VerifyIAM policy

This page applies to Apigee, but not to Apigee hybrid.


Overview

Use VerifyIAM to enforce authorization checks on API access, based on Google Cloud IAM. This is an alternative to the OAuthv2 policy and the VerifyAPIKey policy. For information on how to include VerifyIAM in an IAM-based access control solution, see IAM-based API authentication overview.

This policy is a Standard policy and can be deployed to any environment type. For information on policy types and availability with each environment type, see Policy types.

Element reference

This reference shows the elements and attributes of the VerifyIAM policy.

<VerifyIAM async="false" continueOnError="false" enabled="true" name="MyVerifyIAMPolicy">
  <DisplayName>Custom label used in UI</DisplayName>
  <CredentialSource>flow_variable_name_containing_credential_value</CredentialSource>
</VerifyIAM>

<VerifyIAM> attributes

<VerifyIAM async="false" continueOnError="false" enabled="true" name="MyVerifyIAMPolicy">

The following table describes attributes that are common to all policy parent elements:

name
  Description: The internal name of the policy. The value of the name attribute can contain letters, numbers, spaces, hyphens, underscores, and periods. This value cannot exceed 255 characters.
    Optionally, use the <DisplayName> element to label the policy in the management UI proxy editor with a different, natural-language name.
  Default: N/A
  Presence: Required

continueOnError
  Description: Set to false to return an error when a policy fails. This is expected behavior for most policies.
    Set to true to have flow execution continue even after a policy fails. See also:
  Default: false
  Presence: Optional

enabled
  Description: Set to true to enforce the policy.
    Set to false to turn off the policy. The policy will not be enforced even if it remains attached to a flow.
  Default: true
  Presence: Optional

async
  Description: This attribute is deprecated.
  Default: false
  Presence: Deprecated

<DisplayName> element

Use in addition to the name attribute to label the policy in the management UI proxy editor with a different, natural-language name.

<DisplayName>Policy Display Name</DisplayName>

Default: N/A. If you omit this element, the value of the policy's name attribute is used.
Presence: Optional
Type: String

<CredentialSource> element

<CredentialSource>flow_variable_name_containing_credential_value</CredentialSource>

This element specifies the flow variable containing the credential value, and has these characteristics:

  • Typically, the client sends the value in a query parameter, HTTP header, or a form parameter. The string must name the corresponding flow variable, in the form request.queryparam.token.
  • When read from the reference, a direct value is expected. For example, the prefix 'Bearer' must not be present.
  • If omitted, policy execution assumes the value is in the Authorization header and in the standard format "Bearer xyz".

Default: N/A
Presence: Optional
Type: Flow variable

Example:

<VerifyIAM async="false" continueOnError="false" enabled="true" name="Verify-IAM-Permissions-1">
    <DisplayName>VerifyIAM policy for flow 1</DisplayName>
    <CredentialSource>request.queryparam.token</CredentialSource>
</VerifyIAM>

Error reference

This section describes the fault codes and error messages that are returned, and the fault variables that are set by Apigee, when this policy triggers an error. This information is important to know if you are developing fault rules to handle faults. To learn more, see What you need to know about policy errors and Handling faults.

Runtime errors

These errors can occur when the policy executes.

Fault code: steps.verifyiam.CredentialSourceRefUnresolved
  HTTP status: 400
  Cause: The flow variable named in the credential source could not be resolved.

Fault code: steps.verifyiam.CredentialValueNotProvided
  HTTP status: 400
  Cause: Credential not found. If no credential source reference is provided, the policy looks in the default location, the Authorization header.

Fault code: steps.verifyiam.Forbidden
  HTTP status: 403
  Cause: The request could not be forwarded because of insufficient permissions, missing access scopes, or another related issue.

Fault code: steps.verifyiam.MiscellaneousAuthorizationConfigurationError
  HTTP status: 500
  Cause: An issue with the authentication request to IAM. The API producer needs to fix this error based on the details in the error response.

Fault code: steps.verifyiam.Unauthorized
  HTTP status: 401
  Cause: A problem with the credential, such as the value being invalid or expired.

Fault code: steps.verifyiam.UnexpectedAuthorizationInfrastructureError
  HTTP status: 500
  Cause: Internal error.

Deployment errors

This policy does not return any policy-specific deployment errors.

Fault variables

These variables are set when this policy triggers an error at runtime.

fault.name="fault_name"
  Where: fault_name is the name of the fault, as listed in the Runtime errors table above. The fault name is the last part of the fault code.
  Example: fault.name="Unauthorized"

verifyiam.policy_name.failed
  Where: policy_name is the user-specified name of the policy that threw the fault.
  Example: verifyiam.Verify-IAMToken.failed = true
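As an added example that is not part of the Apigee documentation, the ProxyEndpoint fragment below shows how the fault name and the policy's failed variable from the tables above can drive fault rules for the VerifyIAM policy: an invalid or expired credential gets a 401 with a challenge header, while IAM configuration and infrastructure errors (whose details are meant for the API producer) are replaced by a generic 500 so that nothing about the IAM setup reaches the client. The policy name Verify-IAM-Permissions-1 is taken from the example earlier on this page; the AssignMessage policy names and the JSON payload are assumed.

```xml
<!-- Added example, not from the Apigee docs. ProxyEndpoint fragment with fault handling
     for the VerifyIAM policy named Verify-IAM-Permissions-1 (from the page's example).
     The AssignMessage policy names (AM-IAM-401, AM-IAM-500) and the payloads are assumed. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>Verify-IAM-Permissions-1</Name>
      </Step>
    </Request>
  </PreFlow>
  <FaultRules>
    <!-- steps.verifyiam.Unauthorized: invalid or expired credential, answer 401 with a challenge -->
    <FaultRule name="iam-unauthorized">
      <Condition>(verifyiam.Verify-IAM-Permissions-1.failed = true) and (fault.name = "Unauthorized")</Condition>
      <Step>
        <Name>AM-IAM-401</Name>
      </Step>
    </FaultRule>
    <!-- 500-class VerifyIAM faults carry details for the API producer; mask them from the client.
         AM-IAM-500 (not shown) has the same shape as AM-IAM-401 with StatusCode 500 and a fixed payload. -->
    <FaultRule name="iam-backend-error">
      <Condition>(verifyiam.Verify-IAM-Permissions-1.failed = true) and ((fault.name = "MiscellaneousAuthorizationConfigurationError") or (fault.name = "UnexpectedAuthorizationInfrastructureError"))</Condition>
      <Step>
        <Name>AM-IAM-500</Name>
      </Step>
    </FaultRule>
  </FaultRules>
</ProxyEndpoint>

<!-- AM-IAM-401.xml (assumed name): the policy run by the iam-unauthorized fault rule.
     {fault.name} resolves to the last segment of the fault code, here "Unauthorized". -->
<AssignMessage name="AM-IAM-401">
  <Set>
    <StatusCode>401</StatusCode>
    <ReasonPhrase>Unauthorized</ReasonPhrase>
    <Headers>
      <Header name="WWW-Authenticate">Bearer</Header>
    </Headers>
    <Payload contentType="application/json">{"error":"{fault.name}"}</Payload>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

The two conditions are mutually exclusive on fault.name, so the result does not depend on the order in which Apigee evaluates the fault rules; the 400 and 403 faults are left to the endpoint's default fault handling.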