Assistance Needed with Apigee API Deployment Using Google Cloud SDK

Hello Community,

I'm facing a challenge with deploying APIs using the Google Cloud SDK, as outlined in the documentation here: Google Cloud SDK - Apigee API Deployment.

The documentation does not mention the necessity of specifying service accounts for deployment. However, when I follow the steps, the process requests a service account (SA).

 

$ gcloud apigee apis deploy --environment=dev-5585344 --api=apiproxy
Using current latest revision `1`
ERROR: (gcloud.apigee.apis.deploy) Failed to deploy API proxy (Bad Request):
APIProxy(organization='hephia-apis', environment='dev-5585344', api='apiproxy', revision='1')
Details: deployment validations failed
- Deployment of "organizations/hephia-apis/apis/apiproxy/revisions/1" requires a service
  account identity, but one was not provided with the request.

deployment validations failed

 

Looking at the command help, I didn't find a param to define the service account:

 

    gcloud apigee apis deploy
        [[REVISION]
          --api=API --environment=ENVIRONMENT --organization=ORGANIZATION]
        [--override] [GCLOUD_WIDE_FLAG ...]

 

I tried the GCLOUD_WIDE_FLAGs --impersonate-service-account and --account, but neither of them worked.

P.S.: I can list existing APIs (deployed on Console) even if I am unable to deploy new ones. I'm seeking a solution to deploy my proxies without using Maven, preferring to utilize GCP utilities and eventually Pulumi or Terraform.

Could anyone provide guidance on what I might be missing or any additional steps required for successful deployment using the Google Cloud SDK?

Thank you for your assistance.

1 ACCEPTED SOLUTION

hmmmm, I understand the situation, thanks for the clear explanation. 

An API Proxy will require a Service Account during deployment if you use the Authentication tag, with either the GoogleIDToken or the GoogleAccessToken child, in a TargetEndpoint or ServiceCallout. This tells Apigee to automatically add either an ID token or an access token to outbound calls. And for that Apigee needs a service account to associate to the API proxy. So that is why you see the message "Deployment of "organizations/hephia-apis/apis/apiproxy/revisions/1" requires a service account identity, but one was not provided with the request." Maybe you already knew that!

Looking in the gcloud sdk Python sources, it seems that option is not currently supported within the gcloud sdk deploy command.

I've opened a bug (internal ref b/313658636) asking that the team implement this capability. 

In the meantime, your workaround is to use the apigeecli tool, or the REST API. For apigeecli, you can do this:

 

apigeecli apis deploy --wait --name "$PROXY_NAME" --ovr \
  --rev "$REV" --org "$PROJECT" --env "$APIGEE_ENV" \
  --token "$TOKEN" --sa "$SA_EMAIL"

 

 For the REST API, it's like this:

 

POST :apigee/v1/organizations/:org/environments/:env/apis/:api/revisions/:rev/deployments?override=true&serviceAccount=:sa_email
Authorization: Bearer :token

I think when the feature is implemented in the gcloud command, it will probably look like this:

gcloud apigee apis deploy --environment=dev-5585344 --api=apiproxy \
   --service-account=my-svc-acct@project.iam.gserviceaccount.com

THIS IS NOT YET IMPLEMENTED! 
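The check and the REST call described in the answer above, as an added example that is not part of the original post or of any Google tool: it scans endpoint or ServiceCallout XML for the Authentication children that force a service account, then builds (without sending) the deployment POST. The base URL `https://apigee.googleapis.com` for `:apigee`, the function names, the email pattern and the sample XML are assumptions made for this illustration.

```python
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

APIGEE_BASE = "https://apigee.googleapis.com"  # assumed value of ":apigee" in the post
TOKEN_TAGS = ("GoogleIDToken", "GoogleAccessToken")
SA_EMAIL = re.compile(r"^[a-z0-9-]+@[a-z0-9.-]+\.gserviceaccount\.com$")

# Constructed sample: a TargetEndpoint that asks Apigee to attach an ID token.
SAMPLE_TARGET = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <Authentication>
      <GoogleIDToken><Audience>https://backend.example.com</Audience></GoogleIDToken>
    </Authentication>
    <URL>https://backend.example.com</URL>
  </HTTPTargetConnection>
</TargetEndpoint>"""


def google_auth_kinds(xml_text):
    """Return which Google token children appear under any <Authentication> element."""
    root = ET.fromstring(xml_text)
    found = set()
    for auth in root.iter("Authentication"):
        found.update(child.tag for child in auth if child.tag in TOKEN_TAGS)
    return found


def build_deploy_request(org, env, api, rev, token, sa_email=None, bundle_xml=()):
    """Build (not send) the deployment POST; refuse if an SA is needed but missing."""
    needs_sa = any(google_auth_kinds(x) for x in bundle_xml)
    if needs_sa and not sa_email:
        raise ValueError("proxy uses Google authentication; a service account is required")
    if sa_email and not SA_EMAIL.match(sa_email):
        raise ValueError("not a service account email: %r" % sa_email)
    # Percent-encode every path segment so a stray "/" or "?" cannot change the target.
    path = "/v1/organizations/%s/environments/%s/apis/%s/revisions/%s/deployments" % tuple(
        urllib.parse.quote(str(p), safe="") for p in (org, env, api, rev))
    query = {"override": "true"}
    if sa_email:
        query["serviceAccount"] = sa_email
    url = APIGEE_BASE + path + "?" + urllib.parse.urlencode(query)
    return urllib.request.Request(
        url, method="POST", headers={"Authorization": "Bearer " + token})
```

Pass the returned object to `urllib.request.urlopen` to perform the deployment. The identity that deploys also needs the `iam.serviceAccounts.actAs` permission on the service account it names, so grant that on the one account the proxy should run as rather than project-wide.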

 
