This page applies to Apigee and Apigee hybrid.
This page lists the Identity and Access Management roles and permissions required to use and manage Apigee Spaces and Space resources.
When you use Spaces, IAM roles and permissions are primarily granted at the Space level, so an Apigee user can view and manage only the subset of API resources assigned to that Space. This differs from an Apigee organization that does not use Spaces, where a role granted for managing a resource type typically gives access to every resource of that type in the organization.
To learn more about the default roles and permissions required when using Spaces, see the following sections:
- Roles and permissions to create and manage Apigee Spaces
- View Space resources in Google Cloud console
- View and assign roles using IAM in the Google Cloud console
Roles and permissions to create and manage Apigee Spaces
New roles and permissions have been added to IAM to make using Apigee Spaces in Apigee organizations easier for common use cases, as shown in the following sections.
Predefined roles for Apigee Spaces
Role | Description | Scope |
---|---|---|
apigee.spaceContentEditor | Provides full access to resources that can be associated with a Space. This role should be granted at the Space level. | Apigee Space |
apigee.spaceContentViewer | Provides read-only access to resources that can be associated with a Space. This role should be granted at the Space level. | Apigee Space |
apigee.spaceConsoleUser | Provides the minimum permissions required to manage resources in a Space using the Google Cloud console. Granted at the Google Cloud project level to users with access to resources in that Space. | Google Cloud project |
To allow Space members to manage resources in that Space, use the setIamPolicy method on a Space resource to grant the apigee.spaceContentEditor role to the member. For more information, see Add an organization member to a Space.
To allow Space members to use the Apigee UI in Cloud console to manage Space resources, grant the members the apigee.spaceConsoleUser role on the Google Cloud project. For more information, see View Space resources in Google Cloud console.
If you have a more complex scenario, or would like to understand how usage of Spaces changes the IAM permission hierarchy, see IAM permission hierarchy in Apigee Spaces.
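The following script shows the setIamPolicy flow described above as a read-modify-write on a Space's IAM policy. It is an added example and not code from the Apigee documentation: it assumes the Spaces REST methods are reachable as organizations/ORG/spaces/SPACE:getIamPolicy and :setIamPolicy under https://apigee.googleapis.com/v1 (check the API reference before relying on those paths), and it obtains a token from the active gcloud login. The policy helpers are pure functions, so the merge logic can be exercised without network access.

```python
"""Bind a member to apigee.spaceContentEditor on one Space via setIamPolicy.

Added example, not from the Apigee docs. Assumed: the REST paths used in
space_name()/_api() and that getIamPolicy is a GET on the Space resource.
"""
import copy
import json
import subprocess
import urllib.request

APIGEE_API = "https://apigee.googleapis.com/v1"  # assumed base URL
EDITOR_ROLE = "roles/apigee.spaceContentEditor"
VIEWER_ROLE = "roles/apigee.spaceContentViewer"


def space_name(org, space):
    """Resource name of a Space (assumed format)."""
    return f"organizations/{org}/spaces/{space}"


def add_member(policy, role, member):
    """Return a copy of `policy` with `member` bound to `role`.

    Only an unconditional binding for the role is extended; a binding that
    carries an IAM condition is left alone so its condition is not widened.
    The etag is preserved on purpose: setIamPolicy with a stale etag is
    rejected, which stops this write from overwriting a concurrent change.
    """
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def remove_member(policy, role, member):
    """Return a copy of `policy` without `member` on `role`; empty bindings are dropped."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
            if not binding["members"]:
                continue
        kept.append(binding)
    new["bindings"] = kept
    return new


def members_with_role(policy, role):
    """All members bound to `role`, conditional bindings included, for review."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return sorted(members)


def _api(method, path, body=None):
    """Minimal authenticated call using the active gcloud credentials."""
    token = subprocess.check_output(
        ["gcloud", "auth", "print-access-token"], text=True).strip()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{APIGEE_API}/{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def grant_space_editor(org, space, member):
    """Fetch the Space policy, add the member, write it back with its etag."""
    name = space_name(org, space)
    current = _api("GET", f"{name}:getIamPolicy")
    updated = add_member(current, EDITOR_ROLE, member)
    if updated == current:
        return current  # already bound; nothing to write
    return _api("POST", f"{name}:setIamPolicy", {"policy": updated})


if __name__ == "__main__":
    import sys
    # usage: python grant_space_editor.py ORG SPACE user:alice@example.com
    org, space, member = sys.argv[1:4]
    print(json.dumps(grant_space_editor(org, space, member), indent=2))
```

Because the role is bound on the Space resource rather than on the project, the member gains access only to resources assigned to that Space; granting the same role on the project would not match the scope the roles table recommends.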
Permissions required to create and manage Apigee Spaces
New permissions have been added to IAM to enable the creation and management of Spaces, as described in the following table. Apigee users assigned the apigee.admin role have the required permissions to create and manage a Space in an Apigee organization.
Operation | Permission required |
---|---|
Create a Space | apigee.spaces.create |
Update a Space | apigee.spaces.update |
Delete a Space | apigee.spaces.delete |
Get details of a Space | apigee.spaces.get |
List all Spaces in an Apigee organization | apigee.spaces.list |
Get the IAM policy associated with a Space | apigee.spaces.getIamPolicy |
Set the IAM policy associated with a Space | apigee.spaces.setIamPolicy |
View Space resources in Google Cloud console
To view API resources associated with Spaces using the Apigee UI in Cloud console, users must be granted the custom role apigee.spaceConsoleUser.
For more information on using the UI to view and manage API resources in Spaces, see Manage API resources in Apigee Spaces.
Check to ensure that this custom role is granted to any user who wants to use Apigee in Cloud console to view and manage Space resources. If the apigee.spaceConsoleUser role is not already available in IAM for your users, ask your organization administrator to add the role for the organization's Google Cloud project.
The administrator can create the role using the following command:

```shell
gcloud iam roles create apigee.spaceConsoleUser \
  --project="PROJECT_ID" \
  --title="Apigee Space Console User" \
  --description="Apigee Space Console User" \
  --permissions="apigee.entitlements.get,apigee.organizations.get,apigee.organizations.list,apigee.projectorganizations.get,resourcemanager.projects.get,apigee.spaces.list,apigee.spaces.get,apigee.deployments.list,apigee.environments.list,apigee.environments.get,apigee.envgroups.list,apigee.envgroupattachments.list,apigee.instances.list,apigee.apps.list" \
  --stage=GA
```

Replace PROJECT_ID with the ID of the Google Cloud project where the Apigee organization was created.
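The check above ("ensure that this custom role is granted") can be scripted. The following is an added example, not code from the Apigee documentation: it takes the JSON printed by `gcloud iam roles describe apigee.spaceConsoleUser --project=PROJECT_ID --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json`, compares the role's permissions with the list in the command on this page, reports who holds the console role on the project, and flags any spaceContentEditor or spaceContentViewer binding made on the project rather than on a Space. The two inputs embedded below are constructed samples (project ID my-project and the example.com principals are made up) so the check runs offline; live_inputs() fetches the real ones.

```python
"""Audit the apigee.spaceConsoleUser custom role and who holds it.

Added example, not from the Apigee docs. Inputs are the JSON output of
`gcloud iam roles describe` and `gcloud projects get-iam-policy`; the
SAMPLE_* values below are constructed, not captured from a real project.
"""
import json
import subprocess

# Permission list taken from the gcloud command on this page.
REQUIRED_PERMISSIONS = {
    "apigee.entitlements.get", "apigee.organizations.get", "apigee.organizations.list",
    "apigee.projectorganizations.get", "resourcemanager.projects.get",
    "apigee.spaces.list", "apigee.spaces.get", "apigee.deployments.list",
    "apigee.environments.list", "apigee.environments.get", "apigee.envgroups.list",
    "apigee.envgroupattachments.list", "apigee.instances.list", "apigee.apps.list",
}
# Roles the page says to grant on a Space, not on the project.
SPACE_LEVEL_ROLES = {"roles/apigee.spaceContentEditor", "roles/apigee.spaceContentViewer"}


def console_role_name(project_id):
    """Full name of the project-level custom role as it appears in a policy binding."""
    return f"projects/{project_id}/roles/apigee.spaceConsoleUser"


def check_role(role):
    """Compare a role definition with the permission list on this page."""
    have = set(role.get("includedPermissions", []))
    return {
        "missing": sorted(REQUIRED_PERMISSIONS - have),  # console views that will fail
        "extra": sorted(have - REQUIRED_PERMISSIONS),    # broader than the page specifies
        "deleted": bool(role.get("deleted", False)),
    }


def audit_project_policy(policy, project_id):
    """Who holds the console role, and which Space-level roles were bound on the project."""
    console_users = set()
    project_level = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        members = binding.get("members", [])
        if role == console_role_name(project_id):
            console_users.update(members)
        elif role in SPACE_LEVEL_ROLES:
            project_level.extend((role, m) for m in members)
    return {"console_users": sorted(console_users),
            "project_level_space_roles": sorted(project_level)}


# Constructed sample: one required permission missing, one unrelated permission added.
SAMPLE_ROLE = json.loads("""{
  "name": "projects/my-project/roles/apigee.spaceConsoleUser",
  "title": "Apigee Space Console User",
  "stage": "GA",
  "includedPermissions": [
    "apigee.entitlements.get", "apigee.organizations.get", "apigee.organizations.list",
    "apigee.projectorganizations.get", "resourcemanager.projects.get",
    "apigee.spaces.list", "apigee.spaces.get", "apigee.deployments.list",
    "apigee.environments.list", "apigee.environments.get", "apigee.envgroups.list",
    "apigee.envgroupattachments.list", "apigee.instances.list", "apigee.spaces.delete"
  ]
}""")

# Constructed sample policy: bob holds a Space-level role on the whole project.
SAMPLE_POLICY = json.loads("""{
  "etag": "BwXconstructed",
  "bindings": [
    {"role": "projects/my-project/roles/apigee.spaceConsoleUser",
     "members": ["user:alice@example.com", "group:api-team@example.com"]},
    {"role": "roles/apigee.spaceContentEditor", "members": ["user:bob@example.com"]},
    {"role": "roles/apigee.admin", "members": ["user:admin@example.com"]}
  ]
}""")


def live_inputs(project_id):
    """Fetch the real role definition and project policy with gcloud."""
    role = json.loads(subprocess.check_output(
        ["gcloud", "iam", "roles", "describe", "apigee.spaceConsoleUser",
         f"--project={project_id}", "--format=json"], text=True))
    policy = json.loads(subprocess.check_output(
        ["gcloud", "projects", "get-iam-policy", project_id, "--format=json"], text=True))
    return role, policy


if __name__ == "__main__":
    print(json.dumps(check_role(SAMPLE_ROLE), indent=2))
    print(json.dumps(audit_project_policy(SAMPLE_POLICY, "my-project"), indent=2))
```

On the sample input the role report lists apigee.apps.list as missing and apigee.spaces.delete as an extra permission that the page's definition does not include, and the policy report shows bob holding spaceContentEditor on the project instead of on a Space. Replace the samples with the output of live_inputs() to audit a real project.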
View and assign roles using IAM in the Google Cloud console
You can confirm the role assignments and permissions granted to Space members and organization administrators at the Google Cloud project level using IAM in the Google Cloud console.
To check for the roles
- In the Google Cloud console, go to the IAM page and select the project.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
To grant the roles
- In the Google Cloud console, go to the IAM page and select the project.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
To check for the IAM policies applied at the Space level, see Manage members and roles in a Space.