Using TargetEndpoint with a Service Account

I have an HTTPTargetConnection:

<HTTPTargetConnection>
  <URL>https://us-central1-my.project.cloudfunctions.net/myfunction/?param1=123&amp;param2=abc</URL>
  <Authentication/>
</HTTPTargetConnection>

To ensure the URL is called only through the Apigee API proxy, I'd like to add a service account to this call.

I'm following this article, but without success: https://cloud.google.com/apigee/docs/api-platform/security/google-auth/overview

The Service Account input field below isn't shown for me.


Does someone have an example to share with me?

ACCEPTED SOLUTION

To ensure the URL is called only through the Apigee API proxy, I'd like to add a service account to this call.

The technique of using a Service Account in the Apigee proxy does not "ensure the URL is called only through the Apigee API proxy". It ensures that Apigee calls the URL and sends a token along with that call. It's up to you to configure that endpoint to validate the inbound authentication, whether it is the service account token or something else. That is enforcement you must do at the messaging or application layer. Keep in mind: that enforcement doesn't prevent the URL from being invoked by other systems. But if other systems invoke it and they don't present the right authentication, then the Cloud Functions endpoint can reject the request via that enforcement. It's an application-layer enforcement, not network-layer access control.

Separately, there are ways to apply network-layer access restrictions for inbound connections to a cloud function. You may want to look into that as well.

The Service Account input field below isn't shown for me.

Can you confirm that you are using Apigee X? The feature you're talking about is not present in Apigee Edge. If you are using Apigee Edge, that would explain why you do not see the input field you expected to see. And in case it is helpful, here is how you can determine whether you are using Apigee Edge or Apigee X:

  • If you use the domain apigee.google.com to reach the administrative UI, then it's probably Apigee X (it could also be Apigee hybrid).
  • If you use the domain apigee.com to reach the administrative UI, then it's Apigee Edge.

The network-level restrictions I mentioned above for cloud functions would be useful only if you are using Apigee X. If you are using Apigee Edge, then the cloud function needs to be accessible from the public internet. In that case you will need to design your API proxy to explicitly obtain an access token for that service account and attach it to the outbound request. There are examples of how to obtain and cache a token from within an Apigee proxy. Here's a good example. It works with GCP logging, but the same pattern applies to other Google Cloud systems.

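As an added example (not code from the thread or from Apigee), the two halves of the pattern the accepted answer describes for Apigee Edge calling a public Cloud Function: the claims the proxy must assert to obtain an ID token for the service account, and the application-layer check the function must apply to the bearer token it receives. The service-account email, the function URL used as audience and the demo secret are assumptions. Signature verification is injected so the block runs offline; the demo verifier uses HMAC-SHA256 as a stand-in for Google's RS256 certificates, and a deployed function would use google.oauth2.id_token.verify_oauth2_token() in its place.

```python
# Added example, not code from the thread. Proxy side: the claims of the
# self-signed JWT exchanged for an ID token. Function side: the check the
# accepted answer says you must implement yourself. The HS256 verifier is
# an offline stand-in (assumption) for Google's RS256 public-key check;
# in a real function use google.oauth2.id_token.verify_oauth2_token().
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


class Unauthorized(Exception):
    """Raised by the function side when the request must be rejected."""


# --- proxy side: what an Apigee Edge proxy has to send -------------------

def id_token_assertion_claims(sa_email: str, target_audience: str,
                              now: int, lifetime: int = 300) -> Dict:
    """Claims of the self-signed JWT the proxy exchanges at TOKEN_ENDPOINT.

    The proxy signs these with the service account's private key (RS256,
    e.g. via a JWT policy). The target_audience claim, set to the function
    URL, is what makes the endpoint return an id_token instead of an
    access_token."""
    return {"iss": sa_email, "sub": sa_email, "aud": TOKEN_ENDPOINT,
            "iat": now, "exp": now + lifetime,
            "target_audience": target_audience}


def token_request_form(signed_assertion: str) -> str:
    """Form body of the POST to TOKEN_ENDPOINT; the reply carries id_token."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": signed_assertion})


# --- JWT compact-serialisation helpers ----------------------------------

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: Dict, secret: bytes) -> str:
    """Constructed helper: an HS256 token so the example can run offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def hs256_verifier_for_demo(secret: bytes) -> Callable[[str], Dict]:
    """Stand-in for Google's signature check: returns the claims only when
    the MAC over header.payload matches. Demo use only."""
    def verify(token: str) -> Dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise Unauthorized("malformed token")
        header, payload, sig = parts
        expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise Unauthorized("bad signature")
        return json.loads(_b64url_decode(payload))
    return verify


# --- function side: the application-layer enforcement -------------------

def authorize_request(authorization_header: str, *, expected_audience: str,
                      allowed_callers: Iterable[str],
                      verify: Callable[[str], Dict],
                      now: Optional[int] = None, leeway: int = 30) -> str:
    """Return the verified caller email or raise Unauthorized.

    Signature first (the token is untrusted input), then issuer, audience,
    time window and caller identity. A genuine Google token minted for a
    different audience, an expired token, or a token for a service account
    that is not on the allow-list is rejected."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise Unauthorized("missing bearer token")
    claims = verify(token)
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise Unauthorized("unexpected issuer")
    if claims.get("aud") != expected_audience:
        raise Unauthorized("token was not minted for this function")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp < now - leeway:
        raise Unauthorized("token expired")
    if not isinstance(iat, int) or iat > now + leeway:
        raise Unauthorized("token issued in the future")
    email = claims.get("email")
    if not claims.get("email_verified") or email not in set(allowed_callers):
        raise Unauthorized("caller is not an allowed service account")
    return email
```

The audience check is the part most often skipped: a Google-signed ID token is a valid credential for whichever URL it was minted for, so a function that only checks the signature and issuer would accept a token the same service account obtained for some other service. The allow-list on the email claim is what ties "authenticated" to "called by our proxy's service account" in the accepted answer's sense.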

REPLIES


Thank you so much, dchiesa1, for your quick answer.

You are right, I want to ensure that the invocation of the function happens with authentication. I expressed myself badly. Also, I am using Apigee Edge. Thanks again for your explanation.

Just from that, it was easy to tell that I am a newbie in Apigee 😀.
I'll look at the example you shared with me that uses a token from within an Apigee proxy.

Have a great day.

I'm glad to help out! 

What about Apigee X?

Is there any recommended way to set service account credentials on the outbound calls? Or do we need to use Google endpoints in JS code to do so?

Yes, the way to do that is to use the Authentication element in the TargetEndpoint/HTTPTargetConnection. I just answered a question about that, here.
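As an added example (not from the thread), the HTTPTargetConnection from the question with its empty Authentication element filled in the way the reply above describes for Apigee X. The URL is the one from the question; the audience is assumed to be the function's own URL without the query string, and the proxy is assumed to be deployed with a service account that holds the Cloud Functions Invoker role on the function.

```xml
<HTTPTargetConnection>
  <URL>https://us-central1-my.project.cloudfunctions.net/myfunction/?param1=123&amp;param2=abc</URL>
  <Authentication>
    <!-- Apigee X mints a Google-signed ID token for the service account the
         proxy revision was deployed with and sends it on the target request
         as Authorization: Bearer <token>. The Audience must be what the
         function checks the token against: its own URL (assumed here). -->
    <GoogleIDToken>
      <Audience>https://us-central1-my.project.cloudfunctions.net/myfunction</Audience>
    </GoogleIDToken>
  </Authentication>
</HTTPTargetConnection>
```

The service account is not named in this XML; it is chosen when the revision is deployed (the Service Account field the original question refers to). As the accepted answer points out, this only makes Apigee present a token: the function still has to require authentication, or validate the token itself, for the call to be restricted to that service account.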

I have a similar question @dchiesa1

We have an Apigee proxy calling a cloud function. The Apigee proxy is deployed using service account X, and this service account has the appropriate role to invoke the cloud function. I am wondering whether by default Apigee passes the service account credentials when it calls the cloud function, or whether we need to configure our proxy to obtain the credentials and pass them to the CF through proxy code.