Add restricted api video

[julianleonard123]

Adding this video to public docs for Restricted API access configuration: https://www.youtube.com/watch?v=IQE1VGzvVpI

[vercel]

@julianleonard123 is attempting to deploy a commit to the Authzed Team on Vercel.

A member of the Team first needs to authorize it.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Feb 12, 2025 3:44pm

[jzelinskie]

@julianleonard123 can you copy and paste the fgam config you use in the video into this thread? thanks

[julianleonard123]

@jzelinskie config used:

apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata: 
  name: dev                                #Change optional: you can change this name, but be mindful of your dispatch TLS certificate URL and service selector
  namespace: spicedb
spec:
  config:
    image: 290266275315.dkr.ecr.us-east-1.amazonaws.com/spicedb-enterprise:v1.39.1-enterprise.v1
    envPrefix: SPICEDB_ENTERPRISE
    cmd: spicedb-enterprise
    extenderEnabled: authzed-fgam
    extenderAuthzedFgamEndpoint: "/etc/config/fgam/fgam.yaml"
    imagePullPolicy: "Always"
    datastoreEngine: postgres                          
    replicas:  2                           #Change optional: at least two replicas are required for HA           
    tlsSecretName: spicedb-le-tls
    dispatchUpstreamCASecretName: dispatch-root-secret
    dispatchClusterTLSCertPath: "/etc/dispatch/tls.crt"
    dispatchClusterTLSKeyPath: "/etc/dispatch/tls.key"
  secretName: dev-spicedb-config
  patches:                                
  - kind: Deployment
    patch:  
      spec:
        template:
          spec:
            containers:
            - name: spicedb
              volumeMounts:
              - name: custom-dispatch-tls
                readOnly: true
                mountPath: "/etc/dispatch"
              - name: fgam-config
                readOnly: true
                mountPath: "/etc/config/fgam"
            volumes:
            - name: custom-dispatch-tls
              secret:
                secretName: dispatch-root-secret
            - name: fgam-config
              secret:
                secretName: fgam-config
---
apiVersion: v1
kind: Secret
metadata:
  name: dev-spicedb-config
  namespace: spicedb
stringData:
  preshared_key: "averysecretpresharedkey" #Change: this is your API token definition and should be kept secure. 
  datastore_uri: "postgresql://postgres:usZQLm%21%3A~%296o%29.5d~6p9%239%5D0P%[email protected]:5432" #Change: this is a Postgres connection string
---
apiVersion: v1
kind: Secret
metadata:
  name: fgam-config
  namespace: spicedb
stringData:
  fgam.yaml: |
    role:
    - id: "admin"
      permission:
        authzed.v1/ReadSchema:              ""
        authzed.v1/WriteSchema:             ""
        authzed.v1/ReadRelationships:       ""
        authzed.v1/WriteRelationships:      ""
        authzed.v1/DeleteRelationships:     ""
        authzed.v1/CheckPermission:         ""
        authzed.v1/CheckBulkPermissions:    ""
        authzed.v1/ExpandPermissionTree:    ""
        authzed.v1/LookupResources:         ""
        authzed.v1/LookupSubjects:          ""
        authzed.v1/ImportBulkRelationships: ""
        authzed.v1/ExportBulkRelationships: ""
        authzed.v1/Watch:                   ""
    - id: "schemaWriter"
      permission:
        authzed.v1/ReadSchema:              ""
        authzed.v1/WriteSchema:             ""
    - id: "checkPermissions"
      permission:
        authzed.v1/CheckPermission:         "CheckPermissionRequest.resource.object_type==\"doc\""
        authzed.v1/CheckBulkPermissions:    ""
        authzed.v1/LookupResources:         ""
        authzed.v1/LookupSubjects:          ""
    - id: "relationshipWriter"
      permission:
        authzed.v1/ReadRelationships:       ""
        authzed.v1/WriteRelationships:      ""
        authzed.v1/DeleteRelationships:     ""
    service_account:
      - id: "my_admin_account"
        token:
          - id: "token_01"
            hash: "7d7cf2b7e5ee6ca575b2dc7ba1819cf7fdbb44057d803cdb985e4b1994d25f1f"
          - id: "token_02"
            hash: "8b8fc29cab9421b071461e5b0986adc99e21187be1c66997181ecf076eb27566"
      - id: "my_schema_writer_account"
        token:
          - id: "token_01"
            hash: "631741c4b8effa9ee63a6798fd9c068b772a44daafa778b8fb2676f9298d164f"
      - id: "my_permissions_check_account"
        token:
          - id: "token_01"
            hash: "c48e3bb15279a1df8030e81828af71c202130774d65eb762fc35fab994338258"
      - id: "my_relationship_writer_account"
        token:
          - id: "token_01"
            hash: "ea199fbaee6c99fab2402f99797f41083218acf4f41163fc4f5c9bd9b234619c"
    policy:
      - id: "admin_policy"
        principal_id: "my_admin_account"
        principal_type: "service_account"
        roles:
          - "admin"
      - id: "schema_writer_policy"
        principal_id: "my_schema_writer_account"
        principal_type: "service_account"
        roles:
          - "schemaWriter"
      - id: "permissions_check_policy"
        principal_id: "my_permissions_check_account"
        principal_type: "service_account"
        roles:
          - "checkPermissions"
      - id: "relationship_writer_policy"
        principal_id: "my_relationship_writer_account"
        principal_type: "service_account"
        roles:
          - "relationshipWriter"