Background
I created multiple micro services with Cloud functions and Cloud run. Right now, using Cloud Endpoints, I can securely trigger all my services using an API key. However, I would like to be able to control which micro service each API key is allowed to access. I want to use only one API key by user.
Example
Let's say I'm building a trading API, for security purposes, when a client creates an API key, he can choose whether the API key is only allowed to read data (e.g: watch market prices) or both read and write data (e.g: watch market prices and then place orders). The user can easily change his API key permissions.
I'm not building anything as sensitive as a trading API but this is a very good example of what I'm trying to do.
Research
I've seen a similar post. The accepted answer proposed two solutions :
Using Auth0 and checking user-authorization programmatically I need to monitor the usage of my API endpoints for each API key. Moreover, the API keys security is enough for my use case.
API keys I managed to restrict my API keys to access my Cloud Endpoints API, however, I don't see any option to allow my key to access only some paths of the Cloud Endpoints API.
I also believe that a service like Apigee could do what I need but I'm on a low budget (POC) so I don't think it's a service for me and I would prefer to use GCP products only.
Question
Does Cloud Endpoints propose a solution out of the box for my use case ? If so, what should I do ?
If not, would it be possible to either :
create another proxy using Cloud Functions that would check against a Firestore database whether the API key is allowed to access the requested method ? The logic would be like this : User request with Google's provided API key -> Cloud Endpoints approval -> Custom proxy function approval -> micro service execution
Customize ESP to meet my use case
Manage all the API authentication myself (seems like a lot of work)
