

Fine-grained permissions for API keys – any best practices, great examples, etc? - coopr

Can you offer, or point to, any advice on providing fine-grained permissions for API keys? Any great example implementations you've seen? Any docs or best practices I should look at?

(I'm not interested in the technical implementation - I'm more interested in the UI, the documentation, etc)

By "fine grained permissions for API keys", I mean that a user could create an API key with a certain set of permissions (eg CREATE resource type X, READ (but not modify) resource type Y, prohibit access to endpoints A and B, etc), then create another key with other permissions, etc. Admins would need to see what keys were created by whom, what permissions those keys have, usage on a per-key basis, do key regeneration, etc.
======
amarcus
I am unsure if any such pre-built solutions exist, but we have created
something similar for our app.

A user can set up an unlimited number of different API Keys for their account.
For each API Key, we allow them to specify:

- Name/Description: For internal reference

- High Level Permissions:

  Admin: (access to make any account updates).

  Read-Only: (provide read-only access to the data).

  Write Only: (allows for read & write operations).

- Low Level Permissions:

  Access to various end-points that can be turned on/off.

- Throttling Options

  Allow the user to specify Max Read Requests p/second and max write requests
  p/second

~~~
coopr
Very nice, thanks @amarcus - do you have any public-facing documentation I
could review?

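As an added illustration (not amarcus's code, and not anything the thread links to), here is one way the per-key model described above could be represented and enforced on the server side: a key record carrying the name, high-level level, per-endpoint switches and throttling limits, a lookup that stores only a hash of the secret so that regeneration invalidates the old one, and a single authorize check run per request. Every name below is an assumption.

```python
# Added example (not from the thread); all identifiers are assumed.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class ApiKey:
    name: str                                   # internal reference
    level: str                                  # "admin", "read-only" or "write"
    disabled_endpoints: set = field(default_factory=set)  # low-level switches
    max_reads_per_sec: int = 10                 # throttling options
    max_writes_per_sec: int = 2
    key_hash: str = ""                          # only a hash of the secret is kept
    window_start: float = 0.0                   # start of current one-second window
    reads: int = 0
    writes: int = 0

    def regenerate(self) -> str:
        """Issue a new secret: shown to the user once, never stored in clear."""
        secret = secrets.token_urlsafe(32)
        self.key_hash = hashlib.sha256(secret.encode()).hexdigest()
        return secret

def find_key(keys, presented: str):
    """Look up a key by hashing the presented secret (constant-time compare)."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return next((k for k in keys if hmac.compare_digest(k.key_hash, digest)), None)

def authorize(key: ApiKey, method: str, endpoint: str, now: float = None) -> tuple:
    """Return (allowed, reason) for one request made with one key."""
    now = time.time() if now is None else now
    is_write = method in WRITE_METHODS
    if endpoint in key.disabled_endpoints:          # low-level permission
        return False, "endpoint disabled for key"
    if is_write and key.level == "read-only":       # high-level permission
        return False, "read-only key"
    if now - key.window_start >= 1.0:               # fixed one-second throttle window
        key.window_start, key.reads, key.writes = now, 0, 0
    if is_write:
        if key.writes >= key.max_writes_per_sec:
            return False, "write rate limit"
        key.writes += 1
    else:
        if key.reads >= key.max_reads_per_sec:
            return False, "read rate limit"
        key.reads += 1
    return True, "ok"
```

Because only the hash is stored, an admin listing keys per user can show name, level, switches and limits without ever being able to read the secret back.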
------
lovelearning
I find the AWS IAM documentation[1][2] easy to follow. One thing I didn't like
is the demo videos; I prefer step-by-step descriptions with screenshot
images.

[1]: [http://aws.amazon.com/iam/](http://aws.amazon.com/iam/)

[2]: [http://aws.amazon.com/iam/details/manage-permissions/](http://aws.amazon.com/iam/details/manage-permissions/)

