Automating Access to the Apigee Management APIs using Machine User Credentials

Hey All,

In this video I explain how to create a service credential (machine user) in Apigee. I also show how to use the new machine user to get an OAuth Access token, which you can use to authenticate calls to the Apigee Management APIs.
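The token flow described above, sketched as an added example that is not taken from the video or from any Apigee tool. It assumes the token endpoint, the shared `edgecli` OAuth client and the management API base URL as published in Apigee Edge's public documentation; the environment variable names are hypothetical.

```python
import base64, json, os, time, urllib.parse, urllib.request

# Assumptions from Apigee Edge's public docs, not from this post.
CLIENT_BASIC = base64.b64encode(b"edgecli:edgeclisecret").decode()
MGMT_BASE = "https://api.enterprise.apigee.com/v1"

def token_url(zone=None):
    # SAML-enabled orgs log in through a zone-specific host.
    host = f"{zone}.login.apigee.com" if zone else "login.apigee.com"
    return f"https://{host}/oauth/token"

def build_token_request(username, password, zone=None):
    body = urllib.parse.urlencode({"grant_type": "password",
        "username": username, "password": password}).encode()
    headers = {"Authorization": f"Basic {CLIENT_BASIC}",
        "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
        "Accept": "application/json;charset=utf-8"}
    return urllib.request.Request(token_url(zone), data=body,
                                  headers=headers, method="POST")

class TokenCache:
    """Keeps the token in memory only; refetches shortly before expiry."""
    def __init__(self, fetch, skew=60, clock=time.time):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires - self._skew:
            resp = self._fetch()  # dict with access_token and expires_in
            self._token = resp["access_token"]
            self._expires = self._clock() + int(resp["expires_in"])
        return self._token

def fetch_token_from_env():
    # Hypothetical variable names; keep the password out of source control.
    req = build_token_request(os.environ["APIGEE_MACHINE_USER"],
        os.environ["APIGEE_MACHINE_PASS"], os.environ.get("APIGEE_ZONE"))
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def mgmt_request(path, token):
    return urllib.request.Request(f"{MGMT_BASE}/{path.lstrip('/')}",
        headers={"Authorization": f"Bearer {token}"})

if __name__ == "__main__":
    cache = TokenCache(fetch_token_from_env)
    req = mgmt_request(f"organizations/{os.environ['APIGEE_ORG']}/apis", cache.get())
    with urllib.request.urlopen(req, timeout=15) as resp:
        print(resp.read().decode())
```

Give the machine user only the roles the automation needs, and inject its password from the CI system's secret store at run time.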

Comments
nandeeshakariy1
New Member

Thanks for the useful information with a detailed demo.

My single sign-on credential is associated with the zone admin role. I have downloaded the service credential creation utility and worked out, but I am always getting invalid credentials.

Could you please throw some light on this issue?

Thanks in Advance

Nandeesha

@Nandeesha

For that step use the same username/password that you use when you visit login.apigee.com.

Also note that in order to be able to create the machine user you have to have the "Zone Admin" role within your organization. To become a zone admin, you have to contact Apigee support and ask them to make you a zone admin for your organization.

dchiesa1
Staff

Miguel, nifty!

That usermgmt tool - it must be using APIs, right?

Which ones? Are they documented?

Could I build my own tool to create a machine user, without downloading and running a prebuilt binary?

nandeeshakariy1
New Member

Thanks Miguel for coming back. I am using the same username and password, and this credential has a role of "zone admin".

By using these credentials I am able to access the zone admin page as well:

https://apigee.com/sso

But still I am getting "Could not fetch token from Apigee, Invalid Credentials"

nandeeshakariy1
New Member

I have tried all the possible ways; still I am getting the same error even with my credentials attached to the zoneadmin role.

Thanks

I tried the same process myself again using my username & password. It seems to be working. However, there is something that is different from the screenshot you showed. For me it does not have the error at the top that says "Could not get public key from sso endpoint". I am thinking there might be some other issue with the outbound HTTP connectivity from the terminal where you are running the tool (maybe firewall blocking, or a TLS issue). I would suggest, as a troubleshooting step, that you try running the tool from a different computer.

Hey Dino,

I believe the tool was developed, and is owned by the Apigee support team. I don't have access to the source code, so I do not know what APIs it is using.

Yes, it would be awesome to be able to do this purely with the APIs rather than a pre-built binary.

nandeeshakariy1
New Member

Thanks for your valuable suggestion,

Yes, it worked now after trying this tool in an AWS instance.

The reason the tool is not working is because it cannot get the public key for the SSO endpoint due to the network proxy.

In our identity zones the existing service/machine user credentials end with the custom domain "@api.tesco.com" (xxxxxx_machineuser@api.tesco.com), but my zoneadmin credential email ends with "@tesco.com", so I am not able to create a new machine user with the custom domain "@api.tesco.com", but I am able to create a machine user with the domain "@tesco.com".

Email provided does not match the domain of the zone admin's email. Please provide an email for the machine user that matches your email domain.


Invalid email address : xxxxx_machineuser@api.tesco.com. Please specify a valid email address

Username: xxxxxx_machineuser@tesco.com
Password:
Re-enter password:
Created machine user xxxxxx_machineuser@tesco.com

Could you please help me out to create a service/machine user with the custom domain "@api.tesco.com"?

Thanks In Advance,

Nandeesha

nandeeshakariy1
New Member

We cannot create machine users with alternate domains; the CLI tool seems to not handle it well, as I've experienced.

I have opened a case with the SSO team to fix the CLI issue, so that going forward hopefully we can create new machine users self-service via the CLI rather than always reaching out to Apigee Support.

openapidev
New Member

Thanks, Miguel. Very useful!

Is there a way to automate access to the management APIs without enabling SSO for our organization?

What we need is to have something like a machine user and use it for the Management API. But we don't want to configure SAML and SSO for our organization.

Thanks

alistairnunes
Bronze 1

Hi Miguel,

Logging in using the usermgmt tool works fine with my Apigee credentials. I would like to log out of the currently logged-in session and authenticate as a different user. It seems like there is a token that gets generated somewhere on my machine which keeps the session valid for 24 hours. Is there a way to reset this token to be able to log in with a different account? At the moment the account that I tried to log in with was a machine user account, and it throws the following error for me:

"Could not get zones for user. Got a non 200 response from Apigee. response code: 403SFOLA6NKLVDQ:usermgmt"

Any help/suggestions are appreciated.

Thanks,

Alistair

Version history
Last update: 02-13-2020 11:01 AM