Note: Apigee X can now directly authenticate as a service account against Google APIs without the need to export service account keys. We recommend the built-in authentication mechanism over this shared flow because it is simpler and does not require you to handle service account keys.
This shared flow can be used obtain identity or access tokens for Google Cloud service accounts. Tokens are cached in a dedicated environment cache resource for 10min.
The simplest way to deploy this shared flow is to use the deploy.sh utility in
this repo.
It will:
- Create the GCP Service Account Token Shared Flow
- Initialize an environement Cache Resource
- Initialize a KVM (optional)
- Add a service account key to that kvm (optional)
-
Set your authentication environment variables: For Edge
export APIGEE_ORG=<your org> export APIGEE_ENV=<your environment> export APIGEE_USER=<username> export APIGEE_PASS=<password>
For X / hybrid
export APIGEE_X_ORG=<your org> export APIGEE_X_ENV=<your environment> export APIGEE_X_HOSTNAME=<hostname of your environment> # for optional KVM
-
(Optional) Create a service account in Google Cloud and assign it the necessary roles. See GCP docs.
-
(Optional) Create and download a json key for the service account. See GCP docs.
Provide path to service account to initialize the kvm value (recommended)
# for Apigee X/hybrid
deploy.sh --googleapi (path-to-sa-key.json)
# for Edge
deploy.sh --apigeeapi (path-to-sa-key.json )- In your Apigee flow, make sure you have the
private.gcp.service_account.keyvariable set. It should hold the full json key for the service account. The recommended approach is to store this value in an encrypted KVM and populate a private variable using KeyValueMapOperations policy at runtime.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyValueMapOperations name="KV.Lookup-SA-Key" mapIdentifier="MAP_NAME_HERE">
<ExpiryTimeInSecs>300</ExpiryTimeInSecs>
<Get assignTo="private.gcp.service_account.key">
<Key>
<Parameter>MAP_ENTRY_KEY_HERE</Parameter>
</Key>
</Get>
</KeyValueMapOperations>- Set one of the following variables
gcp.scopesorgcp.target_audiencedepending on whether you need a GCP JWT or opaque access token.
gcp.scopesis used to retrieve an opaque OAuth token and holds the required scopes per the Google docs. This access token can be used e.g. to access Google services like the Google Translate API.gcp.target_audienceis used when retrieving a JWT token from Google. It holds the target audience claim which will be set as the audience claim on the issued JWT. This can be used e.g. to authenticate Apigee against Cloud Run backends.
<AssignMessage name="AM.GCPScopes">
<AssignVariable>
<Name>gcp.scopes</Name>
<Value>https://www.googleapis.com/auth/cloud-platform</Value>
</AssignVariable>
</AssignMessage>- After running this shared flow, the
private.gcp.access_tokenflow variable will be set with the value of the access token. You can now present this token in the Authorization header in your subsequent requests to other Google APIs.