Hi There!
We are trying to generate OAuth2 tokens to authenticate to custom GCP services. In the past we have used the GCP OAuth Java library; however, we need to achieve this through Apigee X now. We came across this page: https://cloud.google.com/apigee/docs/api-platform/security/google-auth/overview
However, it's not clear how to pass the necessary values/tokens/certs as needed within the Authentication element, and whether there is an example that would help.
The built-in GCP Auth feature is awesome and it's pretty simple. In your HTTPTargetConnection you specify an Authentication element with the appropriate Scope. For example:
<HTTPTargetConnection>
  <!-- bigquery-access@apigeex-my-project.iam.gserviceaccount.com -->
  <URL>https://bigquery.googleapis.com/bigquery/v2/projects/apigeex-my-project/queries</URL>
  <Authentication>
    <GoogleAccessToken>
      <Scopes>
        <Scope>https://www.googleapis.com/auth/bigquery</Scope>
      </Scopes>
    </GoogleAccessToken>
  </Authentication>
</HTTPTargetConnection>
Then in your project (e.g. apigeex-my-project) you create a Service Account with the proper permissions. For the above example of accessing BigQuery I use:
Since the HTTPTargetConnection uses Authentication, when you deploy you must specify the Service Account.
Deployment is the same if you are using a ServiceCallout in a proxy or shared flow.
Hope that's what you are asking for.
Hi @kurtkanaskie,
We were also wondering how this would work if the service to invoke is in a different GCP account. We have the service account and key; however, the GCP Cloud Run services reside in a different account from the one where Apigee is set up.
Thanks,
Tom
Hi @tomwilding72 ,
Using another GCP project besides the one where Apigee is set up is just as easy.
<HTTPTargetConnection>
  <!-- bigquery-access@apigeex-my-project.iam.gserviceaccount.com -->
  <URL>https://bigquery.googleapis.com/bigquery/v2/projects/apigeex-my-other-project/queries</URL>
  <Authentication>
    <GoogleAccessToken>
      <Scopes>
        <Scope>https://www.googleapis.com/auth/bigquery</Scope>
      </Scopes>
    </GoogleAccessToken>
  </Authentication>
</HTTPTargetConnection>
That's it!
Hi @kurtkanaskie, will this work with Apigee Edge? Edge has a different implementation of service accounts. I am trying to call the Apigee Hybrid Management API from an Apigee Edge proxy using that GoogleAccessToken element. Thanks in advance.
No, the GoogleAccessToken element works in Apigee X. Not in Apigee Edge.
For Apigee Edge, you need to manually obtain the GCP access token. This shared flow shows how. To use it you need a Service Account key file (JSON format).