Adding Apigee IAM Conditions to policies
This page applies to Apigee and Apigee hybrid.
View Apigee Edge documentation.
This page describes how to add IAM Conditions to your Apigee resources. An IAM Condition lets you have granular control over your Apigee resources.
Before you begin
Apigee uses Google Cloud's Identity and Access Management (IAM) to manage roles and permissions for Apigee's resources. Therefore, before you specify or modify conditions in IAM for your Apigee resources, familiarize yourself with the following IAM concepts:
Adding IAM Conditions
To add an IAM condition to an Apigee resource, you need the following information:
- Named Resource URI - Every resource in Apigee has a unique resource URI. For example, the URI for the API products resource is `organizations/{org}/apiproducts/{apiproduct}`. For the complete list of all the available URIs, see Apigee REST resources. To control access permissions for a resource at a granular level, you must name your resource according to a naming convention. Based on your requirements, you can decide which naming convention to follow. For example, you can prefix the word `marketing` for all API products owned by the marketing team. In this example, the resource URI for the marketing team's API products will begin with `organizations/{org}/apiproducts/marketing-`.
- Parent only permissions - Check if a resource or any of its child resources require the parent-only permission. For more information, see Parent-only permissions.
- Resource type - You can further narrow the scope of resources by filtering for a resource type in the condition. Apigee supports conditions for the following resources:

| Resource name | Resource type |
|---|---|
| API proxy | `apigee.googleapis.com/Proxy` |
| API proxy revision | `apigee.googleapis.com/ProxyRevision` |
| API proxy key-value map | `apigee.googleapis.com/KeyValueMap` |
| API product | `apigee.googleapis.com/ApiProduct` |
| API product attributes | `apigee.googleapis.com/ApiProductAttribute` |
| Developer | `apigee.googleapis.com/Developer` |
| Developer attributes | `apigee.googleapis.com/DeveloperAttribute` |
| Developer app | `apigee.googleapis.com/DeveloperApp` |
| Developer app attributes | `apigee.googleapis.com/DeveloperAppAttribute` |
| Key value entries (API proxy scope) | `apigee.googleapis.com/KeyValueEntry` |
| Rate plan | `apigee.googleapis.com/RatePlan` |
| SharedFlow | `apigee.googleapis.com/SharedFlow` |
| SharedFlow revision | `apigee.googleapis.com/SharedFlowRevision` |

Examples
The table lists a few sample resource conditions and the corresponding permissions:
| Condition | Description |
|---|---|
| `resource.name.startsWith("organizations/{org-name}/apis/catalog-") \|\| resource.type == "cloudresourcemanager.googleapis.com/Project"` | This condition provides the following permissions: |
| `(resource.name.startsWith("organizations/{org-name}/apis/catalog-proxy/keyvaluemaps") && resource.type == "apigee.googleapis.com/KeyValueMap") \|\| resource.type == "cloudresourcemanager.googleapis.com/Project"` | This condition provides permissions for Get, Create, Update, and Delete operations on KeyValueMaps in the catalog-proxy API proxy. |
| `resource.type == "apigee.googleapis.com/Proxy" \|\| resource.type == "cloudresourcemanager.googleapis.com/Project"` | This condition provides permissions for List, Get, Create, Update, and Delete operations on all API proxies. |

`resource.type == "cloudresourcemanager.googleapis.com/Project"`

Note: Users must have the following additional permissions to view proxy deployments in the UI when providing fine-grained access for a particular business unit or team based on conditions:
- `apigee.deployments.get`
- `apigee.deployments.list`
- `apigee.environments.get`
- `apigee.environments.list`

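The following added example (not part of the Apigee documentation) audits condition expressions of the kind shown in the table before they are applied. It flags a `resource.name.startsWith` prefix that stops inside a resource ID without the `-` delimiter, so that `marketing` would also match `marketing2-...`, and a `resource.type` value that is not in the supported list above. The policy, org name, group and role are constructed placeholders, and treating `-` as the required delimiter is an assumption taken from this page's naming-convention example.

```python
import re

# Resource types the page lists as supporting IAM Conditions.
SUPPORTED_TYPES = {"apigee.googleapis.com/" + t for t in (
    "Proxy", "ProxyRevision", "KeyValueMap", "ApiProduct", "ApiProductAttribute",
    "Developer", "DeveloperAttribute", "DeveloperApp", "DeveloperAppAttribute",
    "KeyValueEntry", "RatePlan", "SharedFlow", "SharedFlowRevision")}
PROJECT_TYPE = "cloudresourcemanager.googleapis.com/Project"
PREFIX_RE = re.compile(r'resource\.name\.startsWith\("([^"]*)"\)')
TYPE_RE = re.compile(r'resource\.type\s*==\s*"([^"]*)"')

def open_ended(prefix):
    """True if the prefix stops inside a resource ID without a '-' delimiter."""
    segs = prefix.split("/")          # organizations/{org}/{collection}/{id}/...
    last_is_id = len(segs) % 2 == 0   # IDs sit at every second position
    return last_is_id and segs[-1] != "" and not segs[-1].endswith("-")

def audit_binding(binding):
    """Return a list of findings for one binding of an IAM policy."""
    cond = binding.get("condition")
    if cond is None:
        return ["no condition: binding is not narrowed by resource name or type"]
    expr, findings = cond["expression"], []
    for prefix in PREFIX_RE.findall(expr):
        if open_ended(prefix):
            findings.append(f"open-ended prefix also matches sibling names: {prefix}")
    for rtype in TYPE_RE.findall(expr):
        if rtype != PROJECT_TYPE and rtype not in SUPPORTED_TYPES:
            findings.append(f"resource type not in the supported list: {rtype}")
    return findings

def audit_policy(policy):
    """Map each binding's condition title (or role) to its findings."""
    return {b.get("condition", {}).get("title", b["role"]): audit_binding(b)
            for b in policy["bindings"]}

# Constructed sample policy: org, group and role names are placeholders.
ORG = "organizations/example-org"
IS_PROJECT = f'resource.type == "{PROJECT_TYPE}"'

def binding(title, expr):
    return {"role": "roles/EXAMPLE_ROLE", "members": ["group:team@example.com"],
            "condition": {"title": title, "expression": expr}}

POLICY = {"bindings": [
    binding("catalog proxies", f'resource.name.startsWith("{ORG}/apis/catalog-") || {IS_PROJECT}'),
    binding("marketing products", f'resource.name.startsWith("{ORG}/apiproducts/marketing") || {IS_PROJECT}'),
    binding("all proxies", f'resource.type == "apigee.googleapis.com/ApiProxy" || {IS_PROJECT}'),
]}

if __name__ == "__main__":
    for title, findings in audit_policy(POLICY).items():
        print(title, "->", findings or "ok")
```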
What's next
Go through the following information in the IAM documentation:
- Adding a conditional role binding to a policy
- Modify an existing conditional role binding
- Removing a conditional role binding
Last updated 2025-12-15 UTC.