How to set up EventBridge Api Destination/Connection to Google Cloud?


I am setting up a project which will publish events to EventBridge. One of the targets of these events will be an HTTP Api in Google Cloud. I know EventBridge supports Api Destinations and I am trying to set that up to send these events. I have been unable to get the connection working to the Google Api and could use some suggestions. I am trying to use OAuth credentials from the Google account to create an Api Destination/Connection. So far, the Connection is always marked as "Deauthorized". I have not been able to find any details or debug information about the connection attempt that fails. I created credentials in the Google account and downloaded the credentials json file. Setting up the connection in the AWS console, I used the "client_id" property from the json file as the "Client ID" field for the connection. I think one issue may be the "Client secret" value. I was surprised that the "private_key" property in the Google json file looks like:

"private_key": "-----BEGIN PRIVATE KEY-----\n<lots of Base64 and several newlines>\n-----END PRIVATE KEY-----\n"

I tried using the value between the BEGIN PRIVATE KEY and END PRIVATE KEY tags, but AWS rejected that saying it was too long. I tried a single value from between newlines, which I was allowed to save, but it doesn't work. I have also tried setting this value to the "private_key_id", which also doesn't work (I didn't really expect it to, but worth a shot).

There are also options to send OAuth Http Parameters and Invocation Http Parameters. I've tried adding key="scopes" and value="https://www.googleapis.com/auth/cloud-platform" for both Parameters.

Has anyone had luck setting up a Connection like this to a Google account?

I've also looked at Google's Workload Identity Federation, but it appears there isn't a way to use that in a no-code case like the EventBridge Api Destinations.

ScottD
asked 2 years ago, 1498 views
1 Answer

Hello!

While I'm unable to speak authoritatively regarding the Google Cloud side of this configuration, it does seem like the Client Secret value may be an issue here. Setting up an API Destination Connection utilizing OAuth authorization does require the use of a client ID and a client secret. Looking through the Google Cloud documentation and doing some testing in the Google Cloud console (which again, I am unfamiliar with), I was only able to find that setting up an OAuth 2.0 Client ID as a Web Application type provided me with credentials that included both a client ID and client secret. However, when specifying these in my API Destination Connection, specifying the OAuth HTTP Parameters found in the OAuth JSON file from Google Cloud, and utilizing "https://oauth2.googleapis.com/token" as the Authorization endpoint, the Connection still indicates a Deauthorized error with the message "The partner authorization grant type is not supported by the partner authorization server."

It may be necessary to reach out to Google Cloud support for more information on how best to configure the API Authorization Endpoint and Client Credentials in Google Cloud to then be used when setting up the connection in EventBridge API Destinations.

AWS
SUPPORT ENGINEER
answered 2 years ago
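As an added illustration (not part of the question or the answer above, and not AWS or Google code), the following Python check classifies a downloaded Google credentials file, validates a service-account "private_key" as the PEM signing key it is, and models the client-credentials token request an EventBridge OAuth connection sends. The sample key file is constructed with dummy values, and the request-body layout is an assumption based on the documented client-credentials flow.

```python
"""Check a downloaded Google credentials file against what an EventBridge OAuth
(client credentials) connection needs and what Google's token endpoint accepts."""
import base64
import json
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def pem_private_key_is_well_formed(pem: str) -> bool:
    """True for a PKCS#8 PEM block whose base64 body decodes to a DER
    SEQUENCE (0x30): a signing key for a JWT assertion, not a client secret."""
    lines = [l.strip() for l in pem.strip().splitlines() if l.strip()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PRIVATE KEY-----"
            or lines[-1] != "-----END PRIVATE KEY-----"):
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30

def classify_google_credentials(doc: dict) -> dict:
    """Map the file to EventBridge's Client ID / Client secret fields and to the
    grant type Google expects; EventBridge's 'client_credentials' grant is
    accepted by neither kind of Google credential."""
    if doc.get("type") == "service_account":
        return {"kind": "service_account", "client_id": doc.get("client_id"),
                "client_secret": None,  # a service account has no client secret
                "pem_ok": pem_private_key_is_well_formed(doc.get("private_key", "")),
                "google_grant_type": JWT_BEARER}
    for section in ("web", "installed"):  # OAuth client ID downloads
        if section in doc:
            c = doc[section]
            return {"kind": "oauth_client_" + section, "client_id": c.get("client_id"),
                    "client_secret": c.get("client_secret"), "pem_ok": False,
                    "google_grant_type": "authorization_code"}
    raise ValueError("not a Google service-account key or OAuth client file")

def eventbridge_token_request(client_id, client_secret, oauth_params=None):
    """Form body modelling the POST EventBridge's OAuth connection makes to the
    authorization endpoint (assumed: documented client-credentials flow plus
    the configured OAuth HTTP parameters)."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, **(oauth_params or {})}
    return urlencode(body)

# Constructed sample in the shape of a service-account key file (dummy values).
SERVICE_ACCOUNT_KEY = json.loads("""{"type": "service_account", "client_id": "1234567890",
 "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIBAAAA\\n-----END PRIVATE KEY-----\\n"}""")
```

Running `classify_google_credentials(SERVICE_ACCOUNT_KEY)` shows the asker's situation: a valid PEM key, a client_id, but no client secret and a grant type EventBridge does not send.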
