Apigee SaaS - API key rotation - Management APIs

Hello community, @Dino-at-Google @Dino @Anil Sagar @ Google

I would like to implement API key rotation in our organization and want to automate the whole process.

High-level steps -

1. Creating a client app with an API key having limited validity, e.g. 6 months

2. Generating notifications to app developers and Apigee admins about key expiry about 15/30 days prior to the actual expiry date.

3. Generating a new API key with 6 months validity in the same existing App created in step 1.

I was looking for management APIs to script the above 3 steps and could find only one for step 1 and step 2 (custom script to loop over all apps and credentials to check if expiry falls within the next 30 days).

Can someone please confirm if there are management APIs for the above steps 2 and 3?

Appreciate it if you can share any better ideas to implement this API key rotation solution.

Thanks.
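The expiry check from step 2 and the request for a new key with expiry from step 3, as an added example that is not part of this thread or of Apigee's own tooling. The app listing is a constructed sample in the shape of the Edge management API's app resource (`expiresAt` in epoch milliseconds, `-1` meaning never); the POST path and the `keyExpiresIn` field in `new_key_request` are assumptions about the Edge API, and the function only builds the call rather than sending it.

```python
import json

MS_PER_DAY = 86_400_000

# Constructed sample of what the management API returns for developer apps.
# expiresAt is epoch milliseconds; -1 means the credential never expires.
SAMPLE_APPS = json.loads("""
[
  {"name": "orders-app", "developerId": "dev-1",
   "credentials": [
     {"consumerKey": "KEY-OLD",   "status": "approved", "expiresAt": 1700000000000},
     {"consumerKey": "KEY-NEVER", "status": "approved", "expiresAt": -1}
   ]},
  {"name": "billing-app", "developerId": "dev-2",
   "credentials": [
     {"consumerKey": "KEY-REVOKED", "status": "revoked",  "expiresAt": 1700000000000},
     {"consumerKey": "KEY-FAR",     "status": "approved", "expiresAt": 1800000000000}
   ]}
]
""")


def expiring_credentials(apps, now_ms, window_days=30):
    """Approved keys that expire within window_days of now_ms, as
    (app name, consumer key, days left). Revoked keys and keys that never
    expire are skipped; the latter are the ones rotation cannot track."""
    found = []
    for app in apps:
        for cred in app.get("credentials", []):
            if cred.get("status") != "approved":
                continue
            expires = cred.get("expiresAt", -1)
            if expires == -1:
                continue
            days_left = (expires - now_ms) / MS_PER_DAY
            if days_left <= window_days:
                found.append((app["name"], cred["consumerKey"], round(days_left, 1)))
    return found


def never_expiring_credentials(apps):
    """Approved keys with no expiry at all; report these so admins can fix them."""
    return [(a["name"], c["consumerKey"]) for a in apps
            for c in a.get("credentials", [])
            if c.get("status") == "approved" and c.get("expiresAt", -1) == -1]


def new_key_request(org, developer_email, app_name, api_products, validity_days):
    """Build (not send) the call that generates a fresh key with an expiry in an
    existing app. Path and keyExpiresIn (milliseconds) are assumed, not verified."""
    return {"method": "POST",
            "path": f"/v1/organizations/{org}/developers/{developer_email}/apps/{app_name}",
            "body": {"apiProducts": list(api_products),
                     "keyExpiresIn": validity_days * MS_PER_DAY}}
```

Run the check from a scheduled job, and fold the `never_expiring_credentials` output into the same notification, since those keys will otherwise fall outside the rotation cycle.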


To my understanding, there is no such option for notification, as it will not specify which date it expires in an app. And regarding new key creation, you can create another set of credentials using the management API; once you create the new one, you can disable the old one.

Thanks @Priyadarshi. Do you know if there is a management API to create a new API key with expiry in an existing app?

You can create one using the link below

https://apidocs.apigee.com/docs/developer-app-keys/1/overview

But expiry is not an option, you can revoke the permission.

If you have any expiry relationship then you can use OAuth 2.0 for token expiry, and you can give an expiry in the client credentials grant type.

There is no facility in Apigee to notify developers and Apigee admins about imminently expiring API keys. I have seen other customers build scripts or programs that run as scheduled jobs, which check for this condition and send out notifications.

"Generating a new API Key" is a job for the developer. Ideally the developer visits the dev portal and clicks a button to create a new key. Generally you do not want to use the Admin APIs to create a new key. But there is an administrative API to allow this.

Hello @Dino-at-Google,

1. We actually want to use an Integrated developer portal (that comes with the Public cloud SaaS version) to enable developers to create their own apps and generate API keys themselves. But while exploring the Integrated dev portal, I found that the API key generated during App creation and the API key created using the ADD KEY button always get a default expiry of 'Never'.

API key generated during App creation: [screenshot]

API key generated on clicking ADD KEY: [screenshot]

It seems that there is no facility in the dev portal config to change this default expiry from 'never' to some defined duration say 1 year. Without having the expiry date assigned to each key within each app, it would be difficult to rotate the keys.

2. Therefore I have now moved to another approach of creating Apps and their API keys (with limited validity) using management APIs and sharing it with the developers through script automation using the steps mentioned in the question description. But I am unable to find the management API to create a new API key with expiry into an existing App.

This Create API key management API doesn't seem to accept expiry in input and always defaults it to never.


3. The only way I have found to add a new API key with expiry into an existing developer app is through Edge UI. But I think API key rotation using this manual way would be very tedious for Org admins and doesn't seem to be an ideal solution.


Please provide your thoughts. Also please advise if you have come across any better solution for implementing API Key rotation in the Public cloud/ Integrated dev portal.

Thank you.

Today there is no way for you to use the integrated developer portal to create a key with a fixed, set expiry. There is an outstanding feature request for this. ref: b/128330801

You can create new API keys with the management API, and request an expiry. Find more information here.

Sadly, there is a further unfortunate bug: the integrated developer portal will display the expiry as "Never", even if the credential actually has an expiry. ref: b/b/151961459. I haven't (yet?) found an easy way to work around this problem.

EDIT:

You can work around the expiry display problem with this custom script.

https://gist.github.com/DinoChiesa/85e694358137f5c324a0c49c2c448e28

Disclaimer: this script will be brittle. It examines the rendered HTML and changes it if the expiry is displayed as "never". If for whatever reason the portal starts rendering the HTML differently, this custom script will break.