I am new to API Gateway and am trying to enable security on my API. I followed some instructions which I found on the internet, like this: https://medium.com/swlh/manage-serverless-apis-with-api-gateway-in-gcp-b7f906efec1a

Here is my YAML file:

# openapi2-functions.yaml
swagger: '2.0'
info:
  title: simple-test
  description: Sample API on API Gateway with a Google Cloud Functions backend
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /direcciones:
    get:
      summary: get direcciones
      operationId: direcciones
      x-google-backend:
        address: http://publicIP/api/v1/app/catalogos/direcciones
        security:
        - api_key: []
      responses:
        '200':
          description: A successful response
          schema:
            type: string
securityDefinitions:
 api_key:
    type: "apiKey"
    name: "key"
    in: "query"

While deploying this config file in API gateway config, I am getting the following error:

INVALID_ARGUMENT Cannot convert to service config. 'location: "evva.yaml: x-google-backend" kind: ERROR message: "Extension x-google-backend cannot be converted into proto type google.api.BackendRule. Details: Cannot find field: security in message google.api.BackendRule" location: "evva.yaml: x-google-backend" message: "Address field in extension x-google-backend is empty. In this case, the backend address must be provided to the proxy via a runtime flag." location: "evva.yaml: Operation \'get\' in path \'/direcciones\'" message: "Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : \'apiKey\'." ' com.google.apps.framework.request.BadRequestException: Cannot convert to service config. 'location: "evva.yaml: x-google-backend" kind: ERROR message: "Extension x-google-backend cannot be converted into proto type google.api.BackendRule. Details: Cannot find field: security in message google.api.BackendRule" location: "evva.yaml: x-google-backend" message: "Address field in extension x-google-backend is empty. In this case, the backend address must be provided to the proxy via a runtime flag." location: "evva.yaml: Operation \'get\' in path \'/direcciones\'" message: "Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : \'apiKey\'." ' 

I don't understand this error. What change do I need to make in the YAML file to make it acceptable while deploying?

user565

1 Answer

The security entry mustn't be "in" the x-google-backend, but below the get:. Like this.

paths:
  /direcciones:
    get:
      summary: get direcciones
      operationId: direcciones
      x-google-backend:
        address: http://publicIP/api/v1/app/catalogos/direcciones
      security:
        - api_key: []
guillaume blaquiere
  • That's strange, a few spaces change the semantics :( – user565 Oct 15 '20 at 09:36
  • Yaml, like Python, is based on the indentation. Fewer characters to print/type/save, but weaker structure. – guillaume blaquiere Oct 15 '20 at 12:07
  • One more question: is it possible to map the API to a local IP address which is running on a compute instance within GCP? I tried to use the local address, but then the call from the API Gateway fails. Any idea about that? – user565 Oct 15 '20 at 19:18
  • What do you mean by "local IP"? Private IP in your VPC? – guillaume blaquiere Oct 15 '20 at 19:37
  • Sorry, Yes private IP address of the service which is running on VM in GCP. – user565 Oct 16 '20 at 07:42
  • No, API Gateway (and other serverless products like Cloud Scheduler, Cloud Task or PubSub) aren't compliant with serverless VPC connector and don't have a foot in the VPC, and thus, can't communicate with private IP in your VPC. – guillaume blaquiere Oct 16 '20 at 07:52
  • I understand. Is there any other service within GCP which can help in this scenario? I don't want to expose my service/API over the public IP address and am looking for some sort of proxy which has an IAM feature to control the access. Considering API Gateway means I first need to implement some kind of security in my external service and then map it with API Gateway. – user565 Oct 16 '20 at 08:47
  • The only solution is to wrap the call in a Cloud Function or a Cloud Run to build this chain: API Gateway -> OAuth2 id_token -> Cloud Function/Run -> Serverless VPC Connector -> ComputeEngine private IP. – guillaume blaquiere Oct 16 '20 at 11:47
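
A small pre-deployment lint for the mistake discussed in this thread, as an added example (not code from the question, the answer, or Google's tooling). It walks a parsed Swagger 2.0 document and reports operations where `security` is nested under `x-google-backend`, or where no API-key requirement applies to the operation. The function names and the two sample documents are constructed here as Python dicts mirroring the YAML above; in practice the dict would come from a YAML parser.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def api_key_schemes(spec):
    """Names of securityDefinitions entries whose type is apiKey."""
    return {name for name, d in spec.get("securityDefinitions", {}).items()
            if d.get("type") == "apiKey"}

def lint_api_key_security(spec):
    """Return (path, method, problem) tuples for operations that would be
    rejected at deploy time or served without requiring an API key."""
    key_schemes = api_key_schemes(spec)
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            backend = op.get("x-google-backend") or {}
            if "security" in backend:
                findings.append((path, method,
                                 "security nested inside x-google-backend"))
            # Operation-level security overrides the top-level default.
            reqs = op.get("security", spec.get("security", []))
            # Per the error text: every requirement object must reference
            # at least one securityDefinition of type apiKey.
            if not reqs or not all(key_schemes & set(r) for r in reqs):
                findings.append((path, method,
                                 "operation does not require an API key"))
    return findings

def make_spec(security_in_backend):
    """Constructed sample: the question's layout (True) or the answer's (False)."""
    backend = {"address": "http://publicIP/api/v1/app/catalogos/direcciones"}
    op = {"operationId": "direcciones", "x-google-backend": backend,
          "responses": {"200": {"description": "A successful response"}}}
    (backend if security_in_backend else op)["security"] = [{"api_key": []}]
    return {"swagger": "2.0",
            "paths": {"/direcciones": {"get": op}},
            "securityDefinitions": {
                "api_key": {"type": "apiKey", "name": "key", "in": "query"}}}

QUESTION_SPEC = make_spec(security_in_backend=True)
ANSWER_SPEC = make_spec(security_in_backend=False)

if __name__ == "__main__":
    for label, spec in (("question", QUESTION_SPEC), ("answer", ANSWER_SPEC)):
        print(label, lint_api_key_security(spec))
```
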