
How to Load Balance Between Cloud Run Targets in Apigee X

Hey All,

Today I found out about a pretty cool new feature in Apigee X that allows you to dynamically set the value of the "Audience" element when using the Google Authentication mechanism for Target Endpoints and Service Callout policies.

This is documented over at:

 

https://cloud.google.com/apigee/docs/api-platform/reference/policies/service-callout-policy#authenti...
https://cloud.google.com/apigee/docs/api-platform/reference/policies/service-callout-policy#audience

If you have not used the Google Authentication mechanism before, let me give you a little primer. With this approach, you can invoke pretty much any of the Google product REST APIs over at *.googleapis.com, and have Apigee X behind the scenes obtain an OAuth access token seamlessly, and pass it down in the Authorization header for you. Pretty neat!

Anyway, back to the main topic: suppose you have two instances of a container running in Cloud Run in different regions (e.g. west and central). You can use the Apigee X 'LoadBalancer' mechanism to round-robin between the two Cloud Run regions like this.

First, define target servers for each of the Cloud Run instances:

[Image: miguelmendoza_0-1678819694126.png]


Then, in the Apigee X API Proxy, within your Target Endpoint, use the following configuration to load balance between these two target servers, and have Apigee X dynamically obtain the necessary access token for each of the servers behind the scenes.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TargetEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request/>
        <Response/>
    </PreFlow>
    <Flows/>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <HTTPTargetConnection>
        <LoadBalancer>
            <Server name="cloudrun-central"/>
            <Server name="cloudrun-west"/>
        </LoadBalancer>
        <Path>/headers</Path>
        <Authentication>
            <GoogleIDToken>
                <Audience useTargetUrl="true"/>
            </GoogleIDToken>
        </Authentication>
    </HTTPTargetConnection>
</TargetEndpoint>

The cool bit here is the attribute "useTargetUrl": it tells Apigee X to dynamically build the access token using the URL of each of the target servers. So essentially, behind the scenes, each target server (i.e. Cloud Run) gets its own access token.


The example above is for a Target Endpoint, but it also works for a service callout. Hope this helps you out there!
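
Why a per-target audience matters when load balancing, as an added example that is not part of the original post and not Apigee code: a simplified Python model of the audience ("aud") check over a round-robin of the two target servers. The hostnames and the unsigned sample tokens are constructed, and the model assumes the receiving service accepts a token only when "aud" names its own scheme and host.

```python
import base64
import json
from itertools import cycle
from urllib.parse import urlsplit

# Constructed sample targets; real Cloud Run URLs will differ.
TARGETS = {
    "cloudrun-central": "https://hello-central.example.test",
    "cloudrun-west": "https://hello-west.example.test",
}
PATH = "/headers"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_sample_token(audience):
    """Build a JWT-shaped, UNSIGNED sample token (constructed, not a real Google token)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"aud": audience, "iss": "sample-issuer"}).encode())
    return f"{header}.{payload}."


def audience_of(token):
    """Decode the payload segment and return its aud claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def service_accepts(token, service_url):
    """Model of the receiver's audience check (assumption: scheme and host must match).
    A real verifier validates signature, issuer and expiry before looking at aud."""
    aud, svc = urlsplit(audience_of(token)), urlsplit(service_url)
    return (aud.scheme, aud.netloc) == (svc.scheme, svc.netloc)


def round_robin(requests, static_audience=None):
    """Alternate over TARGETS. With static_audience=None the audience is derived
    from each target's URL, modelling useTargetUrl="true"."""
    results = []
    for name, _ in zip(cycle(TARGETS), range(requests)):
        url = TARGETS[name] + PATH
        token = mint_sample_token(static_audience or url)
        results.append((name, service_accepts(token, TARGETS[name])))
    return results
```

In this model, calling round_robin(4) is accepted by both regions, while round_robin(4, static_audience=TARGETS["cloudrun-central"]) is rejected on every request routed to cloudrun-west.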
