API keys
Enable API key credential management in the Portal frontend app so that your users can self-service API keys to access Portal APIs.
You can protect an API product route with API keys. This way, access to the API is denied by default. Portal users must present a valid API key in their request to be successfully authenticated and be able to work with that API.
While you can manage API keys yourself, the Portal frontend app has a built-in capability that allows you to enable API key self-service for Portal users. Once enabled, Portal users can log in to the Portal and create their own API keys to access an API product that they are subscribed to.
Before you begin
- Set up Gloo Portal.
- Set up a backing database for Gloo Portal. This database is used to store the API keys that your users create in the Portal frontend app.
- Complete the tutorial to Create a Portal.
- Set up a secure login for the portal frontend app.
Secure a Portal API with API keys
You enable API key management in the frontend app by creating an AuthConfig. The AuthConfig enables storing the API keys that users create in the portal frontend in the backing database that you set up for Gloo Portal.
To enforce API key authentication, you must associate the AuthConfig with a particular API product route.
The following tutorial sets up API key authentication and credential management for the tracks API.
Create an AuthConfig to enable API key auth for the tracks API. This AuthConfig leverages the
portalAuthcapability that automatically stores API keys that Portal users create through the portal frontend in the Portal backing database.kubectl apply -f- <<EOF apiVersion: enterprise.gloo.solo.io/v1 kind: AuthConfig metadata: name: tracks-auth namespace: gloo-system spec: configs: - name: tracksAuth portalAuth: url: http://gateway-portal-web-server.gloo-system.svc.cluster.local:8080 cacheDuration: 10s apiKeyHeader: "api-key" EOFCreate a RouteOption that references the AuthConfig that you just created. You also include a CORS policy that allows requests from a different origin to the tracks API.
kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: RouteOption metadata: name: tracks namespace: gloo-system spec: options: extauth: configRef: name: tracks-auth namespace: gloo-system cors: allowCredentials: true allowHeaders: - "*" allowMethods: - GET allowOriginRegex: - ".*" EOFUpdate the HTTPRoute for the tracks API to include the RouteOption that you created.
kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: tracks-route namespace: gloo-system spec: hostnames: - api.tracks.com parentRefs: - group: gateway.networking.k8s.io kind: Gateway name: https namespace: gloo-system rules: - backendRefs: - group: "" kind: Service name: tracks-rest-api namespace: tracks port: 5000 weight: 1 filters: - type: URLRewrite urlRewrite: path: replacePrefixMatch: / type: ReplacePrefixMatch - type: ExtensionRef extensionRef: group: gateway.solo.io kind: RouteOption name: tracks matches: - path: type: PathPrefix value: /tracks EOF
Create API keys
Now that you enabled API key credential management in the frontend app, Portal users can self-service their own API keys in the frontend app to access Portal APIs. Then, you can Test API access.
Note that you cannot create API keys as an admin user by using the Portal frontend app.
Verify API keys in the backing database
After Portal users created their own API keys in the Portal frontend, you can verify that these API keys are properly stored in the Portal backing database.
For example, if you set up Postgres as your backing database, you can follow the steps in Verify that Portal stores data in Postgres.