About Apigee provisioning permissions

You're viewing Apigee X documentation.
View Apigee Edge documentation.

This document describes the Google Cloud IAM permissions that are required to successfully provision Apigee X. You can use predefined roles to ensure sufficient permission to do the provisioning steps, or you can create finer-grained custom roles to give the Apigee administrator the least necessary priviledge needed to provision Apigee X.

Google Cloud project owner

The owner of the Google Cloud project that is used for Apigee provisioning has permission to perform all of the Apigee provisioning steps. If the Apigee provisioner is not the project owner, then use this document to determine the permissions needed to perform each of the provioning steps.

Predefined roles

If you just want to make sure the Apigee administrator has sufficient permission to complete the provisioning, give the Apigee administrator the following predefined roles:

Role	Required for steps	Account type	Purpose
Apigee Organization Admin `apigee.admin`	Start and using the Apigee provisioning UI Create an organization Create an environment Create an Apigee instance	Paid and eval	Grants full access to all Apigee resource features.
Service Usage Admin `serviceusage.serviceUsageAdmin`	Enable APIs	Paid and eval	Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.
Cloud KMS Admin `cloudkms.admin`	Create an organization Configure a runtime instance	Paid only	Creating Cloud KMS keys and keyrings.
Compute Network Admin `compute.networkAdmin`	Create an organization Configure a runtime instance Configure service networking Configure access routing (to create the external HTTPS load balancer)	Paid and eval	Listing Compute regions, setting up service networking, and creating the external HTTPS load balancer.

Provisioning wizard permissions

These permissions are required to start and use the Apigee provisioning wizard:

Role	Account type	Purpose
`apigee.environments.create` `apigee.environments.get` `apigee.environments.list` `apigee.envgroups.create` `apigee.envgroups.get` `apigee.envgroups.list` `apigee.envgroupattachments.create` `apigee.envgroupattachments.list` `apigee.instances.create` `apigee.instances.get` `apigee.instances.list` `apigee.instanceattachments.create` `apigee.instanceattachments.get` `apigee.instanceattachments.list` `apigee.organizations.create` `apigee.organizations.get` `apigee.organizations.update` `apigee.projects.update`	Paid and eval	Start and using the Apigee provisioning UI Create an organization Create an environment Create an Apigee instance

API enablement permissions

These permissions are required to enable Google Cloud APIs:

Role	Account type	Purpose
`serviceusage.services.get` `serviceusage.services.enable`	Paid and eval	Enabling Google Cloud APIs

Organization creation permissions (paid org)

These permissions are needed to create an Apigee organization for paid accounts:

Permissions	Account type	Purpose
`compute.regions.list`	Paid only	Selecting an analytics hosting location
`cloudkms.cryptoKeys.list` `cloudkms.locations.list` `cloudkms.keyRings.list`	Paid only	Selecting a runtime database encryption key
`cloudkms.cryptoKeys.create` `cloudkms.keyRings.create`	Paid only	Creating a runtime database encryption key
`cloudkms.cryptoKeys.getIamPolicy` `cloudkms.cryptoKeys.setIamPolicy`	Paid only	Granting Apigee service account permission to use an encryption key

Organization creation permissions (eval org)

This permission is required for selecting analytics and runtime hosting regions for an eval organization:

Permissions	Account type	Purpose
`compute.regions.list`	Eval organizations only	Selecting analytics and runtime hosting regions

Service networking permissions

These permissions are needed in the service networking configuration steps. If you are using Shared VPC networking, see Service networking permissions with Shared VPC.

Permissions	Account type	Purpose
`compute.globalAddresses.createInternal` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalAddresses.use` `compute.networks.get` `compute.networks.list` `compute.networks.use` `compute.projects.get` `servicenetworking.operations.get` `servicenetworking.services.addPeering` `servicenetworking.services.get`	Paid and eval	These permissions are required to perform the tasks in the service networking configuration step. Note: If you are using Shared Virtual Private Cloud (VPC) networking, see Service networking permissions with Shared VPC.

Service networking permissions with Shared VPC

If you are using Shared Virtual Private Cloud (VPC) networking, a user with administrative privileges in the Shared VPC project must peer the Shared VPC project with Apigee, as described in Configuring Shared VPC with Apigee X. Peering must be completed before the Apigee admin can complete the service networking steps. See also Administrators and IAM.

When Shared VPC is properly set up, the Apigee admin needs these permissions to complete the service networking configuration steps:

Permissions	Account type	Purpose
`compute.projects.get`	Paid and eval	The Apigee admin must have this permission in the project where Apigee is installed. This permission allows the admin to view the Shared VPC host project ID.
Compute Network User role (`compute.networkUser`)	Paid and eval	The Apigee admin must be granted this role in the Shared VPC host project. This role allows the admin to view and select the Shared VPC network in the Apigee provisioning UI.

Runtime instance permissions

These permissions are needed to create runtime instance (paid accounts only):

Permissions	Account type	Purpose
`compute.regions.list`	Paid only	Selecting a runtime hosting location
`cloudkms.cryptoKeys.list` `cloudkms.locations.list` `cloudkms.keyRings.list`	Paid only	Selecting a runtime disk encryption key
`cloudkms.cryptoKeys.create` `cloudkms.keyRings.create`	Paid only	Creating a runtime disk encryption key
`cloudkms.cryptoKeys.getIamPolicy` `cloudkms.cryptoKeys.setIamPolicy`	Paid only	Granting Apigee service account permission to use an encryption key

Access routing permissions

These permissions are needed for the access routing steps:

Permissions	Account type	Purpose
`compute.autoscalers.create` `compute.backendServices.create` `compute.backendServices.use` `compute.disks.create` `compute.globalAddresses.create` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalAddresses.use` `compute.globalForwardingRules.create` `compute.globalOperations.get` `compute.firewalls.create` `compute.firewalls.get` `compute.healthChecks.create` `compute.healthChecks.useReadOnly` `compute.images.get` `compute.images.useReadOnly` `compute.instances.create` `compute.instances.setMetadata` `compute.instanceGroups.use` `compute.instanceGroupManagers.create` `compute.instanceGroupManagers.use` `compute.instanceTemplates.get` `compute.instanceTemplates.create` `compute.instanceTemplates.useReadOnly` `compute.networks.get` `compute.networks.list` `compute.networks.updatePolicy` `compute.networks.use` `compute.regionOperations.get` `compute.sslCertificates.create` `compute.sslCertificates.get` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.setPrivateIpGoogleAccess` `compute.subnetworks.use` `compute.targetHttpsProxies.create` `compute.targetHttpsProxies.use` `compute.urlMaps.create` `compute.urlMaps.use`	Paid and eval	Configuring basic access routing Note: If you are using Shared Virtual Private Cloud (VPC) networking, see Access routing permissions with Shared VPC.

Access routing permissions with Shared VPC

If you are using Shared Virtual Private Cloud (VPC) networking, be aware that the Shared VPC configuration and peering must be completed before you can perform the access routing step.

After the Shared VPC is set up properly, the Apigee admin requires the compute.networkUser role in the Shared VPC project to complete the access routing steps. See also Required administrative roles for Shared VPC.