Before you begin
To generate the necessary Google Cloud access token, you need to operate within a Google Cloud project. We recommend using the same project where you have enabled Cloud Network Insights.
The user or service account requesting the token must have one of the following roles in the Google Cloud project:
- If you want the account to have read-only access to Cloud Network Insights resources,
grant it one of the following roles in your project:
- Cloud Network Insights Viewer
(
roles/networkmanagement.cloudNetworkInsightsViewer) - Network Management Viewer (
networkmanagement.viewer) - The basic Viewer role
- Cloud Network Insights Viewer
(
- If you want the account to have full access to Cloud Network Insights resources, grant
it one of the following roles in your project:
- Cloud Network Insights Editor
(
roles/networkmanagement.cloudNetworkInsightsEditor) - Network Management Admin (
networkmanagement.admin)
- Cloud Network Insights Editor
(
Create an AppNeta API token
You can create an AppNeta API token by generating a Google Cloud access token to exchange for a provider-specific token that is used with the AppNeta API.
Generate a Google Cloud access token
Generate a Google Cloud access token for the user or service account that makes the API calls. There are several ways to obtain a Google Cloud access token, depending on your environment and how you are authenticated to Google Cloud.
- Service Accounts: If you're running applications on Google Cloud infrastructure (for example, Compute Engine, Google Kubernetes Engine) or using service account keys, you can use the Cloud Client Libraries or the metadata server to fetch tokens.
- Other Environments: Google Cloud provides various authentication mechanisms.
See Authentication token types for a comprehensive guide on choosing the best method for your situation.
If you have the Google Cloud CLI installed and configured, you can generate a token to copy using gcloud CLI commands.
gcloud auth print-access-token
If you want application default credentials, use the following gcloud CLI command.
gcloud auth application-default print-access-token
Exchange tokens
Use the copied Google Cloud access token to call the Network Management API to generate a provider-specific access token for AppNeta.
The AppNeta token expires when the
Google Cloud token used to generate it expires. Google Cloud access
tokens are typically valid for one hour. We recommend using a fresh
Google Cloud access token each time you perform the
generateProviderAccessTokencall to ensure the AppNeta
token has the maximum possible lifespan.
gcloud
gcloud alpha network-management network-monitoring-providers
generate-provider-access-token PROVIDER_NAME
--project=PROJECT_ID
--location=global
--gcp-access-token=GCP_ACCESS_TOKEN
Replace the following:
PROVIDER_NAME: the provider name,externalby default.PROJECT_ID: the project where Cloud Network Insights is enabled.GCP_ACCESS_TOKEN: the token you generated in Google Cloud.
curl
curl -H "Authorization: Bearer GCP_ACCESS_TOKEN"
"https://networkmanagement.googleapis.com/v1alpha1/projects/PROJECT_ID/locations/global/networkMonitoringProviders/external:generateProviderAccessToken?gcp_access_token=GCP_ACCESS_TOKEN"
Replace the following:
GCP_ACCESS_TOKEN: the token you generated in Google Cloud.PROJECT_ID: the project where Cloud Network Insights is enabled.
The response from this call contains the providerAccessToken, which you
use to authenticate requests directly against the AppNeta API endpoints.
Use the AppNeta Token
Use the providerAccessToken as a bearer token in the authorization header
when making calls to the AppNeta API. Refer to the
AppNeta API documentation
for details on available endpoints and request formats.