API key auth

This HTTP filter can be used to authenticate users based on the unique API key. The filter will extract the API keys from either an HTTP header, a parameter query, or a cookie and verify them against the configured credential list.

If the API key is valid and the related client is allowed, the request will be allowed to continue. If the API key is invalid or not exists, the request will be denied with 401 status code. If the API key is valid but the related client is not allowed, the request will be denied with 403 status code.

Configuration

  • This filter should be configured with the type URL type.googleapis.com/envoy.extensions.filters.http.api_key_auth.v3.ApiKeyAuth.

  • v3 API reference

An example configuration of the filter may look like the following:

 1          - name: api_key_auth
 2            typed_config:
 3              "@type": type.googleapis.com/envoy.extensions.filters.http.api_key_auth.v3.ApiKeyAuth
 4              credentials:
 5              - key: one_key
 6                client: one_client
 7              - key: another_key
 8                client: another_client
 9              key_sources:
10              - header: Authorization

Per-Route Configuration

It’s possible to override the filter’s configuration for a specific scope like a route or virtual host. And the overriding configuration could be partial to override only credential list or to override only the API key source.

And this filter also provides very limited authorization control. A simple allowed_clients could be configured for specific scope like a route or virtual host to allow or deny specific clients.

An example scope specific configuration of the filter may look like the following:

 1            name: local_route
 2            virtual_hosts:
 3            - name: local_service
 4              domains: ["*"]
 5              routes:
 6              - match:
 7                  path: "/admin"
 8                route:
 9                  cluster: upstream_com
10                typed_per_filter_config:
11                  api_key_auth:
12                    "@type": type.googleapis.com/envoy.extensions.filters.http.api_key_auth.v3.ApiKeyAuthPerRoute
13                    key_sources:
14                    - query: api_key
15                    allowed_clients:
16                    - another_client
17              - match:
18                  path: "/special"
19                route:
20                  cluster: upstream_com
21                typed_per_filter_config:
22                  api_key_auth:
23                    "@type": type.googleapis.com/envoy.extensions.filters.http.api_key_auth.v3.ApiKeyAuthPerRoute
24                    credentials:
25                    - key: special_key
26                      client: special_client
27                    key_sources:
28                    - header: X-Special-Key
29              - match:
30                  prefix: "/static"
31                route:
32                  cluster: upstream_com
33                typed_per_filter_config:
34                  api_key_auth:
35                    "@type": type.googleapis.com/envoy.config.route.v3.FilterConfig
36                    disabled: true
37              - match:
38                  prefix: "/"
39                route:
40                  cluster: upstream_com

In this example we customize key source for /admin route and only allow limited clients to access this route. We also customize the credential list for /special route and disable the filter for /static route.

Combining the per-route configuration example and the filter configuration example, given the following requests, the filter will behave as follows:

# The request will be allowed because the API key is valid and the client is allowed.
GET /admin?api_key=another_key HTTP/1.1
host: example.com

# The request will be denied with 403 status code because the API key is valid but the client is
# not allowed.
GET /admin?api_key=one_key HTTP/1.1
host: example.com

# The request will be denied with 401 status code because the API key is invalid.
GET /admin?api_key=invalid_key HTTP/1.1
host: example.com

# The request will be allowed because the API key is valid and no client validation is configured.
GET /special HTTP/1.1
host: example.com
X-Special-Key: "special_key"

# The request will be allowed because the filter is disabled for specific route.
GET /static HTTP/1.1
host: example.com

# The request will be allowed because the API key is valid and no client validation is configured.
GET / HTTP/1.1
host: example.com
Authorization: "Bearer one_key"

Statistics

The HTTP API key auth filter outputs statistics in the http.<stat_prefix>.api_key_auth. namespace.

Name

Type

Description

allowed

Counter

Total number of allowed requests

unauthorized

Counter

Total number of requests that have invalid API key

forbidden

Counter

Total number of requests that have valid API key but not allowed