Generate API Key for SSO Login in 7 Steps
IBM API Connect: DevOps at Scale
Sila Kissuu
© IBM v1.0 2023-01-18
Problem:
It is common for APIC deployments to leverage existing enterprise Continuous Integration/Continuous Deployment (CI/CD) practices to automate code delivery. Typically, a pipeline is configured to log onto API Manager and execute a series of CLI commands.
However, when authentication is performed via an external provider, such as OIDC with Single Sign-On (SSO), the default CLI behavior requires the user to authenticate via a browser in order to retrieve the required API key.
Here is an example that uses Azure AD as the OIDC provider:
apic login -s apim.lab.company.com \
-u pipelines@company.com \
-r provider/azure-oidc --context provider \
--sso login.microsoftonline.com
Please copy and paste the url https://apim.lab.company.com/manager/auth/manager/sign-in/?from=TOOLKIT
to a browser to start the authentication process.
Do you want to open the url in default browser? [y/n]: y
API Key?
We provide a solution.
Solution:
Use the CLI command apic api-keys:create to create a custom key with a custom TTL and other properties.
Requirements:
- An input file describing the API key metadata
- User URL: this property is retrieved separately
Procedure
- Obtain the “user URL” for the user ID that will be associated with this API key.
  - Log on to APIM (provider realm) using your OIDC user ID.
    NOTE: this is the only time you will have to interact with the browser.

        apic login -s apim.lab.company.com \
          -u pipelines@company.com \
          -r provider/azure-oidc --context provider \
          --sso login.microsoftonline.com
        Please copy and paste the url https://apim.lab.company.com/manager/auth/manager/sign-in/?from=TOOLKIT
        to a browser to start the authentication process.
        Do you want to open the url in default browser? [y/n]: y
        API Key? <<paste your API key copied from the browser>>
- List org members using apic members:list

        apic members:list -s apim.lab.company.com --scope catalog -c sandbox -o my-org
        pipelines-company.com-from-azure-oidc-of-type-standard    [state: enabled]    https://platform.lab.company.com/api/catalogs/84bce7eb-354e-49c9-8d6b-48e82ac45084/e0843be8-0beb-43d5-b304-e55861e45f2c/members/4c0764a9-a4d8-4926-9759-1d3d02334c52

  The output shows the definition for user pipelines@company.com, enabled in a Standard type OIDC configuration named azure-oidc.
  Copy the URL from the output - you will need it in the next step.
- Create a JSON file (we will name it my-key-definition.json) to define metadata for your new API key. Paste the URL from Step 2 into the user_url property. Here is a sample API key creation file:

        {
          "type": "api_key",
          "api_version": "2.0.0",
          "name": "PipelineKey",
          "title": "PipelineKey",
          "summary": "Use this key for SSO login.",
          "client_type": "toolkit",
          "realm": "provider",
          "user_url": "https://platform.lab.company.com/api/catalogs/84bce7eb-354e-49c9-8d6b-48e82ac45084/e0843be8-0beb-43d5-b304-e55861e45f2c/members/4c0764a9-a4d8-4926-9759-1d3d02334c52",
          "description": "API Key for CI/CD operations",
          "ttl": 62294394
        }

  NOTE: The value for user_url is derived from Step 2.
- Create the API key using the api-keys:create command, passing the file created in Step 3.
- Verify the API key was created.
  - List API keys.
  - Retrieve the API key you just created:
    A JSON file named after your new API key (in this example, PipelineKey) is dumped into your current directory.
    This file represents your API key definition in API Manager.
- Review the contents of the JSON file:

        {
          "type": "api_key",
          "api_version": "2.0.0",
          "id": "3c0225f7-0aad-45ce-a199-ced575befb9c",
          "name": "PipelineKey",
          "title": "PipelineKey",
          "summary": "Use this key for SSO login.",
          "client_type": "toolkit",
          "realm": "provider/azure-oidc",
          "user_url": "https://platform.lab.company.com/api/catalogs/84bce7eb-354e-49c9-8d6b-48e82ac45084/e0843be8-0beb-43d5-b304-e55861e45f2c/members/4c0764a9-a4d8-4926-9759-1d3d02334c52",
          "id_token": "eyJhbGciOiJSUzI1Ni...bT4IX7w",
          "token_exp": 1674104837,
          "token_iat": 1674076037,
          "token_jti": "c73472c2-8c93-4fb6-bc8e-9b6a88775dfd",
          "api_key": "14f27ecd-919a-41f5-a4f1-2a6012cb471c",
          "description": "API Key for CI/CD operations",
          "created_at": "2023-01-18T21:35:19.000Z",
          "updated_at": "2023-01-18T21:35:19.000Z",
          "url": "https://platform.lab.company.com/api/cloud/api-keys/b6882e4a-4b8e-43b0-963f-0478b79c7948"
        }

  Your new API key, ready for use, is the value of the "api_key" property above.
- Test the new API key.
  We have successfully logged into APIM and can now proceed with CI/CD operations.
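A pipeline can check the key definition from Step 3 before submitting it, and treat the retrieved key file as a secret afterwards. The following is an added example, not part of the original page or of IBM's tooling; the function names, the host allowlist, the 90-day limit and the reading of ttl as seconds are assumptions made for illustration.

```python
import json
import os
import stat
from urllib.parse import urlparse

SECRET_FIELDS = ("api_key", "id_token")  # secret-bearing fields in the retrieved file

# Constructed sample: the key definition from Step 3 of this page.
SAMPLE_DEFINITION = {
    "type": "api_key", "name": "PipelineKey", "client_type": "toolkit",
    "realm": "provider", "ttl": 62294394,
    "user_url": "https://platform.lab.company.com/api/catalogs/"
                "84bce7eb-354e-49c9-8d6b-48e82ac45084/e0843be8-0beb-43d5-b304-e55861e45f2c"
                "/members/4c0764a9-a4d8-4926-9759-1d3d02334c52",
}

def check_definition(defn, allowed_host, max_ttl_days):
    """Return policy findings for a key definition (empty list means it passes)."""
    findings = []
    url = urlparse(defn.get("user_url", ""))
    if url.scheme != "https" or url.hostname != allowed_host:
        findings.append(f"user_url is not an https URL on {allowed_host}")
    elif "/members/" not in url.path:
        findings.append("user_url does not point at a member record")
    ttl = defn.get("ttl")
    # Assumption: ttl is expressed in seconds.
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
        findings.append("ttl is missing or not a positive integer")
    elif ttl > max_ttl_days * 86400:
        findings.append(f"ttl is about {ttl // 86400} days, policy maximum is {max_ttl_days}")
    return findings

def redacted(key_doc):
    """Copy of a retrieved key document that is safe to print in pipeline logs."""
    return {k: "<redacted>" if k in SECRET_FIELDS else v for k, v in key_doc.items()}

def lock_down(path):
    """Restrict the retrieved key file to its owner and return the resulting mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    # 90 days is a hypothetical policy limit, not an API Connect default.
    for finding in check_definition(SAMPLE_DEFINITION, "platform.lab.company.com", 90):
        print("FINDING:", finding)
    print(json.dumps(redacted({"name": "PipelineKey", "api_key": "constructed-value"})))
```

Run against the sample definition, the check reports the TTL as roughly 720 days against the hypothetical 90-day limit.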
Conclusion
You are now able to automate CI/CD operations using a pre-defined API key.