Re: GCP OAuth Token in Apigee X

shrenikkumar-s · 10-20-2022 08:55 AM

Hi There!

We are trying to generate OAuth2 tokens to authenticate to custom GCP services. In the past we have used GCP OAuth Java library however, we need to achieve this through Apigee X now, we came across this page: https://cloud.google.com/apigee/docs/api-platform/security/google-auth/overview

However, it's not clear how to pass the necessary values/tokens/certs as needed within the authentication element and if there is an example that would help.

kurtkanaskie

The built-in GCP Auth feature is awesome and it's pretty simple. In your HTTPTargetConnection you specify an Authentication element with the appropriate Scope. For example:

    <HTTPTargetConnection>
        <!-- bigquery-access@apigeex-my-project.iam.gserviceaccount.com -->
        <URL>https://bigquery.googleapis.com/bigquery/v2/projects/apigeex-my-project/queries</URL>
        <Authentication>
            <GoogleAccessToken>
                <Scopes>
                    <Scope>https://www.googleapis.com/auth/bigquery</Scope>
                </Scopes>
            </GoogleAccessToken>
        </Authentication>
    </HTTPTargetConnection>

Then in your project (e.g. apigeex-my-project) you create a Service Account with the proper permissions. For the above example of accessing BigQuery I use:

Since the HTTPTargetConnection uses Authentication, when you deploy you must specify the Service Account.

Deployment is the same if you are using a ServiceCallout in a proxy or shared flow.

Hope that's what you are asking for.

tomwilding72

Hi @kurtkanaskie,

We were also wondering how this would also work if the service to invoke is in a different GCP account. We have the service account and key, however the GCP Cloud Run services reside in a different account to where Apigee is setup.

Thanks,

Tom

kurtkanaskie

Hi @tomwilding72 ,

Using another GCP project besides the one where Apigee is setup, is just as easy.

Create a service account in the project where Apigee is deployed (e.g. apigeex-my-project).
Add that same service account (e.g. bigquery-access@apigeex-my-project.iam.gserviceaccount.com) as a principal in the other project (e.g. apigeex-my-other-project) with the appropriate roles (e.g. Big Query Data Editor, Big Query Job User).
Set the path in target URL to use the "apigeex-my-other-project" project.

<HTTPTargetConnection>
        <!-- bigquery-access@apigeex-my-project.iam.gserviceaccount.com -->
        <URL>https://bigquery.googleapis.com/bigquery/v2/projects/apigeex-my-other-project/queries</URL>
        <Authentication>
            <GoogleAccessToken>
                <Scopes>
                    <Scope>https://www.googleapis.com/auth/bigquery</Scope>
                </Scopes>
            </GoogleAccessToken>
        </Authentication>
    </HTTPTargetConnection>

That's it!

jaysvill

Hi @kurtkanaskie Will this work with Apigee Edge? Edge is having a different implementation of service accounts. I am trying to call Apigee Hybrid Management from Apigee Edge Proxy using that GoogleAccessToken element. Thanks in advance.

dchiesa1

No, the GoogleAccessToken element works in Apigee X. Not in Apigee Edge.

For Apigee Edge, you need to manually obtain the GCP access token. This sharedflow shows how. To use it you need a Service Account key file (json format).