I am having difficulty in figuring out how to include a service account with a proxy deployment to ApigeeX with the Deploy Maven Plugin and Cloudbuild. The proxy requires the service account as it includes a service callout policy with an <Authentication> element. The service account already exists.
I get the following error message when I try to run the deployment.
"Proxy Deployment": {
Step #1 - "Proxy Deployment": "error": {
Step #1 - "Proxy Deployment": "code": 400,
Step #1 - "Proxy Deployment": "message": "deployment validations failed",
Step #1 - "Proxy Deployment": "status": "FAILED_PRECONDITION",
Step #1 - "Proxy Deployment": "details": [
Step #1 - "Proxy Deployment": {
Step #1 - "Proxy Deployment": "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
Step #1 - "Proxy Deployment": "violations": [
Step #1 - "Proxy Deployment": {
Step #1 - "Proxy Deployment": "type": "MISSING_SERVICE_ACCOUNT",
Step #1 - "Proxy Deployment": "subject": "organizations/xxxxxx/apis/apigee-admin-api/revisions/6",
Step #1 - "Proxy Deployment": "description": "Deployment of \"organizations/xxxxxx/apis/apigee-admin-api/revisions/6\" requires a service account identity, but one was not provided with the request."
Step #1 - "Proxy Deployment": }
Step #1 - "Proxy Deployment": ]
Step #1 - "Proxy Deployment": },
Step #1 - "Proxy Deployment": {
Step #1 - "Proxy Deployment": "@type": "type.googleapis.com/google.rpc.RequestInfo",
Step #1 - "Proxy Deployment": "requestId": "1408945760741xxxx"
Step #1 - "Proxy Deployment": }
Step #1 - "Proxy Deployment": ]
Step #1 - "Proxy Deployment": }
Step #1 - "Proxy Deployment": }
I initiate the build process with the following command:
gcloud builds submit --config='./ci-config/cloudbuild/cloudbuild.yaml' \
--substitutions="_API_VERSION=google,_DEPLOYMENT_ORG=$PROJECT_ID,_APIGEE_TEST_ENV=$APIGEE_ENV,BRANCH_NAME=main"
And the error occurs in this step of the cloudbuild.yaml:
source env.txt && \
mvn clean install -ntp \
-P"googleapi" \
-Denv="$${APIGEE_ENV}" \
-Dtoken="$${APIGEE_BUILD_TOKEN}" \
-Dorg="$_DEPLOYMENT_ORG" \
-Ddeployment.suffix="$${APIGEE_DEPLOYMENT_SUFFIX}" \
-Ddeployment.description="CloudRun Build: $BUILD_ID"
Can anyone point me in the right direction of how to include the necessary service account during the deployment process? Thanks.
Have you looked here:
I think you want something like this:
source env.txt && \
mvn clean install -ntp \
-P"googleapi" \
-Denv="$${APIGEE_ENV}" \
-Dtoken="$${APIGEE_BUILD_TOKEN}" \
-Dorg="$_DEPLOYMENT_ORG" \
-Ddeployment.suffix="$${APIGEE_DEPLOYMENT_SUFFIX}" \
-Ddeployment.description="CloudRun Build: $BUILD_ID" \
-DgoogleTokenEmail=$${SVC_ACCOUNT_ID}@$${PROJECT}.iam.gserviceaccount.com
Thanks for the suggestion. That is exactly what I was looking for. Unfortunately I still seem to be getting the same error. The service account email will work if I attach it through the console, but doesn't seem to deploy properly. The service account has Apigee Service Agent and Service Account User roles. Could it be permissions related?
Step #1 - "Proxy Deployment": [INFO] --- apigee-edge-maven-plugin:2.2.2:deploy (deploy-bundle-step) @ apigee-admin-api ---
Step #1 - "Proxy Deployment": 00:05:20.315 [main] ERROR io.apigee.buildTools.enterprise4g.rest.RestUtil - 400 Bad Request
@marc - Can you please share more logs? Especially the call that was made to deploy the proxy? And can you confirm that the error message is still the same, involving
"MISSING_SERVICE_ACCOUNT"
Also please confirm the Maven profile in your pom that you are invoking (in your case "googleapi") has
<apigee.googletoken.email>${googleTokenEmail}</apigee.googletoken.email>
like the sample here
Thanks, I was missing the ${googleTokenEmail} variable from the POM file. I feel one step closer. Now it seems that it is a matter of setting proper permissions for the service account. Again, the service account that I am trying to attach in the build process has Apigee Service Agent and Service Account User roles. It works as intended if I manually apply it to the proxy in the console. I am getting this error:
Step #1 - "Proxy Deployment": [ERROR] Failed to execute goal io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:2.2.2:deploy (deploy-bundle-step) on project apigee-admin-api: : MojoExecutionException: com.google.api.client.http.HttpResponseException: 403 Forbidden
Step #1 - "Proxy Deployment": [ERROR] {
Step #1 - "Proxy Deployment": [ERROR] "error": {
Step #1 - "Proxy Deployment": [ERROR] "code": 403,
Step #1 - "Proxy Deployment": [ERROR] "message": "permission 'iam.serviceAccounts.actAs' denied on resource 'projects/-/serviceAccounts/manage-apigee-api@XXXXXX.iam.gserviceaccount.com' (or it may not exist in the project for Apigee org \"XXXXXX\")",
Step #1 - "Proxy Deployment": [ERROR] "status": "PERMISSION_DENIED",
Step #1 - "Proxy Deployment": [ERROR] "details": [
Step #1 - "Proxy Deployment": [ERROR] {
Step #1 - "Proxy Deployment": [ERROR] "@type": "type.googleapis.com/google.rpc.RequestInfo",
Step #1 - "Proxy Deployment": [ERROR] "requestId": "12700304949344003839"
Step #1 - "Proxy Deployment": [ERROR] }
Step #1 - "Proxy Deployment": [ERROR] ]
Step #1 - "Proxy Deployment": [ERROR] }
Step #1 - "Proxy Deployment": [ERROR] }
The deploy script in the cloudbuild.yaml file is:
mvn clean install -ntp \
-P"googleapi" \
-Denv="$${APIGEE_ENV}" \
-Dtoken="$${APIGEE_BUILD_TOKEN}" \
-Dorg="$_DEPLOYMENT_ORG" \
-Ddeployment.suffix="$${APIGEE_DEPLOYMENT_SUFFIX}" \
-Ddeployment.description="CloudRun Build: $BUILD_ID" \
-DgoogleTokenEmail="manage-apigee-api@$_DEPLOYMENT_ORG.iam.gserviceaccount.com"
and the call to deploy the proxy is:
gcloud builds submit --config='./ci-config/cloudbuild/cloudbuild.yaml' \
--substitutions="_API_VERSION=google,_DEPLOYMENT_ORG=$PROJECT_ID,_APIGEE_TEST_ENV=$APIGEE_ENV,BRANCH_NAME=main"
Thank you for your assistance.
@marc - did you try deploying the proxy by passing "manage-apigee-api@$_DEPLOYMENT_ORG.iam.gserviceaccount.com" in the UI and that worked?
One more tip - Try running the mvn command with "-X" to print the debug logs. Probably the value you are passing is not getting substituted correctly. With the -X option, it should show the different args, etc.
Hello, sorry for the delay in getting back to you. I am still having issues with configuring the service account with the proper permissions, but I think that is outside of the scope of my initial question. The service account is indeed getting included in the build pipeline. Thank you for your help with this.