Securing Cloud Endpoints (ESPv2) API Service to Service and Developer Auth'n
112 views
Skip to first unread message
Erik Gomez
Jan 8, 2021, 2:31:32 PM1/8/21
to api-gate...@googlegroups.com, Salmaan Rashid, Preston Holmes
A customer is trying to architect a Cloud Endpoints (ESPv2) solution for 2 use-cases across a collection of ~400 APIs defined via openAPI specs.
ex. https://pricing.acme.com/api/v1 OR https://apis.acme.com/api/v1/pricing
They currently use API Keys issued to each API Consumer, be they SWE/developer or another API service.
We are hoping to migrate them away from API Keys and use JWTs or GCP ID token auth'n.
The API consumers in scope are currently deployed using k8s within on-premise, AWS, and GKE environments.
The API providers in scope will be deployed using GKE, likely behind GCLB (https) for global public access.
1. The first use-case: How best to securely auth'n and auth'z API service to service w/o GCP Service Accounts
2. The second use-case: How best to securely auth'n and auth'z SWE/developer access to said API services, again w/o GCP Service Accounts
I'm hoping we can use GCP Workload Identities for k8s service accounts and create GCP IAM Role bindings to use the Cloud Endpoints defined API Service.
So my questions are:
1. Do docs exist for patterns or architectures addressing both use-cases? If so, please point me to them.
2. Am I missing other options that you might recommend?
Thanks,
Erik
They currently use API Keys issued to each API Consumer, be they SWE/developer or another API service.
We are hoping to migrate them away from API Keys and use JWTs or GCP ID token auth'n.
The API consumers in scope are currently deployed using k8s within on-premise, AWS, and GKE environments.
The API providers in scope will be deployed using GKE, likely behind GCLB (https) for global public access.
1. The first use-case: How best to securely auth'n and auth'z API service to service w/o GCP Service Accounts
2. The second use-case: How best to securely auth'n and auth'z SWE/developer access to said API services, again w/o GCP Service Accounts
I'm hoping we can use GCP Workload Identities for k8s service accounts and create GCP IAM Role bindings to use the Cloud Endpoints defined API Service.
So my questions are:
1. Do docs exist for patterns or architectures addressing both use-cases? If so, please point me to them.
2. Am I missing other options that you might recommend?
Thanks,
Erik
| Erik Gomez | | Cloud Solutions Architect | | e...@google.com | | +1-808-372-3745 |
Marian Diaconu
Mar 30, 2021, 10:07:31 AM3/30/21
to api-gateway-users
Seems like they dont like to answer for free D:
Reply all
Reply to author
Forward
0 new messages