This context provides a tutorial on managing serverless APIs with API Gateway in Google Cloud Platform (GCP), including developing, deploying, securing, and managing APIs.
Abstract
The tutorial begins with an introduction to Google Cloud API Gateway, a fully managed service that simplifies the creation, publication, maintenance, monitoring, and security of APIs. The architecture involves creating an app with three different services: Cloud Functions, Cloud Run, and App Engine Standard environment, with API Gateway acting as a proxy service. The tutorial covers setting up the environment, deploying secured backend services, and deploying an API on API Gateway. It also includes enabling required services, creating an API, creating an API config, enabling the API, creating a gateway, and testing the API routes. The tutorial concludes with securing access by using an API key and bearer auth token.
Deploying an API on API Gateway: enabling required services, creating an API, creating an API config, enabling the API, creating a gateway
Testing API routes
Securing access by using an API key and bearer auth token
Tracking API activity
Conclusion: API Gateway vs Cloud Endpoints
References: Secure APIs in Cloud Run, Cloud Functions and App Engine Using Cloud Endpoints ESPv2 (Beta), Quickstart: Deploy an API on API Gateway using the gcloud command-line tool
In Google Cloud Next 2020, new API management service has been introduced. Google Cloud API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor and secure APIs. It acts as “Front Door” for an application deployed on backend service like Cloud Functions, Cloud Run and App Engine, Compute Engine and Google Kubernetes Engine.
In this tutorial, we are going to deploy Employee APIs endpoints in Cloud Function, Cloud Run and App Engine Standard environment with front end proxy by API Gateway. These APIs will be secured with API Keys and Oauth2 Bearer Token.
# openapi-definition.yamlswagger:"2.0"info:title:my-apidescription:Serverless APIs with API Gatewayversion:1.0.0schemes:-httpsproduces:-application/jsonpaths:/employee/{employee_id}:get:summary:Get an EmployeeoperationId:getEmployeex-google-backend:address:https://us-central1-api-gateway-289215.cloudfunctions.net/employee #Replace with Cloud Function URLprotocol:h2parameters:-name: employee_idin:pathdescription:Employee Idrequired:truetype:stringresponses:'200':description:A successful responseschema:type:stringdelete:summary:Delete Employee using Google App Engine service.operationId:deleteEmployeex-google-backend:address:https://api-gateway-289215.uc.r.appspot.com/ #Replace with your Google App Engine Servicepath_translation:APPEND_PATH_TO_ADDRESSparameters:-name: employee_idin:pathdescription:Employee Idrequired:truetype:stringresponses:'200':description:A successful responseschema:type:string/employee:post:summary:Add Employee using Cloud Run ServiceoperationId:add_update_employeex-google-backend:address:https://employee-r3t4hr3y3a-uc.a.run.app #Replace with your Cloud Run Service.path_translation:APPEND_PATH_TO_ADDRESSparameters:-name: employeein:bodydescription:Employee to be Addedschema:$ref:'#/definitions/Employee'responses:'200':description:A successful responseschema:type:stringdefinitions:Employee:type:objectrequired:-id-firstname-lastnameproperties:id:type:stringfirstname:type:stringlastname:type:string
This will give you defaultHostname: GATEWAY_ID-hash.uc.gateway.dev
API Gateway Authorization
We have deployed three services and an API gateway.
Now we need to give authorization to API gateway so that that it will be able to access resources in services.
Gateway endpoint service is deployed using backend-auth-service service account.
Cloud Run
As describe previously, a private Cloud Run service can be reached by authenticated user with roles/run.invoker. So, let’s grant this role to the backend-auth-service service-account.
Like for Cloud Run, and as described previously, a private Cloud Functions service can be reached by authenticated user with roles/cloudfunctions.invoker.
UNAUTHENTICATED:Methoddoesn'tallowunregisteredcallers(callers without established identity). PleaseuseAPIKeyorotherformofAPIconsumeridentitytocallthisAPI.
Creating API Key
For reaching the service, you have to use an API Key. For this you have to create one in Google Cloud console.
Go to API & Services and select Credentials. Click on Create credentialsand select API Key.
Because of the low level of security of an API Key, the best practice is to restrict the key.
Edit the key (click on the pencil), under API restrictions, click on Restrict key and, in the drop down list, only check your API Name.