Fine-grained permissions for API keys – any best practices, great examples, etc?
Can you offer, or point to, any advice on providing fine-grained permissions for API keys? Any great example implementations you've seen? Any docs or best practices I should look at?
(I'm not interested in the technical implementation - I'm more interested in the UI, the documentation, etc)
By "fine grained permissions for API keys", I mean that a user could create an API key with a certain set of permissions (eg CREATE resource type X, READ (but not modify) resource type Y, prohibit access to endpoints A and B, etc), then create another key with other permissions, etc. Admins would need to see what keys were created by whom, what permissions those keys have, usage on a per-key basis, do key regeneration, etc.
3 comments
[ 5.1 ms ] story [ 18.7 ms ] threadA user can setup an unlimited number of different API Keys for their account. For each API Key, we allow them to specify:
- Name/Description: For internal reference
- High Level Permissions:
Admin: (access to make any account updates).
Read-Only: (provide read-only access to the data).
Write Only: (allows for read & write operations).
- Low Level Permissions:
Access to various end-points that can be turned on/off.
- Throttling Options
Allow the user to specify Max Read Requests p/second and max write requests p/second
[1]: http://aws.amazon.com/iam/
[2]: http://aws.amazon.com/iam/details/manage-permissions/