Google Cloud Platform Api Gateway
github repo --> here
What is API Gateway?
As per the documentation, Api gateway is a fu...
For further actions, you may consider blocking this person and/or reporting abuse
Great article @amammay ,
I am trying to accomplish something similar but with an API key approach. I followed similar steps and changed the openapi yml to use API key as the security definition. Unfortunately, I keep getting 403 errors even after I created an API key with no restrictions. Would you have some tips when integrating API Gateway with API keys on Cloud Run? Appreciate your help
Yea sure thing! ill dig into it, and write up a post about it 😀
@rhernand3z after doing a bit of digging the main thing i could see you having problems with api key auth is to make sure you have this in your security definition
and in addition to create the api key entry for
API_ID specifies the name of your API.
PROJECT_ID specifies the name of your Google Cloud project.
gcloud services enable API_ID.apigateway.PROJECT_ID.cloud.googi believe you still need to run that command even if your api key is set to unrestricted to create the entry in GCP behind the scenes.
Hey Alex,
I'll give this a shot, I didn't execute the last step via
gcloud services enable..., might have been the culprit. Thanks for digging into this 👍Hey @amammay -- I was able to get it working properly. You were right the culprit was not executing:
gcloud services enable ...Thanks for your help and a great article!
Hi Alex @amammay ! Thank you for the article! It's good to see that the google product is starting to get traction because there's still missing some documentation around it. I have a case where I am trying to use two security methods: api-key OR firebase. But whenever I place the firebase authentication, it only works with that one. Any pointers to solve this?
securityDefinitions:
api_key:
type: "apiKey"
name: "x-api-key"
in: "header"
firebase:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
# Replace YOUR-PROJECT-ID with your project ID
x-google-issuer: "securetoken.google.com/YOUR-PROJEC..."
x-google-jwks_uri: "googleapis.com/service_accounts/v1..."
x-google-audiences: "YOUR-PROJECT-ID"
schemes:
If I use firebase it works, but if I use api-key it says:
{
"message": "Jwt is missing",
"code": 401
}
hmmm that is quite interesting, it seems as your swagger definition looks good. Ill have to give it a try and see if it produces similar results
@amammay So... i've tried recreating the gateway, changing different alternatives of security order but nothing. I've created a bug in their issue tracker but I think it will take some time to fix...
issuetracker.google.com/issues/186...
There doesn't seem to be a lot of help around this online, thank you for your post.
I have a question around verifying the token, I am using NodeJS.
I am able to get the User information out of 'X-Apigateway-Api-Userinfo' - I am not sure if I need to use the Admin SDK to verify this Token, or whether I now just pull out the information, like you do, and trust the token has been verified - is that right?
Yea, you should be able to pull the base64 encoded token straight from X-Apigateway-Api-Userinfo. Once you grab the header you should be to do base64 decode on it and it will have the correct json stucture
Hi Alex, Nice article @amammay
I've a cloud run in private mode with only authenticated users enabled, I'm not sure how'd I authenticate with firebase and where do you get the token from? As per other documents it looks like you need another layer for authentication and this model won't work in case cloud run is private and no-allow-unauthenticated and since cloud run supports IAM what'd be the use of this in that case?
@techd1984 sorry for getting back to you late, but the overall flow is like so
your web app (managing your users with the firebase js sdk for them to sign in etc.) get their firebase auth token --- http call with auth in header ---> api gateway (api gateway contains the auth definition to say to use firebase auth to verify access to the endpoint specified in the yaml file --- api gateway proxies request to your cloud run endpoint using service account credentials ---> your private cloud run endpoint.
this allows you to make sure native GCP iam is used to access the raw cloud run url, and only a subset of your endpoints is exposed to your users with firebase auth. As for auth with firebase... check out this video to get some more context around firebase youtube.com/watch?v=9kRgVxULbag at the end of the day you would just be calling api gateway with your end users tokens.
I have a question, how can we change the url of the gateway api for our custom domain. And what is the difference with Google Cloud Endpoints?
Hi, if the requests are unauthenticated, will they still be passed to our services (App Engine)? I am afraid of getting a huge bill due to DDOS attack. Thank you.
The requests will not be forwarded to the target endpoint if the auth is missing (as long as you have auth strictly defined within your open api spec).