Scenario
I'm hosting an API in Cloud Run (grpc, but the question would also hold for http) that I wish to secure. The goal is to provide access to multiple applications in our organization. Note that every app has multiple instances running at another location (one for every external client). The API is for internal use only and will not be directly hit by web browsers.
Options
I've identified the following options:
- Not using Cloud Endpoints: I can just have my API non-public and secured by a service account. Bearer tokens (id tokens) can be automatically generated in the appliction.
- Cloud Endpoints + API keys: For every App I generate an API key that is used by all instances of that app. this is very easy to setup as it just requires sending an additional header.
- Cloud Endpoints + self-signed jwt: I use a service account to generate a self-signed token (see GCP documentation on Service-to-Service communication) and have the endpoint configured with that service account. Multiple apps get either their own service account, or I generate new keys from the same one. Note that self-signing the token is not available in all libraries and requires some manual work. Hence refreshing the token is also manual.
- Cloud Endpoints + Google ID: This only provides Authentication, no authorization. It also means that everyone with a Google account can access my API (!). The advantage is that there is easy tooling to generate ID tokens.
- Cloud Endpoints + API Key + Google ID
- Cloud Endpoints + API Key + self-signed jwt
Questions
- Which option is the most advised for my scenario? (other options/suggestions are welcome)
- Is option 1 generally considered secure? If so, why even bother with Cloud Endpoints?
- The Google Documentation mentions different forms of Authentication (see GCP documentation on Authentication methods). However, it feels like some of them are Authorization (e.g. API Keys and Service accounts) and some of then are Authentication (e.g. Google IDs). Is this a correct assessment?
- I assume GCP understands that 3 deals with service accounts and it can verify them in their own way; there is no way someone without a key for the service account can get access.
- In option 3: I would think using multiple service accounts is better, one for every app, and preferably a key per instance. Would that be considered the best way for option 3?
- Is it worthwhile do perform an additional validation in the actual API? If so, why would I even have Cloud Endpoints?
- The GCP documentation does not mention the big issue with option 4. I think this should be made much more clear.
- What would be the benefit of using option 5? The fact that I can identify who makes the call? Why not make more API keys then?
- Is option 6 even useful? Although this is considered Authentication in Cloud Endpoints, this is really Authorization, correct?
- What would change if the API would be hit by a web browser?