Check for API Gateway Authentication Method

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Google Cloud API Gateway is configured to use an authentication method in order to validate incoming requests before passing them to your API backend.

Security

Google Cloud API Gateway needs authentication to act as a security checkpoint. By validating requests with authentication methods such as API keys or JSON Web Tokens (JWTs), it prevents unauthorized access to your backend APIs, protects sensitive data, and can help mitigate potential attacks like DDoS or injection attacks.
Audit

To determine if API Gateway uses an authentication method to secure access to your API backend, perform the following operations:

Getting the API configuration file information via Google Cloud CLI (gcloud) is not currently supported.

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to API Gateway console available at https://console.cloud.google.com/api-gateway/.

04 On the APIs listing page, click on the name (link) of the API Gateway API that you want to examine, available in the Name column.

05 Select the CONFIGS tab and click on the name of the API configuration associated with the selected API.

06 Select the CONFIG FILE tab and check the API configuration file (YAML format) for security and securityDefinitions sections that define authentication methods such as API keys or JSON Web Tokens (JWTs). If the security and securityDefinitions sections are not present in the API configuration file or their definitions are empty, the selected API Gateway API is not configured to use an authentication method to secure access to your API backend.

07 Repeat steps no. 4 - 6 for each API Gateway API available in the selected GCP project.

08 Repeat steps no. 2 – 7 for each project deployed within your Google Cloud account.
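The manual check in step 06 can be scripted against the downloaded API configuration. The following is an added example (not Conformity's or Google's code) that applies the same rule to an OpenAPI 2.0 document: it reports the authentication schemes declared under securityDefinitions and every operation that ends up without a security requirement. It assumes the spec is in JSON form (API Gateway accepts JSON as well as YAML), uses the page's own config as a constructed sample with one extra unprotected operation, and also handles an operation-level `security: []`, which removes a top-level requirement.

```python
import json

# Constructed sample: the page's config in JSON form, plus an unprotected
# POST operation so the per-operation finding is visible. The backend
# address "http://publicIP/..." is the page's placeholder, not a real host.
SPEC_WITH_API_KEY = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "tm-project5-api-config", "version": "1.0.0"},
  "paths": {
    "/direcciones": {
      "get": {"operationId": "getDirections",
              "x-google-backend": {"address": "http://publicIP/api/v1/app/catalogs/directions"},
              "security": [{"api_key": []}]},
      "post": {"operationId": "addDirection"}
    }
  },
  "securityDefinitions": {"api_key": {"type": "apiKey", "name": "key", "in": "query"}}
}
""")

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def audit_api_config(spec):
    """Apply the page's audit rule: securityDefinitions must be non-empty and
    every operation must carry a security requirement naming a defined scheme.
    Returns the declared schemes, the unprotected operations and a verdict."""
    defs = spec.get("securityDefinitions") or {}
    auth_methods = {name: d.get("type") for name, d in defs.items()}
    global_sec = spec.get("security")  # top-level requirement, if any
    unprotected = []
    for path, item in (spec.get("paths") or {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            # Operation-level security overrides the top-level one; an explicit
            # empty list removes the requirement for that operation entirely.
            sec = op.get("security", global_sec)
            # A requirement only counts if it references a declared scheme.
            if not sec or not any(set(req) & set(defs) for req in sec):
                unprotected.append(f"{method.upper()} {path}")
    return {"auth_methods": auth_methods, "unprotected": unprotected,
            "compliant": bool(auth_methods) and not unprotected}


if __name__ == "__main__":
    print(json.dumps(audit_api_config(SPEC_WITH_API_KEY), indent=2))
```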

Remediation / Resolution

To ensure that Google Cloud API Gateway uses an authentication method to secure access to your API backend, perform the following operations:

As an example, the Remediation section provides instructions on how to implement the API key authentication method for an API Gateway REST API.

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to APIs & Services console available at https://console.cloud.google.com/apis/credentials.

04 In the main navigation panel, select Credentials, choose CREATE CREDENTIALS, and select API key to create the API key required for API Gateway authentication. Copy your new API key and choose CLOSE to close the panel.

05 Navigate to API Gateway console available at https://console.cloud.google.com/api-gateway/.

06 On the APIs listing page, click on the name (link) of the API Gateway API that you want to configure, available in the Name column.

07 Select the CONFIGS tab, click on the name of the API configuration associated with your API, choose the CONFIG FILE tab, and save the existing OpenAPI definition (OpenAPI spec) to a YAML file.

08 Edit the YAML file to configure the API key authentication method for your API, using security and securityDefinitions, e.g.:

swagger: '2.0'
info:
  title: tm-project5-api-config
  description: Project5 API Gateway API
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /direcciones:
    get:
      summary: Get Directions
      operationId: getDirections
      x-google-backend:
        address: http://publicIP/api/v1/app/catalogs/directions
      security:
        - api_key: []
      responses:
        '200':
          description: A successful response
          schema:
            type: string
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"

09 Because the API configuration has been changed, you must replace the existing API gateway with a new one based on the modified OpenAPI definition file. Go back to your API page and choose CREATE GATEWAY from the top-right menu to create a new gateway.

10 On the Create gateway setup page, perform the following actions:

  1. For API, select your API.
  2. For API Config, choose to create a new API configuration, upload the OpenAPI spec modified at step no. 8, provide a name for the new API config, and select the service account that will be used by the new gateway.
  3. For Gateway details, provide a name for the gateway and select the appropriate location (must match the existing gateway location).
  4. Choose CREATE GATEWAY to create your new API gateway.

11 Update your application to use the new, secure API gateway.

12 (Optional) You can delete the old, non-compliant API gateway. Open your API, select the GATEWAYS tab, choose the old gateway, click on the 3-dot button to open the options menu, and select Delete.

13 Because API keys are unrestricted by default, we recommend that you add API restrictions for your API key. Go back to APIs & Services console at https://console.cloud.google.com/apis/credentials, select Credentials from the navigation panel, choose your API key, click on the 3-dot button to open the options menu, and select Edit API key.

14 In the API restrictions section, choose Restrict key, select the name of your API from the setting dropdown list, select OK, and choose SAVE to apply the changes.

15 Repeat steps no. 3 - 14 for each API Gateway API that you want to configure, available in the selected GCP project.

16 Repeat steps no. 2 – 15 for each project deployed within your Google Cloud account.

Using GCP CLI

01 When you use an API key as an authentication method, you must first enable API key support for your service. Run services enable command (Windows/macOS/Linux) to enable API key support. Replace <api-managed-service-name> with the name of the managed service created when you deployed the API:

gcloud services enable <api-managed-service-name>

02 The command output should return the operation ID:

Operation "operations/acat.p2-abcdabcd-abcd-abcd-abcd-abcd-abcdabcdabcdabcd" finished successfully.

03 Run services api-keys create command (Windows/macOS/Linux) to create the API key required for API authentication:

gcloud services api-keys create \
  --project=tm-project5-123123 \
  --display-name="Project5 API key"

04 The output should return the metadata available for the new API key:

Operation operations/akmf.p7-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234 complete.
Result: {
	"@type":"type.googleapis.com/google.api.apikeys.v2.Key",
	"createTime":"2024-03-21T09:00:00.827886Z",
	"displayName":"cc-project5-api-key",
	"etag":"abcdabcdabcdabcdabcdab==",
	"keyString":"abcd1234abcd1234abcd1234abcd1234abcd123",
	"name":"projects/123456789012/locations/global/keys/abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"uid":"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"updateTime":"2024-03-21T09:00:00.849225Z"
}

05 Update the OpenAPI definition file (OpenAPI spec) associated with your API configuration to implement API authentication with API keys and save the document to a YAML file named openapi-spec-file.yaml. Include the security and securityDefinitions sections as specified below. You can add the security section at the top level of the YAML file to apply to the entire API or at the method level to apply to a specific method. The following example implements the API key for the GET method:

swagger: '2.0'
info:
  title: tm-project5-api-config
  description: Project5 API Gateway API
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /direcciones:
    get:
      summary: Get Directions
      operationId: getDirections
      x-google-backend:
        address: http://publicIP/api/v1/app/catalogs/directions
      security:
        - api_key: []
      responses:
        '200':
          description: A successful response
          schema:
            type: string
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"

06 Run api-gateway api-configs create command (Windows/macOS/Linux) to create a new API configuration resource for your API, using the OpenAPI definition file modified at the previous step (i.e. openapi-spec-file.yaml):

gcloud api-gateway api-configs create tm-rest-api-config \
  --api=tm-project5-rest-api \
  --openapi-spec=openapi-spec-file.yaml

07 The command output should return the operation status:

Waiting for API Config [tm-rest-api-config] to be created for API [tm-project5-rest-api]... done.

08 Run api-gateway gateways update command (Windows/macOS/Linux) to update your API gateway with the new API configuration:

gcloud api-gateway gateways update tm-project5-api-gateway \
  --api=tm-project5-rest-api \
  --api-config=tm-rest-api-config \
  --location=us-central1

09 The command output should return the operation status:

Waiting for API Gateway [tm-project5-api-gateway] to be updated... done.

10 Update your application to use the new, secure API gateway.

11 Because API keys are unrestricted by default, we recommend that you add API restrictions for your API key. Run services api-keys update command (Windows/macOS/Linux) to update the configuration of your API key in order to enable API restrictions. Use the --api-target parameter to specify the name of your API Gateway API:

gcloud services api-keys update projects/123456789012/locations/global/keys/abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --api=tm-project5-rest-api \
  --api-target=service=tm-project5-rest-api

12 The output should return the information available for the modified API key:

Operation operations/akmf.p10-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234 complete.
Result: {
	"@type":"type.googleapis.com/google.api.apikeys.v2.Key",
	"createTime":"2024-03-21T18:07:05.989182Z",
	"displayName":"Project5 API Key",
	"etag":"W/\"abcdabcdabcdabcdabcdab==\"",
	"name":"projects/123456789012/locations/global/keys/abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"restrictions":{
		"apiTargets":[
			{
				"service":"tm-project5-api"
			}
		]
	},
	"uid":"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"updateTime":"2024-03-21T18:07:50.174446Z"
}

13 Repeat steps no. 3 - 12 for each API Gateway API that you want to configure, available in the selected GCP project.

14 Repeat steps no. 1 – 13 for each project deployed within your Google Cloud account.

Publication date Mar 26, 2024