We want to provide our API services through the Gcloud Endpoints. Our customers have to generate an API key in order to integrate our API into their project.
Is there a way to generate the Gcloud api key via an interface? How can I assign rights for an api key via an Gcloud-API?
Unfortunately, GCP currently has no API for programmatic provisioning / access of API Keys.
As mentioned by Andrew, currently it’s not possible to create or manage API keys programmatic or using gcloud, but there’s a request to add this functionality, you can track the progress of this request or post your comments on it, but keep in mind that there's no ETA or guarantee that it will be implemented.
Related
I am building a multi-tenancy SaaS with AWS (Cognito, API Gateway, Amplify). I am planning to create API keys/secrets for my tenants and trying to figure out the whole process. However, I could find a clear document from AWS.
So I use custom-attribute-based multi-tenancy with Cognito. 2 questions here:
What is the best practice to manage API keys/secrets for each tenant? It seems I have to create the key pairs and store them in the database all by myself. I am wondering if there are some services that could help.
What is the best practice to verify the keys/secrets? For now, I guess I have to implement the customized authorizer myself to verify the keys.
For the first query, you can simply story API keys/secrets in the AWS SSM - System manager parameter store as secret text and whenever value is required simply call SSM parameter store api to get that value at runtime.
https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html
Now for the second point, I believe you are not required to explicitly write logic to verify any API keys/secrets as if a user uses an incorrect key they will get invalid key/secret or unauthorized exception directly from API Gateway and Cognito service calls.
I'm trying to create an external API using AWS API Gateway that will give users access to data stored in multiple databases. The APIs will mostly be accessed through scripts rather than through a web UI.
Are there any AWS services I can use to manage user access to my API?
I've read a little bit about Amazon Cognito and OAuth 2 but at a glance it seems like those might be more targeted towards cases with a UI for users to interact with. Is there a way to create and manage API keys with AWS?
Thanks in advance for your help!
You can use API Gateway Lambda Authorizer to write your custom login integration. For example a lambda that check in one Database if the user:password (passed as authorization header) exists in table in DynamoDB or SQL.
Is it possible to create google API KEY programmatically?
I did see the above question but I wanted to verify its functionality for my use case. I have a REST api deployed to Google App Engine that I want to introduce some api key mechanism for external users. I'm not making a website where I would just be trying to make sure it's only my code talking to my code from front-end to back-end, it's a public api that anyone with valid credentials is able to access.
Google Cloud Endpoints will only authenticate api keys generated through GCP, so my thinking goes that if it's possible to create a service account and associated ServiceAccountKey via http request, then it could be plausible to generate api keys (service account keys) for any prospective user by generating a service account per user and then giving them the relevant private key that will allow them to authenticate through Cloud Endpoints (jwt signing?).
It sounds like a good plan to me but in all likelihood I'm missing something that makes this a terrible idea. Thoughts? Has this been done before/proven?
TL;DR: Wrong way
First, API Key on GCP can only authenticate GCP Project, not user or service account.
Then, a service account key file is not an API Key. It's a secret identity that you can use for generating an OAuth2 JWT token (identity token) according with the Oauth2 flow. This identity token can be provided for an authentication (and it's valid only 1H)
In addition, you are limited to 100 service accounts per project, and the meaning of a service account is to authenticate app, not user. If you want to authenticate user, I recommend you to have a look to Cloud Identity Platform
Finally, API key generation has evolved very recently (about 1 month) and .... I would like to find the doc again, but it's a dead link. Maybe that the beta is not ready yet.
Note: Maybe the answer that I performed here (just now) can help you?
I am new user to GCP. I starting to implement an application that is going to use GCP API. In order to authenticate to API I've created service account and stored it in file.
In official documentation it is written that auth file can be assigned to environment variable: GOOGLE_APPLICATION_CREDENTIALS
I would like to make a request to google API from my http client (let's say Postman) and to use this file for authentication.
Is it possible at all or I suppose to use GCP client in order to make HTTP requests?
Yes, you can create an authenticate API key, and use that API key to call GCP API. Here is the doc for Creating and Using API key.
Also, you need to be careful not to expose your API keys to the public, like Github. Because we have seen many people just write their API key directly in the code and expose to the public.
As you said, you would like to use the API key in HTTP request, maybe you should add restrictions to your keys.
Here are some best practices that Google provided, hope this helps!
I have several questions about WSO2 API Manager that I am not able to figure out reading the documentation:
Is it possible to setup a "default" basepath for all API? for example if I have to switch my endpoints from localhost:8080/rest/myapi to 12.43.56.89:8080/rest/myapi is it possible to do it without editing any single API's enpoint?
Is it possible to create create a role which allows access only to sandbox endpoint but not to production endpoint? The only way to do this, as far as I know, is to manually block the access to production once the user has subscribed the API. My idea is to allow all users to access the sandbox but enable only trusted users to access the production APIs once their applications have been validated.
Is it possible to distribute several instances of the AM Gateway? Accordingly with documentation it seems that is only possible to run gateway, store, and publisher+keymanager on different servers but not to run multiple instance of the gateway in parallel.
Thank you!
1) You can use a variable for endpoint base path like this.
http://{uri.var.host}:{uri.var.port}/apis/weather
These variables can be taken from system variables. See this for how to do it.
2) You can use Key Generation (i.e. OAuth App Registration) Workflows for this. This will send a approval request to admin user. If you want to automate it to approve based in user roles or something, you can customize workflows.
3) You can have multiple gateways.