
Before you begin
- Labs create a Google Cloud project and resources for a fixed time
- Labs have a time limit and no pause feature. If you end the lab, you'll have to restart from the beginning.
- On the top left of your screen, click Start lab to begin
It is important to identify the caller during an API call.
In this lab, you create an API product and associate it with an API proxy. You will then create an application and associate it with the API product, and use the application's API key when calling the API.
In this lab, you learn how to perform the following tasks:
For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.
Sign in to Qwiklabs using an incognito window.
Note the lab's access time (for example, 1:15:00
), and make sure you can finish within that time.
There is no pause feature. You can restart if needed, but you have to start at the beginning.
When ready, click Start lab.
Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.
Click Open Google Console.
Click Use another account and copy/paste credentials for this lab into the prompts.
If you use other credentials, you'll receive errors or incur charges.
Accept the terms and skip the recovery resource page.
Google Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud.
Google Cloud Shell provides command-line access to your Google Cloud resources.
In Cloud console, on the top right toolbar, click the Open Cloud Shell button.
Click Continue.
It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. For example:
gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.
Output:
Example output:
Output:
Example output:
These assets have already been added to the Apigee organization:
The highlighted items in the list are used during this lab.
In this task, you add a VerifyAPIKey policy to force callers to present an API key when accessing the API.
In the Google Cloud console, on the Navigation menu (), look for Apigee in the Pinned Products section.
The Apigee console page will open.
If Apigee is not pinned, search for Apigee in the top search bar and navigate to the Apigee service.
Hover over the name, then click the pin icon ().
The Apigee console page will now be pinned to the Navigation menu.
On the left navigation menu, select Proxy development > API proxies.
Select the retail-v1 proxy.
Click the Develop tab.
In the Navigator pane, click Proxy endpoints > default > PreFlow.
On the Request PreFlow, click Add Policy Step (+).
The VerifyAPIKey policy should be one of the first policies executed, because you want to avoid most of the processing if the caller is not allowed to use the API proxy.
In the Add policy step pane, select Create new policy, and then select Security > Verify API Key.
Specify the following values:
Property | Value |
---|---|
Name | VA-VerifyKey |
Display name | VA-VerifyKey |
It is important to correctly set the policy step name. The VerifyAPIKey policy will populate variables that include the step name, and you will use those variables in later labs.
Click Add.
Click on Policies > VA-VerifyKey and look at the APIKey element. The configuration currently expects the API key in a query parameter named apikey.
Change the policy configuration so it expects the API key in a header named apikey. Replace:
with:
To save the updates, click Save, and then click Save as New Revision.
Click Deploy.
To specify that you want the new revision deployed to the eval environment, select eval as the Environment, and then click Deploy.
Click Confirm.
You will return to the API proxy later in the lab.
In this task, you create an API product associated with your API proxy.
API products can be associated with developer applications, providing access to your APIs.
Certain assets, including API products, developers, developer apps, and KVMs, cannot be saved until the runtime is available.
For example, when navigating to the API products page, you might see an error message that reads "Products were not loaded successfully."
This is an error you should see when you are waiting for the runtime instance to be available. Once the runtime is available, refreshing the page will remove the error.
If you get this type of error, you can check the status of provisioning.
In Cloud Shell, to confirm that the runtime instance has been installed and the eval environment has been attached, run the following commands:
When the script returns ORG IS READY TO USE
, you can proceed to the next steps.
On the left navigation menu, select Distribution > API products.
To create a new API product, click +Create.
In the Product details section, specify the following:
Property | Value |
---|---|
Name | retail-fullaccess |
Display Name | retail (full access) |
Description | full access to retail API |
Environment | select eval, and then click OK |
Access | select Public |
Leave Automatically approve access requests selected.
In the Operations section, click +Add an Operation.
Operations are used to specify which requests in which API proxies are allowed for an application associated with the API product.
In the Operation pane, specify the following values:
Property | Value |
---|---|
API Proxy | select the retail-v1 API proxy |
Path | /** |
Methods | select GET, PATCH, POST, PUT, and DELETE |
The path expression "/**" indicates that any path suffix of any depth is a match for the operation.
In a production environment, you might choose to add each operation that is allowed separately, rather than using this wildcard path expression.
Click Save to save the operation.
In the Custom Attributes section for the API product, click +Add Custom Attribute.
Custom attributes can be used to attach any data that you would like to be available in the proxy to control access.
In this case, because this is the full access API product for your retail API, you'll create a custom attribute that indicates that the application calling the API should be allowed full access.
Specify the following:
Property | Value |
---|---|
Name 1 | full-access |
Value 1 | yes |
Click OK to save the custom attribute.
To save the API product, click Save.
Return to the API Products page. Your API product will be listed.
In this task, you create a read-only API product associated with your API proxy.
To create a new API product, click +Create.
