Limit access to Cumulocity Microservice REST API

Hi Guys,

I have several Java microservices running on Cumulocity.
Most of the services are accessible by other external services and that is fine. But I have one service - which is used by the other services - for which the REST API it provides should not be accessible from “outside” of Cumulocity.

For example:
c8y.MicroServiceA ----> c8y.ManagementService … access ok
c8y.MicroServiceB ----> c8y.ManagementService … access ok
ExternalService --X--> c8y.ManagementService … no access
Postman Client --X--> c8y.ManagementService … no access

ManagementService is accessible by other services from “inside” the Cumulocity platform but not accessible for external services/clients.
Is this possible?

Thanks!
Best Regards,
Florian

To be honest, I am not sure if I understood your query fully… However, you can play around with the users and roles related to the microservice to see if it helps.
There are three types of users:

  • Tenant user: The user that invokes a microservice through its REST API endpoints /service// passed through by the proxy.
  • Service user: A generated user that allows a microservice to access a subscribed tenant independent of a REST API invocation, e.g., for initialization or regular jobs.
  • Microservice bootstrap user: A user passed to the microservice for requesting subscribed tenants and service users.

The following role types are defined for users:

  • Required roles: The roles that are predefined to allow access to Cumulocity IoT REST APIs. For instance, if a microservice creates measurements using the service user, the measurement admin role must be added as a required role of the application. Required roles are added to the service users.
  • Roles: The custom roles provided to tenant platform users by the microservice developer. These roles can be assigned to or revoked from the tenant platform users or groups using the Administration application.

The roles are set in the Microservice manifest.
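
One way the custom roles described above can gate an endpoint, as an added example that is not part of the original thread or of any Cumulocity project code. It assumes a Spring-based Java microservice with method security enabled; the class name, the role `ROLE_MANAGEMENT_SERVICE_USE`, the `/config` path and the returned values are hypothetical.

```java
// Added example. Hypothetical names: ManagementController,
// ROLE_MANAGEMENT_SERVICE_USE, the /config path and the returned values.
//
// Manifest fragment for this service. "roles" declares the custom role that
// can then be assigned to tenant users or groups; "requiredRoles" is what this
// service's own service user receives:
//   "requiredRoles": ["ROLE_INVENTORY_READ"],
//   "roles": ["ROLE_MANAGEMENT_SERVICE_USE"]

import java.util.Collections;
import java.util.Map;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ManagementController {

    // Assumption: method security is enabled for the application, so Spring
    // Security evaluates this expression before the method body runs.
    // An authenticated caller whose user does not hold the role is rejected
    // with 403 Forbidden and never reaches the handler.
    @PreAuthorize("hasRole('ROLE_MANAGEMENT_SERVICE_USE')")
    @GetMapping("/config")
    public Map<String, String> config() {
        // Placeholder payload standing in for the management data.
        return Collections.singletonMap("mode", "example");
    }
}
```

Declaring the role in the manifest does not restrict anything by itself; the check on the endpoint is what denies callers that were never granted the role.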