URL for Generating Token to do Management API calls in Apigee Hybrid, from Postman or in automation

Hello,

My requirement is to obtain a token which I can use in calling management APIs. I have gone through many blogs and posts, especially from @dchiesa1, but I was not able to come up with a proper understanding.

This might be because of the way I used it in Apigee SaaS: Edge is a 1-step process, by directly calling 1 URL we can get an Edge API token. For that, obviously, there is a one-time activity we do.

But here in Hybrid, is the same not possible? Please help me understand, and please share a blog which has a step-by-step process if it's already there.

If the self-signed JWT is the only process, I have a doubt about what I need to use for the private key and the additional claims: subj, issuer, aud.

I want this process because I need to automate it in Postman itself as a one stop.

Thanks

You are correct - both Apigee Edge and Apigee hybrid use OAuth for "management calls". In other words, you have to obtain a token (as a 1-time thing), and then you can USE the token with subsequent calls to the management API, until the token expires. There are some differences, but those things - obtain the token, and then repeatedly use the token - are consistent.

The way you obtain the token for Edge is different than the way you obtain the token for Apigee hybrid.

For Apigee hybrid, as with any other Google cloud service, there are multiple different options for obtaining tokens.

  1. For human users, you can use the gcloud command line tool. Two commands: gcloud auth login + gcloud auth print-access-token. The first will result in an interactive (browser based) login to Google cloud, and the second command will print out an OAuth token for the authenticated user.
  2. For service accounts, using a service account key, you can get a token by formulating a special request to a /token endpoint. And you can also use gcloud to do the same thing.
  3. For client systems that are running in Google cloud (on a VM managed by Google), you can send a quick GET message to a special endpoint running on the internal google network.

And then regardless of which option you choose, you can use the returned token as a bearer token.  

In fact none of this is special to Apigee, or Apigee hybrid.  This is all Google Cloud foundational stuff.  So you can use these approaches to get a token to use for administering or Managing Apigee X or hybrid, or Cloud Storage, or Big Query, or Document AI, Cloud Run, Logging, Compute, Secret Manager, Cloud SQL, Artifact Registry, Cloud Pubsub,.... you get the idea. The main thing is that the principal (user or service account) needs the right permissions on the thing you're trying to administer.  For example, consider Apigee. For Apigee, there are a number of builtin roles. To administer a hybrid org, the principal might need to have the Apigee API Admin role, which grants the right permissions to create + deploy APIs.  

I have described the options for getting a token in more detail in the README for this github repo, including some sample code. 

Hey Dino,

From the above-mentioned options for obtaining a token, the second one suits best for working in Postman. Could you please send me the link for following that process?

As I need to include that /token call in Postman or in an automation script to get the token and store it in a variable for use.

Thanks

Yes, the details are in the Github repo.  

You can do it with

gcloud auth activate-service-account SERVICE_ACCOUNT@DOMAIN.COM \
  --key-file=/path/key.json

gcloud auth print-access-token

Or, that repo contains nodejs code and dotnet code for doing the equivalent. 

I believe Postman has some scripting capability, and it might be possible for you to write a Postman script that reads a service account keyfile, then signs a JWT and obtains a token... just as the nodejs and dotnet code does. But I am not an expert in Postman script; I don't know if it can read a local file, and I don't know if it can create a signed JWT from a local RSA private key. Or maybe Postman script can invoke a command on the host computer. If those things are possible, then you should be able to do it in Postman. But I don't know Postman script, so I will leave that to you to figure out.

If it is possible, then it is likely that someone else has already figured out how to do this in postman.  The obtaining of tokens is not specific to Apigee. It's the same for all Google Cloud API endpoints. So if there are other people using postman to connect to ... bigquery.googleapis.com, or to documentai.googleapis.com, etc..... then it is possible that they have written the script to get postman to do what is necessary. And maybe they have shared it elsewhere, on stackoverflow or etc. 

EDIT:  I found this suggestion on SO, for creating a JWT in a postman pre-request script.  Using that, you could do what you want (Case #2 from my prior email - create an access token for a service account).   You'd need to:

  • create and download a Service Account key in JSON format
  • embed the SA key JSON into your postman Script
  • extract the private key from that JSON object
  • use the code from SO to create a JWT signed with RS256, using the extracted private key 
  • POST to the /token endpoint (https://oauth2.googleapis.com/token)
  • receive the response, and parse out the access_token
  • embed that token into the postman environment for use with subsequent requests

This should work, but you'd need to expand that sample code with some new JavaScript code that you'd have to write.

Edit#2: see this, it works for me: https://gist.github.com/DinoChiesa/ef4296348ebab7f34801a162881af78a
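
The /token exchange from the bullet list above, as an added Node.js example (not the code from the linked gist or repo), showing which claims go into the self-signed JWT. The cloud-platform scope, the 300-second lifetime, the helper names and the generated sample key are assumptions made for illustration.

```javascript
// Added example; not the code from the linked gist or repo.
const nodeCrypto = require('crypto');

const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const SCOPE = 'https://www.googleapis.com/auth/cloud-platform'; // assumed scope
const b64url = (s) => Buffer.from(s).toString('base64url');

// Build the RS256 assertion. iss is the service account's client_email,
// aud is the token endpoint itself, and exp may be at most one hour after iat.
function buildAssertion(saKey, nowSec, lifetimeSec = 300) {
  if (lifetimeSec <= 0 || lifetimeSec > 3600) throw new RangeError('lifetime must be 1..3600 s');
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = { iss: saKey.client_email, scope: SCOPE, aud: TOKEN_URL,
                   iat: nowSec, exp: nowSec + lifetimeSec };
  const signingInput = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(claims));
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(signingInput), saKey.private_key);
  return signingInput + '.' + sig.toString('base64url');
}

// The form-encoded POST that exchanges the assertion for an access token.
function buildTokenRequest(saKey, nowSec = Math.floor(Date.now() / 1000)) {
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion: buildAssertion(saKey, nowSec),
  });
  return { method: 'POST', url: TOKEN_URL,
           headers: { 'content-type': 'application/x-www-form-urlencoded' },
           body: body.toString() };
}

// Constructed stand-in for a downloaded key file: throwaway RSA key, made-up
// account name. A real key file carries the same two fields used above.
function makeSampleKey() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const saKey = { type: 'service_account',
                  client_email: 'example-sa@example-project.iam.gserviceaccount.com',
                  private_key: privateKey.export({ type: 'pkcs8', format: 'pem' }) };
  return { saKey, publicKey };
}

// Offline check: the signature verifies against the matching public key.
function verifyAssertion(jwt, publicKey) {
  const [h, c, s] = jwt.split('.');
  return nodeCrypto.verify('RSA-SHA256', Buffer.from(h + '.' + c), publicKey,
                           Buffer.from(s, 'base64url'));
}
```

In a real run the request body is POSTed to the token URL and the access_token field of the JSON response is used as the bearer token. The key file is a long-lived credential, so keep it out of shared collections and exported environments.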