Securing Cloud Endpoints (ESPv2) API Service to Service and Developer Auth'n


Erik Gomez

Jan 8, 2021, 2:31:32 PM
to api-gate...@googlegroups.com, Salmaan Rashid, Preston Holmes
A customer is trying to architect a Cloud Endpoints (ESPv2) solution for 2 use-cases across a collection of ~400 APIs defined via OpenAPI specs.

ex. https://pricing.acme.com/api/v1 OR https://apis.acme.com/api/v1/pricing

They currently use API Keys issued to each API Consumer, be they SWE/developer or another API service.
We are hoping to migrate them away from API Keys and use JWTs or GCP ID token auth'n.

The API consumers in scope are currently deployed using k8s within on-premise, AWS, and GKE environments.

The API providers in scope will be deployed using GKE, likely behind GCLB (https) for global public access.


1. The first use-case: How best to securely auth'n and auth'z API service to service w/o GCP Service Accounts

2. The second use-case: How best to securely auth'n and auth'z SWE/developer access to said API services, again w/o GCP Service Accounts

I'm hoping we can use GCP Workload Identities for k8s service accounts and create GCP IAM Role bindings to use the Cloud Endpoints defined API Service.

So my questions are:

1. Do docs exist for patterns or architectures addressing both use-cases? If so, please point me to them.
2. Am I missing other options that you might recommend?

Thanks,

Erik

Erik Gomez | Cloud Solutions Architect | e...@google.com +1-808-372-3745
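Added example (not from the post or from Google's own documentation): an OpenAPI 2.0 fragment showing how ESPv2 is configured to accept JWTs instead of API keys for the kind of API named above. The `x-google-issuer`, `x-google-jwks_uri` and `x-google-audiences` extensions are real ESPv2 extensions; ESPv2 checks the signature against the issuer's JWKS plus the `iss`, `aud` and `exp` claims. The first definition covers the service-to-service case with Google-issued ID tokens (the route a GKE workload takes via Workload Identity; the token still carries a service-account identity in its `email` claim). The second covers developer access with tokens from a corporate identity provider; its issuer and JWKS URL are placeholders. The host, title and path are assumed from the post's example URL.

```yaml
swagger: "2.0"
info:
  title: pricing-api            # constructed name
  version: "1.0.0"
host: apis.acme.com             # from the post's example URL
schemes:
  - https
securityDefinitions:
  # Service-to-service: Google-signed ID tokens (RS256) validated against
  # Google's published JWKS; only tokens minted for this audience are accepted.
  google_id_token:
    type: oauth2
    flow: implicit
    authorizationUrl: ""
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    x-google-audiences: "https://apis.acme.com/api/v1/pricing"
  # Developer access: JWTs from a corporate IdP. Issuer and JWKS URL are PLACEHOLDERS.
  corporate_idp:
    type: oauth2
    flow: implicit
    authorizationUrl: ""
    x-google-issuer: "https://idp.example.com"
    x-google-jwks_uri: "https://idp.example.com/.well-known/jwks.json"
    x-google-audiences: "https://apis.acme.com/api/v1/pricing"
paths:
  /api/v1/pricing:
    get:
      operationId: getPricing
      # Two entries in the list mean either scheme is accepted (OR semantics);
      # a request with no valid JWT for one of them is rejected at the proxy.
      security:
        - google_id_token: []
        - corporate_idp: []
      responses:
        "200":
          description: Price list
```

Pinning `x-google-audiences` to the API's own URL matters: without it a token minted for any other Google-fronted service would pass the issuer check. ESPv2 only establishes that the caller holds a valid token from a trusted issuer for this audience; deciding which authenticated identity may call which operation still has to happen in the backend, which receives the validated claims in the `X-Endpoint-API-UserInfo` header ESPv2 forwards.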

Marian Diaconu

Mar 30, 2021, 10:07:31 AM
to api-gateway-users
Seems like they don't like to answer for free D: