I have an HTTPTargetConnection:
<HTTPTargetConnection>
  <URL>https://us-central1-my.project.cloudfunctions.net/myfunction/?param1=123&amp;param2=abc</URL>
  <Authentication/>
</HTTPTargetConnection>
To ensure the URL is called only through the Apigee proxy API, I'd like to add a service account to this call.
I'm following this article, but without success: https://cloud.google.com/apigee/docs/api-platform/security/google-auth/overview
The Service Account input field below isn't shown for me.
Does anyone have an example to share with me?
To ensure the URL is called only through the Apigee proxy API, I'd like to add a service account to this call.
The technique of using a Service Account in the Apigee proxy does not "ensure the URL is called only through the Apigee proxy API". It ensures that Apigee calls the URL and sends a token along with that call. It's up to you to configure that endpoint to validate the inbound authentication: the service account token, or whatever it is. That is enforcement you must do at the messaging or application layer. Keep in mind: that enforcement doesn't prevent the URL from being invoked by other systems. But if other systems invoke it and they don't present the right authentication, then the cloudfunctions endpoint can reject the request, via that enforcement. It's an application-layer enforcement, not network-layer access control.
Separately, there are ways to apply network-layer access restrictions for inbound connections to a cloud function. (Search results here) You may want to look into that as well.
The Service Account input field below isn't shown for me.
Can you confirm that you are using Apigee X? The feature you're talking about is not present in Apigee Edge. If you are using Apigee Edge, that would explain why you do not see the input field you had expected to see. And in case it is helpful, here is how you can determine if you are using Apigee Edge or Apigee X:
The network-level restrictions I mentioned above for cloud functions would be useful only if you are using Apigee X. If you are using Apigee Edge, then the cloudfunction needs to be accessible to the public internet. In that case you will need to design your API Proxy to explicitly obtain an access token for that service account and attach it to the outbound message request. There are examples of how to obtain and cache a token from within an Apigee proxy. Here's a good example. It works with GCP logging but the same pattern applies to other Google Cloud systems.
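The application-layer enforcement described in the answer above, sketched as a Python HTTP Cloud Function (an added example, not code from this thread or from Google). It assumes the proxy sends a Google-signed ID token as a Bearer token that carries the `email` claim; the audience and the service account name are placeholders, and signature verification is delegated to the `google-auth` library.

```python
import time

# Assumed values for illustration; replace with your own.
EXPECTED_AUDIENCE = "https://us-central1-my.project.cloudfunctions.net/myfunction"
ALLOWED_CALLER = "apigee-proxy@example-project.iam.gserviceaccount.com"  # hypothetical
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def bearer_token(authorization_header):
    """Return the token from an 'Authorization: Bearer <token>' value, else None."""
    parts = (authorization_header or "").split()
    if len(parts) == 2 and parts[0].lower() == "bearer":
        return parts[1]
    return None

def caller_is_allowed(claims, now=None):
    """Check signature-verified claims against the one caller we expect."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return (
        claims.get("iss") in GOOGLE_ISSUERS
        and claims.get("aud") == EXPECTED_AUDIENCE
        and claims.get("email") == ALLOWED_CALLER
        and claims.get("email_verified") is True
        and isinstance(exp, (int, float))
        and exp > now
    )

def verify_google_id_token(token):
    """Verify signature, expiry and audience (fetches Google's public certs)."""
    from google.auth.transport import requests as ga_requests
    from google.oauth2 import id_token
    return id_token.verify_oauth2_token(
        token, ga_requests.Request(), audience=EXPECTED_AUDIENCE)

def myfunction(request, verify=verify_google_id_token):
    """HTTP entry point: any caller without a valid token is rejected."""
    token = bearer_token(request.headers.get("Authorization"))
    if token is None:
        return ("missing bearer token", 401)
    try:
        claims = verify(token)
    except Exception:
        # Fail closed: bad signature, wrong audience, expired, malformed.
        return ("invalid token", 401)
    if not caller_is_allowed(claims):
        return ("caller not allowed", 403)
    return ("ok", 200)
```

The `verify` parameter exists only so the handler can be exercised offline with a stub; the function still answers requests from any network source, it just rejects those without the expected token.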