RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from http://cloud.google.com/api-gateway/docs/configure-dev-env below:

Configuring the development environment | API Gateway Documentation

Stay organized with collections Save and categorize content based on your preferences.

Configuring the development environment

This document describes how to configure your API Gateway development environment.

Prerequisites

Before you can create an API on API Gateway, ensure that you have:

Created a Google Cloud project in which you have the Editor or Owner role. After the initial deployment, you can grant the more restrictive Service Config Editor role to a user, group, or service account.
Prepared the Google Cloud CLI as described below.
Enabled the required Google services as described below.
Configure the service account used to create API configs as described below.

Preparing the Google Cloud CLI for deployment

To prepare gcloud for the deployment:

Install and initialize the gcloud CLI.
Update gcloud CLI:
```
gcloud components update
```
Make sure that gcloud CLI is authorized to access your data and services:
```
gcloud auth login
```
A new browser tab opens and you are prompted to choose an account.
Set the default project. Replace PROJECT_ID with your Google Cloud project ID:
```
gcloud config set project PROJECT_ID 
```

Enabling required services

API Gateway requires that you enable the following Google services:

Name Title apigateway.googleapis.com API Gateway API servicemanagement.googleapis.com Service Management API servicecontrol.googleapis.com Service Control API

To confirm that the required services are enabled:

gcloud services list

If you do not see the required services listed, enable them:

gcloud services enable apigateway.googleapis.com
gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com

For more information about the gcloud services, see gcloud services.

Configuring a service account

An API config deployed on a gateway executes with the permissions associated with the gateway service account.

As a best practice, create a separate service account in the same project you are using for API Gateway. Then, assign the service account only the permissions necessary to access the backend service. In that way, you limit the permissions associated with the API config.

For API Gateway, the user creating or updating an API config or gateway requires the iam.serviceAccounts.actAs permission on the service account object. This permission is included in the Service Account User role.

The role and permission can be added to the service account for the user with the following command:

gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
  --member user:USER_EMAIL \
  --role roles/iam.serviceAccountUser

where:

SERVICE_ACCOUNT_EMAIL is the email of the service account, in the format SA_NAME@PROJECT_ID.iam.gserviceaccount.com.
USER_EMAIL is the email address of the user.

For example:

gcloud iam service-accounts add-iam-policy-binding my-service-account@my-project.iam.gserviceaccount.com \
  --member user:myemail@email.com \
  --role roles/iam.serviceAccountUser

In addition, the gateway service account requires the permissions necessary to access your backend service. For example:

For a Cloud Function backend, the service account must be assigned the role of Cloud Functions Invoker.
For a Cloud Run backend, the service account must be assigned the role of Cloud Run Invoker.
For an App Engine backend, you must follow the steps in Setting up IAP access to grant the service account associated with your gateway the IAP-secured Web App User role.

By limiting the permissions associated with the API config, you can better secure your backend systems. For more information, see the Identity and Access Management (IAM) documentation.

After you create the service account, use the --backend-auth-service-account option to specify the email address of that service account when creating an API config:

gcloud api-gateway api-configs create CONFIG_ID \
  --api=API_ID --openapi-spec=API_DEFINITION --project=PROJECT_ID \
  --backend-auth-service-account=SERVICE_ACCOUNT_EMAIL

See Creating an API for more on creating API configs.

Using a default service account

Some Google Cloud products define a default service account. For example, if you are using Compute Engine and have enabled the Compute Engine API for your project, a default Compute Engine service account is created for you. The default service account is identifiable by its email address:

PROJECT_NUMBER-compute@developer.gserviceaccount.com

If you assign the necessary permissions to the default service account, you can omit the --backend-auth-service-account option when creating an API config:

gcloud api-gateway api-configs create CONFIG_ID \
  --api=API_ID --openapi-spec=API_DEFINITION --project=PROJECT_ID

See Using the Compute Engine Default Service Account for more.

Using OpenID Connect

Requests from API Gateway to backend services may use authentication. These requests are secured using OpenID Connect (OIDC) tokens signed by the gateway's service account. You should confirm that your backend service is correctly configured to accept OIDC tokens for authentication and authorization. Cloud Run functions, Cloud Run, and the Identity Aware Proxy (IAP) provide this option.

What's next

Creating an API

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-07 UTC.

[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["Before creating an API on API Gateway, you need a Google Cloud project with the appropriate roles, the Google Cloud CLI installed and configured, and the required Google services enabled."],["Setting up the Google Cloud CLI for deployment involves installing, updating, authorizing, and setting the default project ID with the `gcloud` commands."],["API Gateway requires enabling `apigateway.googleapis.com`, `servicemanagement.googleapis.com`, and `servicecontrol.googleapis.com` services, which can be done through the `gcloud services enable` command."],["It is recommended to create a separate service account with limited permissions for API Gateway, and the user creating or updating an API config must have the `iam.serviceAccounts.actAs` permission on that service account."],["API Gateway requests to backend services can be secured using OpenID Connect (OIDC) tokens signed by the gateway's service account, which requires proper backend service configuration."]]],[]]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4