1. Applying Identity Auth Tokens for Secure OCI API Gateways


    In Oracle Cloud Infrastructure (OCI), you can secure API gateways by applying identity authentication tokens. These tokens serve as a means for authenticating and authorizing API clients before they can access any backend services. In Pulumi, you can manage these resources using the OCI provider.

    To achieve this, we'll need to perform the following steps:

    1. Create auth tokens that can be used for secure communication.
    2. Set up an API Gateway in OCI.
    3. Apply the necessary policies to ensure that only authenticated calls can access the gateway.

    We will use the oci.Identity.AuthToken, oci.ApiGateway.Gateway, and oci.Identity.Policy resources provided by the Pulumi OCI provider to accomplish this task.

    Here's how you can write a program in Pulumi to set up Identity Auth Tokens and secure an OCI API Gateway:

        import pulumi
        import pulumi_oci as oci

        # Assume the user ID is provided, or retrieved from OCI dynamically.
        user_id = "ocid1.user.oc1..<unique_ID>"

        # Create an Auth Token for the user
        auth_token = oci.identity.AuthToken(
            "authToken",
            user_id=user_id,
            description="AuthToken for secure access to API Gateway",
        )

        # Set up an API Gateway
        # Note: You need to have a VCN and Subnet already set up in your OCI environment.
        # The following `compartment_id` and `subnet_id` are placeholders and should be replaced
        # with the real ID values from your environment.
        compartment_id = "ocid1.compartment.oc1..<unique_ID>"
        subnet_id = "ocid1.subnet.oc1..<unique_ID>"

        api_gateway = oci.apigateway.Gateway(
            "apiGateway",
            compartment_id=compartment_id,
            subnet_id=subnet_id,
            # endpoint_type is a required argument of the Gateway resource:
            # PUBLIC exposes the gateway on the internet, PRIVATE keeps it reachable only from the VCN.
            endpoint_type="PUBLIC",
            display_name="MySecureApiGateway",
        )

        # Define an Identity Policy to secure the API Gateway access
        policy_statements = [
            f"Allow service PSM to manage all-resources in compartment {compartment_id}",
            f"Allow group APIGatewayAdmins to manage api-gateways in compartment {compartment_id}",
        ]

        identity_policy = oci.identity.Policy(
            "identityPolicy",
            compartment_id=compartment_id,
            description="Policy for API Gateway access control",
            statements=policy_statements,
            name="MyApiGatewayPolicy",
        )

        # Exporting some important URIs and tokens that can be used to interact with the API Gateway.
        # The token is a credential, so it is exported as a secret: Pulumi then encrypts it in the
        # stack state and hides it from `pulumi stack output` unless --show-secrets is given.
        pulumi.export("api_gateway_id", api_gateway.id)
        pulumi.export("auth_token", pulumi.Output.secret(auth_token.token))

    Here's a step-by-step explanation of the Pulumi program:

    • We import the required modules, specifically pulumi and pulumi_oci.
    • We create an identity AuthToken using oci.identity.AuthToken, which is used to authenticate API requests to OCI services. The user_id here should be replaced with the actual OCID of the user for whom the token will be generated.
    • We then set up an API Gateway with oci.apigateway.Gateway. This gateway will serve as the entry point for API requests. You need to replace compartment_id and subnet_id with actual values from your environment. The subnet refers to the networking context where the API Gateway will be placed.
    • An Identity Policy is created with oci.identity.Policy to define who gets what kind of access to the API Gateway. The policy statements are written in the format that OCI expects.
    • Finally, we export the API Gateway ID and auth token value which can be used for further automation or integration in your CI/CD pipelines.

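    Policy statements are plain strings, so a typo or an over-broad grant is not caught until the policy is live. The following linter is an added example (not part of the original program or of the Pulumi OCI provider): it parses the `Allow <subject> to <verb> <resource-type> in <scope>` form that OCI policies use and flags statements that grant more than an API Gateway deployment needs, so they can be reviewed before `pulumi up`. The helper names (`parse_statement`, `findings`, `lint_policy`) and the sample statements are constructed for this example; the compartment OCID is the same placeholder the program uses. Run over the two statements above, it flags the `manage all-resources` grant and passes the `manage api-gateways` one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# OCI IAM verbs, ranked by how much access each grants (inspect < read < use < manage).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# The subset of OCI policy grammar this linter understands (hypothetical helper, not an OCI API):
#   Allow <subject> to <verb> <resource-type> in <scope> [where <conditions>]
# <subject> is "group <name>", "dynamic-group <name>", "service <name>" or "any-user";
# <scope> is "tenancy" or "compartment <name-or-OCID>".
_STATEMENT_RE = re.compile(
    r"^Allow\s+(?P<subject>(?:group|dynamic-group|service)\s+\S+|any-user)\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[a-z][a-z0-9-]*)\s+"
    r"in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)


@dataclass
class Statement:
    subject: str
    verb: str
    resource: str
    scope: str
    condition: Optional[str]


def parse_statement(text: str) -> Statement:
    """Split one policy statement into its parts; raise ValueError if it does not parse."""
    m = _STATEMENT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    return Statement(
        subject=m.group("subject"),
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        scope=m.group("scope"),
        condition=m.group("condition"),
    )


def findings(text: str) -> List[str]:
    """Return the least-privilege problems found in one statement (empty list if none)."""
    s = parse_statement(text)
    problems = []
    if s.subject.lower() == "any-user":
        problems.append("subject 'any-user' grants the permission to every principal in the tenancy")
    if s.resource == "all-resources" and VERB_RANK[s.verb] >= VERB_RANK["use"]:
        problems.append(
            f"'{s.verb} all-resources' is broader than the api-gateways family this policy protects"
        )
    if s.scope.lower() == "tenancy" and s.verb == "manage":
        problems.append("tenancy-wide 'manage' should be scoped to a compartment")
    return problems


def lint_policy(statements: List[str]) -> Dict[str, List[str]]:
    """Map each flagged statement to its findings; statements with no findings are omitted."""
    report = {}
    for stmt in statements:
        found = findings(stmt)
        if found:
            report[stmt] = found
    return report


# Constructed sample: the two statements from the program above, with the same placeholder OCID.
COMPARTMENT_ID = "ocid1.compartment.oc1..<unique_ID>"  # placeholder, as in the program
SAMPLE_STATEMENTS = [
    f"Allow service PSM to manage all-resources in compartment {COMPARTMENT_ID}",
    f"Allow group APIGatewayAdmins to manage api-gateways in compartment {COMPARTMENT_ID}",
]

if __name__ == "__main__":
    for stmt, problems in lint_policy(SAMPLE_STATEMENTS).items():
        print(stmt)
        for p in problems:
            print("  -", p)
```

    The linter only recognises the statement forms listed in its comment; a statement it cannot parse raises ValueError rather than being silently accepted, which is the behaviour you want in a pre-deployment check.
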
    Make sure to replace placeholder strings such as <unique_ID> with the actual identifiers from your OCI environment. These identifiers point to your specific resources, like compartments, users, and subnets.

    This program assumes that you are familiar with establishing an API Gateway within OCI and have configured your networking (VCN and Subnet) accordingly. The security of the API Gateway leverages policies and tokens that OCI Identity and Access Management (IAM) provide.