
Authentication issue while loading Apigee data logs to Cloud Logging

Hi Team,

We are currently trying to log Apigee data to Google Cloud Logging using the Message Logging policy, which involves service account authentication. Although the service account has been granted the necessary permissions (roles/iam.serviceAccountTokenCreator and roles/logging.logWriter; screenshot attached), we are encountering the below error.


The same setup is functioning as expected on our internal Apigee X instance. However, when attempting the same configuration on our client's Apigee Hybrid instance, it is failing to authenticate, preventing the logs from being uploaded.

Could you please assist us in troubleshooting this issue? Any help or guidance on resolving this discrepancy between Apigee X and Apigee Hybrid would be greatly appreciated.

1 ACCEPTED SOLUTION

I wonder if this is because Apigee hybrid also has a runtime Service Account that must have the correct permissions. If you look at this table it says the following for the Apigee hybrid runtime service account:

"Allows the Apigee runtime to generate tokens to authenticate on Google services requested by an API proxy. This service account "impersonates" the proxy-specific service account to make authenticated calls on its behalf."

Can you grant your Apigee hybrid runtime SA the roles/iam.serviceAccountTokenCreator role and see if that resolves it?


Thanks Williamssean. It solved the issue.
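
A check for the grant suggested in the accepted answer, as an added example that is not part of the original thread: it reads an IAM policy exported as JSON and reports whether the hybrid runtime service account holds roles/iam.serviceAccountTokenCreator, printing the `gcloud` command to add the binding when it is missing. The service account e-mails and the sample policy are constructed for illustration.

```python
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Hypothetical service account e-mails, not taken from the thread.
RUNTIME_SA = "apigee-runtime@example-project.iam.gserviceaccount.com"
PROXY_SA = "proxy-logger@example-project.iam.gserviceaccount.com"

# Constructed sample in the shape printed by
# `gcloud iam service-accounts get-iam-policy <proxy SA> --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
   {"role": "roles/iam.serviceAccountTokenCreator",
    "members": ["serviceAccount:other-sa@example-project.iam.gserviceaccount.com"]},
   {"role": "roles/iam.serviceAccountUser",
    "members": ["user:admin@example.com"]}],
 "etag": "constructed", "version": 1}
""")


def check_impersonation(policy, runtime_sa, proxy_sa):
    """Return (ok, detail): may runtime_sa mint tokens for proxy_sa under this policy?

    Only the predefined Token Creator role is recognised; a custom role is not.
    """
    member = f"serviceAccount:{runtime_sa}"
    conditional = None
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue
        if member not in binding.get("members", []):
            continue
        if "condition" not in binding:
            return True, "unconditional Token Creator binding present"
        # Remember a conditional grant but keep looking for an unconditional one.
        conditional = binding["condition"].get("title", "untitled")
    if conditional is not None:
        return False, f"only a conditional binding found: {conditional}"
    # Granting on the proxy SA itself is narrower than a project-wide grant.
    fix = (f"gcloud iam service-accounts add-iam-policy-binding {proxy_sa} "
           f"--member={member} --role={TOKEN_CREATOR}")
    return False, f"binding missing; grant with: {fix}"


if __name__ == "__main__":
    print(check_impersonation(SAMPLE_POLICY, RUNTIME_SA, PROXY_SA))
```

The same function accepts a project-level policy from `gcloud projects get-iam-policy PROJECT_ID --format=json`, so both places where the role may have been granted can be checked.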