API Security on Google Cloud's Apigee API Platform

Apigee Lab 6a: Masking Sensitive Data

Lab · 1 hour 30 minutes · 5 Credits · Introductory

Note: This lab may incorporate AI tools to support your learning.

Overview

In this lab, you use debug masks and private variables to protect sensitive data from being viewed in the debug tool.

Objectives

In this lab, you learn how to perform the following tasks:

  • Use private variables in API proxies.
  • Create debug masks using the Apigee API.

Setup

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

  1. Sign in to Qwiklabs using an incognito window.

  2. Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time.
    There is no pause feature. You can restart if needed, but you have to start at the beginning.

  3. When ready, click Start lab.

  4. Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.

  5. Click Open Google Console.

  6. Click Use another account and copy/paste credentials for this lab into the prompts.
    If you use other credentials, you'll receive errors or incur charges.

  7. Accept the terms and skip the recovery resource page.

Activate Google Cloud Shell

Google Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on Google Cloud.

Google Cloud Shell provides command-line access to your Google Cloud resources.

  1. In Cloud console, on the top right toolbar, click the Open Cloud Shell button.

  2. Click Continue.

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID.

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  • You can list the active account name with this command:

    gcloud auth list

    Output:

    Credentialed accounts:
    - <account>@<domain>.com (active)

    Example output:

    Credentialed accounts:
    - google1623327_student@qwiklabs.net

  • You can list the project ID with this command:

    gcloud config list project

    Output:

    [core]
    project = <PROJECT_ID>

    Example output:

    [core]
    project = qwiklabs-gcp-44776a13dea667a6

Note: Full documentation of gcloud is available in the gcloud CLI overview guide.

Task 1. Create a new proxy

In this task, you create a new API proxy.

Pin the Apigee console page

  1. In the Google Cloud console, on the Navigation menu, look for Apigee in the Pinned Products section.

    The Apigee console page will open.

  2. If Apigee is not pinned, search for Apigee in the top search bar and navigate to the Apigee service.

  3. Hover over the name, then click the pin icon.

    The Apigee console page will now be pinned to the Navigation menu.

Create the proxy

  1. On the left navigation menu, select Proxy development > API proxies.

  2. To start the proxy wizard, click +Create.

  3. Leave Proxy template unchanged.

  4. Specify the following settings:

    Property               Value
    Proxy Name             lab6a-v1
    Base path              /lab6a/v1
    Target (Existing API)  https://httpbin.org/anything

    The httpbin.org/anything API returns detailed information about the API request it was sent.

    Note: Confirm that you are using "/lab6a/v1" for the base path, and not "/lab6a-v1".
  5. Click Create.

  6. Click the Develop tab.

Task 2. Use a private variable in the proxy to hide sensitive data

In this task, you test the difference between private variables and non-private variables when viewed in the debug tool.

Add an ExtractVariables policy

  1. Click Proxy endpoints > default > PreFlow.

  2. On the Request PreFlow, click Add Policy Step (+).

  3. In the Add policy step pane, select Create new policy, and then select Mediation > Extract Variables.

  4. Specify the following values:

    Property      Value
    Name          EV-QueryParamTest
    Display name  EV-QueryParamTest
  5. Click Add.

  6. Click Policies > EV-QueryParamTest.

  7. Replace the policy's default configuration with:

    <ExtractVariables continueOnError="false" enabled="true" name="EV-QueryParamTest">
      <QueryParam name="user">
        <Pattern ignoreCase="true">{username}</Pattern>
      </QueryParam>
      <QueryParam name="pw">
        <Pattern ignoreCase="true">{password}</Pattern>
      </QueryParam>
      <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
      <Source clearPayload="false">request</Source>
    </ExtractVariables>

    This configuration tells the proxy to look for a query parameter named user and copy its value to a variable named username, and to look for a query parameter named pw and copy it to a variable named password.

    Note: You should not send sensitive data in the URL, because URLs are often logged in access logs. This example is being used for ease of testing.
  8. Click Save.

  9. Click Deploy.

  10. To specify that you want the new revision deployed to the eval environment, select eval as the Environment, and then click Deploy.

  11. Click Confirm.

Check deployment status

A proxy that is deployed and ready to take traffic will show a green status on the Overview tab.

When a proxy is marked as deployed but the runtime is not yet available and the environment is not yet attached, you may see a red warning sign. Hold the pointer over the Status icon to see the current status.

If the proxy is deployed and shows as green, your proxy is ready for API traffic. If your proxy is not deployed because there are no runtime pods, you can check the provisioning status.

Check provisioning status

  • In Cloud Shell, to confirm that the runtime instance has been installed and the eval environment has been attached, run the following commands:

    export PROJECT_ID=$(gcloud config list --format 'value(core.project)'); echo "PROJECT_ID=${PROJECT_ID}"
    export INSTANCE_NAME=eval-instance; export ENV_NAME=eval; export PREV_INSTANCE_STATE=
    echo "waiting for runtime instance ${INSTANCE_NAME} to be active"
    while : ; do
      export INSTANCE_STATE=$(curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" -X GET "https://apigee.googleapis.com/v1/organizations/${PROJECT_ID}/instances/${INSTANCE_NAME}" | jq "select(.state != null) | .state" --raw-output)
      [[ "${INSTANCE_STATE}" == "${PREV_INSTANCE_STATE}" ]] || (echo; echo "INSTANCE_STATE=${INSTANCE_STATE}")
      export PREV_INSTANCE_STATE=${INSTANCE_STATE}
      [[ "${INSTANCE_STATE}" != "ACTIVE" ]] || break
      echo -n "."; sleep 5
    done
    echo; echo "instance created, waiting for environment ${ENV_NAME} to be attached to instance"
    while : ; do
      export ATTACHMENT_DONE=$(curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" -X GET "https://apigee.googleapis.com/v1/organizations/${PROJECT_ID}/instances/${INSTANCE_NAME}/attachments" | jq "select(.attachments != null) | .attachments[] | select(.environment == \"${ENV_NAME}\") | .environment" --join-output)
      [[ "${ATTACHMENT_DONE}" != "${ENV_NAME}" ]] || break
      echo -n "."; sleep 5
    done
    echo "***ORG IS READY TO USE***"

    When the script returns ORG IS READY TO USE, you can proceed to the next steps.

Task 3. Test the API proxy without private variables

In this task, you will use the debug tool to verify that sensitive variables are visible.

Start a debug session

  1. Click the Debug tab, and then click Start Debug Session.
  2. In the Start debug session pane, on the Environment dropdown, select eval.
  3. Click Start.

Test the API proxy using private DNS

The eval environment in the Apigee organization can be called using the hostname eval.example.com. The DNS entry for this hostname has been created within your project, and it resolves to the IP address of the Apigee runtime instance. This DNS entry has been created in a private zone, which means it is only visible on the internal network.

Cloud Shell does not reside on the internal network, so Cloud Shell commands cannot resolve this DNS entry. A virtual machine (VM) within your project can access the private zone DNS. A virtual machine named apigeex-test-vm was automatically created for this purpose. You can make API proxy calls from this machine.

The curl command will be used to send API requests to an API proxy. The -k option for curl tells it to skip verification of the TLS certificate. For this lab, the Apigee runtime uses a self-signed certificate. For a production environment, you should use certificates that have been created by a trusted certificate authority (CA).

  1. In Cloud Shell, open a new tab, and then open an SSH connection to your test VM:

    TEST_VM_ZONE=$(gcloud compute instances list --filter="name=('apigeex-test-vm')" --format "value(zone)")
    gcloud compute ssh apigeex-test-vm --zone=${TEST_VM_ZONE} --force-key-file-overwrite

    The first gcloud command retrieves the zone of the test VM, and the second opens the SSH connection to the VM.

  2. If asked to authorize, click Authorize.

    For each question asked in the Cloud Shell, press Enter or Return to accept the default input.

    Your logged-in identity is the owner of the project, so SSH to this machine is allowed.

    Your Cloud Shell session is now running inside the VM.

Test the API proxy

  1. In the Cloud Shell SSH session, run this command:

    curl -i -k -X GET "https://eval.example.com/lab6a/v1?user=joe&pw=abc123"

    In the Debug tab, you should see the API request. It may take a short time to become visible.

  2. In Debug, click on the GET request, and then click the EV-QueryParamTest step.

    In the EV-QueryParamTest details pane, click on the Variables tab to see that the variable username has been set to joe, and the variable password has been set to abc123.

    If this had been a real password, you probably would not want it to be visible to users of the Debug tool.

Task 4. Update the policy to use a private variable

In this task, you update the ExtractVariables policy to use a private variable so the value is not visible while tracing.

  1. Return to the Develop tab and select Policies > EV-QueryParamTest.

  2. Change the policy configuration to the following:

    <ExtractVariables continueOnError="false" enabled="true" name="EV-QueryParamTest">
      <QueryParam name="user">
        <Pattern ignoreCase="true">{username}</Pattern>
      </QueryParam>
      <QueryParam name="pw">
        <Pattern ignoreCase="true">{private.password}</Pattern>
      </QueryParam>
      <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
      <Source clearPayload="false">request</Source>
    </ExtractVariables>

    Instead of password, the variable name for the pw query parameter is now private.password. The username variable has remained unchanged.

    This will change the resulting variable for the pw query parameter to private.password. No variable that starts with "private." will be shown in the debug tool.

  3. Click Save, and then click Save as New Revision.

  4. Click Deploy.

  5. To specify that you want the new revision deployed to the eval environment, click Deploy.

  6. Click Confirm.

    Wait for the deployment to complete.

Task 5. Verify that the private variable's value cannot be seen

In this task, you verify that the value of the variable private.password cannot be seen in the debug tool.

Start a debug session

  1. Click the Debug tab, and then click Start Debug Session.
  2. In the Start debug session pane, on the Environment dropdown, select eval.
  3. Click Start.

Test the API proxy

  1. In the Cloud Shell SSH session, send the following curl command:

    curl -i -k -X GET "https://eval.example.com/lab6a/v1?user=joe&pw=abc123"
  2. In Debug, click on the GET request, and then click EV-QueryParamTest.

    In the EV-QueryParamTest details pane, click on the Variables tab to verify that the variable username has been set to joe, and the variable password is not visible.

    Note: If you copy the private variable into another non-private variable, that new variable would be visible in the debug tool.

Task 6. Create a debug mask configuration for a proxy

In this task, you create a debug mask to mask a variable in the debug tool.

This task will use the Apigee API to create a debug mask. There is a single debug mask associated with an environment.

  1. Open a new browser tab in the same window and navigate to the Apigee API documentation page for updating a debug mask.

    This page shows how the updateDebugMask operation for an environment is called. You can use this page to make the API call to update the debug mask. You can also find the other Apigee API calls that are available.

    You will be using curl to make the API calls.

  2. In the Cloud Shell SSH session, make the following call:

    gcloud auth print-access-token

    gcloud auth print-access-token is a gcloud command that prints the access token for the logged-in user. You logged in as the Qwiklabs user, so the token that is printed uses the permissions of the Qwiklabs user. Because the Qwiklabs user has the role of Owner on the project, the Qwiklabs user has organization admin permissions on the Apigee organization.

  3. Make the following curl call to retrieve the debug mask for the eval environment:

    export PROJECT_ID=$(gcloud config list --format 'value(core.project)'); echo "PROJECT_ID=${PROJECT_ID}"
    curl -i -H "Authorization: Bearer $(gcloud auth print-access-token)" -X GET "https://apigee.googleapis.com/v1/organizations/${PROJECT_ID}/environments/eval/debugmask"

    The token will be provided to the Apigee API in an Authorization header. The response should look similar to this:

    {
      "name": "organizations/qwiklabs-gcp-03-ffaa428b506d/environments/eval/debugmask"
    }

    The debug mask contains the name of the debug mask plus any variables or XPath or JSONPath paths that have been configured to be masked. When the environment is created, there are no masked items.

  4. To update the debug mask, use the following curl call:

    export PROJECT_ID=$(gcloud config list --format 'value(core.project)'); echo "PROJECT_ID=${PROJECT_ID}"
    curl -i -H "Authorization: Bearer $(gcloud auth print-access-token)" -X PATCH "https://apigee.googleapis.com/v1/organizations/${PROJECT_ID}/environments/eval/debugmask" -H "Content-Type: application/json" -d '{ "variables": [ "request.header.securitycode" ], "requestJSONPaths": [ "$.ccnum" ] }'

    The response to the curl call should look similar to this:

    {
      "name": "organizations/qwiklabs-gcp-03-ffaa428b506d/environments/eval/debugmask",
      "requestJSONPaths": [
        "$.ccnum"
      ],
      "variables": [
        "request.header.securitycode"
      ]
    }

    This is the new debug mask. The PATCH command updated the debug mask with two items:

    • A variable named request.header.securitycode
    • A request JSONPath of $.ccnum

    A header named securitycode would be masked. The JSONPath indicates that in any incoming JSON request payload, a field named ccnum at the top level will be masked.

  5. Return to the Debug tab and start a new debug session.

  6. In the Cloud Shell SSH session, send the following curl command:

    curl -i -k -X PATCH "https://eval.example.com/lab6a/v1?user=joe&pw=abc123" -H "Content-Type: application/json" -H "SecurityCode: secret" -d '{ "ccnum": "0123-4567-7654-3210" }'

    Note: Header names are case-insensitive. Any capitalization of "securitycode" would be masked. Fields within JSON are case-sensitive, so the case must match exactly for a JSON field to be masked.

  7. In Debug, click the PATCH request, and then click Proxy Request Flow Started.

    In the Proxy Request Flow Started pane, you can see that the securitycode header and the ccnum JSON fields have been replaced with asterisks.
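To make the rules from Task 5 and Task 6 concrete, here is an added example (not part of the lab and not Apigee's code) that models what the Debug tool would display once private variables and the debug mask above are in effect. The real masking happens inside the Apigee runtime; this model only reproduces the behaviour the lab states: private.* variables are never shown, a variable listed in the mask's variables is replaced with asterisks (header names matching case-insensitively), and a "$.field" entry in requestJSONPaths masks that top-level field of a JSON body with a case-sensitive name match. The function names, the MASK string and the sample request data are constructed for this example.

```python
"""Simplified model of the Apigee Debug view after private variables and a
debug mask are applied.  Added example, not Apigee's implementation: only the
rules stated in the lab are modelled, and only "$.field" JSONPaths are
supported.  Names, MASK and sample data are constructed here."""
import json
import re

MASK = "**********"            # stand-in for the asterisks shown in Debug
HEADER_PREFIXES = ("request.header.", "response.header.")


def is_private(name: str) -> bool:
    """Variables prefixed with "private." are dropped from the Debug view."""
    return name.startswith("private.")


def variable_is_masked(name: str, masked_names: list[str]) -> bool:
    """Header variables match case-insensitively; other variables exactly."""
    for masked in masked_names:
        if masked.lower().startswith(HEADER_PREFIXES):
            if masked.lower() == name.lower():
                return True
        elif masked == name:
            return True
    return False


def debug_variables(variables: dict[str, str], debug_mask: dict) -> dict[str, str]:
    """Return the flow variables as the Debug tool would show them."""
    masked_names = debug_mask.get("variables", [])
    shown = {}
    for name, value in variables.items():
        if is_private(name):
            continue                 # hidden entirely, regardless of the mask
        shown[name] = MASK if variable_is_masked(name, masked_names) else value
    return shown


def debug_payload(payload: str, debug_mask: dict) -> str:
    """Apply the mask's "$.field" requestJSONPaths to a JSON request body."""
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError:
        return payload               # not JSON: nothing for a JSONPath to mask
    if not isinstance(doc, dict):
        return payload
    for path in debug_mask.get("requestJSONPaths", []):
        m = re.fullmatch(r"\$\.([A-Za-z_][A-Za-z0-9_]*)", path)
        if m is None:
            raise ValueError(f"this model only supports '$.field' paths: {path}")
        field = m.group(1)
        if field in doc:             # top level only, case-sensitive name match
            doc[field] = MASK
    return json.dumps(doc)


def header_variables(headers: dict[str, str]) -> dict[str, str]:
    """Model how request headers surface as request.header.<name> variables."""
    return {f"request.header.{name}": value for name, value in headers.items()}


# Constructed sample mirroring the lab: the mask PATCHed in Task 6 and the
# request sent in step 6 of that task, plus the variables set by the
# EV-QueryParamTest policy from Task 4.
LAB_DEBUG_MASK = {
    "variables": ["request.header.securitycode"],
    "requestJSONPaths": ["$.ccnum"],
}
LAB_VARIABLES = {"username": "joe", "private.password": "abc123"}
LAB_HEADERS = {"Content-Type": "application/json", "SecurityCode": "secret"}
LAB_PAYLOAD = '{"ccnum": "0123-4567-7654-3210", "CCNUM": "not masked"}'


def lab_debug_view() -> dict:
    """What the Debug tool would show for the lab's PATCH request."""
    variables = {**LAB_VARIABLES, **header_variables(LAB_HEADERS)}
    return {
        "variables": debug_variables(variables, LAB_DEBUG_MASK),
        "payload": debug_payload(LAB_PAYLOAD, LAB_DEBUG_MASK),
    }


if __name__ == "__main__":
    print(json.dumps(lab_debug_view(), indent=2))
```

Running the block prints the masked view: private.password is absent, request.header.SecurityCode shows as asterisks even though the mask lists it in lower case, ccnum in the body is masked while the differently cased CCNUM is not. Passing a nested body such as {"card": {"ccnum": "..."}} to debug_payload leaves it untouched, which is why the lab's note that $.ccnum only covers the top level matters when choosing mask paths; and copying private.password into a non-private variable makes the value visible again, as the note in Task 5 warns.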

Congratulations!

In this lab, you used a private variable and a debug mask to hide data when debugging an API proxy.

End your lab

When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2025 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
