apigee / apigee-deploy-maven-plugin

Apache License 2.0

Configurable service account email? #199

Closed ametelski closed 1 year ago

ametelski commented 1 year ago

ref: https://github.com/apigee/apigee-deploy-maven-plugin/tree/hybrid#to-deploy-a-proxy-that-makes-requires-apigee-to-generate-the-googleaccesstoken-or-googleidtoken-v212-or-later

I need to be able to set the service account email based on the environment. Is this configurable in the config.json or somewhere else?

ssvaidyanathan commented 1 year ago

@ametelski - You can set it in the pom profile. Check this from the sample. You can then use the Maven profile to configure a different service account email based on the environment/profile. Hope that clarifies. Do note that the sample I have linked uses a variable you pass as an argument in the mvn command, but you can hardcode this in your pom too if you want.

ametelski commented 1 year ago

@ssvaidyanathan, thank you for the quick response. I did see that I needed to add that element to my pom file, but the email is specific to one proxy and environment.

ssvaidyanathan commented 1 year ago

Do you have a shared-pom that's used across proxies? I am not sure what you mean by "but the email is specific to one proxy and environment". Can you elaborate?

ametelski commented 1 year ago

Yes, we have a shared parent-pom and each proxy has a child pom file. Here is the file structure.

--> proxies
---> parent-pom
----> pom.xml
---> someProxy
----> apiproxy
----> pom.xml
----> config.json
---> fooProxy
----> apiproxy
----> pom.xml
----> config.json

FooProxy requires a different service account email for each environment.

Development --> sa-dev-@email.com.....
UAT --> sa-uat@email.com....
Prod --> sa-prod@email.com...

We need to be able to store these values in source control and deploy proxy with the corresponding email using our CICD pipeline.

ssvaidyanathan commented 1 year ago

@ametelski - Thanks for the info. You should be able to create Maven profiles within the child pom file. For example in your case, in your fooproxy-->apiproxy--> pom.xml, you can include the Maven profile. This will override the ones from the parent pom.
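
The per-environment child-POM profiles suggested above, as an added example that is not part of the original thread or the plugin's own sample. It assumes the hybrid-branch (2.x) plugin reads the service account email from the `apigee.googletoken.email` property; the profile ids, environment names and email addresses are constructed placeholders.

```xml
<!-- fooProxy/pom.xml (child POM): only the <profiles> element is shown.
     Assumption: plugin 2.x (hybrid branch) reads the service account email
     from the apigee.googletoken.email property.
     Profile ids, environment names and addresses are constructed placeholders. -->
<profiles>
  <!-- Development: deploys with the dev-only service account -->
  <profile>
    <id>dev</id>
    <properties>
      <apigee.profile>dev</apigee.profile>
      <apigee.env>dev</apigee.env>
      <apigee.googletoken.email>sa-dev@example.com</apigee.googletoken.email>
    </properties>
  </profile>

  <!-- UAT: separate identity, so dev credentials never reach UAT backends -->
  <profile>
    <id>uat</id>
    <properties>
      <apigee.profile>uat</apigee.profile>
      <apigee.env>uat</apigee.env>
      <apigee.googletoken.email>sa-uat@example.com</apigee.googletoken.email>
    </properties>
  </profile>

  <!-- Production: its own service account, defined only in this profile -->
  <profile>
    <id>prod</id>
    <properties>
      <apigee.profile>prod</apigee.profile>
      <apigee.env>prod</apigee.env>
      <apigee.googletoken.email>sa-prod@example.com</apigee.googletoken.email>
    </properties>
  </profile>
</profiles>
```

The pipeline picks the environment with Maven's `-P` option (for example `-Pprod`), so each stage deploys the proxy with the service account email versioned alongside it.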

danizen commented 1 year ago

I do not see that the googleTokenEmail works for this. According to https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/v1/organizations.environments.apis.revisions.deployments/deploy , the serviceAccount should be a query param to the deploy call. But at https://github.com/apigee/apigee-deploy-maven-plugin/blob/master/src/main/java/io/apigee/buildTools/enterprise4g/rest/RestClient.java#L636 , the URL encoded params do not include serviceAccount.

I also tried it concretely and combining -Dbearer= and -DgoogleTokenEmail= resulted in an authentication error. Note that this was not an authorization error - it attempted to combine the access token for my personal account and the account identified by googleTokenEmail.

You can see my discussion in the Google Cloud Community about this at https://www.googlecloudcommunity.com/gc/Apigee/Deploy-a-proxy-to-Apigee-X-to-operate-as-a-service-account/m-p/516134

ssvaidyanathan commented 1 year ago

@danizen - you are looking at the wrong branch. The main branch of this repo supports the 1.x version of the plugin which is for Apigee Edge. The hybrid branch supports 2.x version of the plugin for Apigee X/hybrid. The googleTokenEmail is part of 2.x. The code is available here --> https://github.com/apigee/apigee-deploy-maven-plugin/blob/hybrid/src/main/java/io/apigee/buildTools/enterprise4g/rest/RestUtil.java#L810

danizen commented 1 year ago

I had just come to that conclusion myself and returned to say so.

ssvaidyanathan commented 1 year ago

@danizen

> I had just come to that conclusion myself and returned to say so.

Hope with the right plugin version, you got it to work

danizen commented 1 year ago

> Hope with the right plugin version, you got it to work

I am not sure why it didn't work when I tried it the first time, but it did work this time. Google Cloud Skills Boost has a quest https://partner.cloudskillsboost.google/quests/194 and I decided to do the challenge lab using some form of CI/CD.

I need it to be easy for my developers to export (using the CLI tool), update their Git repository, and then test and commit to promote onwards to production. It looks like this works, although I still have to install the registry tool.

ssvaidyanathan commented 1 year ago

am closing this issue as it works @ametelski - pls reopen otherwise