Logging and Monitoring AI API Usage with API Keys

Question

Pulumi · Accepted Answer

In order to log and monitor AI API usage utilizing API keys, you would typically need a system that can issue API keys, record the usage of your APIs, and then store and analyze the logs. Assuming you are using AWS for this infrastructure, you can leverage AWS API Gateway for API key management, AWS Lambda for API endpoint implementation, and AWS CloudWatch for logging and monitoring.

Here is a step-by-step guide with a corresponding Pulumi program in Python to set up this system:

1. **API Gateway**: Manages the frontend of your API and can throttle, authenticate, and handle API requests.
2. **API Keys**: API Gateway can create and manage API keys, which are used to authorize and track API requests.
3. **Lambda Functions**: Serverless compute service to execute backend code for your API without provisioning or managing servers.
4. **CloudWatch**: Monitors your API Gateway and Lambda logs. You can set alarms and visualize logs with dashboards.

In this Pulumi program, we will:
- Create an API Gateway.
- Create an API Key for secure access.
- Define a Lambda function which will be the backend of our API endpoint.
- Configure the API Gateway to use the Lambda function as an integration for our API endpoint.
- Set up CloudWatch logging to monitor requests and responses.

```python
import pulumi
import pulumi_aws as aws

# Create an API and deploy it
api = aws.apigateway.RestApi("api", description="API for logging and monitoring AI API usage")

# Create a resource attached to the API
resource = aws.apigateway.Resource("resource",
    rest_api=api.id, 
    parent_id=api.root_resource_id, 
    path_part="example")

# Create a Lambda function that will be invoked when the API endpoint is called
lambda_func = aws.lambda_.Function("lambda_func",
    code=pulumi.AssetArchive({
        '.': pulumi.FileArchive('./function'), # Replace with the path to your function code
    }),
    runtime="python3.8",
    role=some_role.arn, # Replace with a suitable IAM role ARN
    handler="handler.main") # Replace with your handler file and function

# Give API Gateway permission to invoke the Lambda function
permission = aws.lambda_.Permission("permission",
    action="lambda:InvokeFunction",
    function=lambda_func.name,
    principal="apigateway.amazonaws.com",
    source_arn=pulumi.Output.all(api.execution_arn, resource.id).apply(
        lambda inputs: f"{inputs[0]}/{resource.path_part}/*/*")
)

# Attach the Lambda function to the API resource/method as an integration
integration = aws.apigateway.Integration("integration",
    rest_api=api.id,
    resource_id=resource.id,
    http_method="ANY", # Or your desired HTTP method
    integration_http_method="POST",
    type="AWS_PROXY",
    uri=lambda_func.invoke_arn)

# Create a method that the client will use to call the integration
method = aws.apigateway.Method("method",
    rest_api=api.id,
    resource_id=resource.id,
    http_method="ANY", # Or your desired HTTP method
    authorization="NONE") # Or configure as needed

# Create a stage, which is a snapshot of the API deployment to be invoked 
stage = aws.apigateway.Stage("stage",
    rest_api=api.id,
    deployment=aws.apigateway.Deployment("deployment", rest_api=api.id).__ref__,
    stage_name="prod")

# Deploy the API Gateway
deployment = aws.apigateway.Deployment("deployment",
    rest_api=api.id,
    stage_name=stage.stage_name)

# Create an API key
api_key = aws.apigateway.ApiKey("api_key", enabled=True)

# Create a usage plan to associate the API key with stage and API
usage_plan = aws.apigateway.UsagePlan("usage_plan",
    api_stages=[aws.apigateway.UsagePlanApiStageArgs(
        api_id=api.id,
        stage=stage.stage_name,
    )],
    description="Usage plan for monitoring API usage",
    quota_settings=aws.apigateway.UsagePlanQuotaSettingsArgs(
        limit=1000, # Limit request for a time period
        period="MONTH",
    ),
    throttle_settings=aws.apigateway.UsagePlanThrottleSettingsArgs(
        burst_limit=5, # Configure as required
        rate_limit=10, # Configure as required
    ))

# Associate the API key with the usage plan
key_association = aws.apigateway.UsagePlanKey("key_association",
    key_id=api_key.id,
    key_type="API_KEY",
    usage_plan_id=usage_plan.id)

# Export the invoke URL of the API stage to be used by clients
pulumi.export('invoke_url', pulumi.Output.concat(api.execution_arn, '/', stage.stage_name, '/example'))
```

Please replace `'./function'` with the path to your Lambda function code. The IAM role for the Lambda function should have permissions to execute the Lambda function and log to CloudWatch.

When you run this Pulumi program, it will provision the entire infrastructure outlined above, setting up an API with logging and monitoring capabilities backed by AWS services.