the Apigee management console.
See also RBAC with Fine Grained Access - Apigee X - Using Groups.
User Story
As a security stakeholder, I want to restrict access to Apigee resources so that I can assign them to separate business units or projects.
- Business unit leads should be able to grant user access to their own environment(s).
- Business unit members should only be able to access Apigee resources that belong to the business unit. These resources should include:
  - Development resources:
    - API Proxy
    - Shared Flow
    - Deployments
    - Debug Sessions
    - Flow Hooks
  - Developer resources:
    - API Products
    - Rate Plans (see Limitations and Caveats)
    - App Developers (see Limitations and Caveats)
    - Applications (see Limitations and Caveats)
  - Environment resources (see Environment Access):
    - KVMs
    - Resource files
    - TargetServers
    - References
    - KeyStores
Overview
Supported Resource Types
Apigee supports adding resource conditions in IAM policies for the supported resource types by using conditional role bindings during role assignment. Conditions can be based on time (e.g. a schedule or an expiry) or on a named resource (e.g. a resource of a given type whose name starts with "bu1-"). Roles can be assigned to individual users or to a group.
TIP: Assigning conditional access to a group simplifies management: once the conditions have been specified for the group, individual users are simply added to it, which avoids updating the conditions on every user assignment.
NOTE: This guide uses a single user role assignment in a project, but the steps are similar when using a group in an organization.
Environment Access
Environments do not support conditional role assignment directly. Rather, access to an environment and its resources is granted via "Access" in the UI or via the Apigee API Environments Set IAM Policy API. Assigning a user as an "Apigee Environment Admin" to an environment (e.g. bu1-test) controls access to environment-specific resources such as KVMs, Resource files, TargetServers, References, and KeyStores. It also controls access to deployments and debug sessions for the environment.
Unsupported Resource Types
These resource types do not support conditional role-based assignment; access to them can instead be managed via built-in roles or custom roles.
- Analytics Dashboards
- Custom Reports
- Advanced API Security
- Advanced API Ops
- Integrated Developer Portals
- Integrations
- Connectors
Limitations and Caveats
- Rate Plans
  - Rate Plans are associated with an API Product, so access can be protected by the API Product name.
  - Rate Plans are identified using a UUID; this guide does not demonstrate how to apply conditional role assignment to them.
- App Developers
  - Developers are identified using either an email or a UUID; this guide does not demonstrate how to apply conditional role assignment to them.
- Applications
  - Although Applications can be restricted by name, the "Apps" list page in the UI performs a "GET /apps?expand=true" API call, which returns all the details for every App and thereby allows the user to see any App's keys.
Overview of Steps
Using GCP IAM Console or GCP APIs:
- Assign the Apigee API Admin and Apigee Developer Admin roles to the user or group, with conditions on the role assignment.
- Create a custom role "Custom Role Apigee Deploy and Debug" with get and list permissions for environments and deployments, and assign it to users without conditions. This fixes UI errors that otherwise prevent deployments and debug sessions.
Using Apigee UI or Apigee APIs:
- Assign Apigee Environment Admin "Access" for the user to specific Environments (e.g. bu1-test).
Solution Details
Apigee supports adding resource conditions in IAM policies on specific resource types (proxies, shared flows) used by the Apigee built-in roles through GCP IAM. Not all resource types are "conditional", in particular Environments. Access to environments is granted via "Access" in the UI or via the Apigee API Environments Set IAM Policy API. Assigning a user as an "Apigee Environment Admin" to an environment (e.g. bu1-test) controls access to environment-specific resources such as KVMs, Resource files, TargetServers, References, and KeyStores.
Create Custom Role
This custom role is required so that the user can manage deployments and debug sessions in the Apigee UI. It also enables configuring Flow Hooks for the assigned environment.
Create a custom role (e.g. Custom Role Apigee Deploy and Debug) that grants the following get and list permissions on deployments and environments:
apigee.deployments.get
apigee.deployments.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.operations.get
apigee.operations.list
apigee.projectorganizations.get
apigee.setupcontexts.get
Assign Roles
The Apigee built-in roles Apigee API Admin and Apigee Developer Admin are required for an "API proxy developer" to create and test proxies and shared flows. The Apigee API Admin role is required to create API proxies, shared flows and related artifacts such as API Products. The Apigee Developer Admin role is required to create Developers and Apps for testing.
Assign Conditions to Assigned Roles
Add the following conditions to both the Apigee API Admin and Apigee Developer Admin role assignments.
- The clause (resource.type == 'apigee.googleapis.com/Developer') allows users to list Developers and their Apps.
- The clause (resource.type == 'apigee.googleapis.com/DeveloperApp' && resource.name.extract('/apps/{name}').startsWith('bu1-')) allows access to Developer Apps whose name starts with the prefix.
NOTE: the resource.name.startsWith() clauses use the name of the project (e.g. apigeex-exp) as the organization in the resource name.
resource.name.startsWith("organizations/apigeex-exp/apis/bu1-") ||
resource.name.startsWith("organizations/apigeex-exp/sharedflows/bu1-") ||
resource.name.startsWith("organizations/apigeex-exp/apiproducts/bu1-") ||
(resource.type == 'apigee.googleapis.com/Developer') ||
(resource.type == 'apigee.googleapis.com/DeveloperApp' && resource.name.extract('/apps/{name}').startsWith('bu1-')) ||
resource.type == "cloudresourcemanager.googleapis.com/Project"
- Navigate to IAM & Admin → IAM in the GCP Console.
- Add a principal and assign the Apigee API Admin role.
- Click the pencil to "Edit principal".
- Click the pencil to add the Condition.
Select "CONDITION EDITOR" and paste the condition from above, adjusting "bu1-" to your resource prefix.
Repeat for the Apigee Developer Admin role.
The final role assignment for the user:
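To dry-run the condition before pasting it into the condition editor, here is an added example (not part of the original guide) that renders the condition for a project and prefix and mirrors its clauses locally over constructed resource names. PROJECT, PREFIX, the sample names and the placeholder resource type are assumptions, and the evaluator approximates CEL's startsWith/extract semantics rather than running a CEL engine.

```python
import re

PROJECT, PREFIX = "apigeex-exp", "bu1-"  # constructed: the guide's sample project and prefix
DEVELOPER = "apigee.googleapis.com/Developer"
DEVELOPER_APP = "apigee.googleapis.com/DeveloperApp"
GCP_PROJECT = "cloudresourcemanager.googleapis.com/Project"
NAME_KEYED = "placeholder/NotCheckedByCondition"  # the name clauses never look at the type

def build_condition(project: str, prefix: str) -> str:
    """Render the guide's CEL condition for a project (= Apigee org) and a name prefix."""
    org = f"organizations/{project}"
    return " ||\n".join([
        f'resource.name.startsWith("{org}/apis/{prefix}")',
        f'resource.name.startsWith("{org}/sharedflows/{prefix}")',
        f'resource.name.startsWith("{org}/apiproducts/{prefix}")',
        f"(resource.type == '{DEVELOPER}')",
        f"(resource.type == '{DEVELOPER_APP}' && "
        f"resource.name.extract('/apps/{{name}}').startsWith('{prefix}'))",
        f'resource.type == "{GCP_PROJECT}"',
    ])

def extract_app_name(resource_name: str) -> str:
    """Mirror of CEL resource.name.extract('/apps/{name}'): text after '/apps/', else ''."""
    match = re.search(r"/apps/(.*)$", resource_name)
    return match.group(1) if match else ""

def condition_allows(resource_type: str, resource_name: str, project: str, prefix: str) -> bool:
    """Local mirror of the condition's clauses in the same OR order (dry-run aid, not CEL)."""
    org = f"organizations/{project}"
    return (
        resource_name.startswith(f"{org}/apis/{prefix}")
        or resource_name.startswith(f"{org}/sharedflows/{prefix}")
        or resource_name.startswith(f"{org}/apiproducts/{prefix}")
        or resource_type == DEVELOPER
        or (resource_type == DEVELOPER_APP
            and extract_app_name(resource_name).startswith(prefix))
        or resource_type == GCP_PROJECT
    )

SAMPLES = [  # constructed (type, name) pairs a bu1 developer might touch
    (NAME_KEYED, f"organizations/{PROJECT}/apis/bu1-orders"),
    (NAME_KEYED, f"organizations/{PROJECT}/apis/bu2-orders"),
    (NAME_KEYED, f"organizations/{PROJECT}/apis/bu10-orders"),  # prefix-hygiene check
    (DEVELOPER_APP, f"organizations/{PROJECT}/developers/dev@example.com/apps/bu1-app"),
    (DEVELOPER, f"organizations/{PROJECT}/developers/dev@example.com"),
]

def dry_run(project: str = PROJECT, prefix: str = PREFIX) -> dict:
    """Map each sample name to whether the condition grants access; try prefix="bu1" too."""
    return {name: condition_allows(rtype, name, project, prefix) for rtype, name in SAMPLES}
```

Running dry_run(prefix="bu1") shows why the prefix should include its delimiter: without the trailing "-", the bu10-orders proxy is also granted.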
Assign User Access to Environment
Access for users to specific environments is done in Apigee UI or via APIs on the environment. Access to environments is required to allow management of environment specific resources such as Target Servers, KVMs and PropertySets, since these are not named resources and cannot be used in conditional role assignments. Access to environments is also required to manage deployments for the specific environment.
Role assignment in the Apigee Management UI
References
GCP IAM and Roles
Apigee Users and Roles