Note: There is a newer version (1.0.2) of this package available.
Module gcp_service_account_auth
kotsikau/gcp_service_account_auth
0.1.0
GCP Service Account Auth Policy
Overview
Request-flow custom mediation policy for WSO2 API Platform / Bijira.
This policy authenticates outbound calls to a downstream Google-protected endpoint by:
- accepting a Google service-account JSON key as a policy parameter
- minting a JWT assertion with the service-account private key
- exchanging the assertion at Google's OAuth2 token endpoint
- caching the resulting access token in memory per mediation application instance
- injecting `Authorization: Bearer <access-token>` into the outbound request
Parameters
| Parameter | Type | Description |
|---|---|---|
| `serviceAccountJson` | string | Minified Google service-account JSON key content. |
| `scope` | string | OAuth scope to request from Google. |
| `authHeaderName` | string | Header to populate. Defaults to `Authorization` when blank. |
| `refreshSkewSeconds` | int | Refresh window before token expiry. Defaults to 300 when <= 0. |
Deployment notes
- Publish this package to Ballerina Central, then attach it from the API Platform Console.
- Set the `org` field in `Ballerina.toml` to your actual Ballerina Central organization before `bal push`.
- In the console, prefer deploy-time variables such as `${GCP_SERVICE_ACCOUNT_JSON}` and `${GCP_SCOPE}` instead of hardcoding secrets.
- Each mediation application instance caches tokens independently. There is no cross-node cache.
- The policy uses `token_uri` from the service-account JSON when present, and otherwise falls back to Google's default token endpoint.
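
The caching and defaulting behaviour described above, as an added Python example (not the policy's own Ballerina code). `TokenCache`, `exchange` and `demo` are hypothetical names; the exact refresh condition, the one-hour assertion lifetime and the sample key are assumptions, and signing plus the HTTP call are delegated to the `exchange` callable so the block runs offline.

```python
import json
import time

GOOGLE_TOKEN_URI = "https://oauth2.googleapis.com/token"  # Google's default token endpoint

class TokenCache:
    """Per-instance, in-memory access-token cache with a refresh window (hypothetical helper)."""

    def __init__(self, service_account_json, scope, exchange,
                 auth_header_name="", refresh_skew_seconds=0, clock=time.time):
        key = json.loads(service_account_json)
        self.issuer = key["client_email"]
        # Use token_uri from the key when present, else the default endpoint.
        self.token_uri = key.get("token_uri") or GOOGLE_TOKEN_URI
        self.scope = scope
        self.exchange = exchange  # callable(token_uri, claims) -> (token, expires_in)
        self.header = auth_header_name.strip() or "Authorization"
        self.skew = refresh_skew_seconds if refresh_skew_seconds > 0 else 300
        self.clock = clock
        self._token, self._expires_at = None, 0.0

    def claims(self, now):
        # Claim set of the JWT assertion; RS256 signing with the private key is left to `exchange`.
        return {"iss": self.issuer, "scope": self.scope, "aud": self.token_uri,
                "iat": int(now), "exp": int(now) + 3600}  # assumed one-hour lifetime

    def headers(self):
        now = self.clock()
        # Assumed refresh rule: re-mint once inside the skew window before expiry.
        if self._token is None or now >= self._expires_at - self.skew:
            self._token, expires_in = self.exchange(self.token_uri, self.claims(now))
            self._expires_at = now + expires_in
        return {self.header: "Bearer " + self._token}

def demo():
    # Constructed key (no private key needed here), fake clock and stub exchange.
    key = json.dumps({"client_email": "svc@example-project.iam.gserviceaccount.com"})
    now, calls = [1000.0], []
    def stub_exchange(token_uri, claims):
        calls.append((token_uri, claims))
        return "token-%d" % len(calls), 3600
    cache = TokenCache(key, "https://www.googleapis.com/auth/cloud-platform",
                       stub_exchange, refresh_skew_seconds=-1, clock=lambda: now[0])
    seen = [cache.headers()["Authorization"]]  # first call mints a token
    now[0] += 3299                             # 301 s before expiry: served from cache
    seen.append(cache.headers()["Authorization"])
    now[0] += 1                                # 300 s before expiry: refreshed
    seen.append(cache.headers()["Authorization"])
    return seen, calls
```

Because each instance holds its own cache, every mediation node performs its own exchange; the stub's call count makes that visible per instance.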