create 2 different endpoints in azure APIM for same function app - azure-api-management

I have a single Azure function app. I want to create 2 different API endpoints in Azure APIM. How can I do that?

According to some tests, it seems we can't implement the requirement by adding an operation in API Management, because it will show the error message "Operation with the same method and URL template already exists".
And if we use some other method, such as cloning the operation, it will also fail with a 404 error because the URL field will change and cannot match the function URL.
So I think you can just add another API in your API Management to implement the requirement (as shown in the screenshot below).
The two APIM endpoints should be:
https://huryapim.azure-api.net/huryFun1/HttpTrigger1 and https://huryapim.azure-api.net/huryFun2/HttpTrigger1. Both of them request the same Azure function URL in the backend.

Related

Google Cloud Function :: Service account :: JWT token and Bearer token

I have a Google Cloud Function. I also have a web application. I want to authenticate requests to the cloud function by using a service account.
I have the json key file.
I know that I have to follow https://cloud.google.com/functions/docs/securing/authenticating#service-to-function. But that is leading me to an IAP page that does not apply to google cloud functions.
Similar instructions are found at https://developers.google.com/identity/protocols/oauth2/service-account
But if I follow the Python library code, I end up with the sample code there:
import googleapiclient.discovery
sqladmin = googleapiclient.discovery.build('sqladmin', 'v1beta3', credentials=credentials)
response = sqladmin.instances().list(project='exciting-example-123').execute()
This does not directly relate to invoking a cloud function.
This question's answer somewhat deals with my requirement but is using a Call API which is only suitable for testing.
Also, I want to expose this API to multiple applications using another tech like .net. So I believe the best option for me will be to use the HTTP method (given on the same page):
https://developers.google.com/identity/protocols/oauth2/service-account#httprest
But whatever I do I am unable to get the signature right.
Any help to get this sorted will be highly appreciated as I am stuck on this for the past few days.
You can use the Google auth library like this:
from google.oauth2.id_token import fetch_id_token
from google.auth.transport import requests
audience="my_audience"
r = requests.Request()
token=fetch_id_token(r,audience)
print(token)
The fetch_id_token method will use the default credentials:
- The service account key file defined in the environment variable GOOGLE_APPLICATION_CREDENTIALS
- The service account loaded in the Google Cloud environment
For now, I followed this answer in PHP
In the claims section, I removed the scope. Instead, I added a claim of target_audience.
"target_audience" => "google-function-http-trigger"
The Cloud Function HTTP trigger will look like https://us-central1-test-project-name.cloudfunctions.net/function-name
This will give the required assertion key.
Then I follow https://developers.google.com/identity/protocols/oauth2/service-account#httprest to get the id_token
Then with the id_token as the bearer token we can call the cloud function.
Please note that the token expires depending on the time set in the "exp" claim. Once it has expired, you have to redo the steps to generate a new id_token.
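The assertion described in the answer above (no scope, a target_audience claim, RS256 signature), as an added example that is not part of the original posts. The toy RSA key is constructed so the code runs offline with the standard library only; in practice the key is the private_key PEM from the JSON key file, signed through a crypto library. The function names and the service account address used with them are assumptions.

```python
import base64, hashlib, json, time
from urllib.parse import urlencode

TOKEN_URL = "https://oauth2.googleapis.com/token"
# DER DigestInfo prefix for SHA-256 (RFC 8017).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy RSA key (product of two Mersenne primes) for this demo only.
# NOT a usable key: a real one is the "private_key" PEM in the JSON key file.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def b64url(data: bytes) -> str:
    # JWT segments are URL-safe base64 with the '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _encoded_message(message: bytes, k: int) -> int:
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(message))
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def rs256_sign(message: bytes, n: int = N, d: int = D) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_encoded_message(message, k), d, n).to_bytes(k, "big")

def rs256_verify(message: bytes, sig: bytes, n: int = N, e: int = E) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _encoded_message(message, k)

def build_assertion(sa_email: str, function_url: str, now=None, lifetime: int = 3600) -> str:
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    # ID-token flow: no "scope"; "target_audience" is the function's trigger URL.
    claims = {"iss": sa_email, "aud": TOKEN_URL, "target_audience": function_url,
              "iat": now, "exp": now + lifetime}
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)  # the signature covers exactly these ASCII bytes
    return signing_input + "." + b64url(rs256_sign(signing_input.encode("ascii")))

def exchange_body(assertion: str) -> str:
    # Form body to POST to TOKEN_URL; the JSON response carries "id_token".
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                      "assertion": assertion})
```

A signature that fails at the token endpoint usually comes from signing something other than the exact header.claims string, or from leaving base64 padding in the segments.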
I want to authenticate requests to the cloud function by using a service account.
I am not sure I understand the context correctly, but I would try to assign the roles/cloudfunctions.invoker IAM role to that service account (which is used to run your code in the web application) - see Cloud Functions IAM Roles.
In that case, code under that service account "Can invoke an HTTP function using its public URL"
I reckon no json keys are required in this case.

Azure APIM URL without API and Operation

I want to serve a request by APIM policy only. Is it required to have an API and operation for this?
For example:
https://myapim/myapi/myoperation
I will serve this request from the policy itself by calling a few external APIs. Do I need to create the myapi API and myoperation as a blank operation, or is there any way to handle this? Currently I am getting a 404 from APIM before reaching the policy code.
When you create an API in APIM, it will ask you to input your backend URL, as in the screenshot below.
And then when you create an operation, if you input /myoperation/ into the "URL" box as below:
It will request https://your-backend-url/myoperation in the backend, but your backend URL is https://your-backend-url, so you may get a 404 error. To solve this problem, you can just input / into the "URL" box when you create the operation.
I had to create a dummy operation in my API; with this, my policy is getting executed and serving the request.

how to get token from 1 api and pass the token to authentication of another api in azure api gateway

I have 2 APIs in Azure API gateway.
1. Generate a token from 1 API.
2. Use that token for authentication in another API.
How can I combine the above APIs into 1 or connect both in 1 flow?
Note: Both the APIs are on different servers
If the backend URL is different, it's better to configure them as two APIs.
Please follow the steps below.
1. Create the Auth API and set the auth server as the backend URL.
2. Create the API which consumes the token and set its backend URL.
3. Create a product which links these 2 APIs (so the subscription key will be the same for both APIs).
4. The user can call the auth URL and get the token.
5. Add it as a header to the next API.
If you only want to configure a single API, follow the steps below.
1. Create the API with the auth endpoint in it.
2. Use <set-backend-service/> for the auth URL to set the different backend server. See more at https://learn.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#SetBackendService
3. Create a product with the single API.
Here the URL prefix will be the same and the functionality will work as expected.

How to secure my api key?

I want to use the autocomplete API from my Android/iOS app. For this I need to call a URL like:
https://maps.googleapis.com/maps/api/place/autocomplete/json?input=paris&key=<myapikey>
The problem is: what prevents someone else from extracting my API key from my app and using it for their own purposes? It's important because in the end it's me who will be billed by Google for the usage...
Your intention is to call a Places API web service. Google Maps web services support only IP address restrictions.
You can check what type of restriction is supported by each API on the following page:
https://developers.google.com/maps/faq#keysystem
In order to protect an API key that is used with your sample request, you should create an intermediate server and send your requests from this server. So your application should send the request to the intermediate server, and the intermediate server should send the Places autocomplete request with the protected API key to Google and pass the response back to your app. In this case you can use the IP address of your intermediate server to protect against unauthorized access with your API key.
I hope this helps!
What if you create an intermediate server and create a token for each single user, and also create a monitoring service which blocks suspicious behavior?
For example, a normal user would request x times per day || hour || ...
Or
when a user runs the application for the first time, the application receives the [encrypted api + decryption key] and stores them in a safe place like the keychain (for iOS).
As far as I know, if you send requests directly to google-map-api there is always a way to sniff packets.
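The intermediate-server idea from the answers above (API key kept server-side, one token per user, a cap of x requests per period), sketched as an added example that is not part of the original posts. The class name, the HMAC token format and the limits are assumptions; the method returns the upstream URL instead of sending it so the code runs offline.

```python
import hashlib, hmac, time
from collections import defaultdict, deque
from urllib.parse import urlencode

PLACES_URL = "https://maps.googleapis.com/maps/api/place/autocomplete/json"

class AutocompleteProxy:
    """Server-side gatekeeper: the Google API key never reaches the app."""

    def __init__(self, api_key: str, token_secret: bytes, limit: int = 3, window: int = 3600):
        self._api_key, self._secret = api_key, token_secret
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # user id -> timestamps of recent requests

    def _mac(self, user_id: str) -> str:
        return hmac.new(self._secret, user_id.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, user_id: str) -> str:
        # Per-user token handed to the app instead of the API key (assumed format).
        return f"{user_id}.{self._mac(user_id)}"

    def authenticate(self, token: str):
        user_id, _, mac = token.rpartition(".")
        ok = bool(user_id) and hmac.compare_digest(mac.encode(), self._mac(user_id).encode())
        return user_id if ok else None

    def handle(self, token: str, text: str, now=None):
        """Return (status, upstream_url); upstream_url is only set on 200."""
        now = time.time() if now is None else now
        user = self.authenticate(token)
        if user is None:
            return 401, None
        hits = self._hits[user]
        while hits and hits[0] <= now - self.window:
            hits.popleft()               # forget requests outside the window
        if len(hits) >= self.limit:
            return 429, None             # this user exceeded "x times per period"
        hits.append(now)
        # Only the server builds this URL, from an IP address the key is restricted to.
        return 200, PLACES_URL + "?" + urlencode({"input": text, "key": self._api_key})
```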

How to identify the Requests received in azure API management

We have a production issue where an order is submitted twice. Currently we have an API for orders and we are exposing it to clients using API Management, and in this we have policies for URL mapping from customer-facing to actual.
Now, our actual API got 2 requests, so we thought the customer submitted twice, but they have confirmed that they have not submitted twice, so either there is an issue with API Management which fired 2 requests.
How can I identify the requests received by API Management?
Is there any chance that API management will fire the request twice ?
Appreciate any pointers
The only way to fire a request twice in APIM would be by means of a Retry policy or manually using SendRequest. Otherwise it should be a client calling your API two times. Each request in APIM gets its own unique id, accessible in policies as context.RequestId; this is the main way to track and identify them. But these ids are produced inside APIM itself and thus are useful only if you're tracking a call from APIM into the backend.
Your best option now is to try to identify requests by client IP, method, URI, and time frame. APIM allows you to grab logs for certain periods of time (better if kept short) in JSON or CSV with the data I mentioned above. To do that, look into the byRequest report (https://learn.microsoft.com/en-us/rest/api/apimanagement/reports#ReportByRequest), grab the JSON/CSV and try to identify calls of interest.
For the future, you could look into onboarding your service to Azure Monitor (https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor) or Log Analytics, which provide an easier way to traverse logs.
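One way to run the check suggested above (same client IP, method and URI within a short time frame) over an exported byRequest report, as an added example that is not part of the original answer. The records are constructed, and the field names (timestamp, ipAddress, method, url, requestId) are assumed to match the report export.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records; field names are assumed to match the byRequest export.
SAMPLE = json.loads("""[
 {"timestamp": "2024-05-01T10:15:02Z", "ipAddress": "203.0.113.7",  "method": "POST", "url": "https://myapim.example/api/orders", "requestId": "req-0001"},
 {"timestamp": "2024-05-01T10:15:03Z", "ipAddress": "203.0.113.7",  "method": "POST", "url": "https://myapim.example/api/orders", "requestId": "req-0002"},
 {"timestamp": "2024-05-01T10:15:03Z", "ipAddress": "198.51.100.9", "method": "POST", "url": "https://myapim.example/api/orders", "requestId": "req-0003"},
 {"timestamp": "2024-05-01T10:15:04Z", "ipAddress": "203.0.113.7",  "method": "GET",  "url": "https://myapim.example/api/orders", "requestId": "req-0004"},
 {"timestamp": "2024-05-01T10:40:00Z", "ipAddress": "203.0.113.7",  "method": "POST", "url": "https://myapim.example/api/orders", "requestId": "req-0005"}
]""")

def parse_ts(value: str) -> datetime:
    # Whole-second UTC timestamps, as in the sample; adjust for other formats.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_repeats(records, window_seconds=5, methods=("POST", "PUT")):
    """Pairs of state-changing calls from one client to one URL within the window.

    Each record is a call APIM received, so a pair with two different request
    ids means the gateway saw two inbound calls, not one call sent on twice.
    """
    groups = defaultdict(list)
    for rec in records:
        if rec["method"] in methods:
            groups[(rec["ipAddress"], rec["method"], rec["url"])].append(rec)
    findings = []
    for (client, method, url), recs in groups.items():
        recs.sort(key=lambda r: parse_ts(r["timestamp"]))
        for prev, cur in zip(recs, recs[1:]):
            gap = (parse_ts(cur["timestamp"]) - parse_ts(prev["timestamp"])).total_seconds()
            if gap <= window_seconds:
                findings.append({"client": client, "method": method, "url": url,
                                 "gap_seconds": gap,
                                 "request_ids": [prev["requestId"], cur["requestId"]]})
    return findings
```

If the report shows a single record for the order while the backend logged two calls, the Retry policy and SendRequest named in the answer are the places to look.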