Creating access token for Apigee X without using Service Account

We know that access tokens for admin calls on Apigee X can be created through a service account, but I need an alternative to a service account to do the same.


Hi - can you explain your requirements in more detail?

It sounds like you would like to make calls to apigee.googleapis.com, and you understand that for authenticating such calls you need an OAuth2 access token.

You can set up your system to get a token on behalf of a user's authentication and consent, or you can set up your system to get a token based on a "machine identity" or service account.

From reading your short sentence, I understand you do not wish to use a service account. OK, that leaves a human user. You need to obtain a token for the human. A specific person needs to log in and consent.

There are different ways to do that; the easiest is to use gcloud, a command-line tool that lets you do lots of things associated with Google Cloud:

gcloud auth login

This will go through the login-and-then-consent experience for Google Cloud APIs, including the Apigee APIs (apigee.googleapis.com), launching a browser window for the user experience. The user will have to authenticate: type in the username and password, and maybe use 2FA if it is set up. Then you can get the access token this way:

gcloud auth print-access-token

And then you can use that token as a bearer token when invoking apigee.googleapis.com.

If you do not wish to use gcloud to help you launch this experience and get the token, then you can write your own script or tool to do so. It will have to behave roughly the way the gcloud CLI command works: launch a browser tab that allows the user to log in and then consent. Get the authorization code, then exchange it for a token. Here is an example in Node.js.

Does this help?

Hi,

You got my concern, but actually I need the OAuth access token to hit the admin calls to Apigee X, and I need to do it in a way other than a service account. I say so because we have some security concerns with the service-account way.

Also, I put the command-line way out of the equation, as it is a manual process and I need a process which can be automated.

So, do we really have some other automated way to create the access token, other than a service account?

I hope you get it.

Thanks in advance!!

If you want to automate the administration of Apigee X, then you need to invoke googleapis.com. As far as I understand, there are three ways to authenticate to googleapis.com. These are not limited to Apigee, but apply to all services hosted on googleapis.com:

  • as a human user. The easiest way to do this is with gcloud auth login, going through the OAuth2 3-legged dance. Result: you get a token, with which you invoke the endpoint. You can also do this programmatically, with your own code.
  • as a service account. Easy path: gcloud auth login SERVICE_ACCOUNT. See more here. Result: you get a token, with which you invoke the endpoint. Again, you can also do this programmatically, with your own code.
  • implicitly. For this your code must run in a GCP context: within Google Compute Engine or Cloud Run or GKE or Cloud Build, etc. This code runs with an identity. Simply grant that identity the proper roles on the Apigee project, and the code will authenticate implicitly. In most cases this is not a suitable solution to the problem, because people want to invoke the googleapis.com endpoint from OUTSIDE GCP.

For more on these options, as well as an example of getting your own token in a Node.js program without relying on gcloud, see this GitHub repo.

From what you describe, the most common mechanism to accomplish what you want is to use a service account. I understand that you also said "we don't want to use a service account." That presents a decision for you, I guess: use a service account to accomplish your goal, or don't use a service account and don't accomplish your goal.

Good luck!