DocsAmbassador CloudAmbassador Cloud Security overview
Ambassador Cloud Security overview
The Ambassador Cloud Security page allows you to create and manage API keys for Edge Stack through the online Ambassador Cloud interface.
API keys and filters
API keys in Ambassador Cloud are managed by the FilterPolicy
and Filter
resources in your cluster.
When you click the Generate Filter button in Ambassador Cloud, it opens the slideout to create the FilterPolicy
and Filter
resources for your API keys.
The FilterPolicy
resource is used by all the filters created in the Ambassador Cloud Security page. The Filter
resource references the secret for all API Keys created within the designated Ambassador Cloud filter group.
Once you have added the FilterPolicy
and Filter
resources to your cluster, Ambassador Cloud will display any Filter
resources you created in the UI with a Generate an API Key button to the right of the Filter name.
Creating filters
Before you create API keys, you need to create a FilterPolicy
resource and a Filter
resource.
To create these filter resources:
- Click the Create Filter button to open the filters slideout.
- Enter a name for the filter and the hosts and paths to associate with the filter. These hosts and paths will apply to any API keys you generate for this filter in the future. Filters can only be generated for the ambassador namespace.
- Once you've filled out the fields in the slideout, Click Generate Filter.
Ambassador Cloud generates the YAML text for the
FilterPolicy
andFilter
resources. - Copy the
FilterPolicy
andFilter
resources from the slideout and paste them into a YAML file. Once you've saved the YAML file, synchronize it with your preferred GitOps tool or apply it directly to your cluster usingkubectl
:
When you reload the Security page in Ambassador Cloud, your filter displays on the page. Now you can create API keys to use with this filter.
Creating API keys
Once you've created the FilterPolicy
and Filter
resource and added them to your cluster, you can create API keys in Ambassador Cloud. API keys are a special token that are added to HTTP headers.
To create a key:
- Locate the filter you want to create the API key for, and click Generate an API key to open the API key slideout.
- Enter a name and description for the API key, then click Generate. The slideout displays the API key. Be sure to copy this key down; this is the only time the key is displayed.
- Pass the API key with cURL.
For example, for the endpoint at
https://${EDGE_STACK_IP}/api/my-service
with the HTTP headerx-api-key
, the following request will respond with HTTP status code200
:
Revoke an API key
To revoke a key, click on the filter in Ambassador Cloud to expand the list of all keys associated with the filter. Find the key you want to revoke access for and click REVOKE.