Configuring the development environment

This document describes how to configure your API Gateway development environment.

Prerequisites

Before you can create an API on API Gateway, ensure that you have:

  • Created a Google Cloud project in which you have the Editor or Owner role. After the initial deployment, you can grant the more restrictive Service Config Editor role to a user, group, or service account.

  • Prepared the Google Cloud CLI as described below.

  • Enabled the required Google services as described below.

  • Configure the service account used to create API configs as described below.

Preparing the Google Cloud CLI for deployment

To prepare gcloud for the deployment:

  1. Install and initialize the gcloud CLI.
  2. Update gcloud CLI:
    gcloud components update
  3. Make sure that gcloud CLI is authorized to access your data and services:
    gcloud auth login

    A new browser tab opens and you are prompted to choose an account.

  4. Set the default project. Replace PROJECT_ID with your Google Cloud project ID:
    gcloud config set project PROJECT_ID 

Enabling required services

API Gateway requires that you enable the following Google services:

Name Title
apigateway.googleapis.com API Gateway API
servicemanagement.googleapis.com Service Management API
servicecontrol.googleapis.com Service Control API

To confirm that the required services are enabled:

gcloud services list

If you do not see the required services listed, enable them:

gcloud services enable apigateway.googleapis.com
gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com

For more information about the gcloud services, see gcloud services.

Configuring a service account

An API config deployed on a gateway executes with the permissions associated with the gateway service account.

As a best practice, create a separate service account in the same project you are using for API Gateway. Then, assign the service account only the permissions necessary to access the backend service. In that way, you limit the permissions associated with the API config.

For API Gateway, the user creating or updating an API config or gateway requires the iam.serviceAccounts.actAs permission on the service account object. This permission is included in the Service Account User role.

The role and permission can be added to the service account for the user with the following command:

gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
  --member user:USER_EMAIL \
  --role roles/iam.serviceAccountUser

where:

  • SERVICE_ACCOUNT_EMAIL is the email of the service account, in the format SA_NAME@PROJECT_ID.iam.gserviceaccount.com.
  • USER_EMAIL is the email address of the user.

For example:

gcloud iam service-accounts add-iam-policy-binding my-service-account@my-project.iam.gserviceaccount.com \
  --member user:myemail@email.com \
  --role roles/iam.serviceAccountUser

In addition, the gateway service account requires the permissions necessary to access your backend service. For example:

  • For a Cloud Function backend, the service account must be assigned the role of Cloud Functions Invoker.
  • For a Cloud Run backend, the service account must be assigned the role of Cloud Run Invoker.
  • For an App Engine backend, you must follow the steps in Setting up IAP access to grant the service account associated with your gateway the IAP-secured Web App User role.

By limiting the permissions associated with the API config, you can better secure your backend systems. For more information, see the Identity and Access Management (IAM) documentation.

After you create the service account, use the --backend-auth-service-account option to specify the email address of that service account when creating an API config:

gcloud api-gateway api-configs create CONFIG_ID \
  --api=API_ID --openapi-spec=API_DEFINITION --project=PROJECT_ID \
  --backend-auth-service-account=SERVICE_ACCOUNT_EMAIL

See Creating an API for more on creating API configs.

Using a default service account

Some GCP products define a default service account. For example, if you are using Compute Engine and have enabled the Compute Engine API for your project, a default Compute Engine service account is created for you. The default service account is identifiable by its email address:

PROJECT_NUMBER-compute@developer.gserviceaccount.com

If you assign the necessary permissions to the default service account, you can omit the --backend-auth-service-account option when creating an API config:

gcloud api-gateway api-configs create CONFIG_ID \
  --api=API_ID --openapi-spec=API_DEFINITION --project=PROJECT_ID

See Using the Compute Engine Default Service Account for more.

Using OpenID Connect

Requests from API Gateway to backend services may use authentication. These requests are secured using OpenID Connect (OIDC) tokens signed by the gateway's service account. You should confirm that your backend service is correctly configured to accept OIDC tokens for authentication and authorization. Cloud Functions, Cloud Run, and the Identity Aware Proxy (IAP) provide this option.

What's next