Francois Boucher-Genesse asked

Can we deny Admin API method calls with API policies?

We're implementing the password recovery flow with a custom page on our website to change the password. We're using the Admin API ResetPassword to do this.

We're taking measures to secure the secret key on our website without it being visible in the browser client, but to be extra safe we would like to limit possible calls to other Admin methods we're not currently using.

We've been able to update the Client API policy using the Admin API UpdatePolicy. But so far we've had no luck restricting calls to the Admin API, testing with the ResetPassword method.

My current understanding is that the following policy should allow all Client/Server methods and restrict every Admin API method but GetPolicy and UpdatePolicy (in order to not lock us out of changing that policy down the road). Is the policy wrong, or is it just impossible to deny admin methods?

    [
        {
            "Resource": "pfrn:api--/Client/*",
            "Action": "*",
            "Effect": "Allow",
            "Principal": "*",
            "Comment": "The default allow all statement."
        },
        {
            "Resource": "pfrn:api--/Server/*",
            "Action": "*",
            "Effect": "Allow",
            "Principal": "*",
            "Comment": "The default allow all statement."
        },
        {
            "Resource": "pfrn:api--/Admin/UpdatePolicy",
            "Action": "*",
            "Effect": "Allow",
            "Principal": "*",
            "Comment": "Preserve our ability to call UpdatePolicy"
        },
        {
            "Resource": "pfrn:api--/Admin/GetPolicy",
            "Action": "*",
            "Effect": "Allow",
            "Principal": "*",
            "Comment": "Preserve our ability to call GetPolicy"
        }
    ]

1 Answer

Sarah Zhang answered

PlayFab API policy doesn’t support denying Admin API methods. You can use the following statement to deny all Client API calls.

    [
        {
            "Resource": "pfrn:api--*",
            "Action": "*",
            "Effect": "Deny",
            "Principal": "*",
            "Comment": "…"
        }
    ]

For your situation, we would suggest you use a secret key that can be disabled. Please check this documentation -- https://docs.microsoft.com/en-us/gaming/playfab/gamemanager/secret-key-management to learn more about secret key management.
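Since the policy cannot deny Admin methods, the restriction the question asks for has to live in the website backend instead. The following is an added example, not code from the thread or from PlayFab: a wrapper that can only ever issue Admin/ResetPassword, reads the secret key from the environment (a dedicated, revocable key as the answer suggests), and rejects any other Admin method before a request is built. The URL shape `https://<TitleId>.playfabapi.com/Admin/<Method>`, the `X-SecretKey` header and the `Token`/`Password` body fields are assumptions taken from the PlayFab REST documentation; the transport is injected so the logic runs offline.

```python
"""Added example (not PlayFab's code): backend-side allowlist for Admin API calls.

Assumed (not from the thread): PlayFab REST shape
https://<TitleId>.playfabapi.com/Admin/<Method>, secret key in the X-SecretKey
header, and ResetPassword body fields "Token" and "Password".
"""
import json
import os
from typing import Callable, Optional

# The only Admin method this service is ever permitted to issue.
ALLOWED_ADMIN_METHODS = frozenset({"ResetPassword"})


class AdminMethodNotAllowed(PermissionError):
    """Raised before any network call when a method is outside the allowlist."""


def build_admin_request(title_id: str, method: str, body: dict, secret_key: str) -> dict:
    """Return the request to send, or raise if `method` is not allowlisted.

    Enforced here because PlayFab API policy cannot deny Admin methods.
    """
    if method not in ALLOWED_ADMIN_METHODS:
        raise AdminMethodNotAllowed(f"Admin/{method} is not permitted by this service")
    return {
        "url": f"https://{title_id}.playfabapi.com/Admin/{method}",
        "headers": {"Content-Type": "application/json", "X-SecretKey": secret_key},
        "body": json.dumps(body),
    }


def reset_password(
    title_id: str,
    token: str,
    new_password: str,
    send: Callable[[dict], dict],
    secret_key: Optional[str] = None,
) -> dict:
    """Redeem a password-reset token via Admin/ResetPassword.

    The secret key comes from the environment (a dedicated key that can be
    disabled independently of the main key), never from the browser client.
    PLAYFAB_RESET_SECRET_KEY is a hypothetical variable name.
    """
    key = secret_key if secret_key is not None else os.environ["PLAYFAB_RESET_SECRET_KEY"]
    body = {"Token": token, "Password": new_password}
    return send(build_admin_request(title_id, "ResetPassword", body, key))
```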

1 comment

Francois Boucher-Genesse commented ·

Understood, we will indeed use another secret key for this in case it gets compromised. Thanks for the quick answer Sarah.
