Can managed identity be used between a service hosted in AKS and a client app hosted as an App Service? - asp.net-core-3.1

I have an asp.net core web api app which is hosted in Azure Kubernetes Service, and the web api endpoints are secured with Azure Active Directory (AAD), following the article below:
https://dotnetplaybook.com/secure-a-net-core-api-using-bearer-authentication/
Now I have another asp.net core web api application (Gateway) which is hosted as an Azure App Service, and this is a client application for the above microservice which is hosted in AKS.
I have also registered the client app (Gateway) in AAD, using a secret, and using this the gateway and microservices authenticate and it works.
Since the AKS-hosted microservices talk with the Azure App Service, can I use Managed Identity so that I don't need to do secret management?

So just to clarify, your service deployed in Azure App Service is calling your application deployed in AKS.
If your Azure App Service is acting on its own behalf (i.e. it is a daemon app, and users don't interact with that app), then yes, you can simply use a Managed Identity for that App Service and give that identity the API permissions for the app in AKS.
An update to the above:
I wrote some additional details that walk through all steps to achieve this; take a look at this post: https://blog.identitydigest.com/single-tenant-daemon-managed-identity/ . It also has a pointer to a very rudimentary code sample.
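As an added illustration of the daemon-to-API flow described in this answer (example code written for this page, not the answerer's sample and not from the linked blog), the block below shows both halves: the gateway on App Service obtaining a token from its managed identity with the Azure.Identity library, and the AKS API's ASP.NET Core 3.1 startup validating audience, issuer and the app role that the managed identity was assigned. The hostnames, the tenant id, the App ID URI `api://aks-orders-api-placeholder`, the client id and the app role name `Orders.Read` are placeholders you must replace with the values from your own app registrations.

```csharp
// Added example (not from the post or the linked blog): an App Service gateway
// calling an AAD-protected API in AKS with its managed identity, and the API's
// startup code validating that token. All ids, hosts and the role name are
// placeholders for this illustration.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

namespace GatewayExample
{
    // Client side (App Service). Nothing here reads a client secret or certificate:
    // ManagedIdentityCredential asks the App Service identity endpoint for a token.
    public class AksOrdersClient
    {
        // Application ID URI of the AKS API's app registration (placeholder).
        // ".default" requests every app role this identity was granted on the API.
        private const string ApiScope = "api://aks-orders-api-placeholder/.default";

        private static readonly HttpClient Http =
            new HttpClient { BaseAddress = new Uri("https://orders.aks.example.invalid/") };

        private static readonly TokenCredential Credential = new ManagedIdentityCredential();

        public async Task<string> GetOrdersAsync(CancellationToken ct = default)
        {
            AccessToken token = await Credential.GetTokenAsync(
                new TokenRequestContext(new[] { ApiScope }), ct);

            using var request = new HttpRequestMessage(HttpMethod.Get, "api/orders");
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);

            using HttpResponseMessage response = await Http.SendAsync(request, ct);
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}

namespace AksApiExample
{
    // API side (AKS). Call this from Startup.ConfigureServices. A token minted for
    // some other API (wrong audience), from another tenant (wrong issuer), or for
    // an identity that was never assigned the app role is rejected before any
    // controller runs; controllers opt in with [Authorize(Policy = "GatewayCaller")].
    public static class AuthConfig
    {
        public static void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    // Tenant-scoped authority; the valid issuer is read from its
                    // OpenID metadata document, so only this tenant's tokens pass.
                    options.Authority = "https://login.microsoftonline.com/<tenant-id-placeholder>/";

                    // Accept both values AAD may put in "aud" for this registration
                    // (App ID URI in v1 tokens, client id in v2 tokens).
                    options.TokenValidationParameters.ValidAudiences = new[]
                    {
                        "api://aks-orders-api-placeholder",
                        "<api-client-id-placeholder>"
                    };
                    options.TokenValidationParameters.ValidateIssuer = true;
                    options.TokenValidationParameters.ValidateLifetime = true;
                });

            services.AddAuthorization(options =>
            {
                // The JWT "roles" claim is mapped to ClaimTypes.Role by the bearer
                // handler's default inbound claim mapping, so RequireRole checks it.
                options.AddPolicy("GatewayCaller",
                    policy => policy.RequireRole("Orders.Read"));
            });
        }
    }
}
```

The role check is the part that is easy to forget: with only audience validation, any service principal in the tenant can obtain a token for the API via `.default`, so the API must also require the app role that was granted to the gateway's managed identity.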

Related

Authentication of REST API on GKE with Google Cloud Service Account

I am looking to host my REST APIs on GKE (microservices), and I want other applications and services I develop to authenticate with these APIs using JWT with Spring Boot Security. I want to generate a JWT token from a Google Cloud Service Account in a Google Cloud project and use this to authenticate with my APIs. My question is, is it possible to secure the APIs that I develop to allow a JWT token to authenticate against Google Cloud IAM (Service Account)? An example on the Spring side would be most helpful.
I am looking for something similar to what you can do in App Engine with the ESP.
You can follow the Google official documentation:
Authentication between services
You have to have:
Created a Google Cloud project.
Created an OpenAPI document for your API.
Deployed your OpenAPI document.
Deployed the API backend.
The API backend can be on Google Kubernetes Engine, Compute Engine, or the App Engine flexible environment. You have to deploy the Extensible Service Proxy (ESP) to Google Kubernetes Engine.
Deploying the API backend

Is it possible to access GCP resources using the API without user interaction?

In most of the documentation I found about GCP, the REST API needs user interaction for authentication. Is there a possible way to access GCP resources without interaction from the user?
e.g. I would like to implement a cron job on my local workstation to launch a GCP machine.
Yes, it's possible; this is what service accounts are for:
A service account is a Google account that represents an application, as opposed to representing an end user.
Important: For almost all cases, whether you are developing locally or in a production application, you should use service accounts, rather than user accounts or API keys. You can use a service account by providing its private key to your application, or by using the built-in service accounts available when running on Google Cloud Functions, Google App Engine, Google Compute Engine, or Google Kubernetes Engine.
All GCP APIs support service accounts. For most server applications that need to communicate with GCP APIs, we recommend using service accounts, as they are the most widely-supported and flexible way to authenticate.
For more information, see getting started with authentication.
You'd have to create a service account representing your application (executed as the cron job), and in your application you'd authenticate the REST API calls using that service account's credentials.
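To make the answer's cron-job scenario concrete, here is an added example (written for this page, not part of the answer) of a non-interactive job that authenticates as a service account through Application Default Credentials and starts one Compute Engine VM. It assumes the Google.Apis.Compute.v1 NuGet package; the project, zone and instance names are placeholders, and the key-file path comes from the GOOGLE_APPLICATION_CREDENTIALS environment variable rather than from code.

```csharp
// Added example (not from the post): unattended start of a GCE instance using a
// service account via Application Default Credentials. Project/zone/instance
// values are placeholders.
using System;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Compute.v1;
using Google.Apis.Compute.v1.Data;
using Google.Apis.Services;

public static class StartVmJob
{
    public static Operation Run(string project, string zone, string instance)
    {
        // ADC resolution order: GOOGLE_APPLICATION_CREDENTIALS pointing at the
        // service account's JSON key on the workstation, or the metadata server
        // when this runs inside GCP. No browser or user login is ever involved.
        GoogleCredential credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(ComputeService.Scope.Compute);

        var compute = new ComputeService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "start-vm-cron-job"
        });

        // The service account only needs a role that permits instances.start on
        // this project (for example roles/compute.instanceAdmin.v1); grant it
        // nothing wider, because the key file is a long-lived credential.
        return compute.Instances.Start(project, zone, instance).Execute();
    }

    public static void Main(string[] args)
    {
        Operation op = Run("my-project-placeholder", "us-central1-a", "build-agent-1");
        Console.WriteLine($"start requested: operation {op.Name}, status {op.Status}");
    }
}
```

Keep the key file readable only by the account the cron job runs as, and prefer the built-in service account (metadata server) whenever the job can run inside GCP, so no key file exists at all.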

Bluemix API Management, secure the API implementation

I want to expose a REST-ful service as an API to the outside world on Bluemix Public. Therefore I have a liberty app, containing a REST service implemented in JAX-RS.
Additionally I leverage the "API Management Service" to secure that app, via Plans, Authentication etc. So thanks to the API Management Gateway I have a secure proxy to my service exposed.
Yet the app that provides my service remains accessible to the outside via the Bluemix route. So it can be called without any credentials whatsoever.
Is there a way to only have my API Management gateway access the service implementation app?
One approach would be to delete the route of the service-implementing app, but how would you then bind the API Management to the service?
Happy to hear your thoughts or alternative solutions.
If your API is running on Bluemix Public as a Cloud Foundry application, there is currently no way to create a route such that it is only accessible by the API Management service but not by the outside world. You should implement security within your JAX-RS application (easy to do with a web.xml security-constraint) and add those credentials to the APIm service if you still want to use APIm to get monitoring, throttling, discovery, etc.
Another option would be to deploy the application in a VM and then use Secure Gateway to connect to it:
https://github.com/IBM-Bluemix/onprem-integration-demo

Bluemix public CF App protect/private REST Endpoint

I have a public Bluemix CF app which exposes a REST service. I would like to have the option that the public URL bound to the CF app is inaccessible from outside. The REST service itself should only be usable from other CF apps in my org, for example over API Management. I don't want to implement my own security mechanism for it, because API Management already provides everything I need to control which clients will access my service. So some kind of private route inside Bluemix public, only available to runtimes and services in my Bluemix organisation.
This is not currently possible with IBM Bluemix, due to limitations in Cloud Foundry.
All bound routes are accessible from the external network.
If you want to have a private API exposed, you have the following options.
Add authentication to the REST API, managing the credentials as a user-provided service bound to all the apps. The API will be accessible externally but only by users with the credentials.
Use an application service, like a message queue, to expose an internal RPC-style API. Applications can bind to the same service and it will only be accessible internally.

How to expose existing REST API through Azure Service Bus (or through something else)

I have an existing on-premise REST API from an external vendor. I'd like to expose this API unmodified to the outside world through an Azure website. So I have customers that run this API on-premise, and I'm developing a PaaS/SaaS app that should access these on-premise APIs.
I also have a client SDK from the external vendor that calls the API. It works without issues when running on-premise. However, now I want to use this SDK from my Azure website.
How do I route REST service calls generated by the SDK to the on-premise API? I thought about using Azure Service Bus WebHttpRelayBinding, but this seems to require a WCF contract, which I do not have.
In other words: is there a way to send unmodified HTTP traffic to an on-premise system from Azure (through Azure Service Bus or by any other means)?
If you want to access an on-premise service from Azure services/websites, what you need is a Hybrid Connection.
For that you will need a BizTalk service to redirect the traffic to your on-prem service.
Here are the steps for how to set up a Hybrid Connection:
https://azure.microsoft.com/en-us/documentation/articles/web-sites-hybrid-connection-get-started/