Using API Keys

This page describes how to use API keys in API Gateway.

An API key is a string that identifies a Google Cloud project for quota, billing, and monitoring purposes. Developers generate an API key in a project in the Google Cloud console. They then embed that key in every call to your API as a query parameter or in a request header.

If you specify an API key requirement in your API config, API Gateway uses the API key to look up the associated Google Cloud project. API Gateway rejects requests unless the API key was generated in your Google Cloud project or within other Google Cloud projects in which your API has been enabled.

To create an API key, or view API keys already available within your Google Cloud project, go to the APIs & Services > Credentials page.

Use an API key

To use API Gateway features such as quotas, you can pass in an API key so that API Gateway can identify the Google Cloud project that the client application is associated with.

Configure API key authentication for API Gateway

To secure access to your gateway using an API key:

  1. Enable API key support for your service. Enter the following command, where:
    • MANAGED_SERVICE_NAME specifies the name of the managed service created when you deployed the API. This can be viewed in the Managed Service property listed with the gcloud api-gateway apis describe command.
    • PROJECT_ID specifies the name of your Google Cloud project.

      gcloud services enable MANAGED_SERVICE_NAME.apigateway.PROJECT_ID.cloud.goog

    For example:

      gcloud services enable my-api-123abc456def1.apigateway.my-project.cloud.goog

  2. Modify the OpenAPI specification used to create your API config to include instructions to enforce an API key validation security policy on all traffic. Add the security type and securityDefinitions or securitySchemes as shown:

    OpenAPI 2.0

      
      # openapi2-functions.yaml
      swagger: '2.0'
      info:
        title: API_ID optional-string
        description: Sample API on API Gateway with a Google Cloud Functions backend
        version: 1.0.0
      schemes:
        - https
      produces:
        - application/json
      paths:
        /hello:
          get:
            summary: Greet a user
            operationId: hello
            x-google-backend:
              address: https://GCP_REGION-PROJECT_ID.cloudfunctions.net/helloGET
            security:
              - api_key: []
            responses:
              '200':
                description: A successful response
                schema:
                  type: string
      securityDefinitions:
        # This section configures basic authentication with an API key.
        api_key:
          type: "apiKey"
          name: "key"
          in: "query"
    

    The securityDefinition configures your API to require an API key passed as a query parameter named key when requesting access to all paths defined in the spec.

    OpenAPI 3.x

      # openapi-functions.yaml
      openapi: 3.0.4
      info:
        title: API_ID optional-string
        description: Sample API on API Gateway with a Google Cloud Functions backend
        version: 1.0.0
      # Define reusable components in x-google-api-management
      x-google-api-management:
        backend:
          functions_backend:
            address: https://GATEWAY_LOCATION-PROJECT_ID.cloudfunctions.net/helloGET
            pathTranslation: APPEND_PATH_TO_ADDRESS
            protocol: "http/1.1"
      # Apply the backend configuration by referencing it by name. Set at the root so this applies to all operations unless overridden.
      x-google-backend: functions_backend
      components:
        # This section configures basic authentication with an API key.
        securitySchemes:
          google_api_key:
            type: apiKey
            name: x-api-key
            in: header
      security:
        - google_api_key: []
      paths:
        /hello:
          get:
            summary: Greet a user
            operationId: hello
            responses:
              '200':
                description: A successful response
                content:
                  application/json:
                    schema:
                      type: string
    

    The securitySchemes section configures your API to require an API key passed in a request header named x-api-key when requesting access to all paths defined in the spec.

  3. Create a new API config with the modified OpenAPI description using the following command:

      gcloud api-gateway api-configs create NEW_CONFIG_ID \
        --api=API_ID --openapi-spec=NEW_API_DEFINITION \
        --project=PROJECT_ID --backend-auth-service-account=SERVICE_ACCOUNT_EMAIL

    For example:

      gcloud api-gateway api-configs create my-config-key \
        --api=my-api --openapi-spec=openapi-functions.yaml \
        --project=my-project --backend-auth-service-account=0000000000000compute@developer.gserviceaccount.com
    
  4. Run the following command to update your existing gateway with the new API config:

      gcloud api-gateway gateways update GATEWAY_ID \
        --api=API_ID --api-config=NEW_CONFIG_ID \
        --location=GATEWAY_LOCATION --project=PROJECT_ID

    For example:

      gcloud api-gateway gateways update my-gateway \
        --api=my-api --api-config=my-config-key \
        --location=us-central1 --project=my-project
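
A check you can run on the spec before creating the API config, as an added example that is not part of the original page: it lists operations that no API key requirement covers, in either OpenAPI version. The specs are constructed dicts modeled on the samples above, with a hypothetical /status path added to show the failure case; the function names are assumptions.

```python
# Added example: flag operations that can be called without an API key.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def api_key_schemes(spec):
    """Names of security schemes of type apiKey (OpenAPI 2.0 or 3.x)."""
    if "swagger" in spec:
        schemes = spec.get("securityDefinitions", {})
    else:
        schemes = spec.get("components", {}).get("securitySchemes", {})
    return {name for name, s in schemes.items() if s.get("type") == "apiKey"}

def unprotected_operations(spec):
    """Return 'METHOD /path' for operations no API key requirement covers."""
    key_schemes = api_key_schemes(spec)
    root_security = spec.get("security", [])
    missing = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip non-operation keys such as "parameters"
            # Operation-level security replaces the root list; [] disables it.
            effective = op.get("security", root_security)
            # List entries are alternatives, so each one must name a key scheme.
            ok = bool(effective) and all(key_schemes & set(r) for r in effective)
            if not ok:
                missing.append(f"{method.upper()} {path}")
    return sorted(missing)

# Constructed specs modeled on the page's samples; /status is hypothetical.
SPEC_V2 = {
    "swagger": "2.0",
    "paths": {
        "/hello": {"get": {"operationId": "hello", "security": [{"api_key": []}]}},
        "/status": {"get": {"operationId": "status"}},  # no requirement at all
    },
    "securityDefinitions": {"api_key": {"type": "apiKey", "name": "key", "in": "query"}},
}
SPEC_V3 = {
    "openapi": "3.0.4",
    "components": {"securitySchemes": {
        "google_api_key": {"type": "apiKey", "name": "x-api-key", "in": "header"}}},
    "security": [{"google_api_key": []}],
    "paths": {
        "/hello": {"get": {"operationId": "hello"}},  # inherits root security
        "/status": {"get": {"operationId": "status", "security": []}},  # opts out
    },
}

if __name__ == "__main__":
    for name, spec in (("2.0", SPEC_V2), ("3.x", SPEC_V3)):
        print(name, unprotected_operations(spec))
```

In the 2.0 sample the requirement is set per operation, so any path added later without its own security entry is left open; a root-level security list, as in the 3.x sample, covers new paths unless an operation overrides it.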
    

Restricting API keys

By default, API keys are unrestricted, which makes them vulnerable to unauthorized use. Add API restrictions whenever possible. API restrictions specify which APIs can be called using the API key. All API keys used by production applications should have API restrictions.

To add API restrictions:

  1. Find the title of the API as noted in your API Config. In the following example, the API title is My Example Config:

    OpenAPI 2.0

      # openapi.yaml
      swagger: '2.0'
      info:
        title: My Example Config
        description: Sample API on API Gateway
        version: 1.0.0
      ...
    

    OpenAPI 3.x

      # openapi.yaml
      openapi: 3.0.4
      info:
        title: My Example Config
        description: Sample API on API Gateway
        version: 1.0.0
      ...
    
  2. In the Google Cloud console, go to the APIs & Services > Credentials page.

  3. Select the name of the API key you want to use for your API.

  4. In the API restrictions section of the API key detail page, click Restrict key.

  5. Select the API that your API key will be used to access from the drop-down list of available APIs. For example, select My Example Config.

  6. Click Save.

Your restriction should take effect momentarily.
