google-auth-sidecar

README

google-auth-sidecar

This service is meant to run as a sidecar to the Apigee Runtime (also known as Message Processor). The service takes a Google Cloud Service Account as a parameter and obtains an OAuth Access Token.

Use Case

This service is meant to be used with the Apigee hybrid API Runtime. When developing API Proxies on Apigee, a developer may want to interact with Google Cloud Services. Google Cloud Services are available on *.googleapis.com and require an OAuth access token to access the services through APIs.

A typical pattern/example would be:

• Instantiate the google-auth-sidecar services as a service or as a sidecar to the Message Processor
• Use a Service Callout policy to invoke the google-auth-sidecar service. The response contains an access token
• Use the access token to make a subsequent API call to any of the Google APIs
• For performance optimization, use the Apigee cache policy and cache the token for a few seconds less than the token expiry

Samples

A shared flow that generates and cache the token.

Three samples that makes use of the shared flow:

• Query data from Cloud Datastore
• Mask sensitive data using Cloud DLP
• Publish to a topic using Cloud PubSub

Install the Google Auth Sidecar

Modify the kubernetes manifest and deploy it to Kubernetes. For example:

kubectl create secret -n {namespace} generic google-auth-sidecar-svc-account --from-file client_secret.json
kubectl apply -n namespace -f google-auth-sidecar.yaml

NOTE: Be sure to name the service account file as client_secret.json if you are using the kubernetes yaml as-is

Usage

Input:

curl 0.0.0.0:8080/token

Output:

*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /token HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=UTF-8
< Date: xx, 00 Xxx 20xx 00:00:00 GMT
< Content-Length: 195
<
{"access_token":"xxx","expires_in":3600,"token_type":"Bearer"}