Hello,
My requirement is to obtain a token which I can use in calling management APIs. I have gone through many blogs and posts, especially from @dchiesa1, but I was not able to come up with a proper understanding.
This might be because of the way I used Apigee SaaS: EDGE is a 1-step process; by directly calling 1 URL we can get the Edge API token. For that, obviously, there is a one-time activity we do.
But here in Hybrid, is the same not possible? Please help me understand, and please share a blog which has a step-by-step process if it's already there.
If the self-signed JWT is the only process, I have doubts about what I need to use for the private key and the additional claims: subj, issuer, aud.
I want this process because I need to automate it in Postman itself as a one stop.
Thanks
You are correct - both Apigee Edge and Apigee hybrid use OAuth for "management calls". In other words, you have to obtain a token (as a 1-time thing), and then you can USE the token with subsequent calls to the management API, until the token expires. There are some differences, but those things - obtain the token, and then repeatedly use the token - are consistent.
The way you obtain the token for Edge is different than the way you obtain the token for Apigee hybrid.
For Apigee hybrid, as with any other Google cloud service, there are multiple different options for obtaining tokens.
And then regardless of which option you choose, you can use the returned token as a bearer token.
In fact, none of this is special to Apigee, or Apigee hybrid. This is all Google Cloud foundational stuff. So you can use these approaches to get a token to use for administering or managing Apigee X or hybrid, or Cloud Storage, or BigQuery, or Document AI, Cloud Run, Logging, Compute, Secret Manager, Cloud SQL, Artifact Registry, Cloud Pubsub... you get the idea. The main thing is that the principal (user or service account) needs the right permissions on the thing you're trying to administer. For example, consider Apigee. For Apigee, there are a number of built-in roles. To administer a hybrid org, the principal might need to have the Apigee API Admin role, which grants the right permissions to create + deploy APIs.
I have described the options for getting a token in more detail in the README for this GitHub repo, including some sample code.
Hey Dino,
From the above-mentioned options for obtaining a token, the second one suits best for working in Postman. Could you please send me the link for following that process?
I need to include that /token call in Postman or in an automation script to get the token and store it in a variable for use.
Thanks
Yes, the details are in the GitHub repo.
You can do it with:

    gcloud auth activate-service-account SERVICE_ACCOUNT@DOMAIN.COM \
      --key-file=/path/key.json
    gcloud auth print-access-token

Or, that repo contains nodejs code and dotnet code for doing the equivalent.
I believe Postman has some scripting capability, and it might be possible for you to write a Postman script that reads a service account keyfile, then signs a JWT and obtains a token... just as the nodejs and dotnet code does. But I am not an expert in Postman script, I don't know if it can read a local file, and I don't know if it can create a signed JWT from a local RSA private key. Or maybe Postman script can invoke a command on the host computer. If those things are possible, then you should be able to do it in Postman. But I don't know Postman script, so I will leave that to you to figure out.
If it is possible, then it is likely that someone else has already figured out how to do this in Postman. The obtaining of tokens is not specific to Apigee. It's the same for all Google Cloud API endpoints. So if there are other people using Postman to connect to ... bigquery.googleapis.com, or to documentai.googleapis.com, etc., then it is possible that they have written the script to get Postman to do what is necessary. And maybe they have shared it elsewhere, on Stack Overflow, etc.
EDIT: I found this suggestion on SO, for creating a JWT in a postman pre-request script. Using that, you could do what you want (Case #2 from my prior email - create an access token for a service account). You'd need to:
This should work, but you'd need to expand that sample code with some new JavaScript code that you'd have to write.
Edit#2: see this, it works for me: https://gist.github.com/DinoChiesa/ef4296348ebab7f34801a162881af78a
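The "sign a JWT, then obtain a token" step discussed in this thread, as an added example that is not part of any post above nor taken from the linked repo or gist: it shows which values from a service-account key file go into the issuer, audience and expiry claims and how the signed assertion is packaged for the token endpoint. The function names, the sample account e-mail and the freshly generated RSA key are constructed for illustration; the `cloud-platform` scope is an assumption about what the caller needs.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed stand-in for a downloaded service-account key file (key.json).
// A real file carries these same three fields; never commit or log private_key.
function makeSampleKeyFile() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
    publicKeyEncoding: { type: 'spki', format: 'pem' },
  });
  const keyFile = {
    client_email: 'sample-sa@example-project.iam.gserviceaccount.com', // constructed
    private_key: privateKey,
    token_uri: 'https://oauth2.googleapis.com/token',
  };
  return { keyFile, publicKey };
}

// Hypothetical helper: returns the compact RS256 JWT used as the "assertion".
function buildAssertion(keyFile, scope, nowSeconds, lifetimeSeconds = 300) {
  // Google rejects assertions that claim to live longer than one hour;
  // a short lifetime also limits the damage if the assertion leaks.
  if (lifetimeSeconds <= 0 || lifetimeSeconds > 3600) {
    throw new RangeError('lifetime must be within (0, 3600] seconds');
  }
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: keyFile.client_email,         // issuer: the service account itself
    scope,                             // what the access token may be used for
    aud: keyFile.token_uri,            // audience: the token endpoint
    iat: nowSeconds,
    exp: nowSeconds + lifetimeSeconds,
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), keyFile.private_key);
  return `${signingInput}.${b64url(signature)}`;
}

// Hypothetical helper: form body to POST (application/x-www-form-urlencoded)
// to keyFile.token_uri; the JSON response carries access_token and expires_in.
function buildTokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}
```

The `access_token` returned by the token endpoint is what goes into the `Authorization: Bearer` header of subsequent management API calls until it expires.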