I would like to expose a BigQuery stored procedure that returns data back to the caller based on parameters provided through an Apigee proxy. As I understand, an oAuth access token is required in order to call the Google BigQuery API.
I found an article that explains using a predefined service account to deploy the proxy with the necessary BigQuery permissions. Basically, it explained about using a ServiceCallOut policy to retrieve the access token but I am not sure how to properly setup the code in the policy to obtain the access token. Or is it the correct approach (I included the snippet in the ServiceCallOut policy below)
https://cloud.google.com/apigee/docs/api-platform/security/google-auth/overview
ServiceCallOut code
Solved! Go to Solution.
You're close, but not quite there. For service-to-service calls, you will use a service account. From an Apigee proxy, you need to POST to https://oauth2.googleapis.com/token , and the payload must include a JWT.
Here's a repo that shows how: https://github.com/DinoChiesa/Apigee-GCS-Get/tree/main/sharedflows/get-googleapis-token
That's a re-usable sharedflow. You can use that to get a token that is usable with BQ. The Service Account must have at least BQ Data Viewer role. or something with similar permissions.