This pageapplies toApigee andApigee hybrid.

View Apigee Edge documentation.

The ExternalCallout policy enables you to send gRPC requests to your gRPC server to implement custom behavior that isn't supported by Apigee policies. In your server's code, you can easily access and modify flow variables within a proxy's flow.

Apigee communicates with a gRPC server through an ExternalCallout policy via an API. Apigee uses the API to sendflow variables to the gRPC server. Within your gRPC server, you can read—and depending on the variable, modify— the flow variables listed in theFlow variables reference page, as well as additional variables you specify within the policy's XML.

If you configure the gRPC server with Apigee and include this policy in a proxy, Apigee will handle API requests as follows:

1. Apigee sends a message containing the flow variables to your gRPC server.
2. Your gRPC server code executes, accessing and modifying variables as defined in the code. The gRPC server then sends a response containing all the flow variables back to Apigee.
3. Apigee reads the response from your gRPC server. If any variables are added or modifiable flow variables are modified, they are updated in Apigee.

This policy is aStandard policy and can be deployed to any environment type. For information on policy types and availability with each environment type, seePolicy types.

To learn more about sending gRPC requests, see the following links:

• gRPC
• Protocol Buffers

<ExternalCallout>

Defines an ExternalCallout policy.

<ExternalCallout async="true" continueOnError="true" enabled="true" name="EC">

This element has the following attributes that are common to all policies:

The following table describes the child elements of<ExternalCallout>.

Example 1

Working examples of ExternalCallout are available atExternal Callout Samples on GitHub.

The following example illustrates an ExternalCallout policy configuration.

<ExternalCalloutenabled="true"continueOnError="false"name="ExternalCallout-1"><DisplayName>ExternalCallout1</DisplayName><TimeoutMs>5000</TimeoutMs><GrpcConnection><Servername="external-target-server"/></GrpcConnection><Configurations><Propertyname="with.request.content">true</Property><Propertyname="with.request.headers">false</Property><Propertyname="with.response.content">true</Property><Propertyname="with.response.headers">false</Property><FlowVariable>example1.flow.variable</FlowVariable><FlowVariable>example2.flow.variable</FlowVariable></Configurations><ExternalCallout>

The example sends a request to an external gRPC server represented by the TargetServer namedexternal-target-server, with the following configurations:

• <Property>: Include request and response content, but not the request and response headers, in the request sent to the gRPC server.
• <FlowVariable>: Include additionalflow variablesexample1.flow.variable andexample2.flow.variable, specified by theFlowVariable elements, in the request sent to the gRPC server.

Example 2

In the following example, theuseTargetUrl attribute of theAudience element is set totrue. WhenuseTargetUrl istrue, the hostname of the gRPC target server is used as the audience. Forexample, if the host of the server ismy-grpc-server-java.a.run.app, then the audienceused will behttps://my-grpc-server-java.a.run.app.

<ExternalCalloutcontinueOnError="false"enabled="true"name="External-Callout-1"><DisplayName>External-Callout-1</DisplayName><GrpcConnection><Servername="cloud_run_server_name"/><Authentication><GoogleIDToken><AudienceuseTargetUrl="true"/></GoogleIDToken></Authentication></GrpcConnection><TimeoutMs>5000</TimeoutMs><Configurations><Propertyname="with.request.content">true</Property><Propertyname="with.request.headers">true</Property><Propertyname="with.response.content">true</Property><Propertyname="with.response.headers">true</Property><FlowVariable>example.flow.variable</FlowVariable><FlowVariable>another.flow.variable</FlowVariable></Configurations></ExternalCallout>

The<GrpcConnection> element sets the gRPC server to be an existingTargetServer, specified by thename attribute. See theTargetServer resource reference page.

Note: The protocol for theTargetServer must beGRPC.

For example, the following code

<GrpcConnection>  <Server name="external-target-server"/></GrpcConnection>

specifies the gRPC server to be an existingTargetServer namedexternal-target-server.

Use the<Authentication> element (described later in this section) to generate a Google-issuedOpenID Connect token to make authenticated calls to gRPC-based services, such as custom services hosted inCloud Run.

The following table describes the child elements of<GrpcConnection>.

<Server> element

Specifies the gRPC server.

The following table describes the attributes of the<Server> element.

<Authentication> element

Generates a Google-issuedOpenID Connect token to make authenticated calls to gRPC-based services, such as custom services hosted inCloud Run. Use of this element requires setup and deployment steps described inUsing Google authentication. Withproper setup, the policy creates an authentication token for you and adds it to the service request.

