A customer is trying to architect a Cloud Endpoints (ESPv2) solution for 2 use-cases across a collection of ~400 APIs defined via OpenAPI specs.
They currently use API Keys issued to each API consumer, whether a SWE/developer or another API service.
We are hoping to migrate them away from API Keys and use JWTs or GCP ID token auth'n.
The API consumers in scope are currently deployed using k8s within on-premise, AWS, and GKE environments.
The API providers in scope will be deployed using GKE, likely behind GCLB (https) for global public access.
1. The first use-case: How best to securely authenticate and authorize API service-to-service calls without GCP Service Accounts
2. The second use-case: How best to securely authenticate and authorize SWE/developer access to said API services, again without GCP Service Accounts
I'm hoping we can use GCP Workload Identity for k8s service accounts and create GCP IAM role bindings to use the Cloud Endpoints-defined API service.
So my questions are:
1. Do docs exist for patterns or architectures addressing both use-cases? If so, please point me to them.
2. Am I missing other options that you might recommend?
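For reference, the following OpenAPI 2.0 fragment is an added example (not part of the original post and not the poster's own spec) of how an ESPv2-fronted API can accept Google-issued ID tokens instead of API keys. A GKE workload whose Kubernetes service account is bound to a GCP service account via Workload Identity, or a developer signed in with a Google account, can present such a token. The service name, project, audience string and path are hypothetical placeholders; the `x-google-issuer`, `x-google-jwks_uri` and `x-google-audiences` extensions are real ESPv2 settings.

```yaml
# Added example, not from the original post.
# host, audience and paths are hypothetical placeholders.
swagger: "2.0"
info:
  title: example-api
  version: "1.0.0"
host: example-api.endpoints.my-project.cloud.goog   # hypothetical Endpoints service name
schemes:
  - https
securityDefinitions:
  # Google ID tokens: issued to a GCP service account (for example one that a
  # GKE Kubernetes service account is mapped to via Workload Identity) or to a
  # developer's Google account. ESPv2 fetches the signing keys from the JWKS
  # URI and validates signature, issuer, expiry and audience before the
  # request reaches the backend.
  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    # Only tokens minted for this audience are accepted; a valid Google token
    # whose aud claim does not match is rejected at the proxy.
    x-google-audiences: "https://example-api.endpoints.my-project.cloud.goog"
paths:
  /v1/widgets:              # hypothetical path
    get:
      operationId: listWidgets
      # Requiring the scheme per operation means unauthenticated calls to this
      # path never reach the backend; operations without a security block
      # remain open, so audit every path in a large spec.
      security:
        - google_id_token: []
      responses:
        "200":
          description: OK
```

With this in place ESPv2 only authenticates the caller; it forwards the verified claims to the backend in the `X-Endpoint-API-UserInfo` header, so per-identity authorization (which service accounts or developers may call which operation) still has to be enforced by the backend or by splitting audiences per API.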