1

TLDR - moved from one query param (api key) to two in my google api gateway config and it only accepts the first one in the url

Seems like this should be easy, but it's not working. I create a google cloud function with some hardcoded params, deployed it, and put it behind an google api gateway with an api key for auth. Everything worked great. (I was basically following https://cloud.google.com/api-gateway/docs/secure-traffic-console.)

https://GATEWAY_URL/hello?key=API_KEY works. Without a valid api key, I get unauthorized, as desired.

Now I want to add another query param as an input to my cloud function. A small step, one would think. I updated the function so it requires the param, and everything works in the cloud console. Thus, I believe the problem lies with the gateway. But when I update the gateway's config for the additional param, it shows this unexpected behavior:

curl https://GATEWAY_URL/hello?key=API_KEY&foo=bar => internal server error due to foo qp not being passed to cloud function (confirmed in cloud function's logs). This should work, because the qp is there. So gateway did not pass foo=bar to cloud function.

curl https://GATEWAY_URL/hello?foo=bar&key=API_KEY => unauthorized. I feel this should be no different from the previous. Leads me to believe only one QP is being allowed, or perhaps using an api key in query creates undocumented limitations for other path operations' parameters.

The config I have been wrestling with is shown below. I have tried adding the api key to the list of params (no change), I have tried changing the x-google-backend params, and I am not sure what else to try. New section is marked with + symbols in left column

# openapi2-functions.yaml
swagger: "2.0"
info:
  title: hello-world test
  description: A description
  version: 1.0.0
basePath: /v1
schemes:
  - https
paths:
  /search-predict:
    get:
      operationId: hello-world
      summary: Returns a hello
      x-google-backend:
        address: https://redacted.cloudfunctions.net/hello-world-1
      produces:
        - application/json
      security:
        - api_key: []
+     parameters:
+       - name: foo
+         in: query
+         description: assdasd
+         required: true
+         type: string
      responses:
        200:
          description: OK
securityDefinitions:
  # This section configures basic authentication with an API key.
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
AlexMA
  • 9,842
  • 7
  • 42
  • 64
  • For what it's worth, I have in mind some workarounds. E.g. put the api key in the header, or switch the function from GET to POST. I haven't tried them yet, however. – AlexMA Jul 05 '23 at 03:56
  • I created an issue to track this and have moved my api key to the header in the meantime https://issuetracker.google.com/issues/294415027 – AlexMA Aug 04 '23 at 15:20

1 Answers1

0

To achieve that, you must indicate to API Gateway to append the source data to the address, like this:

      x-google-backend:
        address: https://us-central1-genai-proof-of-concept.cloudfunctions.net/hello-world-1
        path_translation: APPEND_PATH_TO_ADDRESS

More details here

guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
  • I just tried/retried this, but the query parameter still does not get forwarded according to the logs. – AlexMA Jul 05 '23 at 13:39
  • The parameter forward the parameter that API Gateway get in entry. It does not add new/additional parameter. – guillaume blaquiere Jul 05 '23 at 13:40
  • I think my question had a small mistake, I am only using the query parameters that are defined in the config. So both `foo` and `key` are in the config and they are the only query params being tested. It still to forward `foo` to the cloud function. – AlexMA Jul 05 '23 at 13:42
  • My workaround of moving the api key to the headers worked. I am fairly convinced at this point that there is a bug with having both api key and function parameters as query params, or there's a critical flaw in the docs. https://stackoverflow.com/questions/65683004/google-api-gateway-provide-api-key-in-header helped me. – AlexMA Jul 05 '23 at 14:21
  • As you said it seems like a bug. Feel free to raise this issue on the [Public Issue Tracker](https://issuetracker.google.com). – Sandeep Vokkareni Jul 07 '23 at 09:03
  • No, it's not a bug. If you set the apikey in the query param, the APIkey query param is consumed by API gateway and not forwarded. You can't use the same API Key for API Gateway and for your subsequent services. You must set 2 different paremeter, in the query, in the header, whatever! – guillaume blaquiere Jul 07 '23 at 10:21
  • @guillaumeblaquiere I’m not trying to forward the api key. But I can’t forward anything in the query params when the api key is also a query param. It forwards nothing until I move the api key to the headers. – AlexMA Jul 08 '23 at 17:04