In the Product details pane, specify the following:
Property | Value |
---|---|
Name | retail-readonly |
Display Name | retail (read-only) |
Description | read-only access to retail API |
Environment | select eval, and then click OK |
Access | select Public |
Leave Automatically approve access requests selected.
In the Operations section, click +Add an Operation.
In the Operation pane, specify the following values:
Property | Value |
---|---|
API Proxy | select the retail-v1 API proxy |
Path | /** |
Methods | select GET |
By specifying only the GET method, you are limiting API requests to read-only operations.
Click Save to save the operation.
To save the API product, click Save.
Return to the API Products page. Your second API product will be listed.
In this task, you create an app developer, which will allow you to register an app.
On the left navigation menu, click Distribution > Developers.
To create a new app developer, click +Create.
Specify the following:
Property | Value |
---|---|
First Name | Joe |
Last Name | Developer |
joe@example.com | |
Username | joe |
To create the app developer, click Add.
In this task, you create an app for your app developer.
On the left navigation menu, click Distribution > Apps.
To create a new app, click +Create.
In the App Details pane, specify the following:
Property | Value |
---|---|
App Name | retail-app |
Display Name | Joe's retail app |
Developer | select Joe Developer |
In the Credentials section, click +Add Credential.
In the Credential pane, click Add Products.
In the Select products dropdown, select retail (read-only), and then click Ok.
Click Add.
Click the check box for the retail-readonly product, and then click Approve.
To create the app, click Create.
The Key and Secret are now configured for the app.
For the Key, click on the not shown icon ().
The API key for Joe's retail app is shown.
In this task, you will verify that requests made to the proxy provide the correct access.
The eval environment in the Apigee organization can be called using the hostname eval.example.com. The DNS entry for this hostname has been created within your project, and it resolves to the IP address of the Apigee runtime instance. This DNS entry has been created in a private zone, which means it is only visible on the internal network.
Cloud Shell does not reside on the internal network, so Cloud Shell commands cannot resolve this DNS entry. A virtual machine (VM) within your project can access the private zone DNS. A virtual machine named apigeex-test-vm was automatically created for this purpose. You can make API proxy calls from this machine.
The curl command will be used to send API requests to an API proxy. The -k
option for curl tells it to skip verification of the TLS certificate. For this lab, the Apigee runtime uses a self-signed certificate. For a production environment, you should use certificates that have been created by a trusted certificate authority (CA).
In Cloud Shell, open a new tab, and then open an SSH connection to your test VM:
The first gcloud command retrieves the zone of the test VM, and the second opens the SSH connection to the VM.
If asked to authorize, click Authorize.
For each question asked in the Cloud Shell, click Enter or Return to specify the default input.
Your logged in identity is the owner of the project, so SSH to this machine is allowed.
Your Cloud Shell session is now running inside the VM.
To copy the key into the clipboard, for the Key, click Copy to clipboard ().
In the Cloud Shell SSH session, run the following command:
Replace {key} with the API key for Joe's app. The command should look similar to this:
On the left navigation menu, click Proxy development > API proxies.
Click on the retail-v1 proxy.
You should see that the proxy is deployed to the eval environment.
Click the Debug tab, and then click Start Debug Session.
In the Start debug session pane, on the Environment dropdown, select eval.
The deployed revision number will also show in the dropdown.
Click Start.
Back in the Cloud Shell SSH session, execute this curl command:
The API request should return 401.
In Debug, click on the GET request, and then click VA-VerifyKey.
You should see that the policy retrieved the request.header.apikey variable, but the value was empty.
The error message is "Failed to resolve API Key variable request.header.apikey". The API key was not found.
Add the apikey header with an incorrect API key by using this command:
The API request still returns 401, but the error is "Invalid ApiKey." Looking at the Debug tool, the key was found in request.header.apikey with the value 123.
This error means you are passing the API key in the correct location.
Verify that the API key has been copied to the environment variable using this command:
If the variable is empty, return to Task 5 for the instructions to create the variable.
Add the apikey header with the correct API key by using this command:
With the correct API key, you should see the list of categories.
If you look at the debug tool, you will notice that many extra variables have been populated, including the API product name, app name, and developer email. These variables are all available for use in your proxy.
Try a non-GET command with the same API key:
There isn't a DELETE /categories operation in the backend API, but the request never reached the backend because Joe's app is using the read-only API product, where the only method allowed is GET. Joe's request was blocked by the VerifyAPIKey policy, returning the error "Invalid ApiKey for given resource."
In this lab, you created two API products (one read-only and one with full access), a developer, and an app, and you used a VerifyAPIKey policy in your API proxy to require that only registered apps can call your API.
When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.
You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.
The number of stars indicates the following:
You can close the dialog box if you don't want to provide feedback.
For feedback, suggestions, or corrections, please use the Support tab.
Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
This content is not currently available
We will notify you via email when it becomes available
Great!
We will contact you via email if it becomes available
One lab at a time
Confirm to end all existing labs and start this one