Consuming GCP APIs from a client

There are two ways a client can authenticate to a GCP API:

a. API keys - the least secure option. An API key is a bare secret with no password and no user identity behind it: whoever obtains the key can call the API as your project.

b. Service account keys, which the client exchanges for OAuth 2.0 access tokens. This is secure as long as the service account's private key is stored securely and rotated often. These are user-managed service account keys (the JSON key file you download).

What if the Service Account belongs to a Server?

APIs can also be called by code running on Google compute services (e.g. Cloud Run, Compute Engine). That code does not need a key file:

it already has an identity, the service account attached to the workload, and it obtains short-lived access tokens for that identity from the metadata server.

What additional security can be put in place? Can I restrict the API to be called only from specific IP addresses?

Yes. In both cases (API keys and service accounts) you can restrict the client IPs that are allowed to call the API, but the mechanism differs: an API key carries its own IP restriction, while callers using a service account are restricted with VPC Service Controls.

Service account IP restriction - defining an access level and a perimeter

Step 1: create an access level (in Access Context Manager). The access level can be a list of subnetworks (CIDR blocks of private or public IPs). For a client outside Google Cloud, the public IP to allow is the NAT'ed IP the client presents when it invokes the GCP service, so confirm that address before applying the level.

Step 2: when defining the VPC Service Controls perimeter, pick (from the access levels dropdown) the access level created in step 1.

Note that access levels and service perimeters are defined at the organization level (and require organization-level IAM permissions, the Access Context Manager roles). The perimeter is applied to projects, however: the very first thing you do is pick the projects you are trying to protect, and then the services to restrict.

What if I need to access the resources from Cloud Shell?

Cloud Shell runs outside your project (and outside any network you control), so a perimeter whose only access level is a CIDR subnetwork will lock it out. The fix is an ingress rule based on identity rather than source IP: the rule matches your Cloud IAM principal and lets you in as a console user.

Create an ingress rule that allows your user identity to reach the Compute Engine service only (no other services), apply the rule to your perimeter, and then retest from Cloud Shell.

API key IP restriction

This is simpler: go to APIs & Services > Credentials, edit the API key, and under "Application restrictions" choose "IP addresses" to add the allowed addresses. The same restriction can be set through the API Keys API.

The following example shows how to create an API key with a list of allowedIps. gcurl is the alias used in the Google docs for an authenticated curl; define it first:

alias gcurl='curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json"'

# PROJECT_NUMBER is the numeric project number, not the project ID.
# Bare addresses and CIDR blocks, IPv4 and IPv6, may be mixed in allowedIps.
gcurl https://apikeys.googleapis.com/v2/projects/PROJECT_NUMBER/locations/global/keys  \
  --request POST \
  --data  '{
    "displayName" : "API key with server restrictions with IPv4, IPv6 and CIDR",
    "restrictions" : {
      "serverKeyRestrictions": {
        "allowedIps": ["198.51.100.1","198.51.100.0/24","2001:db8::1","2001:db8::/64"]
      }
    }
  }'

The client-type restrictions available under "restrictions" are mutually exclusive (a key gets one of them):
  • browserKeyRestrictions: The HTTP referrers (websites) that are allowed to use the key.
  • serverKeyRestrictions: The IP addresses of callers that are allowed to use the key.
  • androidKeyRestrictions: The Android apps that are allowed to use the key.
  • iosKeyRestrictions: The iOS apps that are allowed to use the key.

A key with none of these can be used from anywhere. Whichever one you pick, also limit which APIs the key may call (the apiTargets list under the same "restrictions" object), so a leaked key is bounded in both where it works and what it can reach.
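Before applying either restriction it is worth checking that the address you will actually arrive from (the NAT'ed public IP mentioned under the access level) is covered, because a perimeter or key restriction that omits it locks you out. The following Python is an added example, not code from this page or from Google: it models the IP matching locally with the standard library, builds the serverKeyRestrictions body from the curl example above and the ipSubnetworks access level spec (the file passed to gcloud access-context-manager levels create --basic-level-spec), and emits the identity-based ingress rule used for the Cloud Shell exception. The function names, the sample addresses and the exact JSON/YAML shapes of the access level spec and ingress rule are assumptions to check against the current GCP docs; nothing here calls a Google API.

```python
import ipaddress
import json

# Constructed sample data (not from the page's environment): the allowedIps list
# from the API key example, reused as the ipSubnetworks of an access level.
ALLOWED = ["198.51.100.1", "198.51.100.0/24", "2001:db8::1", "2001:db8::/64"]


def parse_networks(entries):
    """Turn a list of bare IPs and CIDR blocks into ip_network objects.

    Bare addresses become /32 (IPv4) or /128 (IPv6). An entry with host bits
    set (e.g. 198.51.100.1/24) is rejected as a likely typo for either the host
    or the block (assumption: better to fail here than to find out after a lockout).
    """
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid restriction entry {entry!r}: {exc}") from exc
    return networks


def is_allowed(caller_ip, entries):
    """Would a request from caller_ip pass an IP restriction built from entries?

    An empty list means no restriction at all, which is how an API key without
    serverKeyRestrictions behaves (anyone holding the key can use it).
    """
    if not entries:
        return True
    addr = ipaddress.ip_address(caller_ip)
    # Membership across address families is False, so a v4 caller never matches a v6 block.
    return any(addr in net for net in parse_networks(entries))


def server_key_restrictions(entries, display_name="IP-restricted key"):
    """Request body for apikeys.googleapis.com/v2 keys.create with IP restrictions."""
    parse_networks(entries)  # fail early on bad entries
    return {
        "displayName": display_name,
        "restrictions": {"serverKeyRestrictions": {"allowedIps": list(entries)}},
    }


def access_level_spec(entries):
    """Basic access level spec: a list of conditions, here one ipSubnetworks
    condition (assumed shape of the --basic-level-spec file)."""
    parse_networks(entries)
    return [{"ipSubnetworks": list(entries)}]


def ingress_rule_for_identity(principal, service="compute.googleapis.com"):
    """Identity-based ingress rule (for perimeters update --set-ingress-policies)
    letting one principal reach one service from any source, e.g. Cloud Shell.
    Assumed shape; accessLevel "*" is the documented wildcard for any source."""
    return {
        "ingressFrom": {"identities": [principal], "sources": [{"accessLevel": "*"}]},
        "ingressTo": {
            "operations": [{"serviceName": service, "methodSelectors": [{"method": "*"}]}],
            "resources": ["*"],
        },
    }


def preflight(nat_ip, entries):
    """Lockout check: confirm the address you will call from is covered before
    applying the restriction. Returns (ok, message)."""
    ok = is_allowed(nat_ip, entries)
    return ok, f"{nat_ip} is {'covered' if ok else 'NOT covered'} by {entries}"


if __name__ == "__main__":
    ok, msg = preflight("198.51.100.77", ALLOWED)
    print(msg)
    print(json.dumps(server_key_restrictions(ALLOWED), indent=2))
    print(json.dumps(access_level_spec(ALLOWED), indent=2))
    print(json.dumps(ingress_rule_for_identity("user:alice@example.com"), indent=2))
```

Run preflight with the egress address you see from the client (for example the address an external "what is my IP" service reports, or the NAT gateway address your network team gives you) before you save the key restriction or attach the access level to the perimeter; the identity-based ingress rule is what keeps Cloud Shell working after the CIDR-only access level shuts it out.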