1. Secure AI APIs with GCP API Gateway.


    Securing AI APIs on GCP (Google Cloud Platform) involves several steps, including creating an API Gateway, configuring an API with security policies, and applying IAM (Identity and Access Management) policies to control access.

    Below is a Pulumi Python program that demonstrates how to:

    1. Create an API on GCP API Gateway using the gcp.apigateway.Api resource.
    2. Create an API config for the API using the gcp.apigateway.ApiConfig resource.
    3. Bind IAM policies to the API config to secure it using the gcp.apigateway.ApiConfigIamPolicy resource.

    For this example, we assume that you have an OpenAPI specification ready for your AI API, and it's available at a specific URL or a path in Cloud Storage. Consequently, this program doesn't include the specifics of setting up AI services, as it focuses on the API Gateway and IAM security aspects.

    import pulumi import pulumi_gcp as gcp # Replace these variables with appropriate values. project = "your-gcp-project-id" api_id = "your-api-id" api_gateway_id = "your-gateway-id" api_config_id = "your-api-config-id" openapi_spec_path = "path/to/your/openapi/spec.yaml" # This should be the path to your OpenAPI specification in Cloud Storage or other accessible URL. # Create an API on GCP API Gateway. ai_api = gcp.apigateway.Api("ai-api", api_id=api_id, project=project, labels={ "purpose": "AI-API", }, display_name="AI API") # Create an API config for the API. api_config = gcp.apigateway.ApiConfig("api-config", api_config_id=api_config_id, project=project, api=ai_api.api_id, openapi_documents=[{ "document": { "path": openapi_spec_path, "contents": openapi_spec_contents, }, }], display_name="AI API Config") # Bind IAM policies to the API config to secure it. # This example grants the 'roles/apigateway.invoker' role to a specific member. api_config_iam_policy = gcp.apigateway.ApiConfigIamPolicy("api-config-iam-policy", project=project, api=ai_api.api_id, api_config=api_config.id, policy_data=pulumi.Output.all(ai_api.api_id, api_config.id).apply( lambda args: json.dumps({ "bindings": [{ "role": "roles/apigateway.invoker", "members": ["user:someone@example.com"], }], }) )) # Export the URL of the deployed API Gateway. pulumi.export('gateway_url', pulumi.Output.concat('https://', api_gateway_id, '-', project, '.apigateway.cloud.google.com'))

    In this program:

    • We create an Api resource named ai-api, which corresponds to an abstraction of our AI services. We give it a unique api_id and label it with a purpose.

    • We create an ApiConfig resource named api-config. An API Config in GCP API Gateway is a collection of OpenAPI specifications and related settings that define the behavior of the API. We provide the openapi_documents parameter with the path to the OpenAPI spec file that describes our AI API.

    • We set up an IAM policy for our API Config using the ApiConfigIamPolicy resource named api-config-iam-policy. In this policy, we specify who has the role of apigateway.invoker, which allows invocation of the API. For the sake of an example, we're granting this role to someone@example.com.

    • Lastly, we export the URL of our API Gateway for easy access to the endpoint once it's deployed.

    This setup provides a layer of security using IAM roles, thereby ensuring that only authorized users and services can invoke your AI API endpoints.