This page provides information intended for existing Apigee customers who want to use both Apigee Integration and Application Integration with the same Google Cloud project.
Overview
All Apigee subscription users who have enabled the Apigee Integrations add-on, can now use Application Integration at no additional cost. Application Integration is set up for you, and all your existing integrations in Apigee are automatically synchronized and available to use. This means that you can continue to use your existing Google Cloud project for both Apigee Integration and Application Integration without any additional configurations.
To know more about Application Integration, See Application Integration overview.
The following notification message appears in the Integrations page to indicate that Application Integration is available in your Google Cloud project:
What's changing?
The following table provides a summary of the expected differences or changes in your Google Cloud project:
| Apigee resource/feature | Expected difference/change |
|---|---|
| IAM permissions | Integrations will use the predefined Application Integration IAM roles. |
| Service account | A new default service account is created that will be used for all integrations. |
| REST APIs | Apigee Integration REST APIs have Application Integration REST API equivalents. See REST API changes. |
| Send Email task and Approval task | The sender email address is changed for all outgoing emails. |
IAM permission changes
All existing user accounts or principals with assigned Apigee Integration IAM roles are granted with equivalent Predefined Application Integration IAM permissions.
Application Integration IAM permissions have the following format:
Format
integrations.integrationRESOURCE.ACTION
Example
integrations.integrationVersions.get
Custom IAM role limitations
The following limitations apply if you have defined custom IAM roles in your Google Cloud project:
- Apigee proxies using a service account with custom IAM roles containing Apigee Integration permissions may fail. We recommend that you update your custom IAM roles with the Application Integration IAM permissions.
For information about IAM roles and permissions, see Access control overview.
Service account changes
A new default service account with the Application Integration Service Agent (roles/integrations.serviceAgent) IAM role is created in your Google Cloud project.
The new Application Integration default service account is used for the following integration operations:
- To run an integration.
- To invoke a Cloud Function using the Cloud Function task.
- To call an Integration Connector using the Connectors task.
- To create service account tokens for Service account type authentication profiles.
- To encrypt and decrypt Cloud KMS keys for authentication profiles.
Application Integration default service account has the following email address:
Format
service-PROJECT_NUMBER@gcp-sa-integrations.iam.gserviceaccount.com
Example
service-46733320069@gcp-sa-integrations.iam.gserviceaccount.com
For information about service accounts, see Access control overview.
REST API changes
In general, most of the Apigee Integration APIs have their respective Application Integration API equivalents.
The following table describes the key change in the REST APIs of Apigee Integration when compared to Application Integration:
| Apigee Integrations (including Apigee proxy) | Application Integration | |
|---|---|---|
| REST Resource | projects/PROJECT_ID/locations/REGION/products/apigee/integration/INTEGRATION_NAME
|
projects/PROJECT_ID/locations/REGION/integration/INTEGRATION_NAME
|
For information about Application Integration APIs, see Application Integration REST API.
Integration task changes
The Send Email task and the Approval task will use noreply-application-integration@google.com to send email notifications. In addition, all the approval request emails sent using the Approval task will link to Application Integration.