1

I want to use Kong as an API gateway for all my upstream services. And I want to use API Keys so my customers can use that to use some APIs they are allowed to use.

There is a plugin for managing API Keys: https://docs.konghq.com/hub/kong-inc/key-auth/

But I'm wondering if I can add properties to some API key or link it to some configuration.

Let me explain with an example:

I have 3 apis

  • API 1
  • API 2
  • API 3

On the Kong API Gateway I want to use rate limiting. So I want to generate API keys for 2 customers with some properties

  • customer X: basic subscription which has a rate limit of 10 requests per minute for API 1 and 20 requests per minute for API 2
  • customer Y: premium subscription on API 2 which has a rate limit of 5000 requests per minute and 1000 requests per minute for API 3

So in Kong I create 3 services for those 3 APIs and add the rate limit plugin to that. Is there any way to let the rate limit plugin know (based upon the API key that is sent in the request) what limit it should use for that request that just has been entered?

I seems to me that I need to create new services for the same APIs every time with a specific rate limit with a specific value. This feels a bit unmanageable when dealing with a lot of customers and apis.

Is it possible to fetch the rate limit value based upon the API key that is passed through?

Or is there any solution to do so? Or is this the actual behaviour we want in an API gateway, if yes, why?

koala
  • 1,544
  • 1
  • 20
  • 33
  • I may be wrong, but I think that this is a limitation of Kong. No concept of ACL / Policies. You would have to apply a different rate-limit plugin to each consumer. So you either create loads of services as per your suggestion above, which makes no sense from a design perspective... or you create a RL plugin for each key/consumer - also a bit funky. – Gravy May 02 '19 at 15:04

2 Answers2

0

Kong Enterprise Edition has a plugin called 'Rate Limiting Advanced' that solves this issue. It allows you to specify an 'identifier' for each rate-limit plugin and for this particular case you will use 'identifier: consumer'. If you want two different rate-limits for the same API and different consumers, for e.g.

  • API2: consumerX has 20rpm
  • API2: consumerY has 5000rpm

then you have to configure rate-limiting on the consumer and not on the api. Also, in your question you referring to apis; FYI api objects are deprecated since v0.13.0 and you should move to route/service objects.

Community
  • 1
  • 1
Pankaj
  • 888
  • 10
  • 11
0

You can config plugins at the consumer level as well. This effectively applies the proper rate-limited to each consumer (api key).

Example code from the docs:

$ curl -X POST http://kong:8001/consumers/{consumer}/plugins \
    --data "name=rate-limiting" \
     \
    --data "config.second=5" \
    --data "config.hour=10000"

Documentation: https://docs.konghq.com/hub/kong-inc/rate-limiting/#enabling-the-plugin-on-a-consumer

Jeff Schumacher
  • 3,126
  • 3
  • 23
  • 23