Secure Admin API

Hi!

I read https://docs.konghq.com/0.13.x/secure-admin-api/
But I am not sure about the solutions.
I added the Admin API as a service to Kong.
But now I would like to deny any direct access to the Admin API interface and authorize access only through the API Gateway.
I don't understand how I can deny any direct access to the Admin API interface.
Is it possible, or did I just miss some information?

Thanks!

So you need a service + route, where the service points to localhost:8001/, then you create a route like /admin-api or whatever you prefer and tie it to the service. At this point you have achieved exposing a direct endpoint to your Admin API.

Next up, add the ACL plugin to your route or service and add a group to the whitelist (I prefer to use the UUID of my route). Then you will want to add either JWT/OAuth/HMAC or one of the other TTL-based auth patterns to the route or service as well.

Finally, you need a consumer to have access to the newly provisioned proxy with its ACL + auth configured, so add the ACL whitelist group you designated to the consumer and create a pair of creds for the consumer. In REST it looks like so:

curl -i -X POST --url http://localhost:8001/services --data 'name=AdminService' --data 'url=http://localhost:8001/' --data 'connect_timeout=10000' --data 'write_timeout=10000' --data 'read_timeout=10000'
curl -i -X POST --url http://localhost:8001/routes --data 'service.id=<POPULATE_THIS>' --data 'paths[]=/admin-api'
curl -X POST http://localhost:8001/routes/<POPULATE_THIS>/plugins --data "name=jwt" --data "config.claims_to_verify=exp" --data "config.maximum_expiration=3600"
curl -X POST http://localhost:8001/routes/<POPULATE_THIS>/plugins --data "name=acl"  --data "config.whitelist=<POPULATE_THIS>"

curl -X POST http://localhost:8001/consumers --data "username=admin"
curl -X POST http://localhost:8001/consumers/admin/jwt -H "Content-Type: application/x-www-form-urlencoded" --data "key=AdminAPIAuth"
curl -X POST http://localhost:8001/consumers/admin/acls --data "group=<POPULATE_THIS_WITH_ROUTE_ID>"
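An added example, not part of the original reply: minting a short-lived token for the `admin` consumer and checking it locally against the same limits the jwt plugin was given above (`claims_to_verify=exp`, `maximum_expiration=3600`). It assumes the credential uses HS256 with the key carried in the `iss` claim (the plugin defaults); `SECRET` is a constructed placeholder for the secret Kong returns when the credential is created, and the function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

KEY = "AdminAPIAuth"                   # credential key from the post (sent as "iss")
SECRET = "constructed-example-secret"  # placeholder for the credential's real secret

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return json.loads(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)))

def _sign(secret, signing_input):
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256)
    return _b64(mac.digest())

def mint_token(key, secret, ttl=300, now=None):
    """Build an HS256 JWT whose exp is ttl seconds after now."""
    now = int(time.time()) if now is None else now
    parts = [{"alg": "HS256", "typ": "JWT"}, {"iss": key, "exp": now + ttl}]
    signing_input = ".".join(_b64(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + _sign(secret, signing_input)

def check_token(token, key, secret, max_exp=3600, now=None):
    """Local mirror of the configured checks; returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = _unb64(head), _unb64(body)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = _sign(secret, head + "." + body)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    if claims.get("iss") != key:
        return False, "unknown key"
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return False, "missing exp"
    if exp <= now:
        return False, "expired"
    if exp - now > max_exp:
        return False, "exp beyond maximum_expiration"
    return True, "ok"

if __name__ == "__main__":
    print(mint_token(KEY, SECRET))
```

The token is sent as `Authorization: Bearer <token>` to the `/admin-api` route on Kong's proxy listener; a five-minute `ttl` keeps a leaked token useful for far less than the one-hour ceiling.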