This element has one required child element:GoogleIDToken.

TheAuthentication element uses the following syntax:

<ExternalCallout>...<GrpcConnection><Servername="cloud_run_server_name"/><Authentication><HeaderNameref="FLOW_VARIABLE">STRING</HeaderName><GoogleIDToken><Audienceref="variable-1">STRING</Audience><IncludeEmailref="variable-2">BOOLEAN</IncludeEmail></GoogleIDToken></Authentication></GrpcConnection></ExternalCallout>

<ExternalCalloutcontinueOnError="false"enabled="true"name="External-Callout-1"><DisplayName>External-Callout-1</DisplayName><GrpcConnection><Servername="cloud_run_server_name"/><Authentication><HeaderNameref='my-variable'>X-Serverless-Authorization</HeaderName><GoogleIDToken><Audience>https://cloudrun-hostname.a.run.app</Audience></GoogleIDToken></Authentication></GrpcConnection><TimeoutMs>5000</TimeoutMs><Configurations><Propertyname="with.request.content">true</Property><Propertyname="with.request.headers">true</Property><Propertyname="with.response.content">true</Property><Propertyname="with.response.headers">true</Property><FlowVariable>example.flow.variable</FlowVariable><FlowVariable>another.flow.variable</FlowVariable></Configurations></ExternalCallout>

Attributes

None.

<HeaderName> child element

By default, when an Authentication configuration is present, Apigee generates a bearer token and injects it into theAuthorization header in the message sent to the target system. TheHeaderName element allows you to specify the name of a different header to hold that bearer token. This feature is particularly useful when the target is a Cloud Run service that uses theX-Serverless-Authorization header. TheAuthorization header, if present, is left unmodified and also sent in the request.

TheHeaderName element uses the following syntax:

<ExternalCallout>...  <Authentication>    <HeaderName ref="FLOW_VARIABLE">STRING</HeaderName>    <GoogleIDToken>    ...    </GoogleIDToken>  </Authentication>  ...</ExternalCallout>

<Authentication>  <HeaderName>X-Serverless-Authorization</HeaderName>  <GoogleIDToken>    <Audience>https://cloudrun-hostname.a.run.app</Audience>  </GoogleIDToken></Authentication>

<Authentication><HeaderNameref='my-variable'>X-Serverless-Authorization</HeaderName><GoogleIDToken><Audience>https://cloudrun-hostname.a.run.app</Audience></GoogleIDToken></Authentication>

<GoogleIDToken> child element

Generates Google-issued OpenID Connect tokens to make authenticated calls to Google services, such as custom services hosted inCloud Run.

TheGoogleIDToken element uses the following syntax:

<ExternalCallout>...<GrpcConnection><Servername="cloud_run_server_name"/><Authentication><GoogleIDToken><Audienceref="context-variable"useTargetUrl='BOOLEAN'>STRING</Audience><IncludeEmailref="context-variable">BOOLEAN</IncludeEmail></GoogleIDToken></Authentication></GrpcConnection></ExternalCallout>

<Authentication>  <GoogleIDToken>      <Audience>https://httpserver0-bar.run.app</Audience>      <IncludeEmail>true</IncludeEmail>  </GoogleIDToken></Authentication>

<Audience> child element

The audience for the generated authentication token, such as the API or account that the token grants access to.

If the value ofAudience is empty, theref is empty or resolves to an empty value, anduseTargetUrl istrue, then "https://" + (hostname of the gRPC target server) is used as the audience. For example, if the host of the server ismy-grpc-server-java.a.run.app, then the audience used will behttps://my-grpc-server-java.a.run.app.

By default,useTargetUrl isfalse.

<Audience>explicit-audience-value-here</Audience>or:<Audienceref='variable-name-here'/>or:<Audienceref='variable-name-here'useTargetUrl='true'/>or:<AudienceuseTargetUrl='true'/>

<Configurations>  <FlowVariable>a.b.c</FlowVariable>  <FlowVariable>d.e.f</FlowVariable></Configurations>

Deployment of \"organizations/foo/apis/apiproxy/revisions/1\"requires a service account identity, but one was not providedwith the request.

{  "fault": {    "faultstring": "Encountered the following exception while sending the gRPC request or     processing the response: [io.grpc.StatusRuntimeException: UNAVAILABLE: Credentials failed     to obtain metadata].",    "detail": {      "errorcode": "steps.externalcallout.ExecutionError"    }  }}

The fault variables in the following table are set for all policies by default. See Variables specific to policy errors.

Related topics

• JavaCallout policy