Adding resource conditions in IAM policies


This page describes how to add resource conditions to your IAM policies. A resource condition restricts a role binding to specific Apigee resources, giving you granular control over access to those resources.

Before you begin

Apigee uses Google Cloud's Identity and Access Management (IAM) to manage roles and permissions for Apigee's resources. Therefore, before you specify or modify conditions for your IAM policies, familiarize yourself with the following IAM concepts:

Adding resource conditions

To add an IAM condition for a resource, you must have the following information with you:

Examples

The table lists a few sample resource conditions and the corresponding permissions:

Condition 1:

resource.name.startsWith("organizations/{org-name}/apis/catalog-") || resource.type == "cloudresourcemanager.googleapis.com/Project"

Description: This condition provides the following permissions:

  • List all proxies
  • Get, Create, Update, and Delete operations on API proxies whose name starts with catalog-.
  • All operations on the Revision and KeyValueMap resources belonging to the catalog-* API proxies.

Condition 2:

(resource.name.startsWith("organizations/{org-name}/apis/catalog-proxy/keyvaluemaps") && resource.type == "apigee.googleapis.com/KeyValueMap") || resource.type == "cloudresourcemanager.googleapis.com/Project"

Description: This condition provides permissions for Get, Create, Update, and Delete operations on KeyValueMaps in the catalog-proxy API proxy.

Condition 3:

resource.type == "apigee.googleapis.com/Proxy" || resource.type == "cloudresourcemanager.googleapis.com/Project"

Description: This condition provides permissions for List, Get, Create, Update, and Delete operations on all API proxies.
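The following is an added example, not part of the Apigee documentation: it models the three conditions above as Python predicates and runs them over a constructed set of resources to show what each one lets through, in particular that a resource.name prefix also matches child resources (revisions, KeyValueMaps) of the matching proxies, that the Project clause is what covers the org-wide List call, and that the trailing hyphen in catalog- keeps a proxy such as catalogue-v1 out. The organization name, the project name and the Revision resource type string are assumptions.

```python
"""Constructed model of the resource conditions in the table above.

Each Apigee resource an IAM check sees has a resource.name and a resource.type;
the predicates below mirror the three example conditions, and the sample
resources are hand-made to show what each condition grants.
"""
from dataclasses import dataclass

ORG = "organizations/example-org"  # placeholder for organizations/{org-name}
PROJECT = "cloudresourcemanager.googleapis.com/Project"
PROXY = "apigee.googleapis.com/Proxy"
REVISION = "apigee.googleapis.com/Revision"  # assumed type string for revisions
KVM = "apigee.googleapis.com/KeyValueMap"


@dataclass(frozen=True)
class Resource:
    name: str
    type: str


def catalog_proxies(r: Resource) -> bool:
    # Condition 1: the name prefix also matches child resources of catalog-* proxies;
    # the Project clause is what allows the org-wide List call.
    return r.name.startswith(f"{ORG}/apis/catalog-") or r.type == PROJECT


def catalog_proxy_kvms(r: Resource) -> bool:
    # Condition 2: prefix AND type, so only KeyValueMaps of catalog-proxy qualify.
    return (r.name.startswith(f"{ORG}/apis/catalog-proxy/keyvaluemaps")
            and r.type == KVM) or r.type == PROJECT


def all_proxies(r: Resource) -> bool:
    # Condition 3: type only, so every proxy regardless of its name.
    return r.type == PROXY or r.type == PROJECT


# Constructed resources; catalogue-v1 is a near-miss that shows the prefix boundary.
SAMPLE = [
    Resource("projects/example-project", PROJECT),
    Resource(f"{ORG}/apis/catalog-v1", PROXY),
    Resource(f"{ORG}/apis/catalog-v1/revisions/1", REVISION),
    Resource(f"{ORG}/apis/catalog-proxy/keyvaluemaps/settings", KVM),
    Resource(f"{ORG}/apis/catalog-proxy/revisions/3", REVISION),
    Resource(f"{ORG}/apis/catalogue-v1", PROXY),
    Resource(f"{ORG}/apis/billing-v2", PROXY),
]


def allowed(condition) -> list:
    """Return the names of the sample resources the condition grants access to."""
    return [r.name for r in SAMPLE if condition(r)]


if __name__ == "__main__":
    for cond in (catalog_proxies, catalog_proxy_kvms, all_proxies):
        print(cond.__name__, allowed(cond))
```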

What's next

Go through the following information in the IAM documentation: