Security Actions API

This page applies to Apigee and Apigee hybrid.

This page describes how to manage security actions using the Apigee Management APIs. For an overview of the security actions functionality, including limitations and latencies, see the Security actions overview and UI.

You can access all of the security actions features through the Apigee Management APIs. See the Security Actions API reference for information on all of the available commands. This page shows examples of some of the available commands.

Variables used in examples

The examples on this page can include these variables:

  • ORG is the organization.
  • ENV is the environment for the security action.
  • ACTION_NAME is the name of the security action.

Create security actions

This section provides examples of how to create security actions with different action types.

Create a deny action

To create a deny action, enter a command similar to the following:

curl -X POST "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions?security_action_id=ACTION_NAME" \
       -H "Authorization: Bearer $TOKEN" \
       -H "Content-Type: application/json" \
       -d '{"state": "ENABLED", "deny": {"response_code": 404}, "condition_config": {"ip_address_ranges": ["100.0.225.0"]}}'

This creates a security action that denies requests from the IP addresses listed after ip_address_ranges and returns response code 404.

Create a flag action

To create a flag action, enter a command similar to the following:

curl -X POST "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions?security_action_id=ACTION_NAME" \
       -H "Authorization: Bearer $TOKEN" \
       -H "Content-Type: application/json" \
       -d '{"state": "ENABLED", "flag": {"headers": [{"name": "senseflag", "value": "flagvalue"}]}, "condition_config": {"ip_address_ranges": ["100.0.230.0"]}}'

This creates a security action that flags requests from the IP addresses listed after ip_address_ranges and adds a header senseflag with value flagvalue.

Create an allow action

To create an allow action, enter a command similar to the following:

curl -X POST "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions?security_action_id=ACTION_NAME" \
       -H "Authorization: Bearer $TOKEN" \
       -H "Content-Type: application/json" \
       -d '{"state": "ENABLED", "allow": {}, "condition_config": {"ip_address_ranges": ["100.0.220.0", "200.0.0.0"]}}'

This creates a security action that allows requests from the IP addresses listed after ip_address_ranges.

Edit security actions

This section provides an example of how to edit an existing security action configuration. See Enable or disable a security action or Delete a security action to see examples for those types of changes.

Edit a deny action

This section shows an example of editing a deny action. The APIs also support editing the other action types.

update_mask can include any of these options: description, condition_config, api_proxies, expire_time, ttl, flag, allow, deny, or * (everything). If update_mask is omitted, it defaults to everything.

See the Security Actions API reference documentation for more information about potential values when editing actions.

curl -X PATCH "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions/ACTION_NAME?update_mask=deny,condition_config" \
       -H "Authorization: Bearer $TOKEN" \
       -H "Content-Type: application/json" \
       -d '{"deny": {"response_code": 404}, "condition_config": {"ip_address_ranges": ["100.0.230.0"]}}'

This returns a response like the following:

{
      "name": "ACTION_NAME",
      "state": "ENABLED",
      "createTime": "2022-12-29T18:28:50Z",
      "updateTime": "2022-12-29T18:28:50Z",
      "conditionConfig": {
        "ipAddressRanges": [
          "100.0.230.0"
        ]
      },
      "deny": {
        "responseCode": 404
      }
}
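
Because an omitted update_mask defaults to everything, a script that edits actions is safer when it always sends an explicit mask that names exactly the fields in the request body. The following Python helper is an added example, not part of the Apigee documentation or tooling; build_patch is a hypothetical name, and the one-action-type check is an assumption based on the examples on this page.

```python
import json
from urllib.parse import quote, urlencode

BASE = "https://apigee.googleapis.com/v1"
# update_mask options listed on this page ("*" or omission means everything).
MASKABLE = {"description", "condition_config", "api_proxies",
            "expire_time", "ttl", "flag", "allow", "deny"}
ACTION_TYPES = {"flag", "allow", "deny"}


def build_patch(org, env, action_name, changes):
    """Hypothetical helper: return (url, body) for a PATCH whose update_mask
    names exactly the top-level keys present in `changes`."""
    if not changes:
        raise ValueError("empty patch; refusing to send a mask-less update")
    unknown = set(changes) - MASKABLE
    if unknown:
        raise ValueError(f"not valid update_mask fields: {sorted(unknown)}")
    # Assumption: an action carries one action type, as in the page's examples.
    if len(ACTION_TYPES & set(changes)) > 1:
        raise ValueError("patch only one of flag, allow, deny")
    path = "/organizations/{}/environments/{}/securityActions/{}".format(
        *(quote(part, safe="") for part in (org, env, action_name)))
    query = urlencode({"update_mask": ",".join(sorted(changes))}, safe=",")
    return f"{BASE}{path}?{query}", json.dumps(changes, sort_keys=True)


if __name__ == "__main__":
    # Same edit as the curl example above.
    url, body = build_patch("ORG", "ENV", "ACTION_NAME", {
        "deny": {"response_code": 404},
        "condition_config": {"ip_address_ranges": ["100.0.230.0"]},
    })
    print("PATCH", url)
    print(body)
```

The returned URL and body can be passed to curl or any HTTP client together with the Authorization and Content-Type headers shown above.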

Enable or disable a security action

The following examples show API calls to enable or disable security actions.

Enable a security action

To enable a security action, enter a command similar to the following:

curl -X POST "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions/ACTION_NAME:enable" \
       -H "Authorization: Bearer $TOKEN"

This returns a response like the following:

{
      "name": "ACTION_NAME",
      "state": "ENABLED",
      "createTime": "2022-12-29T18:27:31Z",
      "updateTime": "2023-01-03T23:19:26.650965481Z",
      "conditionConfig": {
        "ipAddressRanges": [
          "100.0.220.0",
          "200.0.0.0"
        ]
      },
      "allow": {},
      "expireTime": "2028-01-01T00:00:00Z"
}

Disable a security action

To disable a security action, enter a command similar to the following:

curl -X POST "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions/ACTION_NAME:disable" \
       -H "Authorization: Bearer $TOKEN"

This returns a response like the following:

{
      "name": "actionallow",
      "state": "DISABLED",
      "createTime": "2022-12-29T18:27:31Z",
      "updateTime": "2023-01-03T23:13:04.874540001Z",
      "conditionConfig": {
        "ipAddressRanges": [
          "100.0.220.0",
          "200.0.0.0"
        ]
      },
      "allow": {},
      "expireTime": "2028-01-01T00:00:00Z"
}

Get or list security actions

The following examples show how to get or list security actions.

Get a security action

To get a security action, enter a command similar to the following:

curl -X GET "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions/ACTION_NAME" \
       -H "Authorization: Bearer $TOKEN"

This returns a response like the following:

{
      "name": "ACTION_NAME",
      "state": "DISABLED",
      "createTime": "2022-12-29T18:27:31Z",
      "updateTime": "2023-01-03T23:13:04Z",
      "conditionConfig": {
        "ipAddressRanges": [
          "100.0.220.0",
          "200.0.0.0"
        ]
      },
      "allow": {},
      "expireTime": "2028-01-01T00:00:00Z"
}

List security actions

To list all security actions, enter a command similar to the following:

curl -X GET "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions" \
       -H "Authorization: Bearer $TOKEN"
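
Once an environment holds several actions, a useful review step is to check whether the same address is covered by enabled actions of different types. The following Python check is an added example, not part of the Apigee documentation; it takes action objects shaped like the Get response above, and SAMPLE_ACTIONS, the action names, and the function names are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample, shaped like the Get response above (names are made up).
SAMPLE_ACTIONS = [
    {"name": "allow-partners", "state": "ENABLED", "allow": {},
     "conditionConfig": {"ipAddressRanges": ["100.0.220.0", "200.0.0.0"]}},
    {"name": "deny-scanner", "state": "ENABLED", "deny": {"responseCode": 404},
     "conditionConfig": {"ipAddressRanges": ["100.0.220.0"]}},
    {"name": "flag-old", "state": "DISABLED",
     "flag": {"headers": [{"name": "senseflag", "value": "flagvalue"}]},
     "conditionConfig": {"ipAddressRanges": ["200.0.0.0"]}},
]


def action_type(action):
    """Return which of allow/deny/flag the action object carries."""
    return next((k for k in ("allow", "deny", "flag") if k in action), None)


def networks(action):
    """Parse ipAddressRanges; a bare address becomes a /32 or /128 network.
    Assumption: CIDR entries, if present, are handled the same way."""
    ranges = action.get("conditionConfig", {}).get("ipAddressRanges", [])
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def find_conflicts(actions):
    """List (name_a, type_a, name_b, type_b, overlap) for ENABLED actions of
    different types whose address ranges intersect."""
    enabled = [a for a in actions if a.get("state") == "ENABLED"]
    findings = []
    for a, b in combinations(enabled, 2):
        if action_type(a) == action_type(b):
            continue
        for na in networks(a):
            for nb in networks(b):
                if na.version == nb.version and na.overlaps(nb):
                    narrow = na if na.prefixlen >= nb.prefixlen else nb
                    findings.append((a["name"], action_type(a),
                                     b["name"], action_type(b), str(narrow)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE_ACTIONS):
        print(finding)
```

Each finding is a pair of actions to review by hand; disabled actions are skipped, so re-enabling one can introduce a new overlap.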

Pause or resume security actions

The following examples show how to pause or resume security actions.

Pause all security actions

To pause all security actions, enter a command similar to the following:

curl -X PATCH "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActionsConfig" \
       -H "Authorization: Bearer $TOKEN" \
       -H "Content-Type: application/json" \
       -d '{"enabled": "false", "name": "organizations/ORG/environments/ENV/securityActionsConfig"}'

This returns a response like the following:

{
      "name": "organizations/ORG/environments/ENV/securityActionsConfig",
      "enabled": false,
      "updateTime": "2023-01-23T21:44:58.063807Z"
}

Resume paused security actions

To resume paused security actions, enter a command similar to the following:

curl -X PATCH "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActionsConfig" \
       -H "Authorization: Bearer $TOKEN" \
       -H "Content-Type: application/json" \
       -d '{"enabled": "true", "name": "organizations/ORG/environments/ENV/securityActionsConfig"}'

This returns a response like the following:

{
      "name": "organizations/ORG/environments/ENV/securityActionsConfig",
      "enabled": true,
      "updateTime": "2023-01-23T21:44:58.063807Z"
}

Delete security actions

To delete a security action, enter a command similar to the following:

curl -X DELETE "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions/ACTION_NAME" \
       -H "Authorization: Bearer $TOKEN"