This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Query Regarding Google Access Token in Service Callout

Posted on 08-08-2024 11:56 PM
debjitd18
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Hi @dchiesa1 

Hope you are doing well! 

Explanation of current process - In our enterprise we are deploying the proxies with a Service Account (Apigee SA) attached to it. These proxies are interacting with Authenticated cloud run services in the backend, which needs access tokens minted by Google IAM token service.
The Apigee SA has been provided the Service Account OpenID Connect Identity Token Creator role in the target project.
In order to make a call to Google IAM token service we are making a Service Callout to this API, and pass the Service Account (Target SA) and Cloud Run URL (Target URL) as show in the code excerpt. 

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout continueOnError="false" enabled="true" name="SC-GCPCredentialsAPI">
  <DisplayName>SC-GCPCredentialsAPI</DisplayName>
  <Properties/>
  <Request clearPayload="true" variable="gcpTokenRequest">
    <Set>
      <Headers>
        <Header name="Accept">application/json</Header>
      </Headers>
      <Verb>POST</Verb>
      <Payload contentType="application/json">{"audience":"{Target URL}"}</Payload>
    </Set>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  </Request>
  <Response>gcpTokenResponse</Response>
  <HTTPTargetConnection>
    <Properties/>
    <Authentication>
      <!-- IAM Credentials API requires GCP access token-->
      <GoogleAccessToken>
        <Scopes>
          <!-- required for minting GCP access token for iamcredentials API-->
          <Scope>https://www.googleapis.com/auth/cloud-platform</Scope>
        </Scopes>
      </GoogleAccessToken>
    </Authentication>
    <URL>https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{Target SA}:generateIdToken</URL>
  </HTTPTargetConnection>
</ServiceCallout>

 

Question - Is there a way we can print/or know the steps how the Google Access Token is obtained at runtime and passed over to the IAM Credentials API?
Is there any REST/Management API which is available to obtain this token and if yes how would it work from a Postman?

Thanks,

Debjit

3 1 224
Topic Labels
1 REPLY 1

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

I understand, and also I don't understand.

In our enterprise we are deploying the proxies with a Service Account (Apigee SA) attached to it. These proxies are interacting with Authenticated cloud run services in the backend, which needs access tokens minted by Google IAM token service.

When you use <Authentication>/<GoogleAccessToken> or <Authentication>/<GoogleIdToken> , internally, I believe Apigee is using the Google metadata URLs. This isn't described in the Apigee documentation, but if you know something about Google Cloud, you can infer that. The Apigee MP runs with a specific identity; when you specify the SA at the time of proxy deployment, you give the identity to that particular proxy.

Normally, if a Cloud Run service were your target, you would so something like this :

 

<TargetEndpoint name="cloud-run-target">
  ...

  <Flows>
...
  </Flows>

  <HTTPTargetConnection>
    <Authentication>
      <GoogleIDToken>
        <Audience>https://my-cloud-run-service-awy2scuauz-uw.a.run.app</Audience>
      </GoogleIDToken>
    </Authentication>

    <SSLInfo>
      <Enabled>true</Enabled>
    </SSLInfo>

    <URL>https://my-cloud-run-service-awy2scuauz-uw.a.run.app</URL>
  </HTTPTargetConnection>
</TargetEndpoint>

 

(and here is a full working example)

With this configuration, Apigee obtains the ID token of the SA, then calls the Cloud Run service, passing that ID token.

What you showed is something different. You're using .... the service account to call iamcredentials. I think that is not necessary. That's what you would do if you did not have the Authentication element for your TargetEndpoint.

Is there a way we can print/or know the steps how the Google Access Token is obtained at runtime and passed over to the IAM Credentials API?

This internal stuff is not documented. Why would you need to know this?

Is there any REST/Management API which is available to obtain this token and if yes how would it work from a Postman?

You can use the iamcredentials API to request a token. I presume you have the documentation for that.

Top Solution Authors
View all