How to Load Balance Between Cloud Run Targets in Apigee X

Hey All,

Today I found out about a pretty cool new feature in Apigee X that allows you to dynamically set the value of the "Audience" element when using the Google Authentication mechanism for Target Endpoints and Service Callout policies.

This is documented over at:

https://cloud.google.com/apigee/docs/api-platform/reference/policies/service-callout-policy#authenti...
https://cloud.google.com/apigee/docs/api-platform/reference/policies/service-callout-policy#audience

If you have not used the Google Authentication mechanism before, let me give you a little primer. With this approach, you can invoke pretty much any of the Google products' REST APIs over at *.googleapis.com, and have Apigee X behind the scenes obtain an OAuth access token seamlessly, and pass it down in the Authorization header for you. Pretty neat!

Anyway, back to the main topic: suppose you have two instances of a container running in Cloud Run in different regions (e.g. west and central). You can use the Apigee X 'LoadBalancer' mechanism to round-robin between the two Cloud Run regions like this.

First, define target servers for each of the Cloud Run instances:

[Screenshot: target server definitions]


Then, in the Apigee X API Proxy, within your Target Endpoint, use the following configuration to load balance between these two target servers, and have Apigee X dynamically obtain the necessary access token for each of the servers behind the scenes.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TargetEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request/>
        <Response/>
    </PreFlow>
    <Flows/>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <HTTPTargetConnection>
        <LoadBalancer>
            <Server name="cloudrun-central"/>
            <Server name="cloudrun-west"/>
        </LoadBalancer>
        <Path>/headers</Path>
        <Authentication>
            <GoogleIDToken>
                <Audience useTargetUrl="true"/>
            </GoogleIDToken>
        </Authentication>
    </HTTPTargetConnection>
</TargetEndpoint>

The cool bit here is the attribute "useTargetUrl"; this is telling Apigee X to dynamically build the access token using the URL of each of the target servers. So essentially, behind the scenes, each target server (i.e. Cloud Run) gets its own access token.


The example above is for a Target Endpoint, but it works also for a service callout. Hope this helps you out there!

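To illustrate why a per-target audience matters for the load-balanced configuration in the post above, here is an added example (not from the original post, and not Apigee or Cloud Run code). It compares one fixed audience against a per-target audience using constructed hostnames and constructed, unsigned tokens; the audience derivation and the origin-only receiver check are simplifying assumptions.

```python
import base64, json
from itertools import cycle
from urllib.parse import urlsplit

# Constructed target servers (hypothetical hosts standing in for the two Cloud Run URLs).
TARGETS = {
    "cloudrun-central": "https://hello-central.example.test",
    "cloudrun-west": "https://hello-west.example.test",
}
PATH = "/headers"  # <Path> from the Target Endpoint in the post


def audience_for(target_url):
    """Assumed model of useTargetUrl="true": target URL minus query string and fragment."""
    u = urlsplit(target_url)
    return f"{u.scheme}://{u.netloc}{u.path}"


def fake_id_token(aud):
    """Constructed, unsigned JWT-shaped string; only the aud claim matters here."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud})}."


def aud_claim(token):
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def service_accepts(token, service_url):
    """Simplified receiver check (assumption): aud must name this service's own origin."""
    aud, svc = urlsplit(aud_claim(token)), urlsplit(service_url)
    return (aud.scheme, aud.netloc) == (svc.scheme, svc.netloc)


def round_robin(requests, static_audience=None):
    """Return [(server, accepted)] for `requests` calls alternated across TARGETS."""
    results = []
    servers = cycle(TARGETS.items())
    for _ in range(requests):
        name, base = next(servers)
        aud = static_audience or audience_for(base + PATH + "?debug=1")
        results.append((name, service_accepts(fake_id_token(aud), base)))
    return results


if __name__ == "__main__":
    print("fixed audience:", round_robin(4, TARGETS["cloudrun-central"]))
    print("per-target    :", round_robin(4))
```

With the fixed audience, every second request (the one routed to the other region) is rejected; with the per-target audience, all requests are accepted.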

Hi,

I have a question about this. I'm using PSC with an endpoint attachment. When doing unauthenticated calls, all works as expected, but I want to use this authentication method for my calls, so when I add Authentication to my API Proxy I get:

The URL must be ssl enabled if Authentication is present.
Request ID: 1075017758012059347

But my endpoint attachment is an IP and is defined in the TargetURL as http://7.0.8.6:80, as is documented here: https://cloud.google.com/apigee/docs/api-platform/troubleshoot/playbooks/network-configuration/conne...

My question is how to use authentication when PSC and an endpoint attachment are used and the endpoint attachment IP must be used in the TargetURL.

Please note my Apigee org and Target project are different.