This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Apigee hide resources using IAM Condition Policies

Posted on 10-27-2023 10:04 AM
igallardo
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

I've created a custom Role for a group with this privileges:

apigee.deployments.get
apigee.deployments.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.operations.get
apigee.operations.list
apigee.projectorganizations.get

So I need users who belong to this group to ONLY see (and work with) some ENVIRONMENTS in the Apigee UI (and obviously only privileges in those environments).

I made this IAM conditions policies:

resource.name.startsWith("organizations/{org}/apis/dti-") ||

resource.name.startsWith("organizations/{org}/sharedflows/dti-") ||

resource.name.startsWith("organizations/{org}/environments/dti-") ||

(

    resource.name.startsWith("organizations/{org}/apis/dti-test/keyvaluemaps") &&

    resource.type == "apigee.googleapis.com/KeyValueMap"

) ||

(

    resource.name.startsWith("organizations/{org}/apiproducts/dti-") &&

    resource.type == "apigee.googleapis.com/ApiProduct"

) ||

resource.type == "cloudresourcemanager.googleapis.com/Project"

igallardo_1-1698426194168.png

This works for API proxies and shared flows, but I can't reproduce this same solution for environments.

Is there documentation for this specific area or maybe some examples to try?

Thanks.

 

 

 

Solved Solved
0 1 271
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
gregkuelgen
Staff
Reply posted on --/--/---- --:-- AM

Acesss to environment level resources is actually not controlled by IAM conditions. Rather it is controlled by access granted to each individual environment through the Apigee UI or API.  You can learn more in this excellent article from my colleague @kurtkanaskie. Below is the relevant excerpt.

Environments do not support conditional role assignment directly. Rather, access to an environment and its resources is granted via “Access” in the UI or via the Apigee API Environments Set IAM Policy API. Assigning a user as an “Apigee Environment Admin” to an environment (e.g. bu1-test) controls access to environment specific resources such as KVMs, Resource files, TargetServers, References, and KeyStores. It also controls access to deployments and debug sessions for the environment.

 

View solution in original post

Jump to Solution
1 REPLY 1

Posted on --/--/---- --:-- AM
gregkuelgen
Staff
Reply posted on --/--/---- --:-- AM

Acesss to environment level resources is actually not controlled by IAM conditions. Rather it is controlled by access granted to each individual environment through the Apigee UI or API.  You can learn more in this excellent article from my colleague @kurtkanaskie. Below is the relevant excerpt.

Environments do not support conditional role assignment directly. Rather, access to an environment and its resources is granted via “Access” in the UI or via the Apigee API Environments Set IAM Policy API. Assigning a user as an “Apigee Environment Admin” to an environment (e.g. bu1-test) controls access to environment specific resources such as KVMs, Resource files, TargetServers, References, and KeyStores. It also controls access to deployments and debug sessions for the environment.

 

Jump to Solution