Hi @dchiesa1
Hope you are doing well!
Explanation of current process - In our enterprise we are deploying the proxies with a Service Account (Apigee SA) attached to them. These proxies are interacting with authenticated Cloud Run services in the backend, which need access tokens minted by the Google IAM token service.
The Apigee SA has been granted the Service Account OpenID Connect Identity Token Creator role in the target project.
In order to make a call to the Google IAM token service we are making a Service Callout to this API, and pass the Service Account (Target SA) and Cloud Run URL (Target URL) as shown in the code excerpt.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout continueOnError="false" enabled="true" name="SC-GCPCredentialsAPI">
  <DisplayName>SC-GCPCredentialsAPI</DisplayName>
  <Properties/>
  <Request clearPayload="true" variable="gcpTokenRequest">
    <Set>
      <Headers>
        <Header name="Accept">application/json</Header>
      </Headers>
      <Verb>POST</Verb>
      <Payload contentType="application/json">{"audience":"{Target URL}"}</Payload>
    </Set>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  </Request>
  <Response>gcpTokenResponse</Response>
  <HTTPTargetConnection>
    <Properties/>
    <Authentication>
      <!-- The IAM Credentials API requires a GCP access token -->
      <GoogleAccessToken>
        <Scopes>
          <!-- required for minting a GCP access token for the iamcredentials API -->
          <Scope>https://www.googleapis.com/auth/cloud-platform</Scope>
        </Scopes>
      </GoogleAccessToken>
    </Authentication>
    <URL>https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{Target SA}:generateIdToken</URL>
  </HTTPTargetConnection>
</ServiceCallout>
Question - Is there a way we can print or otherwise know the steps by which the Google Access Token is obtained at runtime and passed over to the IAM Credentials API?
Is there any REST/Management API available to obtain this token, and if yes, how would it work from Postman?
Thanks,
Debjit
I understand, and also I don't understand.
In our enterprise we are deploying the proxies with a Service Account (Apigee SA) attached to them. These proxies are interacting with authenticated Cloud Run services in the backend, which need access tokens minted by the Google IAM token service.
When you use <Authentication>/<GoogleAccessToken> or <Authentication>/<GoogleIdToken>, internally, I believe Apigee is using the Google metadata URLs. This isn't described in the Apigee documentation, but if you know something about Google Cloud, you can infer that. The Apigee MP runs with a specific identity; when you specify the SA at the time of proxy deployment, you give that identity to that particular proxy.
Normally, if a Cloud Run service were your target, you would do something like this:
<TargetEndpoint name="cloud-run-target">
  ...
  <Flows>
    ...
  </Flows>
  <HTTPTargetConnection>
    <Authentication>
      <GoogleIDToken>
        <Audience>https://my-cloud-run-service-awy2scuauz-uw.a.run.app</Audience>
      </GoogleIDToken>
    </Authentication>
    <SSLInfo>
      <Enabled>true</Enabled>
    </SSLInfo>
    <URL>https://my-cloud-run-service-awy2scuauz-uw.a.run.app</URL>
  </HTTPTargetConnection>
</TargetEndpoint>
(and here is a full working example)
With this configuration, Apigee obtains the ID token of the SA, then calls the Cloud Run service, passing that ID token.
What you showed is something different. You're using ... the service account to call iamcredentials. I think that is not necessary. That's what you would do if you did not have the Authentication element for your TargetEndpoint.
Is there a way we can print/or know the steps how the Google Access Token is obtained at runtime and passed over to the IAM Credentials API?
This internal stuff is not documented. Why would you need to know this?
Is there any REST/Management API available to obtain this token, and if yes, how would it work from Postman?
You can use the iamcredentials API to request a token. I presume you have the documentation for that.
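Added example, not code from Debjit, dchiesa1 or the Apigee project: a small Python script that issues the same iamcredentials generateIdToken call the ServiceCallout above makes, but from outside Apigee (the printed URL, headers and JSON body are exactly what you would paste into Postman or curl). The caller's bearer token is assumed to come from something like `gcloud auth print-access-token` for a principal that holds the Service Account OpenID Connect Identity Token Creator role on the target SA; the service-account email, project id and token value below are placeholders, and the Cloud Run URL is the one from the TargetEndpoint example. The second half decodes the minted ID token (without verifying it; verification is the Cloud Run service's job) so you can confirm the `aud` and `email` claims match the service you intend to call, which is the usual reason a minted token is rejected with 401/403.

```python
import base64
import json
import urllib.request

# Base URL of the IAM Credentials API; "projects/-" is the documented wildcard
# form, so the SA's project does not have to be spelled out in the path.
IAM_CREDENTIALS_BASE = "https://iamcredentials.googleapis.com/v1"


def build_generate_id_token_request(target_sa, audience, caller_access_token, include_email=True):
    """Return (url, headers, body) for a generateIdToken call.

    target_sa:           email of the service account to mint an ID token for
    audience:            the Cloud Run service URL the token is intended for
    caller_access_token: OAuth2 access token of the caller, which must hold
                         roles/iam.serviceAccountOpenIdTokenCreator on target_sa
    """
    url = f"{IAM_CREDENTIALS_BASE}/projects/-/serviceAccounts/{target_sa}:generateIdToken"
    headers = {
        "Authorization": f"Bearer {caller_access_token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = {"audience": audience, "includeEmail": include_email}
    return url, headers, body


def send_request(url, headers, body):
    """POST the request and return the parsed JSON response (this one hits the network).

    On success the response is {"token": "<ID token JWT>"}.
    """
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Only for inspecting what was minted (aud, email, exp). The Cloud Run
    service, not this helper, is the party that verifies the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(token, expected_audience, expected_email):
    """Return a list of problems found in the minted token's claims (empty list = looks right)."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append(f"aud mismatch: {claims.get('aud')!r}")
    if claims.get("email") != expected_email:
        problems.append(f"email mismatch: {claims.get('email')!r}")
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        problems.append(f"unexpected iss: {claims.get('iss')!r}")
    return problems


def make_constructed_jwt(claims):
    """Build an UNSIGNED sample JWT for offline demonstration (constructed here, not issued by Google)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    target_sa = "target-sa@example-project.iam.gserviceaccount.com"   # placeholder
    audience = "https://my-cloud-run-service-awy2scuauz-uw.a.run.app"  # URL from the thread
    url, headers, body = build_generate_id_token_request(
        target_sa, audience, "ya29.CALLER_ACCESS_TOKEN_PLACEHOLDER")
    print("POST", url)
    print(json.dumps(headers, indent=2))
    print(json.dumps(body))
    # To actually mint a token: resp = send_request(url, headers, body); id_token = resp["token"]
    sample = make_constructed_jwt({"iss": "https://accounts.google.com", "aud": audience,
                                   "email": target_sa, "exp": 0})
    print(check_id_token(sample, audience, target_sa))
```

Run it as-is to see the request shape; swap the placeholder bearer token for a real one and uncomment the `send_request` line to mint a token, then pass the returned `token` to `check_id_token` with the Cloud Run URL you will call. If `aud` does not equal that URL, Cloud Run will reject the token regardless of who minted it, which is the first thing to check before looking at IAM bindings.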