Imagine a use case where multiple REST APIs (pure API with no UI) are deployed using Cloud Run or Cloud Functions. Each API:
is unique and for a specific outside client, which will use it for various unknown purposes.
needs to be secured so that it can only be used by the corresponding client.
The APIs need to be available via the same custom domain, e.g.:
api.example.com/client_1
api.example.com/client_2
The clients are potentially many, so any solution must be possible to automate programmatically.
Is there a good approach for achieving this using GCP? I understand that an API Gateway along with Load Balancing can be used to achieve availability via a custom domain. However, I’m not sure how to best tackle the security part. Using API keys seems like an option, but IIUC each key would have access to all APIs encapsulated by the Gateway in that case. Also, I’m not sure if the API keys can be created programmatically in a straightforward manner using one of the GCP client libraries.
Are there better options I’m missing?
Using API Gateway for your use case might not be the best possible option, the reason being the section of GCP documentation below:
Custom domain names are not supported for API Gateway. If you want to customize the domain name, you have to create a load balancer to use your custom domain name and then direct requests to the gateway.dev domain of your deployed API.
This might in turn increase the costs for your application.
So, I would suggest creating your REST APIs via Node.js and deploying them on Cloud Run. Cloud Run supports canonicalizing DNS names.
NOTE: It is still not supported in every region, so you might want to be thoughtful about that with respect to your latency issues.
Coming to the part of securing your APIs, the steps below can be followed:
You can create API keys and configure your API to accept these keys via header/query params.
To create your application's API key you can follow the Google document:
https://support.google.com/googleapi/answer/6158862?hl=en
https://medium.com/swlh/secure-apis-in-cloud-run-cloud-functions-and-app-engine-using-cloud-endpoints-espv2-beta-b51b1c213aea
You can create multiple APIs using the same domain even without using Load Balancers and complex coding by using OpenAPI. This document outlines the procedure for creating multiple APIs using subdomains in GCP. There are multiple ways of applying authentication to your OpenAPI; follow this documentation for enabling authentication in OpenAPI. Hope this might help you.
I’m trying to pick up API gateway.
What are the different use cases for ALB vs API Gateway? I’ll be honest to say that I am not completely familiar with the concept of an API. I know we can invoke it backend, and the analogy that it’s a restaurant menu. However, beyond that, I am not clear what the difference is. Is it that applications using ALB have a user interface, but not API Gateway? I tried reading through documentation on the features, but got even more lost. As such, I am hoping someone can share the use cases for both services so that I can visualise what it’s used for and the reason for the features. Thanks!
API GW is focused on APIs and has some additional options, e.g. API definition via Swagger, execution of a Lambda function, converting the call to an EventBridge event, support of authenticators (IAM, Cognito), multiple deployment stages etc.
The load balancer listens on a port and that's about it.
Q: In what cases would you require these API GW features as opposed to just using an ALB?
A: One obvious benefit is being serverless or "low code". Let's say you want an API which processes asynchronous requests.
It is possible to create an API endpoint which queues all incoming requests to an SQS queue with just one AWS CLI command and no programming (provided the resources do exist):
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-aws-services.html
Each API endpoint can be served by a different AWS resource including EC2/ALB.
ALB is well suited for things like traditional monolithic applications (LAMP, Java application servers etc.)
Am I able to define a pre-generated api gateway url for my serverless application?
Currently there are two applications already made that have their own URL, which was generated with CloudFormation. The new application is using the Serverless Framework.
The client asked that I reuse the one that was generated for the other two applications on mine to extend the amount of endpoints over having its own url.
It’s not a custom URL that uses a CNAME, just a straight generated API Gateway one they would like me to piggyback off of.
Sadly you can't do that with AWS-provided URLs. The only way to join several APIs under a single URL domain is to use custom domains. Then you can hook up multiple APIs to one domain, e.g. api.mydomain.org, api2.mydomain.org.
I'm trying to create an external API using AWS API Gateway that will give users access to data stored in multiple databases. The APIs will mostly be accessed through scripts rather than through a web UI.
Are there any AWS services I can use to manage user access to my API?
I've read a little bit about Amazon Cognito and OAuth 2 but at a glance it seems like those might be more targeted towards cases with a UI for users to interact with. Is there a way to create and manage API keys with AWS?
Thanks in advance for your help!
You can use an API Gateway Lambda Authorizer to write your custom login integration. For example, a Lambda that checks in a database whether the user:password (passed as the Authorization header) exists in a table in DynamoDB or SQL.
As far as I understand, there are only three ways to access AWS resources:
Management Console (browser)
AWS CLI
AWS SDK (in various programming languages)
However, why did AWS not provide REST APIs and their reference documentation so that we can interact with AWS resources directly using a REST client like Postman?
I think they are using REST APIs behind the scenes (All the above three interactions actively use REST API I guess).
Thanks in advance.
There is REST API documentation available as well. It's just that AWS officially encourages the use of more abstract methods such as using the CLI and SDK, since they are easier to use and are maintained by AWS.
Also, using the SDK or CLI is encouraged because they are perfectly interfaced with the AWS REST API, with extensive testing covering all cases. And you don't need to focus on stuff like what headers you need to attach or what the request body format should be. Users can focus on writing their own business logic.
The only source I could find for documentation of the REST API is the official docs, which I have linked below. Since direct use of the REST API is not preferred, there are no commonly available tutorials. I don't think there is anything extra which can be accomplished using the REST API that the CLI or SDK doesn't already offer.
A more practical example would be the AWS S3 CLI. It has a lot of underlying implementation which speeds up the process of uploading and downloading, like establishing 10 network connections in parallel to utilize the complete network bandwidth etc. This you would have to implement yourself if you are directly using the API.
Some Examples:
S3 REST API
EC2 REST API
Similarly there is API documentation available for every service.
Is it that Cloud Endpoints enables the implementation of a REST API?
It looks like it is possible to create a REST API by just using Flask to handle different methods (GET, POST, PUT, etc.), so where exactly does Cloud Endpoints meet REST API?
Or, perhaps it is that Cloud Endpoints lets you create your own API service that can be consumed by many apps by providing them their own client ID + client secret?
I am trying to demystify what exactly is scope of usage of Cloud Endpoints.
Cloud Endpoints is an ESP, which means that it is a proxy between your APIs (REST or gRPC) and the rest of the world.
This endpoint allows you to expose a clean interface, and the underlying implementation can be a mess. You can define endpoints and route queries to different implementations: functions, VMs, Cloud Run, App Engine,.... And even on other clouds!
You can manage authentication (especially API keys), rate limits, logging, tracing,...
And you can transform a query into another one (change param names, add default values,...)
It's very powerful and based on OpenAPI (Swagger).
For example, it allows you to expose a service and to migrate it piece by piece transparently.
The best level is Apigee, but it's expensive!!