- Check for API Gateway Authentication Method
Ensure that Google Cloud API Gateway is configured to use an authentication method in order to validate incoming requests before passing them to your API backend.
Google Cloud API Gateway needs authentication to act as a security checkpoint. By validating requests with authentication methods such as API keys or JSON Web Tokens (JWTs), it prevents unauthorized access to your backend APIs, protects sensitive data, and can help mitigate potential attacks like DDoS or injection attacks.
Audit
To determine if Google Cloud API Gateway service uses an authentication method to secure access to your API backend, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.
03 Navigate to API Gateway console available at https://console.cloud.google.com/api-gateway/.
04 On the APIs listing page, click on the name (link) of the API Gateway API that you want to examine, available in the Name column.
05 Select the CONFIGS tab and click on the name of the API configuration associated with the selected API.
06 Select the CONFIG FILE tab and check the API configuration file (YAML format) for security and securityDefinitions blocks that define authentication methods such as API keys or JSON Web Tokens (JWTs). If the security and securityDefinitions blocks are not present in the API configuration file or their definitions are empty, the selected API Gateway API is not configured to use an authentication method to secure access to your API backend, allowing open access to the API.
07 Repeat steps no. 4 - 6 for each API Gateway API available in the selected GCP project.
08 Repeat steps no. 2 – 7 for each GCP project deployed within your Google Cloud account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:
gcloud projects list --format="table(projectId)"
02 The command output should return the requested GCP project IDS:
PROJECT_ID
cc-web-project-123123
cc-dev-project-112233
03 Run api-gateway apis list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the ID of each API Gateway API created for the selected project:
gcloud api-gateway apis list --project cc-web-project-123123 --format="table(NAME)"
04 The command output should return the fully qualified identifier for each API:
NAME: projects/cc-web-project-123123/locations/global/apis/tm-project5-api
NAME: projects/cc-web-project-123123/locations/global/apis/tm-map-app-api
05 Run api-gateway api-configs list command (Windows/macOS/Linux) with the ID of the API Gateway API that you want to examine as the identifier parameter and custom output filters to describe the ID of the API configuration associated with the selected API:
gcloud api-gateway api-configs list --api=projects/cc-web-project-123123/locations/global/apis/tm-project5-api --format="table(NAME)"
06 The command output should return the fully qualified identifier of the associated API config:
NAME: projects/cc-web-project-123123/locations/global/apis/tm-project5-api/configs/tm-project5-api-config
07 Run api-gateway api-configs describe command (Windows/macOS/Linux) with the ID of the API configuration that you want to examine as the identifier parameter and custom output filters to describe the API configuration's source file in YAML format:
gcloud api-gateway api-configs describe projects/cc-web-project-123123/locations/global/apis/tm-project5-api/configs/tm-project5-api-config --view=FULL --format="value(openapiDocuments[].document.contents)" | base64 --decode && echo
08 The command output should return the requested configuration file (YAML format):
swagger: '2.0'
info:
  title: Project5API
  description: Project5 API Gateway API
  version: 1.0.0
host: "cc-web-project-123123.gateway.dev"
x-google-endpoints:
  - name: "cc-web-project-123123.gateway.dev"
    allowCors: true
schemes:
  - https
produces:
  - application/json
paths:
  /directions:
    get:
      summary: Get Directions
      operationId: getDirections
      responses:
        '200':
          description: A successful response
          schema:
            type: string
      x-google-backend:
        address: https://project5service-123456789012.us-central1.run.app
Check the API configuration file returned by the api-gateway api-configs describe command output for security and securityDefinitions sections that define authentication methods such as API keys or JSON Web Tokens (JWTs). If the security and securityDefinitions sections are not present in the API configuration file or their definitions are empty, the selected API Gateway API is not configured to use an authentication method to secure access to your API backend, allowing open access to the API.
09 Repeat steps no. 5 - 8 for each API Gateway API created for the selected GCP project.
10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.
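The audit above ends with a manual read of the decoded OpenAPI document. The following Python script is an added example (not Cloud Conformity's or Google's tooling) that automates that read for OpenAPI 2.0 configs: it walks every operation, resolves the operation-level security requirement against the top-level one (an operation-level security: [] re-opens an otherwise protected API, which a quick grep for the security keyword misses), and checks that every referenced scheme exists in securityDefinitions. The spec_from_describe_json function assumes the JSON shape that gcloud api-gateway api-configs describe --view=FULL --format=json prints, with the document base64-encoded under openapiDocuments[].document.contents, which is the same field the page's value(...) format string reads. The sample specs are constructed here, modelled on the page's Project5 config.

```python
"""Audit an API Gateway OpenAPI 2.0 config for an authentication requirement.

Added example, not Cloud Conformity's or Google's tooling. Assumes the config
is the OpenAPI 2.0 ("swagger: '2.0'") document API Gateway consumes and that
`gcloud api-gateway api-configs describe ... --view=FULL --format=json`
carries it base64-encoded under openapiDocuments[].document.contents.
"""
import base64
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def unprotected_operations(spec):
    """Return one finding per operation that can be reached without
    satisfying a defined security scheme; an empty list means every
    operation requires authentication."""
    definitions = spec.get("securityDefinitions") or {}
    top_level = spec.get("security")  # None = absent, [] = explicitly none
    findings = []
    for path, item in (spec.get("paths") or {}).items():
        for method, operation in (item or {}).items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters" and vendor extension keys
            label = f"{method.upper()} {path}"
            # An operation-level `security` key overrides the top-level one, so
            # `security: []` on an operation re-opens it even when the API as a
            # whole is protected; a missing key inherits the top-level value.
            requirements = operation.get("security", top_level)
            if not requirements:
                findings.append(f"{label}: no security requirement")
                continue
            for requirement in requirements:
                if not requirement:
                    findings.append(f"{label}: empty requirement object names no scheme")
                for scheme in requirement:
                    if scheme not in definitions:
                        findings.append(f"{label}: scheme '{scheme}' is not in securityDefinitions")
    return findings


def has_authentication(spec):
    """True when the config has at least one operation and none is unprotected."""
    operations = [m for item in (spec.get("paths") or {}).values()
                  for m in (item or {}) if m.lower() in HTTP_METHODS]
    return bool(operations) and not unprotected_operations(spec)


def _parse_document(text):
    # PyYAML is used when installed; a JSON-encoded document parses without it.
    try:
        import yaml
        return yaml.safe_load(text)
    except ImportError:
        return json.loads(text)


def spec_from_describe_json(describe_output):
    """Decode the OpenAPI document from `api-configs describe --view=FULL --format=json`."""
    config = json.loads(describe_output)
    contents = config["openapiDocuments"][0]["document"]["contents"]
    return _parse_document(base64.b64decode(contents).decode("utf-8"))


# Constructed sample modelled on the page's Project5 config: backend only, no auth.
OPEN_SPEC = {
    "swagger": "2.0",
    "info": {"title": "Project5API", "version": "1.0.0"},
    "host": "cc-web-project-123123.gateway.dev",
    "paths": {"/directions": {"get": {
        "operationId": "getDirections",
        "x-google-backend": {"address": "https://project5service-123456789012.us-central1.run.app"}}}},
}
API_KEY_DEFINITION = {"api_key": {"type": "apiKey", "name": "key", "in": "query"}}

# The same API with the page's remediated config: api_key required on the GET.
SECURED_SPEC = {**OPEN_SPEC,
    "paths": {"/directions": {"get": {**OPEN_SPEC["paths"]["/directions"]["get"],
                                      "security": [{"api_key": []}]}}},
    "securityDefinitions": API_KEY_DEFINITION}

# Protected at the top level, but one operation opts out with `security: []`.
PARTIAL_SPEC = {**SECURED_SPEC,
    "security": [{"api_key": []}],
    "paths": {"/directions": {"get": {"operationId": "getDirections"},
                               "post": {"operationId": "postDirections", "security": []}}}}

# Constructed stand-in for the describe command's JSON output (document shipped
# as JSON rather than YAML so the sample parses without PyYAML).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"openapiDocuments": [{"document": {
    "path": "openapi-spec-file.yaml",
    "contents": base64.b64encode(json.dumps(SECURED_SPEC).encode()).decode()}}]})

if __name__ == "__main__":
    for name, spec in [("open", OPEN_SPEC), ("secured", SECURED_SPEC), ("partial", PARTIAL_SPEC)]:
        print(name, "OK" if has_authentication(spec) else unprotected_operations(spec))
    print("describe ->", has_authentication(spec_from_describe_json(SAMPLE_DESCRIBE_OUTPUT)))
```

To run it against a live config, pipe the describe command's --format=json output into spec_from_describe_json; a non-empty list from unprotected_operations is the finding to record for that API.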
Remediation / Resolution
To ensure that Google Cloud API Gateway service uses an authentication method to secure access to your API backend, perform the following operations:
As an example, the Remediation section provides instructions on how to implement the API key authentication method for an API Gateway REST API.
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.
03 Navigate to APIs & Services console available at https://console.cloud.google.com/apis/credentials.
04 In the main navigation panel, select Credentials, choose CREATE CREDENTIALS, and select API key to create the API key required for API Gateway authentication. Copy your new API key and choose CLOSE.
05 Navigate to API Gateway console available at https://console.cloud.google.com/api-gateway/.
06 On the APIs listing page, click on the name (link) of the API Gateway API that you want to configure, available in the Name column.
07 Select the CONFIGS tab, click on the name of the API configuration associated with your API, choose the CONFIG FILE tab, and save the existing OpenAPI definition (OpenAPI spec) to a YAML file.
08 Modify the YAML file to configure the API key authentication method for your API, using security and securityDefinitions, as shown in the example below:
swagger: '2.0'
info:
  title: Project5API
  description: Project5 API Gateway API
  version: 1.0.0
host: "cc-web-project-123123.gateway.dev"
x-google-endpoints:
  - name: "cc-web-project-123123.gateway.dev"
    allowCors: true
schemes:
  - https
produces:
  - application/json
paths:
  /directions:
    get:
      summary: Get Directions
      operationId: getDirections
      security:
        - api_key: []
      responses:
        '200':
          description: A successful response
          schema:
            type: string
      x-google-backend:
        address: https://project5service-123456789012.us-central1.run.app
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
09 Because your API configuration has been changed, you must replace the existing API gateway with a new one based on the modified OpenAPI definition file. Navigate back to your API page and choose CREATE GATEWAY from the top-right menu to create a new API gateway.
10 On the Create gateway setup page, perform the following actions:
- For API, select your API.
- For API Config, choose to create a new API configuration, upload the OpenAPI spec file modified at step no. 8, provide a display name for the new API config, and select the service account that will be used by the new API gateway.
- For Gateway details, provide a name for the new API gateway and select the appropriate location.
- Choose CREATE GATEWAY to create your new API gateway.
11 Update your application to use the new, secure API gateway.
12 (Optional) You can now delete the old, non-compliant API gateway. Open your API, select the GATEWAYS tab, choose the old gateway, click on the 3-dot button to open the options menu, and select Delete.
13 Because API keys are unrestricted by default, we recommend that you add API restrictions for your API key. Navigate to APIs & Services console available at https://console.cloud.google.com/apis/credentials, select Credentials from the navigation panel, choose your API key, click on the 3-dot button to open the options menu, and select Edit API key.
14 In the API restrictions section, choose Restrict key, select the name of your API from the setting dropdown list, select OK, and choose SAVE to apply the changes.
15 Repeat steps no. 3 - 14 for each API Gateway API that you want to configure, available in the selected GCP project.
16 Repeat steps no. 2 – 15 for each GCP project deployed within your Google Cloud account.
Using GCP CLI
01 When you use an API key as an authentication method, you must first enable API key support for your service. Run services enable command (Windows/macOS/Linux) to enable API key support. Replace <api-managed-service-name> with the name of the managed service created when you deployed the API:
gcloud services enable <api-managed-service-name>
02 The command output should return the operation ID:
Operation "operations/acat.p2-abcdabcd-abcd-abcd-abcd-abcd-abcdabcdabcdabcd" finished successfully.
03 Run services api-keys create command (Windows/macOS/Linux) to create the API key required for API authentication:
gcloud services api-keys create --project=cc-web-project-123123 --display-name="Project5 API key"
04 The output should return the information available for the new API key:
Operation operations/akmf.p8-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234 complete. Result: {
  "@type": "type.googleapis.com/google.api.apikeys.v2.Key",
  "createTime": "2025-01-10T09:00:00.827886Z",
  "displayName": "cc-project5-api-key",
  "etag": "abcdabcdabcdabcdabcdab==",
  "keyString": "abcd1234abcd1234abcd1234abcd1234abcd123",
  "name": "projects/123456789012/locations/global/keys/abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "uid": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "updateTime": "2025-01-10T09:00:00.827886Z"
}
05 Modify the OpenAPI definition file (OpenAPI spec) associated with your API configuration to implement API authentication with API keys and save the document to a YAML file named openapi-spec-file.yaml. Include the security and securityDefinitions sections as specified below. You can add the security section at the top level of the YAML file to apply to the entire API or at the method level to apply to a specific method. The following example implements the API key for the GET method:
swagger: '2.0'
info:
  title: Project5API
  description: Project5 API Gateway API
  version: 1.0.0
host: "cc-web-project-123123.gateway.dev"
x-google-endpoints:
  - name: "cc-web-project-123123.gateway.dev"
    allowCors: true
schemes:
  - https
produces:
  - application/json
paths:
  /directions:
    get:
      summary: Get Directions
      operationId: getDirections
      security:
        - api_key: []
      responses:
        '200':
          description: A successful response
          schema:
            type: string
      x-google-backend:
        address: https://project5service-123456789012.us-central1.run.app
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
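Step 05 is a hand edit of one YAML file; when many APIs need the same fix it is easier to apply it in code. The following Python function is an added example (not Cloud Conformity's or Google's tooling) that performs that edit on a parsed OpenAPI 2.0 document: it adds the page's api_key definition (query parameter key) and then either places the security requirement on every operation (scope="operation", the method-level placement the page's example uses) or once at the top level (scope="api"), the two placements the page describes. Operations that already carry a non-empty requirement (a JWT scheme, for instance) are left untouched, and in the api scope any operation-level security: [] override is removed, because it would otherwise re-open that operation. The to_yaml helper assumes PyYAML is installed; the sample spec is constructed from the page's Project5 config.

```python
"""Add the page's API key requirement to an OpenAPI 2.0 config in code.

Added example, not Cloud Conformity's or Google's tooling. Assumes an
OpenAPI 2.0 ("swagger: '2.0'") document as used by API Gateway; to_yaml
assumes PyYAML is installed.
"""
import copy

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}
# Same definition as the page's securityDefinitions block.
API_KEY_DEFINITION = {"type": "apiKey", "name": "key", "in": "query"}
API_KEY_REQUIREMENT = [{"api_key": []}]


def _operations(spec):
    for path, item in (spec.get("paths") or {}).items():
        for method, op in (item or {}).items():
            if method.lower() in HTTP_METHODS:
                yield f"{method.upper()} {path}", op


def require_api_key(spec, scope="operation"):
    """Return (new_spec, touched): a deep copy with the api_key scheme defined
    and required, plus the labels of the operations that were changed
    ("*" stands for the top-level requirement). The input is not modified."""
    if scope not in ("operation", "api"):
        raise ValueError("scope must be 'operation' or 'api'")
    new = copy.deepcopy(spec)
    new.setdefault("securityDefinitions", {})["api_key"] = dict(API_KEY_DEFINITION)
    touched = []
    if scope == "api":
        new["security"] = copy.deepcopy(API_KEY_REQUIREMENT)
        touched.append("*")
        # An operation-level `security: []` overrides the top level with "no
        # auth", so drop such overrides; other operation-level schemes stay.
        for label, op in _operations(new):
            if op.get("security") == []:
                del op["security"]
                touched.append(label)
        return new, touched
    for label, op in _operations(new):
        if op.get("security"):  # already protected by some scheme: leave it
            continue
        op["security"] = copy.deepcopy(API_KEY_REQUIREMENT)
        touched.append(label)
    return new, touched


def to_yaml(spec):
    """Serialize for `gcloud api-gateway api-configs create --openapi-spec`."""
    import yaml  # assumption: PyYAML available
    return yaml.safe_dump(spec, sort_keys=False)


# Constructed sample modelled on the page's config before remediation, with a
# second operation that already uses a (hypothetical) JWT scheme.
OPEN_SPEC = {
    "swagger": "2.0",
    "info": {"title": "Project5API", "version": "1.0.0"},
    "host": "cc-web-project-123123.gateway.dev",
    "paths": {"/directions": {
        "get": {"operationId": "getDirections",
                "x-google-backend": {"address": "https://project5service-123456789012.us-central1.run.app"}},
        "post": {"operationId": "postDirections", "security": [{"jwt": []}]}}},
    "securityDefinitions": {"jwt": {"authorizationUrl": "", "flow": "implicit", "type": "oauth2",
                                    "x-google-issuer": "https://issuer.example",
                                    "x-google-jwks_uri": "https://issuer.example/jwks"}},
}

if __name__ == "__main__":
    secured, touched = require_api_key(OPEN_SPEC)
    print("added api_key requirement to:", touched)
    print(to_yaml(secured))
```

Write the returned YAML to openapi-spec-file.yaml and continue with step 06; the touched list doubles as a change record for the review of the new API config.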
06 Run api-gateway api-configs create command (Windows/macOS/Linux) to create a new API configuration resource for your API, using the OpenAPI definition file modified at the previous step (i.e., openapi-spec-file.yaml):
gcloud api-gateway api-configs create tm-project5-new-api-config --api=projects/cc-web-project-123123/locations/global/apis/tm-project5-api --openapi-spec=openapi-spec-file.yaml
07 The command output should return the operation status:
Waiting for API Config [tm-project5-new-api-config] to be created for API [tm-project5-api]... done.
08 Run api-gateway gateways update command (Windows/macOS/Linux) to update your API Gateway API with the new API configuration:
gcloud api-gateway gateways update tm-project5-api-gateway --api=projects/cc-web-project-123123/locations/global/apis/tm-project5-api --api-config=tm-project5-new-api-config --location=us-central1
09 The command output should return the operation status:
Waiting for API Gateway [tm-project5-api-gateway] to be updated... done.
10 Update your application to use the new, secure API gateway.
11 Because API keys are unrestricted by default, we recommend that you add API restrictions for your API key. Run services api-keys update command (Windows/macOS/Linux) to update the configuration of your API key in order to enable API restrictions. Use the --api-target parameter to specify the name of your API Gateway API:
gcloud services api-keys update projects/cc-web-project-123123/locations/global/keys/abcdabcd-1234-abcd-1234-abcdabcdabcd --api-target=service=tm-project5-api
12 The output should return the information available for the modified API key:
Operation operations/akmf.p10-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234 complete. Result: {
  "@type": "type.googleapis.com/google.api.apikeys.v2.Key",
  "createTime": "2025-01-10T09:00:00.827886Z",
  "displayName": "Project5 API Key",
  "etag": "W/\"abcdabcdabcdabcdabcdab==\"",
  "name": "projects/cc-web-project-123123/locations/global/keys/abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "restrictions": {
    "apiTargets": [
      {
        "service": "tm-project5-api"
      }
    ]
  },
  "uid": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "updateTime": "2025-01-10T09:00:00.827886Z"
}
13 Repeat steps no. 3 - 12 for each API Gateway API that you want to configure, available in the selected GCP project.
14 Repeat steps no. 1 - 13 for each GCP project deployed within your Google Cloud account.
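Steps 11 and 12 restrict one key by hand. Because keys are unrestricted by default, a project accumulates keys over time, and the restriction state of each is worth checking as part of the audit. The following Python script is an added example (not Cloud Conformity's or Google's tooling) that reads the Key resources printed by gcloud services api-keys list --project=<project-id> --format=json (assumed to be a JSON array of records shaped like the page's create and update output, including the restrictions field) and reports every key that has no apiTargets restriction, targets a service other than the expected one, or fails to target it at all. The two sample records are constructed from the page's output, with the keyString field left out.

```python
"""Report API keys that are not restricted to the intended API Gateway service.

Added example, not Cloud Conformity's or Google's tooling. Assumes the input
is the JSON array that `gcloud services api-keys list --format=json` prints,
with each record shaped like the page's api-keys create/update output.
"""
import json


def api_key_findings(keys, expected_service):
    """Return one line per problem found; an empty list means every key is
    restricted to exactly expected_service."""
    findings = []
    for key in keys:
        name = key.get("displayName") or key.get("name") or "<unnamed key>"
        targets = (key.get("restrictions") or {}).get("apiTargets") or []
        if not targets:
            # Default state: the key is accepted by any API in the project that
            # accepts API keys, not just this gateway.
            findings.append(f"{name}: no API restriction")
            continue
        services = {t.get("service") for t in targets}
        extra = sorted(s for s in services if s != expected_service)
        if extra:
            findings.append(f"{name}: also permits {extra}")
        if expected_service not in services:
            findings.append(f"{name}: does not target {expected_service}")
    return findings


def audit_api_keys_json(list_output, expected_service):
    """Convenience wrapper over the raw `api-keys list --format=json` text."""
    return api_key_findings(json.loads(list_output), expected_service)


# Constructed sample list built from the page's two key records: the freshly
# created key (unrestricted) and the same key after step 11 (restricted).
SAMPLE_LIST_OUTPUT = json.dumps([
    {
        "@type": "type.googleapis.com/google.api.apikeys.v2.Key",
        "createTime": "2025-01-10T09:00:00.827886Z",
        "displayName": "cc-project5-api-key",
        "name": "projects/123456789012/locations/global/keys/abcdabcd-1234-abcd-1234-abcdabcdabcd",
        "uid": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    },
    {
        "@type": "type.googleapis.com/google.api.apikeys.v2.Key",
        "createTime": "2025-01-10T09:00:00.827886Z",
        "displayName": "Project5 API Key",
        "name": "projects/cc-web-project-123123/locations/global/keys/abcdabcd-1234-abcd-1234-abcdabcdabcd",
        "restrictions": {"apiTargets": [{"service": "tm-project5-api"}]},
        "uid": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    },
])

if __name__ == "__main__":
    for line in audit_api_keys_json(SAMPLE_LIST_OUTPUT, "tm-project5-api"):
        print(line)
```

Pass the service name used in step 11's --api-target value as expected_service; a key reported as "also permits" other services needs its restriction narrowed even though it is technically restricted.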
References
- Google Cloud Platform (GCP) Documentation
- Choosing an Authentication Method
- Using API Keys
- Authentication between services
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud api-gateway apis list
- gcloud api-gateway api-configs list
- gcloud api-gateway api-configs describe
- gcloud services enable
- gcloud services api-keys create
- gcloud api-gateway api-configs create
- gcloud api-gateway gateways update
- gcloud services api-keys update