This topic describes the authentication workflow and code configuration required for an agent to obtain an API key from Agent Identity. The agent can then use this key to access downstream services.
Workflow
-
Complete inbound authentication. The agent uses the Agent Identity SDK to call the
GetWorkloadAccessToken*operations of the Agent Identity service to obtain a Workload Access Token. A common inbound authentication method is to use a JSON Web Token (JWT) issued by an external identity provider. -
Obtain the API key. Using the obtained Workload Access Token, the Agent Identity SDK calls the
GetResourceAPIKeyoperation of the Agent Identity service on behalf of the Workload Identity (the associated RAM role) to obtain the API key. -
Access the resource. The agent uses the obtained API key to access the resource.
Usage
After you create an API key credential provider in Agent Identity, you can use the Agent Identity SDK in your agent to obtain an API key. Before calling a function of another service with the API key, add the @requires_api_key annotation and pass the following parameters. The Agent Identity SDK automatically obtains a Workload Access Token and uses it to request the API key.
-
API key credential provider name: The name of the API key credential provider that you configured in Agent Identity. For more information, see Create an API key credential provider.
-
User context information (optional): The agent's user information, such as the user ID and user token (ID Token). The Agent Identity SDK uses this information to determine how to obtain the Workload Access Token.
Sample code (Python):
from agent_identity_python_sdk.identity import requires_api_key
@requires_api_key(
provider_name="<your-api-key-provider-name>",
user_info_context=<your-user-identifier-context> # optional
)
async def weather_search(query: str, api_key: str):
print(f"query: {query}")
if not api_key:
raise Exception("Api key is required")
await call_weather_api(api_key)