Apigee Spaces is a new Role Based Access Control feature that allows API proxies, Shared Flows and API Products to be associated with a "Space". A Space acts as a container for these resources and allows users to be assigned to one or more Spaces. Resources associated with a Space do not need to follow any specific naming convention, and each resource can be assigned to only a single Space.
Once resources are associated with a Space, they are visible only to users who hold the "Apigee Space Content Editor" or "Apigee Space Content Viewer" role on one or more Spaces. To make them visible in the Apigee GCP console, those users are also assigned the "Apigee Space Console User" role in the GCP Project IAM. The combination of these roles is what restricts Space users to seeing only the resources associated with their Space. Furthermore, when creating an API Product, users can only see the API Proxies associated with the Spaces to which they are assigned.
To allow Space users to manage deployments of API Proxies and Shared Flows, they are granted the "Apigee Environment Admin" role on a particular environment.
Finally, to allow Space users to create Developers and Applications for testing, they need to be assigned a custom role that is a subset of the "Apigee Developer Admin" role in the GCP Project IAM. This is required because the built-in "Apigee Developer Admin" role would allow users to list all API Products, not just the ones they have access to in their Space(s). This may be addressed by new Apigee roles in the future, but for the time being the custom role is a viable workaround that ensures correct behavior in the UI for Space users.
As an Apigee Organization Administrator, I need to create Spaces, associate resources, and assign user roles, so I can isolate developer teams.
This use case is fully covered by the core features of Spaces.
As an API developer in Spaces, I need to create API proxies, Shared Flows and API Products in my Spaces, and I also need to create test Developers and Apps, so I can test my API proxy.
This use case requires a custom role to manage Developers and Apps, and it is the primary purpose of this article. See Apigee Spaces Overview and Spaces APIs for the steps to manage Spaces, resources and user assignments.
First, create Spaces and assign user roles as per the Apigee Spaces documentation. Then create or move resources into a Space as per the documentation.
The custom role is derived from the "Apigee Developer Admin" role and removes the following permissions:
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.rateplans.get
apigee.rateplans.list
The custom role can be created using the IAM API (the roleId, title and permission list below are the ones this article uses):
# Apigee X organization name; for Apigee X this is the same as the GCP project ID
export ORG=your-apigeex-org
# Bearer token for the caller, who needs permission to create custom roles in the project
AUTH="Authorization: Bearer $(gcloud auth print-access-token)"
curl -H "$AUTH" -X POST "https://iam.googleapis.com/v1/projects/$ORG/roles" \
  --header 'Content-Type: application/json; charset=utf-8' \
  --data-raw '{
    "roleId": "CustomApigeeDeveloperAdminSpaces",
    "role": {
      "title": "Custom Apigee Developer Admin Spaces",
      "description": "Custom role derived from Apigee Developer Admin for use by Space Content Editors",
      "includedPermissions": [
        "apigee.appgroupapps.create",
        "apigee.appgroupapps.delete",
        "apigee.appgroupapps.get",
        "apigee.appgroupapps.list",
        "apigee.appgroupapps.manage",
        "apigee.appgroups.create",
        "apigee.appgroups.delete",
        "apigee.appgroups.get",
        "apigee.appgroups.list",
        "apigee.appgroups.update",
        "apigee.appkeys.create",
        "apigee.appkeys.delete",
        "apigee.appkeys.get",
        "apigee.appkeys.manage",
        "apigee.apps.get",
        "apigee.apps.list",
        "apigee.datacollectors.create",
        "apigee.datacollectors.delete",
        "apigee.datacollectors.get",
        "apigee.datacollectors.list",
        "apigee.datacollectors.update",
        "apigee.developerappattributes.createOrUpdateAll",
        "apigee.developerappattributes.delete",
        "apigee.developerappattributes.get",
        "apigee.developerappattributes.list",
        "apigee.developerappattributes.update",
        "apigee.developerapps.create",
        "apigee.developerapps.delete",
        "apigee.developerapps.get",
        "apigee.developerapps.list",
        "apigee.developerapps.manage",
        "apigee.developerattributes.createOrUpdateAll",
        "apigee.developerattributes.delete",
        "apigee.developerattributes.get",
        "apigee.developerattributes.list",
        "apigee.developerattributes.update",
        "apigee.developerbalances.adjust",
        "apigee.developerbalances.get",
        "apigee.developerbalances.update",
        "apigee.developermonetizationconfigs.get",
        "apigee.developermonetizationconfigs.update",
        "apigee.developers.create",
        "apigee.developers.delete",
        "apigee.developers.get",
        "apigee.developers.list",
        "apigee.developers.update",
        "apigee.developersubscriptions.create",
        "apigee.developersubscriptions.get",
        "apigee.developersubscriptions.list",
        "apigee.developersubscriptions.update",
        "apigee.organizations.get",
        "apigee.organizations.list",
        "apigee.projectorganizations.get",
        "resourcemanager.projects.get",
        "resourcemanager.projects.getIamPolicy"
      ]
    }
  }'
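As an added example that is not part of the article, the following POSIX shell script derives the same custom role from the built-in role's permission list instead of hand-maintaining the JSON, and audits any permission list for the six permissions the article removes (so a role already bound to Space users can be re-checked after the built-in role changes). The gcloud invocation and the role name roles/apigee.developerAdmin in the usage comment are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example, not part of the article: derive the custom role's permission
# list from the built-in role and audit a role for the permissions that must go.

# The six permissions the article removes from "Apigee Developer Admin".
EXCLUDED_PERMS='apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.rateplans.get
apigee.rateplans.list'

# filter_permissions: one permission per line on stdin; prints the ones that may
# stay in the custom role. -x matches whole lines, -F treats patterns literally.
filter_permissions() {
  grep -vxF "$EXCLUDED_PERMS"
}

# count_leaked: one permission per line on stdin; prints how many belong to the
# excluded set and returns non-zero if any do. Use it to audit a role that is
# already bound to Space users.
count_leaked() {
  n=$(grep -cxF "$EXCLUDED_PERMS" || true)
  echo "$n"
  [ "$n" -eq 0 ]
}

# role_body: turn the filtered list from stdin into the CreateRole request body
# (same roleId and title as the article's curl call).
role_body() {
  filter_permissions | awk '
    BEGIN {
      print "{\"roleId\": \"CustomApigeeDeveloperAdminSpaces\","
      print " \"role\": {\"title\": \"Custom Apigee Developer Admin Spaces\","
      print "  \"includedPermissions\": ["
    }
    NF { printf "%s    \"%s\"", (n++ ? ",\n" : ""), $1 }
    END { print "\n  ]}}" }'
}

# Typical use (assumed gcloud invocation and role name, not from the article;
# gcloud prints the permission list separated by semicolons):
#   gcloud iam roles describe roles/apigee.developerAdmin \
#     --format='value(includedPermissions)' | tr ';' '\n' | role_body > body.json
#   curl -H "$AUTH" -X POST "https://iam.googleapis.com/v1/projects/$ORG/roles" \
#     -H 'Content-Type: application/json' --data @body.json
```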
API developers in Spaces will be able to view and edit API Proxies, Shared Flows and API Products in their own Spaces. They will be able to create deployments in the environment(s) to which they have been given access. They will be able to create API Products in the UI with visibility only to the API Proxies in their Spaces. Similarly, they will be able to create test Developers and Applications in the UI with visibility only to the API Products in their Spaces. Finally, they will be able to test and debug API proxies using API Keys in the environment(s) to which they have been given access.