IAM Conditions lets you define and enforce conditional, attribute-based access control for Google Cloud resources, including Apigee Integration resources. For more information about IAM Conditions, see Overview of IAM Conditions.
In Apigee Integration, you can enforce conditional access based on the following attributes:
- Date/time attributes: Use to set temporary (expiring), scheduled, or limited-duration access to Apigee Integration resources. For example, you can allow a user to access an integration until a specified date. For more information, see Configuring temporary access.
- Resource attributes: Use to configure conditional access based on a resource name, resource type, or resource service attribute. For example, you can allow a user to manage only integrations that are created in a specific region. For a list of supported values, see Resource attribute values. For more information, see Configuring resource-based access.
Add IAM condition
To add an IAM condition to an existing principal (user, group, or service account), perform the following steps:
- In the Google Cloud console, go to the IAM page.
- Select your project, folder, or organization.
- From the list of principals, find the principal for which you want to add the IAM condition, and click (Edit principal). The Edit access pane appears.
- Find the role to which you want to add the IAM condition and click + Add IAM Condition.
- In the Add condition pane, provide the following information:
  - Title: Enter a name for the condition that you're adding to the role.
  - Description: (Optional) Enter a description for the condition.
  - Condition: You can add a condition using either the Condition builder or the Condition editor. The Condition builder provides an interactive interface to select the condition type, operator, and other applicable details of the expression. The Condition editor provides a text-based interface to enter a condition expression manually using CEL syntax. For detailed instructions about how to use the Condition builder or the Condition editor, see Configure resource-based access. For information about the supported resource attributes for Apigee Integration, see Resource attribute values.
- Click Save to apply the condition.
- Click Save again from the Edit access pane to update the principal.
Resource attribute values
The following table lists the values that the resource type attribute can contain for Apigee Integration:

Resource name | Resource type | Reference |
---|---|---|
Location | SERVICE_ENDPOINT-integrations.googleapis.com/Location | API reference |
Integration | SERVICE_ENDPOINT-integrations.googleapis.com/Integration | API reference |
IntegrationVersion | SERVICE_ENDPOINT-integrations.googleapis.com/IntegrationVersion | API reference |
Execution | SERVICE_ENDPOINT-integrations.googleapis.com/Execution | API reference |
Suspension | SERVICE_ENDPOINT-integrations.googleapis.com/Suspension | API reference |
AuthConfig | SERVICE_ENDPOINT-integrations.googleapis.com/AuthConfig | API reference |
Examples of using IAM Conditions for Apigee Integration
Example 1: Limit access to any IntegrationVersion resource in a region
You can use the following condition expression in the Condition editor to limit access to the IntegrationVersion resource. Limiting access includes restricting the create, delete, download, get, list, patch, publish, unpublish, and upload operations on the integration versions in the region.
!resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION/products/apigee/integrations/INTEGRATION_NAME")
Replace the following:
- PROJECT_ID: The ID of your Google Cloud project.
- LOCATION: The integration service endpoint. See Apigee Integration service endpoint.
- INTEGRATION_NAME: Name of the integration.
Example 2: Allow access to any IntegrationVersion resource in a region
You can use the following condition expression in the Condition editor to allow access to the IntegrationVersion resource:
(resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION/products/apigee/integrations/INTEGRATION_NAME") || resource.type == "cloudresourcemanager.googleapis.com/Project")
Replace the following:
- PROJECT_ID: The ID of your Google Cloud project.
- LOCATION: The integration service endpoint. See Apigee Integration service endpoint.
- INTEGRATION_NAME: Name of the integration.
Example 3: Allow access to a specific AuthConfig resource
You can use the following condition expression in the Condition editor to allow access to a specific AuthConfig resource:
(resource.name.extract("authConfigs/{end}") == "AUTH_CONFIG_NAME" || resource.type == "integrations.googleapis.com/Location" || resource.type == "cloudresourcemanager.googleapis.com/Project")
Replace the following:
- AUTH_CONFIG_NAME: The name of the authentication type. See Authentication types.
Example 4: Allow access to any AuthConfig resources in a region
You can use the following condition expression in the Condition editor to allow access to any AuthConfig resource:
((resource.name.startsWith("projects/PROJECT_ID/locations/LOCATION/products/apigee") && resource.type == "integrations.googleapis.com/AuthConfig") || resource.type == "integrations.googleapis.com/Location" || resource.type == "cloudresourcemanager.googleapis.com/Project")
Replace the following:
- PROJECT_ID: The ID of your Google Cloud project.
- LOCATION: The integration service endpoint. See Apigee Integration service endpoint.
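The following added example is not from this page or from Google; it is a small Python model of the CEL subset the four examples above use (startsWith, extract with a {end} template, ==, &&, ||, !). It evaluates each of Examples 1 to 4 against a set of constructed resource names and types so you can see, before applying a binding, which resources a condition actually admits. The values for PROJECT_ID, LOCATION, INTEGRATION_NAME and AUTH_CONFIG_NAME, the sample resource names, and the extract_end helper are all assumptions made for the illustration; the real evaluator is the IAM CEL engine, not this code.

```python
"""Offline model of the IAM condition expressions shown on this page.

The CEL subset the examples use (startsWith, extract with a {end} template,
==, &&, ||, !) is re-implemented as plain Python so each condition can be
checked against concrete resource names and types.  This is an illustration,
not Google's CEL evaluator, and every value below is a constructed placeholder.
"""

# Placeholders standing in for the page's PROJECT_ID, LOCATION,
# INTEGRATION_NAME and AUTH_CONFIG_NAME (assumed values, not real ones).
PROJECT_ID = "my-project"
LOCATION = "us-central1"
INTEGRATION_NAME = "order-sync"
AUTH_CONFIG_NAME = "crm-oauth"

# Resource type strings as written in the page's examples.
T_PROJECT = "cloudresourcemanager.googleapis.com/Project"
T_LOCATION = "integrations.googleapis.com/Location"
T_AUTH_CONFIG = "integrations.googleapis.com/AuthConfig"
T_INTEGRATION_VERSION = "integrations.googleapis.com/IntegrationVersion"

APIGEE_PREFIX = f"projects/{PROJECT_ID}/locations/{LOCATION}/products/apigee"
INTEGRATION_PREFIX = f"{APIGEE_PREFIX}/integrations/{INTEGRATION_NAME}"


def extract_end(name: str, template: str) -> str:
    """Model (assumed) of resource.name.extract("<prefix>/{end}"): the text
    after the first occurrence of <prefix>/, or "" when the prefix is absent."""
    prefix = template[: template.index("{")]
    idx = name.find(prefix)
    return "" if idx < 0 else name[idx + len(prefix):]


def example1(name: str, rtype: str) -> bool:
    """!resource.name.startsWith(INTEGRATION_PREFIX): the binding applies to
    every resource except those under the named integration."""
    return not name.startswith(INTEGRATION_PREFIX)


def example2(name: str, rtype: str) -> bool:
    """The named integration's resources, plus the project itself."""
    return name.startswith(INTEGRATION_PREFIX) or rtype == T_PROJECT


def example3(name: str, rtype: str) -> bool:
    """One AuthConfig matched by its leaf name, plus any Location and Project."""
    return (
        extract_end(name, "authConfigs/{end}") == AUTH_CONFIG_NAME
        or rtype == T_LOCATION
        or rtype == T_PROJECT
    )


def example4(name: str, rtype: str) -> bool:
    """Any AuthConfig under the project/region prefix, plus any Location and
    Project.  In CEL, && binds tighter than ||, so this grouping is exactly
    what the page's expression means."""
    return (
        (name.startswith(APIGEE_PREFIX) and rtype == T_AUTH_CONFIG)
        or rtype == T_LOCATION
        or rtype == T_PROJECT
    )


def evaluate(name: str, rtype: str) -> dict:
    """Return which of the four page conditions would match this resource."""
    return {
        "example1": example1(name, rtype),
        "example2": example2(name, rtype),
        "example3": example3(name, rtype),
        "example4": example4(name, rtype),
    }


# Constructed sample resources (not real resource names).
SAMPLES = {
    "version of the named integration": (f"{INTEGRATION_PREFIX}/versions/1", T_INTEGRATION_VERSION),
    "version of another integration, same region": (f"{APIGEE_PREFIX}/integrations/other/versions/1", T_INTEGRATION_VERSION),
    "the project": (f"projects/{PROJECT_ID}", T_PROJECT),
    "named AuthConfig, expected region": (f"{APIGEE_PREFIX}/authConfigs/{AUTH_CONFIG_NAME}", T_AUTH_CONFIG),
    "other AuthConfig, expected region": (f"{APIGEE_PREFIX}/authConfigs/other", T_AUTH_CONFIG),
    "same-named AuthConfig, different region": (
        f"projects/{PROJECT_ID}/locations/europe-west1/products/apigee/authConfigs/{AUTH_CONFIG_NAME}",
        T_AUTH_CONFIG,
    ),
    "Location in a different region": (f"projects/{PROJECT_ID}/locations/europe-west1", T_LOCATION),
}

if __name__ == "__main__":
    for label, (name, rtype) in SAMPLES.items():
        print(f"{label:45} {evaluate(name, rtype)}")
```

Two things the table of results makes visible that the expressions alone do not: Example 3 matches on the leaf name only, so an AuthConfig with the same name in another region (or project, if the role is bound above project level) also satisfies it, and in Examples 3 and 4 the Location and Project branches are not constrained by PROJECT_ID or LOCATION, so those resource types are admitted everywhere the binding is in scope. Adding a startsWith prefix to those branches, as Example 4 does for the AuthConfig branch, tightens the condition to the intended region.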