This page applies to Apigee, but not to Apigee hybrid.
View Apigee Edge documentation.
Overview
Use VerifyIAM to enforce authorization checks on API access, based on Google Cloud IAM. This is an alternative to the OAuthv2 policy, and the VerifyAPIKey policy. For information on how to include VerifyIAM in an IAM-based access control solution, see IAM-based API authentication overview.
This policy is a Standard policy and can be deployed to any environment type. For information on policy types and availability with each environment type, see Policy types.
Element reference
This reference shows the elements and attributes of the VerifyIAM policy.
<VerifyIAM async="false" continueOnError="false" enabled="true" name="MyVerifyIAMPolicy"> <DisplayName>Custom label used in UI</DisplayName> <CredentialSource>flow_variable_name_containing_credential_value</CredentialSource> </VerifyIAM>
<VerifyIAM> attributes
<VerifyIAM async="false" continueOnError="false" enabled="true" name="MyVerifyIAMPolicy">
The following table describes attributes that are common to all policy parent elements:
Attribute | Description | Default | Presence |
---|---|---|---|
name |
The internal name of the policy. The value of the Optionally, use the |
N/A | Required |
continueOnError |
Set to Set to |
false | Optional |
enabled |
Set to Set to |
true | Optional |
async |
This attribute is deprecated. |
false | Deprecated |
<DisplayName> element
Use in addition to the name
attribute to label the policy in the
management UI proxy editor with a different, natural-language name.
<DisplayName>Policy Display Name</DisplayName>
Default |
N/A If you omit this element, the value of the policy's |
---|---|
Presence | Optional |
Type | String |
<CredentialSource> element
<CredentialSource>flow_variable_name_containing_credential_value</CredentialSource>
This element specifies the flow variable containing the credential value, and has these characteristics:
- Typically, the client sends the value in a query parameter, HTTP header, or a form
parameter. The string must specify the corresponding flow variable in the form
request.queryparam.token
. - When read from the reference, a direct value is expected. For example, 'Bearer' should not be present as the prefix.
- If omitted, policy execution assumes the value is in the authorization header and in the standard format "Bearer xyz".
Default | N/A |
---|---|
Presence | Optional |
Type | Flow variable |
Example:
<VerifyIAM async="false" continueOnError="false" enabled="true" name="Verify-IAM-Permissions-1"> <DisplayName>VerifyIAM policy for flow 1</DisplayName> <CredentialSource>request.queryparam.token</CredentialSource> </VerifyIAM>
Error reference
This section describes the fault codes and error messages that are returned and fault variables that are set by Apigee when this policy triggers an error. This information is important to know if you are developing fault rules to handle faults. To learn more, see What you need to know about policy errors and Handling faults.
Runtime errors
These errors can occur when the policy executes.
Fault code | HTTP status | Cause |
---|---|---|
steps.verifyiam.CredentialSourceRefUnresolved |
400 |
Flow variable provided inside credential source could not be resolved. |
steps.verifyiam.CredentialValueNotProvided |
400 |
Credential not found. If the credential source reference is not provided, we look at the default place like authorization header. |
steps.verifyiam.Forbidden |
403 |
Request could not be forwarded due to lack of sufficient permissions or missing access scopes or any other related issues. |
steps.verifyiam.MiscellaneousAuthorizationConfigurationError |
500 |
An issue with the authentication request to IAM. The API producer needs to fix this error based on details in the error response. |
steps.verifyiam.Unauthorized |
401 |
Problem with the credential, such as the value being invalid or expired. |
steps.verifyiam.UnexpectedAuthorizationInfrastructureError |
500 |
Internal error. |
Deployment errors
This policy does not return any policy-specific deployment errors.
Fault variables
These variables are set when this policy triggers an error at runtime.
Variables | Where | Example |
---|---|---|
fault.name="fault_name" |
fault_name is the name of the fault, as listed in the Runtime errors table above. The fault name is the last part of the fault code. | fault.name="Unauthorized" |
verifyiam.policy_name.failed |
policy_name is the user-specified name of the policy that threw the fault. | verifyiam.Verify-IAMToken.failed = true |