Can you offer, or point to, any advice on providing fine-grained permissions for API keys? Any great example implementations you've seen? Any docs or best practices I should look at?<p>(I'm not interested in the technical implementation - I'm more interested in the UI, the documentation, etc)<p>By "fine grained permissions for API keys", I mean that a user could create an API key with a certain set of permissions (eg CREATE resource type X, READ (but not modify) resource type Y, prohibit access to endpoints A and B, etc), then create another key with other permissions, etc. Admins would need to see what keys were created by whom, what permissions those keys have, usage on a per-key basis, do key regeneration, etc.
I am unsure if any such pre-built solutions exist but, we have created something similar for our app.<p>A user can setup an unlimited number of different API Keys for their account. For each API Key, we allow them to specify:<p>- Name/Description: For internal reference<p>- High Level Permissions:<p>Admin: (access to make any account updates).<p>Read-Only: (provide read-only access to the data).<p>Write Only: (allows for read & write operations).<p>- Low Level Permissions:<p>Access to various end-points that can be turned on/off.<p>- Throttling Options<p>Allow the user to specify Max Read Requests p/second and max write requests p/second
I find the AWS IAM documentation[1][2] easy to follow. One thing I didn't like are the demo videos; I prefer step by step descriptions with screenshot images.<p>[1]: <a href="http://aws.amazon.com/iam/" rel="nofollow">http://aws.amazon.com/iam/</a><p>[2]: <a href="http://aws.amazon.com/iam/details/manage-permissions/" rel="nofollow">http://aws.amazon.com/iam/details/manage-permissions/</a>