I have deployed my Node.js service in Cloud Run within Project 1. For this service, I need to invoke the Apigee management API service, which is in Project 2, without using a service account key. Could anyone please provide guidance on how to achieve this?
Hello @K_V_Rao, welcome to the Google Cloud Community.
Have you tried Workload Identity Federation?
"Using Workload Identity Federation, you can provide on-premises or multicloud workloads with access to Google Cloud resources by using federated identities instead of a service account key." More info here: https://cloud.google.com/iam/docs/workload-identity-federation
What you should do:
1. Enable the WIF API on Project2
2. Create a WIF provider in Project2 (OIDC provider)
3. Create an SA in Project2
4. Add a policy binding to the SA (Apigee Management Admin) in Project2
5. Allow WIF to impersonate the SA (IAM role Workload Identity User) in Project2
6. Allow the Cloud Run SA to use WIF (IAM role Workload Identity User) in Project1
7. Use the auth library for your programming language to obtain credentials.
PS: I wrote this from the top of my head, so it might be possible that some of the steps should be changed / improved, but in general it should work.
--
cheers,
DamianS
Hi @DamianS ,
Do you have any specific documentation on how we can create a Workload Identity Pool for a Cloud Run service running in Google Cloud?
I got stuck while creating the WIF.
Check this doc: https://cloud.google.com/iam/docs/tutorial-cloud-run-workload-id-federation
For the issuer, try to use: https://accounts.google.com
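Step 7 of the procedure above (obtaining credentials from the Node.js service) and the issuer note both come down to one external_account credential configuration. The block below is an added example, not code from the thread or from Google's tutorial; the project number, pool id, provider id and SA e-mail are assumed placeholders. It builds that configuration for a Cloud Run service in Project 1 that impersonates an SA in Project 2, and checks the invariants that most often break the setup (audience mismatch, missing metadata header).

```javascript
// Added example: external_account credential config for Cloud Run -> WIF -> Project 2 SA.
// All identifiers passed in (project number, pool/provider ids, SA e-mail) are assumptions.

// Cloud Run's runtime SA can mint a Google-signed ID token (issuer https://accounts.google.com)
// from the metadata server; that token is what the WIF OIDC provider in Project 2 accepts.
const METADATA_IDENTITY_URL =
  'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity';

// Resource name of the OIDC provider inside the pool created in Project 2.
function providerResource(project2Number, poolId, providerId) {
  return `projects/${project2Number}/locations/global/workloadIdentityPools/${poolId}/providers/${providerId}`;
}

// Config consumed by google-auth-library (ExternalAccountClient.fromJSON) or, written to a file,
// by GOOGLE_APPLICATION_CREDENTIALS. STS exchanges the ID token for a federated token, then
// IAM Credentials impersonates the Project 2 SA that holds the Apigee role. No key is stored.
function buildWifCredentialConfig({ project2Number, poolId, providerId, serviceAccountEmail }) {
  const audience = `//iam.googleapis.com/${providerResource(project2Number, poolId, providerId)}`;
  return {
    type: 'external_account',
    audience,
    subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
    token_url: 'https://sts.googleapis.com/v1/token',
    service_account_impersonation_url:
      `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${serviceAccountEmail}:generateAccessToken`,
    credential_source: {
      // The ID token's aud claim must equal the pool/provider audience or STS rejects it.
      url: `${METADATA_IDENTITY_URL}?audience=${encodeURIComponent(audience)}&format=full`,
      headers: { 'Metadata-Flavor': 'Google' },
    },
  };
}

// Returns a list of problems; an empty list means the config is internally consistent.
function validateWifCredentialConfig(cfg) {
  const errors = [];
  if (cfg.type !== 'external_account') errors.push('type must be external_account');
  if (cfg.subject_token_type !== 'urn:ietf:params:oauth:token-type:jwt') errors.push('subject_token_type must be jwt');
  const src = cfg.credential_source || {};
  const aud = src.url ? new URL(src.url).searchParams.get('audience') : null;
  if (aud !== cfg.audience) errors.push('credential_source audience must match config audience');
  if (!src.headers || src.headers['Metadata-Flavor'] !== 'Google') errors.push('Metadata-Flavor: Google header missing');
  const implRe = /^https:\/\/iamcredentials\.googleapis\.com\/v1\/projects\/-\/serviceAccounts\/.+:generateAccessToken$/;
  if (!implRe.test(cfg.service_account_impersonation_url || '')) errors.push('impersonation URL malformed');
  return errors;
}
```

In the service, pass the object to `ExternalAccountClient.fromJSON()` from google-auth-library with the cloud-platform scope and use the resulting client for the Apigee management API calls; the Cloud Run SA itself only needs the Workload Identity User binding from step 6.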