This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Apigee get OAuth token

Posted on 12-07-2023 07:58 AM
MathieuB
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hello,

I need to get metrics from an Apigee project (https://apigee.google.com/organizations/XXXXX) from command line.
I have a Google account and the admin grant me access to view metrics on the UI.

I follow the get_token docs, but i don't get a token, instead I get a strange error message :

 

$ echo $SSO_LOGIN_URL
https://login.apigee.com
$ get_token -u email@company
{"signupX":"https://apigee.google.com/welcome","passwd":"https://login.apigee.com/reset","signup":"https://login.apigee.com/sign_up"}

 

 

 

 

Solved Solved
0 4 444
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
dchiesa1
Staff
In response to MathieuB
Reply posted on --/--/---- --:-- AM

Yes, of course. You can use service account credentials.

Apigee X/hybrid is a Google Cloud service, and the programmatic interface to the control plane for Apigee X - the API - behaves like all the other Google Cloud services. BigQuery, Cloud Storage, Cloud Logging, Cloud Run... and on and on. Across all of them, for the control plane, there's great deal of consistency in the API - the shape of the request and response payloads, the use of return status, the URL patterns, the api endpoint (always something.googleapis.com), and of course the authentication. For this last part, all of them require an OAuth token. And there are different options for how you obtain that token.

I wrote up a README on this a while ago, with some sample code for obtaining a token programmatically, via various means.

In short, maybe the easiest way to do what you want is to create a service account, generate and download a JSON-format key for that service account, and then authenticate this way:

 

gcloud auth activate-service-account SERVICE_ACCOUNT@DOMAIN.COM \
   --key-file=/path/to/sa/key.json 
gcloud auth print-access-token

 

This is easy, but it may not be the best way. It should be obvious that service account key file is a secret, and you would need to protect that secret from leaking. Some people view the risk of credential leak as too high for their standards; and in fact, because of that risk Google directly recommends that organizations AVOID creating and downloading service account keys, and provides clear guidance on what you should do instead.

Google has published an article on best practices around managing service accounts. One of the ways to use Service Accounts while avoiding the use of downloaded service account KEYS,  is to run your code from Google cloud infrastructure - via Google Cloud build, or running your logic on Cloud Run, or directly on GCE, etc. In that case your code can get a token "automatically" from the Google Cloud metadata endpoint, based on the identity of the workload. Pretty slick. 

When you DO use Service Accounts (with downloaded keys or not), you still have to deal with the permissions.  You'll want to apply the principle of least privilege, and grant permissions to that service account that limit what it can do.  Do this with the builtin roles in Google Cloud IAM, or create your own custom roles and use those. 

 

View solution in original post

Jump to Solution
4 REPLIES 4

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

The get_token utility is for Apigee Edge.

But you refer to "an Apigee project (https://apigee.google.com/organizations/XXXXX)". That tells me you are using Apigee X or hybrid. The get_token utility does not apply. Instead you should use something like "gcloud auth print-access-token". See this answer for more details.

In general, Apigee Edge and Apigee X are very similar - the code base is the same. But there are differences in the management/admin/control interfaces, and particularly in how you authenticate, get a token, etc.

Regarding all the differences,

  • If you are using Apigee Edge, you should use the documentation published at docs.apigee.com/... .
  • If you are using X or hybrid, you should refer to the documentation published at cloud.google.com/apigee/docs/... 

 

Jump to Solution

Posted on --/--/---- --:-- AM
MathieuB
Bronze 3
Bronze 3
In response to dchiesa1
Reply posted on --/--/---- --:-- AM

Thanks a lot @dchiesa1 .

I try to use gcloud commands but it seems we need a manual action on a browser to authenticate :
https://issuetracker.google.com/issues/224754679?pli=1

This is a big issue for me because I have to setup an automatic process to get metrics from Apigee. If I have to perform a manual action on a browser, it will be impossible.

Do you know a way to authenticate without manual action ?

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
dchiesa1
Staff
In response to MathieuB
Reply posted on --/--/---- --:-- AM

Yes, of course. You can use service account credentials.

Apigee X/hybrid is a Google Cloud service, and the programmatic interface to the control plane for Apigee X - the API - behaves like all the other Google Cloud services. BigQuery, Cloud Storage, Cloud Logging, Cloud Run... and on and on. Across all of them, for the control plane, there's great deal of consistency in the API - the shape of the request and response payloads, the use of return status, the URL patterns, the api endpoint (always something.googleapis.com), and of course the authentication. For this last part, all of them require an OAuth token. And there are different options for how you obtain that token.

I wrote up a README on this a while ago, with some sample code for obtaining a token programmatically, via various means.

In short, maybe the easiest way to do what you want is to create a service account, generate and download a JSON-format key for that service account, and then authenticate this way:

 

gcloud auth activate-service-account SERVICE_ACCOUNT@DOMAIN.COM \
   --key-file=/path/to/sa/key.json 
gcloud auth print-access-token

 

This is easy, but it may not be the best way. It should be obvious that service account key file is a secret, and you would need to protect that secret from leaking. Some people view the risk of credential leak as too high for their standards; and in fact, because of that risk Google directly recommends that organizations AVOID creating and downloading service account keys, and provides clear guidance on what you should do instead.

Google has published an article on best practices around managing service accounts. One of the ways to use Service Accounts while avoiding the use of downloaded service account KEYS,  is to run your code from Google cloud infrastructure - via Google Cloud build, or running your logic on Cloud Run, or directly on GCE, etc. In that case your code can get a token "automatically" from the Google Cloud metadata endpoint, based on the identity of the workload. Pretty slick. 

When you DO use Service Accounts (with downloaded keys or not), you still have to deal with the permissions.  You'll want to apply the principle of least privilege, and grant permissions to that service account that limit what it can do.  Do this with the builtin roles in Google Cloud IAM, or create your own custom roles and use those. 

 

Jump to Solution

Posted on --/--/---- --:-- AM
MathieuB
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Thanks again @dchiesa1 , this is exactly what I need.

Jump to Solution
Top Solution Authors
View all