Query Regarding Google Access Token in Service Callout

Hi @dchiesa1 

Hope you are doing well! 

Explanation of current process - In our enterprise we are deploying the proxies with a Service Account (Apigee SA) attached to them. These proxies interact with authenticated Cloud Run services in the backend, which need access tokens minted by the Google IAM token service.
The Apigee SA has been granted the Service Account OpenID Connect Identity Token Creator role in the target project.
In order to call the Google IAM token service, we make a Service Callout to this API and pass the Service Account (Target SA) and Cloud Run URL (Target URL) as shown in the code excerpt.

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout continueOnError="false" enabled="true" name="SC-GCPCredentialsAPI">
  <DisplayName>SC-GCPCredentialsAPI</DisplayName>
  <Properties/>
  <Request clearPayload="true" variable="gcpTokenRequest">
    <Set>
      <Headers>
        <Header name="Accept">application/json</Header>
      </Headers>
      <Verb>POST</Verb>
      <Payload contentType="application/json">{"audience":"{Target URL}"}</Payload>
    </Set>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  </Request>
  <Response>gcpTokenResponse</Response>
  <HTTPTargetConnection>
    <Properties/>
    <Authentication>
      <!-- IAM Credentials API requires GCP access token-->
      <GoogleAccessToken>
        <Scopes>
          <!-- required for minting GCP access token for iamcredentials API-->
          <Scope>https://www.googleapis.com/auth/cloud-platform</Scope>
        </Scopes>
      </GoogleAccessToken>
    </Authentication>
    <URL>https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{Target SA}:generateIdToken</URL>
  </HTTPTargetConnection>
</ServiceCallout>

 

Question - Is there a way we can print, or otherwise see, the steps by which the Google Access Token is obtained at runtime and passed over to the IAM Credentials API?
Is there any REST/Management API available to obtain this token, and if yes, how would it work from Postman?

Thanks,

Debjit

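An added example, not part of the original post and not Apigee's code: the HTTP request that the Service Callout above corresponds to, plus a check of the `aud`, `iss` and `exp` claims in the ID token that `generateIdToken` returns in its `token` field. The service account, Cloud Run URL, access-token placeholder and sample token are constructed values, the helper names are hypothetical, and the claim check decodes the payload only and does not verify the signature.

```python
import base64
import json
import time

IAM = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts"

def build_request(target_sa, audience, access_token):
    """URL, headers and body equivalent to the ServiceCallout's request."""
    url = f"{IAM}/{target_sa}:generateIdToken"
    headers = {"Authorization": f"Bearer {access_token}",
               "Accept": "application/json",
               "Content-Type": "application/json"}
    return url, headers, json.dumps({"audience": audience})

def decode_claims(id_token):
    """Decode the JWT payload segment. The signature is NOT verified here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_claims(id_token, audience, now=None):
    """Return a list of problems; an empty list means the claims match."""
    now = time.time() if now is None else now
    claims = decode_claims(id_token)
    problems = []
    if claims.get("aud") != audience:
        problems.append(f"aud is {claims.get('aud')!r}, expected {audience!r}")
    if claims.get("iss") != "https://accounts.google.com":
        problems.append(f"unexpected iss {claims.get('iss')!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

def sample_token(claims):
    """Constructed, unsigned stand-in for the 'token' field of the response."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.c2ln"

# Constructed placeholder values, not taken from the post.
TARGET_SA = "target-sa@example-project.iam.gserviceaccount.com"
TARGET_URL = "https://example-service-abc123-uc.a.run.app"

if __name__ == "__main__":
    url, headers, body = build_request(TARGET_SA, TARGET_URL, "ACCESS_TOKEN_PLACEHOLDER")
    print(url, body, sep="\n")
    good = sample_token({"aud": TARGET_URL, "iss": "https://accounts.google.com", "exp": time.time() + 3600})
    print(check_claims(good, TARGET_URL))  # empty list when the claims match
```

An `aud` mismatch reported by `check_claims` is the case to look for when Cloud Run rejects the token even though the callout itself succeeded.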