Fine-grained permissions for API keys – any best practices, great examples, etc?

3 pointscoopr11y ago3 comments

Can you offer, or point to, any advice on providing fine-grained permissions for API keys? Any great example implementations you've seen? Any docs or best practices I should look at?

(I'm not interested in the technical implementation - I'm more interested in the UI, the documentation, etc)

By "fine grained permissions for API keys", I mean that a user could create an API key with a certain set of permissions (eg CREATE resource type X, READ (but not modify) resource type Y, prohibit access to endpoints A and B, etc), then create another key with other permissions, etc. Admins would need to see what keys were created by whom, what permissions those keys have, usage on a per-key basis, do key regeneration, etc.

3 comments

3 comments · 2 top-level

amarcus11y ago· 1 in thread

I am unsure if any such pre-built solutions exist but, we have created something similar for our app.

A user can setup an unlimited number of different API Keys for their account. For each API Key, we allow them to specify:

- Name/Description: For internal reference

- High Level Permissions:

Admin: (access to make any account updates).

Read-Only: (provide read-only access to the data).

Write Only: (allows for read & write operations).

- Low Level Permissions:

Access to various end-points that can be turned on/off.

- Throttling Options

Allow the user to specify Max Read Requests p/second and max write requests p/second

cooprOP11y ago

Very nice, thanks @amarcus - do you have any public-facing documentation I could review?

lovelearning11y ago

I find the AWS IAM documentation[1][2] easy to follow. One thing I didn't like are the demo videos; I prefer step by step descriptions with screenshot images.

[1]: http://aws.amazon.com/iam/

[2]: http://aws.amazon.com/iam/details/manage-permissions/

j / k navigate · click thread line to collapse