Resource-Based Policy Guide
Resource-based policy overview
API Gateway's resource-based policy is a policy attached to a resource that allows or denies (Effect) an action (Action) on a specific resource for a given principal (Principal). Using resource-based policies, you directly define which principals may call the API.
Through resource-based policies, you can define the following to allow secure API calls.
- User of the specified Samsung Cloud Platform account
- Specified source IP address range or CIDR block
A resource policy is a JSON policy document attached to the API that controls whether a specified security principal (typically an IAM role or group) can call the API.
| Category | Description | Example |
|---|---|---|
| Principal | Specifies the entity that will call the API | - |
| Action | Defines the allowed operations | - |
| Condition | Restricts the allow to specific situations | Allow only requests originating from a specific SRN. |
- API Gateway’s resource-based policies leverage the rules of IAM’s resource-based policies.
- Please refer to the JSON Writing Guide for how to create or modify policies using JSON.
Resource-based policy usage scenario
The primary use cases for resource-based policies are as follows.
Resource-based policy scenario
The resource-based policy scenario used when a specific function of API Gateway operates is as follows.
| Category | Description | Reference example |
|---|---|---|
| Default policy | The DEFAULT resource policy that is created automatically when an API is created. | Default Policy Example |
| Allowed account list | Defines the account(s) that can call the API. | Account Allowlist Example |
| IP range blocklist | Defines IP ranges that are not allowed to call the API. | IP Range Blocklist Example |
User addition usage scenario
The following policies are not registered automatically as API Gateway resource-based policies; users add them as needed. The scenarios users can add and use are as follows.
- Cross-Account Access
  - If an IAM user in account A wants to invoke the API of account B, register account A in the resource policy of account B.
- Hybrid Access Control
  - Access can be allowed only when both conditions are met (a specific user and a specific IP range), rather than restricting by account or IP alone.
Resource-based policy management for API Gateway
To view and set resource-based policies for API Gateway, follow these steps.
- Click the All Services > Application Service > API Gateway menu. The Service Home page of API Gateway opens.
- On the Service Home page, click the API Gateway > Resource Policy menu. The Resource Policy page opens.
- Click the Edit button of the Policy Details item. The Edit Resource Policy popup opens.
  - Click the Delete button to delete the registered policy.
- In the Edit Resource Policy popup window, select a Policy Template, then write the policy.
  - For policy examples by policy template, refer to Example of resource-based policy.
- When the policy is complete, click the Done button.
Example of resource-based policy
Users can define additional resource-based policies as needed or modify existing policies for use.
- Some features require a resource-based policy (or credentials) to be registered before they can be used in API Gateway.
- For the examples described in this guide, API Gateway registers the corresponding resource-based policy automatically when the feature is enabled or linked.
Default Policy
This is a policy that is automatically registered when creating an API.
Policy Template

```json
{
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Effect": "Allow",
      "Principal": "*",
      "Resource": [
        "srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
      ],
      "Sid": "DefaultStatement"
    }
  ],
  "Version": "2024-07-01"
}
```

Policy Example (Offering: e)

```json
{
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Effect": "Allow",
      "Principal": "*",
      "Resource": [
        "srn:e::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "DefaultStatement"
    }
  ],
  "Version": "2024-07-01"
}
```

Policy Example (Offering: s)

```json
{
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Effect": "Allow",
      "Principal": "*",
      "Resource": [
        "srn:s::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "DefaultStatement"
    }
  ],
  "Version": "2024-07-01"
}
```

Account allowlist
This is a policy that allows only users of a specific SCP account (Root user or IAM Role) to call the API.
Policy Template

```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:method/{{ApiId}}/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:{{Offering}}::{{AccountID}}:::iam:user/{{UserSrn}}"
        ]
      },
      "Resource": [
        "srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
      ],
      "Sid": "Statement1"
    }
  ]
}
```

Policy Example (Offering: e)

```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:e::accountId1:kr-west1::apigateway:method/apiId1/stage1/GET/resource1"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:e::accountId1:::iam:user/userId1"
        ]
      },
      "Resource": [
        "srn:e::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```

Policy Example (Offering: s)

```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:s::accountId1:kr-west1::apigateway:method/apiId1/stage1/GET/resource1"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:s::accountId1:::iam:user/userId1"
        ]
      },
      "Resource": [
        "srn:s::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```

IP range blocklist
This is a policy that denies API calls from specific source IP addresses or CIDR ranges (NotIpAddress); calls from any other source remain allowed.
Policy Template

```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:method/{{ApiId}}/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
          ]
        },
        "NotIpAddress": {
          "scp:SourceIp": [
            "{{sourceIpOrCIDRBlock}}",
            "{{sourceIpOrCIDRBlock}}"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": "*",
      "Resource": [
        "srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
      ],
      "Sid": "Statement1"
    }
  ]
}
```

Policy Example (Offering: e)

```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:e::accountId1:kr-west1::apigateway:method/apiId1/stage1/GET/resource1"
          ]
        },
        "NotIpAddress": {
          "scp:SourceIp": [
            "1.2.3.4/24",
            "5.6.7.8/32"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": "*",
      "Resource": [
        "srn:e::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```

Policy Example (Offering: s)

```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:s::accountId1:kr-west1::apigateway:method/apiId1/stage1/GET/resource1"
          ]
        },
        "NotIpAddress": {
          "scp:SourceIp": [
            "1.2.3.4/24",
            "5.6.7.8/32"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": "*",
      "Resource": [
        "srn:s::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```

Cross-Account Access
This is a resource policy that allows a user of account B to call a specific API resource of account A.
Policy Example (Offering: e)

```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:e::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:e::accountId1:::iam:user/userId1",
          "srn:e::accountId2:::iam:user/userId2"
        ]
      },
      "Resource": [
        "srn:e::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```

Policy Example (Offering: s)

```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:s::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:e::accountId1:::iam:user/userId1",
          "srn:e::accountId2:::iam:user/userId2"
        ]
      },
      "Resource": [
        "srn:s::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```

Hybrid Access Control
This is a resource policy that combines the caller's identity (account or user) with the connection source (IP) in one access control decision.
Policy Example (Offering: e)

```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:e::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"
          ]
        },
        "NotIpAddress": {
          "scp:SourceIp": [
            "1.2.3.4/24",
            "5.6.7.8/32"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:e::accountId1:::iam:user/userId1"
        ]
      },
      "Resource": [
        "srn:e::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```

Policy Example (Offering: s)

```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:s::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"
          ]
        },
        "NotIpAddress": {
          "scp:SourceIp": [
            "1.2.3.4/24",
            "5.6.7.8/32"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:s::accountId1:::iam:user/userId1"
        ]
      },
      "Resource": [
        "srn:e::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```
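To make the combined effect of Principal, SrnLike and NotIpAddress concrete, here is an added simulator (not Samsung Cloud Platform's own evaluator) that decides a request against the Hybrid Access Control example above: it assumes the service evaluates a statement only when the principal, action, resource and every condition key match, and that SrnLike treats `*` as a wildcard and NotIpAddress as "source IP in none of the listed CIDR blocks".

```python
import fnmatch
import ipaddress

# Constructed policy mirroring the Hybrid Access Control example above (offering e).
HYBRID_POLICY = {
    "Version": "",
    "Statement": [{
        "Sid": "Statement1",
        "Effect": "Allow",
        "Action": ["apigateway:InvokeApigatewayRegion"],
        "Principal": {"scp": ["srn:e::accountId1:::iam:user/userId1"]},
        "Resource": ["srn:e::accountId1:kr-west1::apigateway:api/apiId1"],
        "Condition": {
            "SrnLike": {"scp:RequestAttribute/body['method-srn']": [
                "srn:e::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"]},
            "NotIpAddress": {"scp:SourceIp": ["1.2.3.4/24", "5.6.7.8/32"]},
        },
    }],
}
METHOD_KEY = "scp:RequestAttribute/body['method-srn']"
INVOKE = "apigateway:InvokeApigatewayRegion"
API = "srn:e::accountId1:kr-west1::apigateway:api/apiId1"

def srn_like(value, patterns):
    """SrnLike (assumed semantics): '*' matches any run of characters in the SRN."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def not_ip_address(value, cidrs):
    """NotIpAddress: true when the source IP is in none of the CIDR blocks.
    strict=False accepts host-form blocks such as 1.2.3.4/24 (= 1.2.3.0/24)."""
    ip = ipaddress.ip_address(value)
    return not any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

OPERATORS = {"SrnLike": srn_like, "NotIpAddress": not_ip_address}

def is_allowed(policy, principal, action, resource, context):
    """Default deny: allow only when a statement matches principal, action,
    resource AND every Condition key (context = method SRN, source IP)."""
    for st in policy["Statement"]:
        principals = st["Principal"]
        if principals != "*" and principal not in principals.get("scp", []):
            continue
        if action not in st["Action"] or resource not in st["Resource"]:
            continue
        conditions = st.get("Condition", {})
        if all(OPERATORS[op](context[key], values)
               for op, kv in conditions.items() for key, values in kv.items()):
            return st["Effect"] == "Allow"
    return False
```

Changing Principal to "*" turns the same statement into the IP range blocklist policy, and dropping NotIpAddress turns it into the account allowlist policy.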