Apigee X Southbound

Hi All, 

I have already implemented the Southbound infrastructure for Apigee and am able to make unauthenticated requests to Cloud Run. However, when trying to make authenticated requests via a Google ID Token we encounter a 401 Unauthorized error.

Current State

This is what our infrastructure is based on 

https://cloud.google.com/blog/products/serverless/connecting-to-cloud-run-from-apigee-x-using-psc

Attached is the XML of our proxy's target endpoint (with the Cloud Run URL removed, but we know the one we're using is correct). We believe this should be working for authenticated requests. Is there any config change we need to make on the Cloud Run side, or an addition to be made to the proxy?


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TargetEndpoint name="default">
  <Description/>
  <FaultRules/>
  <PreFlow name="PreFlow">
    <Response/>
  </PreFlow>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <Flows/>
  <HTTPTargetConnection>
    <Properties/>
    <LoadBalancer>
      <Server name="server-name"/>
    </LoadBalancer>
    <Authentication>
      <HeaderName>X-Serverless-Authorization</HeaderName>
      <GoogleIDToken>
        <Audience>Cloud Run URL</Audience>
      </GoogleIDToken>
    </Authentication>
  </HTTPTargetConnection>
</TargetEndpoint>


What we want to do

Since there are multiple Cloud Run services, we want to be able to send authenticated requests via a single API proxy instead of creating one for each Cloud Run service in the backend, which is not scalable or sustainable.

  • We make reference to the server where the URL is placed in the proxy, which I believe is correct.
  • In the article above I can see a reference to an AssignMessage policy within which there is $CLOUDRUN_APP_SUFFIX; where is this defined?

Our endpoints all follow the structure https://domain/base-path/name-of-cloud-run-service

Thanks,

Soham


On the Cloud Run side you should grant the Cloud Run Invoker role to the service account that you created and used on the Apigee side when you deployed the API proxy.

gcloud functions add-invoker-policy-binding "$CLOUD_FUNCTION_NAME" \
  --member="serviceAccount:${SA_EMAIL}" \
  --region="$CLOUD_FUNCTIONS_REGION" \
  --project="$CLOUD_FUNCTIONS_PROJECT"

You can refer to this community post.

https://www.googlecloudcommunity.com/gc/Apigee/Apigee-To-Cloud-function-Auth/m-p/718705#M78728
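As an added diagnostic example (not code from this thread, Apigee or Cloud Run), the Python below maps a request path in the layout https://domain/base-path/name-of-cloud-run-service to the Cloud Run URL the token's aud claim must equal for that service, and lists why a given ID token's claims would be rejected; the service names, URLs and the unsigned sample token are constructed placeholders, and signature verification (which Cloud Run performs) is deliberately not reproduced.

```python
import base64
import json
import time

# Constructed mapping from the last path segment of the proxy request to the
# Cloud Run service URL that the ID token's "aud" must equal (placeholders).
SERVICE_URLS = {
    "orders": "https://orders-EXAMPLE-uc.a.run.app",
    "inventory": "https://inventory-EXAMPLE-uc.a.run.app",
}
BASE_PATH = "/base-path"


def expected_audience(request_path):
    """Resolve /base-path/<service>/... to the Cloud Run URL used as the audience."""
    if not request_path.startswith(BASE_PATH + "/"):
        raise ValueError("request outside the proxy base path: %s" % request_path)
    service = request_path[len(BASE_PATH) + 1:].split("/", 1)[0]
    if service not in SERVICE_URLS:
        raise ValueError("unknown Cloud Run service: %s" % service)
    return SERVICE_URLS[service]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims):
    """Build a JWT-shaped string with a dummy signature (constructed, offline only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".dummysig"


def id_token_problems(token, expected_aud, now=None):
    """Return the claim-level reasons the token would not be accepted for expected_aud.

    An empty list means the claims are consistent; a real check must also verify
    the signature against Google's keys and confirm the caller holds run.invoker.
    """
    now = time.time() if now is None else now
    try:
        _header, payload, _sig = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return ["token is not a three-part JWT"]
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append("aud %r does not match service URL %r" % (claims.get("aud"), expected_aud))
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        problems.append("issuer is not Google")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems
```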