Google Cloud API - Get Policies For All Resources - google-apis-explorer

I am trying to get the policies for all the resources so I can view the roles and members associated with them. Any method of getting all the policies through the API would work for me.
I am currently trying to list the organizations (resources) so that I can then get the policies for each resource with a command like GetIamPolicy. However, the organizations.list command returns null. Let me know if any of you have had success getting any policy.
I am using the C# API with a service key to connect to my Google Cloud account.

If I understand correctly, you're trying to get the list of all of your GCP Organization resources so that you can cycle through the list to get the IAM policy bindings for each organization.
Get organizations from Cloud Resource Manager API:
To accomplish this, you would first use organizations.search (with no filter) to get a list of all of your organizations.
Try it here with the API Explorer.
Get organization IAM policy from the Cloud Resource Manager API.
Then, for each organization, you would use the organization name to call organizations.getIamPolicy in order to get the IAM Policy for that organization.
Try it here with the API Explorer (update the resource to reflect your organization name).
Note: IAM Policy is how you control access to resources in GCP. There are various levels at which you can manage IAM Policies, including organizations, folders and projects. There is an entirely separate concept called Org Policy, which allows you to control which API services can be enabled in each of your projects.
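Pulling the bindings out of those two calls into a reviewable list is the step the answer leaves to the reader. The following Python is an added example, not code from the post or from Google's client libraries: it takes an organizations.search response and a get_policy callable standing in for organizations.getIamPolicy (here served from constructed sample responses), flattens every binding into rows, and flags the ones an access review looks at first.

```python
"""Flatten the IAM policies of every organization returned by organizations.search
into (resource, role, member, condition) rows and pick out the bindings to review first."""
from typing import Callable, Dict, Iterable, List, Tuple

# Members that mean "everyone", and the primitive roles that confer broad control.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
Row = Tuple[str, str, str, str]  # resource, role, member, condition title ("" if unconditional)

def flatten_policy(resource: str, policy: Dict) -> List[Row]:
    """One getIamPolicy response -> one row per (role, member) pair."""
    rows: List[Row] = []
    for binding in policy.get("bindings", []):
        cond = binding.get("condition", {}).get("title", "")
        for member in binding.get("members", []):
            rows.append((resource, binding["role"], member, cond))
    return rows

def collect_org_bindings(search_response: Dict, get_policy: Callable[[str], Dict]) -> List[Row]:
    """For each organization in an organizations.search response, call
    get_policy(name) (the getIamPolicy request) and flatten the result."""
    rows: List[Row] = []
    for org in search_response.get("organizations", []):
        rows.extend(flatten_policy(org["name"], get_policy(org["name"])))
    return rows

def risky_rows(rows: Iterable[Row]) -> List[Row]:
    """Bindings an org-level review looks at first: public members or primitive roles."""
    return [r for r in rows if r[2] in PUBLIC_MEMBERS or r[1] in PRIMITIVE_ROLES]

# Constructed sample responses (shapes follow the Cloud Resource Manager API;
# organization ids, domains and addresses are made up).
SAMPLE_SEARCH = {"organizations": [
    {"name": "organizations/111111111111", "displayName": "example.com"},
    {"name": "organizations/222222222222", "displayName": "example.org"}]}
SAMPLE_POLICIES = {
    "organizations/111111111111": {"version": 1, "etag": "BwX", "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-org-admins@example.com"]},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]}]},
    "organizations/222222222222": {"version": 3, "etag": "BwY", "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.org"],
         "condition": {"title": "expires_2024",
                       "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}}]}}

if __name__ == "__main__":
    # With the real API, get_policy would call organizations.getIamPolicy over HTTP.
    all_rows = collect_org_bindings(SAMPLE_SEARCH, SAMPLE_POLICIES.__getitem__)
    for row in all_rows:
        print(("REVIEW " if row in risky_rows(all_rows) else "       ") + " | ".join(row))
```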

Related

Is there any way to define a "Service Contributor" role per API?

I would like User-A to be able to contribute to API-A but not have access to API-B.
When I look at the Azure APIM built-in roles (link below) I notice that the API Management Service Contributor role is defined for all APIs.
Is it possible to define a "Service Contributor" role per API as opposed to all APIs?
If not, is there any other technique that helps me achieve the same goal?
AFAIK, you can restrict the user to a specific set of APIs.
1) Through the Product level, where you can add the APIs and allow all of those APIs to a specific set of users by keeping the scope at Product level for the users.
1. Created 2 different APIs in the APIM instance like the below:
2. Open the new APIM Developer Portal after adding the APIs and publish the APIM instance > Portal Overview under Developer Portal.
3. In APIM Instance > Products > Added a new product "Dotnet6FunctionAPIs" - Added the .NET 6 Function App APIs > Checked the options "Requires Subscription", "Requires approval" and then published the product.
4. In APIM Instance > Users - created a user and in Products > Dotnet6FunctionAPIs product > Access control > Allowed access to the Developers group.
5. Log in to the developer portal with the new user's login credentials https://<apiminstance_name>.portal.azure-api.net/ > Products > Dotnet6FunctionAPIs product > Click on Subscribe.
Here the admin can approve the user's access to that product's APIs and can cancel the subscription whenever the admin wants to.
After subscription approval, the user can test the APIs present in the product.
If you observe here, I have allowed the users (under the Developers group) access to the product "Dotnet6FunctionAPIs" that contains the specific APIs added to it.
This is one of the ways to restrict users from accessing the other APIs: add only specific APIs to the product and give that product access to the users.
Updated Answer:
As Markus said, there are 3 built-in roles in APIM. API Management Service Contributor gives CRUD access to the complete APIM instance (all APIs & operations) and cannot be restricted to specific APIs.
I have looked at the permissions granted to the API Management Service Contributor built-in role. Among those permissions, I believe we need to modify the one at API Policy level, which is:
Write (Access) - Set API policy configuration (Permissions) - Creates or updates policy configuration for the API.

How to Script Google Advanced Services

I've created lots of Google Apps Script scripts for the Classroom API and the Admin Groups and Drive APIs, but I can't seem to get started with AdminReports.
I get the message:
"AdminReports is not defined"
and I can't see it listed in the services that one can add in the scripting environment.
Is it because it's an advanced service? Is there something else that I need to do to get it up and running?
Enable Advanced Google Services:
To use an advanced Google service, follow these instructions:
New Editor:
Configuration
Select Admin SDK API
Select reports_v1 as API Version
(Optional) Replace AdminDirectory with AdminReports
*From https://developers.google.com/admin-sdk/reports/reference/rest?hl=en
Service: admin.googleapis.com
To call this service, we recommend that you use the Google-provided client libraries. If your application needs to use your own libraries to call this service, use the following information when you make the API requests.
Discovery document
A Discovery Document is a machine-readable specification for describing and consuming REST APIs. It is used to build client libraries, IDE plugins, and other tools that interact with Google APIs. One service may provide multiple discovery documents. This service provides the following discovery document:
https://admin.googleapis.com/$discovery/rest?version=reports_v1
Service endpoint
A service endpoint is a base URL that specifies the network address of an API service. One service might have multiple service endpoints. This service has the following service endpoint and all URIs below are relative to this service endpoint:
https://admin.googleapis.com
REST Resource: activities
list: GET /admin/reports/v1/activity/users/{userKey}/applications/{applicationName}
Retrieves a list of activities for a specific customer's account and application such as the Admin console application or the Google Drive application.
watch:
POST /admin/reports/v1/activity/users/{userKey}/applications/{applicationName}/watch
Start receiving notifications for account activities.
REST Resource: customerUsageReports
get: GET /admin/reports/v1/usage/dates/{date}
Retrieves a report which is a collection of properties and statistics for a specific customer's account.
REST Resource: entityUsageReports
get: GET /admin/reports/v1/usage/{entityType}/{entityKey}/dates/{date}
Retrieves a report which is a collection of properties and statistics for entities used by users within the account.
REST Resource: userUsageReport
get: GET /admin/reports/v1/usage/users/{userKey}/dates/{date}
Retrieves a report which is a collection of properties and statistics for a set of users with the account.
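The REST listing above is what the AdminReports advanced service wraps. As an added example (not from the post or from Google's libraries), this Python builds the activities.list URL from that path template, follows nextPageToken across pages, and flattens the nested events and parameters; the fetch callable and the two-page response are constructed stand-ins for the authenticated request.

```python
"""Walk the Admin SDK Reports API activities.list endpoint quoted above, page
by page, and flatten items -> events -> parameters into one row per event."""
from typing import Callable, Dict, Iterator, Optional, Tuple
from urllib.parse import quote, urlencode

SERVICE_ENDPOINT = "https://admin.googleapis.com"
Row = Tuple[str, str, str, str, Dict[str, str]]  # time, application, actor, event name, parameters

def activities_url(user_key: str, application_name: str,
                   page_token: Optional[str] = None, **params) -> str:
    """Fill /admin/reports/v1/activity/users/{userKey}/applications/{applicationName}
    and append query parameters (maxResults, startTime, ...) plus the page token."""
    path = (f"/admin/reports/v1/activity/users/{quote(user_key, safe='')}"
            f"/applications/{quote(application_name, safe='')}")
    query = dict(params)
    if page_token:
        query["pageToken"] = page_token
    return SERVICE_ENDPOINT + path + ("?" + urlencode(query) if query else "")

def iter_activities(fetch: Callable[[str], Dict], user_key: str,
                    application_name: str, **params) -> Iterator[Row]:
    """fetch(url) does the authenticated GET and returns the parsed JSON body."""
    token = None
    while True:
        body = fetch(activities_url(user_key, application_name, token, **params))
        for item in body.get("items", []):
            actor = item.get("actor", {}).get("email", "")
            for event in item.get("events", []):
                # Each parameter carries one of value/intValue/boolValue/multiValue.
                parms = {p["name"]: next((str(p[k]) for k in ("value", "intValue", "boolValue", "multiValue") if k in p), "")
                         for p in event.get("parameters", [])}
                yield (item["id"]["time"], item["id"]["applicationName"], actor, event["name"], parms)
        token = body.get("nextPageToken")  # absent on the last page
        if not token:
            return

# Constructed two-page response (shape follows the Reports API; values are made up).
_PAGE1 = {"nextPageToken": "p2", "items": [
    {"id": {"time": "2023-05-01T10:00:00.000Z", "applicationName": "admin"}, "actor": {"email": "admin@example.com"},
     "events": [{"type": "USER_SETTINGS", "name": "CREATE_USER",
                 "parameters": [{"name": "USER_EMAIL", "value": "new.user@example.com"}]}]}]}
_PAGE2 = {"items": [
    {"id": {"time": "2023-05-01T11:00:00.000Z", "applicationName": "admin"}, "actor": {"email": "admin@example.com"},
     "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "ASSIGN_ROLE",
                 "parameters": [{"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"},
                                {"name": "USER_EMAIL", "value": "new.user@example.com"}]}]}]}

def sample_fetch(url: str) -> Dict:
    """Stand-in for the authenticated HTTP GET: serves the page named by pageToken."""
    return _PAGE2 if "pageToken=p2" in url else _PAGE1
```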

How to use Azure API Management to publish a collection of endpoints for public partners and another for my own apps

I'm looking to use Azure API Management (APIM) to publish my REST API endpoints to be consumed by external partner apps. I also have an app I own. I would like my app to consume the same endpoints as well as a few additional endpoints. I don't want to expose those additional endpoints to partner apps. Basically, I would like to end up with two packages of endpoints in APIM where I only expose the extra endpoints to my company's apps. My company's client apps are accessible over the Internet and are not isolated in an internal network.
This feels like a common use case, but I wasn't able to find anything directly addressing this. I'm assuming it's because I'm somewhat new to APIM.
See Products (https://learn.microsoft.com/en-us/azure/api-management/api-management-key-concepts#--products). They're created specifically for the case of packaging the same or different APIs into separate offerings. You can control product visibility as well, so that only users of a specific group are aware of a product, i.e. your own product can be made visible only to service administrators - you.

How to hide my product and API from other developers in centralized shared Azure APIM service instance?

We have a centralized development instance of Azure API Management Service where developers from different agencies/organizations create their products, APIs and subscriptions. Essentially they have the Contributor role on the resource group of the APIM instance. This is a centralized shared APIM instance.
I can probably create a custom RBAC role that allows me to edit only my API, but I'm not sure how to hide my own API and products from others.
Is there a way for developers to hide their products and APIs entirely from other developers, in the Admin portal as well as in the Developer portal?
Have you tried implementing the restriction at the product level?
Check your user list.
Create a group by selecting the required members.
Create a product (add the required APIs) -> Go to Access control -> Add a group (you may remove the Administrators group)

Multiple RESTful API-s in one Swagger for Tyk

I have 2 different RESTful APIs, and I would like to use Tyk as the gateway.
My plan is to have a common URL (like http://viktorservices) which can forward messages to those two API endpoints.
For example, the first API is a user manager API, and has an endpoint:
GET: http://localhost:8080/usermanager/users
And the other API is a car manager API, and its endpoint is:
GET: http://localhost:8081/carmanager/cars
Is it possible somehow to upload a Swagger JSON for the Tyk Catalog (for the developer portal) to be able to see only one API called "User and Car Manager"?
And when I click on "View Documentation" in Tyk's developer site, all of the endpoints from both APIs are visible, grouped by their main API names?
I tried to put the two Swagger JSONs into one as an array, but then it is not visible on the Developer Site.
I am able to upload the Swaggers one by one, but then I will have two APIs on the Dev site of Tyk.
I think the main point here is that the developer portal documentation/Swagger does not have to correlate with the actual APIs you have. The Portal gets organized by catalogues/policies. So you can have multiple internal Tyk APIs, but expose them as a single catalog in the Portal, by creating a Policy which gives access to both APIs. So, just create a new "public" Swagger file for documentation purposes, which includes endpoints from both of your internal APIs.
Does it make sense?
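The "public" Swagger file the answer suggests can be produced mechanically. This Python is an added example, not part of the answer or of Tyk: it merges two Swagger 2.0 documents into one, re-rooting paths under each API's basePath (it assumes the gateway exposes the APIs under those prefixes, as the question's URLs suggest), tagging operations by source API so the portal groups them, and renaming colliding definitions; the two input documents are constructed from the question's endpoints.

```python
"""Merge two Swagger 2.0 documents into one 'public' document for the Tyk developer
portal: a single catalogue entry whose operations are grouped by source API via tags."""
from typing import Dict, List

METHODS = frozenset({"get", "post", "put", "delete", "patch", "options", "head"})

def _rewrite_refs(node, renames: Dict[str, str]):
    """Return a copy of node with every "$ref" value mapped through renames."""
    if isinstance(node, dict):
        return {k: (renames.get(v, v) if k == "$ref" else _rewrite_refs(v, renames))
                for k, v in node.items()}
    if isinstance(node, list):
        return [_rewrite_refs(v, renames) for v in node]
    return node

def merge_swagger(title: str, apis: List[Dict]) -> Dict:
    """Re-root each path under its API's basePath (assumes the gateway exposes the APIs
    under those prefixes), tag every operation with the API title, and prefix a definition
    name that is already taken (rewriting that API's $refs). Duplicate paths are an error."""
    merged = {"swagger": "2.0", "info": {"title": title, "version": "1.0"},
              "basePath": "/", "tags": [], "paths": {}, "definitions": {}}
    for api in apis:
        tag = api["info"]["title"]
        merged["tags"].append({"name": tag})
        prefix = api.get("basePath", "").rstrip("/")
        defs = api.get("definitions", {})
        new_names = {n: (tag.replace(" ", "") + n if n in merged["definitions"] else n) for n in defs}
        renames = {f"#/definitions/{n}": f"#/definitions/{v}" for n, v in new_names.items() if v != n}
        for name, schema in defs.items():
            merged["definitions"][new_names[name]] = _rewrite_refs(schema, renames)
        for path, ops in api.get("paths", {}).items():
            full = prefix + path
            if full in merged["paths"]:
                raise ValueError(f"path collision: {full}")
            merged["paths"][full] = _rewrite_refs(ops, renames)
            for method in METHODS & set(ops):
                merged["paths"][full][method]["tags"] = [tag]
    return merged

# Constructed inputs modelled on the two APIs in the question; both define a "Page"
# schema so the rename path is exercised.
_PAGE = {"type": "object", "properties": {"items": {"type": "array"}}}
USER_API = {"swagger": "2.0", "info": {"title": "User Manager", "version": "1"},
            "basePath": "/usermanager", "definitions": {"Page": _PAGE},
            "paths": {"/users": {"get": {"summary": "List users", "responses": {
                "200": {"description": "ok", "schema": {"$ref": "#/definitions/Page"}}}}}}}
CAR_API = {"swagger": "2.0", "info": {"title": "Car Manager", "version": "1"},
           "basePath": "/carmanager", "definitions": {"Page": _PAGE},
           "paths": {"/cars": {"get": {"summary": "List cars", "responses": {
               "200": {"description": "ok", "schema": {"$ref": "#/definitions/Page"}}}}}}}
```

Upload the result of merge_swagger("User and Car Manager", [USER_API, CAR_API]) as the catalogue documentation; the internal Tyk API definitions stay untouched.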