Module gcp_service_account_auth
kotsikau/gcp_service_account_auth
GCP Service Account Auth Mediation Policy
Overview
Request-flow Ballerina mediation policy for Bijira/API Platform. The policy obtains a Google OAuth2 access token with the service-account JWT assertion flow, caches the token in memory per mediation app instance, and sets the outbound backend request header:
Authorization: Bearer <access-token>
Policy Parameters
Configure these parameters when attaching the policy:
| Parameter | Description |
|---|---|
clientEmail | Google service-account email. Use a deploy-time variable or secret such as ${GCP_CLIENT_EMAIL}. |
privateKey | PEM RSA private key content. Use a secret such as ${GCP_PRIVATE_KEY}. Escaped \n values are supported. |
tokenUri | Google OAuth2 token endpoint. Blank values default to https://oauth2.googleapis.com/token. |
scope | Space-delimited OAuth scopes. Use a deploy-time variable such as ${GCP_SCOPE}. |
refreshSkewSeconds | Number of seconds before expiry when the cached token should be refreshed. Non-positive values default to 300. |
No filesystem paths, service-account JSON files, Java mediator JAR, Redis, or shared cache are used.
Build And Publish
bal pack bal push
The published package is:
kotsikau/gcp_service_account_auth:1.0.1
API Platform Deployment
- Open the API proxy in Bijira/API Platform Console.
- Go to
Develop -> Policies. - Attach to the
kotsikau/gcp_service_account_auth:1.0.1Requestflow. - Configure the policy with deploy-time variables or secrets:
clientEmail = ${GCP_CLIENT_EMAIL} privateKey = ${GCP_PRIVATE_KEY} scope = ${GCP_SCOPE} tokenUri = ${GCP_TOKEN_URI} refreshSkewSeconds = 300
If no custom token endpoint is required, leave tokenUri blank when the console allows it.
Runtime Behavior
The policy logs cache hits, cache misses, token refresh starts, and token refresh completion. It never logs private keys, JWT assertions, or full access tokens. Token generation and exchange failures return clear mediation errors.
