Reputation: 460
I have an apollo/graphql server sitting behind a GCP API gateway. Google says it requires an OpenAPI spec to secure endpoints: https://cloud.google.com/api-gateway/docs/get-started-cloud-run#creating_an_api_config
But how exactly would this look for securing a single GraphQL endpoint? Also, as a side question, does a new API Gateway need to be created for each Cloud Run/App Engine service?
Thanks in advance.
Upvotes: 2
Views: 1065
Reputation: 4126
Here's a repo that demonstrates what you want to achieve. It's a GCP API Gateway fronting a GraphQL API on Cloud Run, secured with Identity-Aware Proxy. Here's the API config from the link:
api-spec.yaml
```yaml
swagger: '2.0'
info:
  title: gcp-demo-api
  description: Sample GraphQL API on API Gateway with a Cloud Run backend
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /:
    post:
      summary: GraphQL endpoint
      operationId: gql
      x-google-backend:
        address: https://PROJECT_AND_RANDOM_STRING.a.run.app/graphql # App URL/endpoint
        jwt_audience: LONG_RANDOM_STRING.apps.googleusercontent.com # IAP client ID
      responses:
        '200':
          description: A successful response
          schema:
            type: object
```
To answer your side question, it is important to understand what an API Gateway does. An API Gateway is what stands between your user requests and your collection of backend services, so all API requests go through it.
Therefore, you don't need to create a new API gateway for each service. It is possible in API Gateway to serve multiple services such as Cloud Run, App Engine, Cloud Functions, etc. by specifying the backend address on each endpoint. Here's a link that further explains the concept.
Upvotes: 3
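To illustrate the answer's point that a single gateway can front several services, here is an added example config (not part of the original answer or the linked repo). The paths, operation IDs and placeholder backend URLs are assumptions; each operation carries its own `x-google-backend` address.

```yaml
# Added example: one API Gateway config routing to three different backends.
# All hostnames below are placeholders, not real services.
swagger: '2.0'
info:
  title: multi-backend-gateway
  description: One gateway in front of Cloud Run, App Engine and Cloud Functions
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /graphql:
    post:
      summary: GraphQL endpoint on Cloud Run
      operationId: gql            # operationId must be unique per operation
      x-google-backend:
        address: https://CLOUD_RUN_SERVICE_HOST.a.run.app/graphql
        # Send every request to exactly this URL; do not append the gateway path.
        path_translation: CONSTANT_ADDRESS
      responses:
        '200':
          description: A successful response
          schema:
            type: object
  /orders:
    get:
      summary: REST endpoint on App Engine
      operationId: listOrders
      x-google-backend:
        address: https://PROJECT_ID.REGION_ID.r.appspot.com
        # Forward as <address>/orders by appending the gateway path.
        path_translation: APPEND_PATH_TO_ADDRESS
      responses:
        '200':
          description: A successful response
  /thumbnail:
    post:
      summary: Cloud Functions endpoint
      operationId: makeThumbnail
      x-google-backend:
        address: https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME
      responses:
        '200':
          description: A successful response
```

Only the methods listed under each path are routed, so with this config a GET to `/graphql` is rejected at the gateway rather than reaching the backend.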