API keys
Authenticate requests by using an API key.
This feature is an Enterprise-only feature that requires a Gloo Gateway Enterprise license.
About API keys
API keys are secure, long-lived UUIDs that clients provide when they send a request to your service. You might use API keys in the following scenarios:
- You know the set of users that need access to your service. These users do not change often, or you have automation that easily generates or deletes the API key when the users do change.
- You want direct control over how the credentials are generated and expire.
When you use API keys, your services are only as secure as the API keys. Storing and rotating the API key securely is up to the user.
API keys in Gloo Gateway
To secure your services with API keys, first provide Gloo Gateway with your API keys in the form of Kubernetes secrets. Then in the external auth policy, you refer to the secrets in one of two ways.
- Specify a label selector that matches the label of one or more API key secrets. Labels are the more flexible, scalable approach.
- Refer to the name and namespace of each secret.
Gloo Gateway matches a request to a route that is secured by the external auth policy. The request must have a valid API key in a header. You can configure the name of the expected header. If the header is missing, or the API key is invalid, Gloo Gateway denies the request and returns a 401
response.
Internally, Gloo Gateway maps API keys to user identities for all API keys in the system. The user identity for an API key is the name of the secret that has the API key. Gloo Gateway adds the user identity to the request as a header, x-user-id
by default. Gloo Gateway can use this header in subsequent filters. The extauth plugin that handles the API key flow is part of the AuthNStage
stage. All filters after this stage have access to the user identity header. For example, this functionality is used in Gloo Gateway’s rate limiting API to provide different rate limits for anonymous vs. authorized users. Note that for security purposes, Gloo Gateway sanitizes the header from the response before the response leaves the gateway proxy.
Before you begin
Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Setup
From your API management tool such as Gloo Portal, generate an API key to use for your app’s domain. For example, your key might be
N2YwMDIxZTEtNGUzNS1jNzgzLTRkYjAtYjE2YzRkZGVmNjcy
.Create a Kubernetes secret to store your API key.
Verify that the secret is created. Note that the
data.api-key
value is base64 encoded.kubectl get secret infra-apikey -n httpbin -oyaml
Example output:
apiVersion: v1 kind: Secret metadata: name: infra-apikey namespace: httpbin labels: team: infrastructure type: extauth.solo.io/apikey data: api-key: TjJZd01ESXhaVEV0TkdVek5TMWpOemd6TFRSa1lqQXRZakUyWXpSa1pHVm1OamN5
Create an AuthConfig resource and add your external authentication rules. The following example configures API key authentication. When a request comes in for a route that is secured by this AuthConfig, Gloo Gateway extracts the API key from the
api-key
request header. Then, it uses the Kubernetes secret with the labelteam: infrastructure
to check if the API key in that Kubernetes secret matches the API key from the request.kubectl apply -f- <<EOF apiVersion: enterprise.gloo.solo.io/v1 kind: AuthConfig metadata: name: apikey-auth namespace: httpbin spec: configs: - apiKeyAuth: # The request header name that holds the API key. # This field is optional and defaults to api-key if not present. headerName: api-key labelSelector: team: infrastructure EOF
Create a RouteOption resource and reference the AuthConfig resource that you just created.
kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: RouteOption metadata: name: apikey-auth namespace: httpbin spec: options: extauth: configRef: name: apikey-auth namespace: httpbin EOF
Create an HTTPRoute resource for the httpbin app that requires authentication for requests on the
extauth.example
domain.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: httpbin-apikey-auth namespace: httpbin spec: parentRefs: - name: http namespace: gloo-system hostnames: - extauth.example rules: - filters: - type: ExtensionRef extensionRef: group: gateway.solo.io kind: RouteOption name: apikey-auth backendRefs: - name: httpbin port: 8000 EOF
Send a request to the httpbin app on the
extauth.example
domain without any API key. Verify that your request is denied and that you get back a 401 HTTP response code.Example output:
* Mark bundle as not supporting multiuse < HTTP/1.1 401 Unauthorized < www-authenticate: Basic realm="gloo" < date: Fri, 19 Apr 2024 17:41:01 GMT < server: envoy < content-length: 0
Send another request to the httpbin app. This time, you include the API key in the
api-key
header. Verify that the request succeeds and that you get back a 200 HTTP response code.Example output:
* Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < access-control-allow-credentials: true < access-control-allow-origin: * < date: Fri, 19 Apr 2024 17:44:06 GMT < content-length: 0 < x-envoy-upstream-service-time: 0 < server: envoy
Cleanup
You can optionally remove the resources that you set up as part of this guide.
kubectl delete authconfig apikey-auth -n httpbin
kubectl delete routeoption apikey-auth -n httpbin
kubectl delete httproute httpbin-apikey-auth -n httpbin
kubectl delete secret infra-apikey -n httpbin