Maven plugin deploy to Apigee X with service account

VAP

Hi,

I'm trying to deploy to Apigee X with maven plugin with a service account (https://cloud.google.com/apigee/docs/hybrid/v1.3/sa-about):

mvn clean install -Ptest -D${googleTokenEmail}=<integration account email> -Dorg=$ORG -Denv=$ENV

But I'm always getting the error

[ERROR] Failed to execute goal io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:2.3.1:deploy (deploy-bundle) on project HTTPBin: : MojoExecutionException: Service Account file or bearer token is missing -> [Help 1]

So I'm missing something clearly. Does anyone have some pointers on how to configure the plugin to use a service account?

Regards

VP

ACCEPTED SOLUTION

I think you are trying to authenticate to apigee.googleapis.com for the purposes of deploying a proxy. If that is the case, then...I think you want

 -Dfile=/path/to/service-account-key.json

I determined this by looking here in this example

https://github.com/apigee/apigee-deploy-maven-plugin/blob/hybrid/samples/mockapi-recommended/src/gat...

The way that works: the maven plugin uses the SA key file to obtain a token, then uses that token to authenticate to apigee.googleapis.com for the purposes of the admin calls to import and deploy a proxy. 

Alternatively you could obtain the token from gcloud auth, before you run the maven plugin,  and then specify the token like this:

-Dbearer=c912eu1201c

Either way, the maven deploy plugin will use the token to authenticate as it invokes apigee APIs.

The "googleTokenEmail" option lets you specify the SA account that is used by the proxy. For this feature.  That is not used when the maven plugin authenticates to apigee.googleapis.com.  That email is used by the proxy itself, if and when it connects to upstream systems within GCP. 

VAP

Hi @dchiesa1 that totally worked, thanks.

From a security point of view, I know that having the key file stored on our CI machine isn't the best option... What's your advice regarding a safer approach on this?

Regards

This is obviously a general concern, something that applies to builds or CI/CD processes that touch any resource in Google Cloud. 

There's an article that discusses this issue in some detail, "Best practices for managing service account keys", find it here.
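
Added example (not from the thread or the plugin project): a CI wrapper that takes the -Dbearer route from the accepted solution with a short-lived token from gcloud, so no service-account key file is stored on the CI machine. DEPLOY_SA and the function names are hypothetical; it assumes gcloud on the runner is already authenticated and, when DEPLOY_SA is set, that the caller is allowed to impersonate that account.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or the plugin project.
# Assumptions: gcloud on the CI runner is already authenticated; DEPLOY_SA is a
# hypothetical variable name; -Ptest, -Dbearer, -Dorg and -Denv are the options
# shown in the thread.

# Print a short-lived access token on stdout. With DEPLOY_SA set, the token is
# minted for that service account by impersonation (the caller needs the
# Service Account Token Creator role on it), so no key file is involved.
get_token() {
  if [ -n "${DEPLOY_SA:-}" ]; then
    gcloud auth print-access-token --impersonate-service-account="$DEPLOY_SA"
  else
    gcloud auth print-access-token
  fi
}

# Deploy using the token. Returns 2 if ORG or ENV is unset, 3 if no token was
# obtained, otherwise the exit status of mvn.
deploy_with_bearer() {
  local token
  if [ -z "${ORG:-}" ] || [ -z "${ENV:-}" ]; then
    echo "ORG and ENV must be set" >&2
    return 2
  fi
  # Stop shell tracing from here on so the token is not copied into CI logs.
  { set +x; } 2>/dev/null
  token=$(get_token) || token=""
  if [ -z "$token" ]; then
    echo "could not obtain an access token from gcloud" >&2
    return 3
  fi
  # The token is still visible in the mvn process arguments on the build host;
  # it expires on its own, unlike a service-account key.
  mvn clean install -Ptest -Dbearer="$token" -Dorg="$ORG" -Denv="$ENV"
}
```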