How to attach a Service Account with CI/CD Pipeline (Apigee X, Maven, Cloudbuild)

I am having difficulty in figuring out how to include a service account with a proxy deployment to Apigee X with the Deploy Maven Plugin and Cloud Build. The proxy requires the service account as it includes a service callout policy with an <Authentication> element. The service account already exists.

I get the following error message when I try to run the deployment.

"Proxy Deployment": {
Step #1 - "Proxy Deployment":   "error": {
Step #1 - "Proxy Deployment":     "code": 400,
Step #1 - "Proxy Deployment":     "message": "deployment validations failed",
Step #1 - "Proxy Deployment":     "status": "FAILED_PRECONDITION",
Step #1 - "Proxy Deployment":     "details": [
Step #1 - "Proxy Deployment":       {
Step #1 - "Proxy Deployment":         "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
Step #1 - "Proxy Deployment":         "violations": [
Step #1 - "Proxy Deployment":           {
Step #1 - "Proxy Deployment":             "type": "MISSING_SERVICE_ACCOUNT",
Step #1 - "Proxy Deployment":             "subject": "organizations/xxxxxx/apis/apigee-admin-api/revisions/6",
Step #1 - "Proxy Deployment":             "description": "Deployment of \"organizations/xxxxxx/apis/apigee-admin-api/revisions/6\" requires a service account identity, but one was not provided with the request."
Step #1 - "Proxy Deployment":           }
Step #1 - "Proxy Deployment":         ]
Step #1 - "Proxy Deployment":       },
Step #1 - "Proxy Deployment":       {
Step #1 - "Proxy Deployment":         "@type": "type.googleapis.com/google.rpc.RequestInfo",
Step #1 - "Proxy Deployment":         "requestId": "1408945760741xxxx"
Step #1 - "Proxy Deployment":       }
Step #1 - "Proxy Deployment":     ]
Step #1 - "Proxy Deployment":   }
Step #1 - "Proxy Deployment": }
I initiate the build process with the following command:
gcloud builds submit --config='./ci-config/cloudbuild/cloudbuild.yaml' \
  --substitutions="_API_VERSION=google,_DEPLOYMENT_ORG=$PROJECT_ID,_APIGEE_TEST_ENV=$APIGEE_ENV,BRANCH_NAME=main"
And the error occurs in this step of the cloudbuild.yaml:
source env.txt && \
          mvn clean install -ntp \
            -P"googleapi" \
            -Denv="$${APIGEE_ENV}" \
            -Dtoken="$${APIGEE_BUILD_TOKEN}" \
            -Dorg="$_DEPLOYMENT_ORG" \
            -Ddeployment.suffix="$${APIGEE_DEPLOYMENT_SUFFIX}" \
            -Ddeployment.description="CloudRun Build: $BUILD_ID"
Can anyone point me in the right direction of how to include the necessary service account during the deployment process? Thanks.

Have you looked here: 

https://github.com/apigee/apigee-deploy-maven-plugin/tree/hybrid#to-deploy-a-proxy-that-makes-requir...

I think you want something like this:

source env.txt && \
          mvn clean install -ntp \
            -P"googleapi" \
            -Denv="$${APIGEE_ENV}" \
            -Dtoken="$${APIGEE_BUILD_TOKEN}" \
            -Dorg="$_DEPLOYMENT_ORG" \
            -Ddeployment.suffix="$${APIGEE_DEPLOYMENT_SUFFIX}" \
            -Ddeployment.description="CloudRun Build: $BUILD_ID" \
            -DgoogleTokenEmail=$${SVC_ACCOUNT_ID}@$${PROJECT}.iam.gserviceaccount.com
Thanks for the suggestion. That is exactly what I was looking for. Unfortunately I still seem to be getting the same error. The service account email will work if I attach it through the console, but doesn't seem to deploy properly. The service account has Apigee Service Agent and Service Account User roles. Could it be permissions related?
Step #1 - "Proxy Deployment": [INFO] --- apigee-edge-maven-plugin:2.2.2:deploy (deploy-bundle-step) @ apigee-admin-api ---
Step #1 - "Proxy Deployment": 00:05:20.315 [main] ERROR io.apigee.buildTools.enterprise4g.rest.RestUtil - 400 Bad Request
@marc - Can you please share more logs? Especially the call that was made to deploy the proxy? And can you confirm that the error message is still the same, involving "MISSING_SERVICE_ACCOUNT"?

Also please confirm the Maven profile in your pom that you are invoking (in your case "googleapi") has

<apigee.googletoken.email>${googleTokenEmail}</apigee.googletoken.email>

like the sample here
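As an added pre-flight check (not code from this thread or from the apigee-deploy-maven-plugin project), the script below verifies the two things the deploy turns on before `mvn` is invoked: that the Maven profile being activated actually defines `<apigee.googletoken.email>${googleTokenEmail}</apigee.googletoken.email>`, and that the value handed to `-DgoogleTokenEmail` is a fully substituted service-account email rather than a leftover `$$VAR` or `${var}` placeholder. The pom.xml content and the profile id `googleapi-fixed` are constructed for the example.

```python
"""Pre-flight check for an Apigee X Maven deploy that needs a service account."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: the "googleapi" profile lacks the property
# (the state that yields MISSING_SERVICE_ACCOUNT); "googleapi-fixed" has it.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <profiles>
    <profile><id>googleapi</id><properties>
      <apigee.profile>googleapi</apigee.profile>
      <apigee.org>${org}</apigee.org>
    </properties></profile>
    <profile><id>googleapi-fixed</id><properties>
      <apigee.profile>googleapi</apigee.profile>
      <apigee.googletoken.email>${googleTokenEmail}</apigee.googletoken.email>
    </properties></profile>
  </profiles>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# NAME@PROJECT.iam.gserviceaccount.com: account id 6-30 chars, project id 6-30 chars,
# lowercase letters, digits and hyphens, both starting with a letter.
SA_EMAIL = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$"
)


def profile_token_email(pom_xml: str, profile_id: str):
    """Return the apigee.googletoken.email text in the named profile, or None."""
    root = ET.fromstring(pom_xml)
    for prof in root.findall("m:profiles/m:profile", NS):
        if prof.findtext("m:id", namespaces=NS) == profile_id:
            return prof.findtext("m:properties/m:apigee.googletoken.email", namespaces=NS)
    return None


def check_profile(pom_xml: str, profile_id: str) -> bool:
    """True if the profile wires the -DgoogleTokenEmail value into the plugin."""
    value = profile_token_email(pom_xml, profile_id)
    return value is not None and "${googleTokenEmail}" in value


def check_sa_email(value: str) -> bool:
    """True only if the value is a well-formed, fully substituted SA email."""
    if "$" in value:  # unresolved Cloud Build ($$VAR / $_SUB) or Maven (${var}) reference
        return False
    return SA_EMAIL.fullmatch(value) is not None
```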
Thanks, I was missing the ${googleTokenEmail} variable from the POM file. I feel one step closer. Now it seems that it is a matter of setting proper permissions for the service account. Again, the service account that I am trying to attach in the build process has Apigee Service Agent and Service Account User roles. It works as intended if I manually apply it to the proxy in the console. I am getting this error:

Step #1 - "Proxy Deployment": [ERROR] Failed to execute goal io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:2.2.2:deploy (deploy-bundle-step) on project apigee-admin-api: : MojoExecutionException: com.google.api.client.http.HttpResponseException: 403 Forbidden
Step #1 - "Proxy Deployment": [ERROR] {
Step #1 - "Proxy Deployment": [ERROR]   "error": {
Step #1 - "Proxy Deployment": [ERROR]     "code": 403,
Step #1 - "Proxy Deployment": [ERROR]     "message": "permission 'iam.serviceAccounts.actAs' denied on resource 'projects/-/serviceAccounts/manage-apigee-api@XXXXXX.iam.gserviceaccount.com' (or it may not exist in the project for Apigee org \"XXXXXX\")",
Step #1 - "Proxy Deployment": [ERROR]     "status": "PERMISSION_DENIED",
Step #1 - "Proxy Deployment": [ERROR]     "details": [
Step #1 - "Proxy Deployment": [ERROR]       {
Step #1 - "Proxy Deployment": [ERROR]         "@type": "type.googleapis.com/google.rpc.RequestInfo",
Step #1 - "Proxy Deployment": [ERROR]         "requestId": "12700304949344003839"
Step #1 - "Proxy Deployment": [ERROR]       }
Step #1 - "Proxy Deployment": [ERROR]     ]
Step #1 - "Proxy Deployment": [ERROR]   }
Step #1 - "Proxy Deployment": [ERROR] }

The deploy script in the cloudbuild.yaml file is :

mvn clean install -ntp \
            -P"googleapi" \
            -Denv="$${APIGEE_ENV}" \
            -Dtoken="$${APIGEE_BUILD_TOKEN}" \
            -Dorg="$_DEPLOYMENT_ORG" \
            -Ddeployment.suffix="$${APIGEE_DEPLOYMENT_SUFFIX}" \
            -Ddeployment.description="CloudRun Build: $BUILD_ID" \
            -DgoogleTokenEmail="manage-apigee-api@$_DEPLOYMENT_ORG.iam.gserviceaccount.com"

and the call to deploy the proxy is:

gcloud builds submit --config='./ci-config/cloudbuild/cloudbuild.yaml' \
  --substitutions="_API_VERSION=google,_DEPLOYMENT_ORG=$PROJECT_ID,_APIGEE_TEST_ENV=$APIGEE_ENV,BRANCH_NAME=main"

Thank you for your assistance.

@marc - did you try deploying the proxy by passing "manage-apigee-api@$_DEPLOYMENT_ORG.iam.gserviceaccount.com" in the UI and that worked?
One more tip - Try running the mvn command with "-X" to print the debug logs. Probably the value you are passing is not getting substituted correctly. With the -X option, it should show the different args, etc.

Hello, sorry for the delay in getting back to you. I am still having issues with configuring the service account with the proper permissions, but I think that is outside of the scope of my initial question. The service account is indeed getting included in the build pipeline. Thank you for your help with this.