Get an authorization token
To make the Apigee API calls described later in this topic, you need to get an authorization token that has the Apigee Organization Admin role.
- If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid
organization, be sure that your Google Cloud user account has the roles/apigee.admin (Apigee
Organization Admin) role. You can check the roles assigned to you with this command:
gcloud projects get-iam-policy ${PROJECT_ID} \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:your_account_email"
For example:
gcloud projects get-iam-policy my-project \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:myusername@example.com"
The output should include
roles/apigee.admin
. - If you do not have
roles/apigee.admin
, add the Apigee Organization Admin role to your user account. Use the following command to add the role to your user account:gcloud projects add-iam-policy-binding ${PROJECT_ID} \ --member user:your_account_email \ --role roles/apigee.admin
For example:
gcloud projects add-iam-policy-binding my-project \ --member user:myusername@example.com \ --role roles/apigee.admin
-
On the command line, get your
gcloud
authentication credentials using the following command:Linux / MacOS
export TOKEN=$(gcloud auth print-access-token)
To check that your token was populated, use
echo
, as the following example shows:echo $TOKEN
This should display your token as an encoded string.
Windows
for /f "tokens=*" %a in ('gcloud auth print-access-token') do set TOKEN=%a
To check that your token was populated, use
echo
, as the following example shows:echo %TOKEN%
This should display your token as an encoded string.
Enable synchronizer access
To enable synchronizer access:
- Get the email address for the service account to which you are granting synchronizer access.
For non-production environments (as suggested in this tutorial) it should be
apigee-non-prod
. For production environments, it should beapigee-synchronizer
. Use the following command:gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee-synchronizer"
- Call the
setSyncAuthorization
API to enable the required permissions for Synchronizer using the following command:
curl -X POST -H "Authorization: Bearer ${TOKEN}" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:setSyncAuthorization" \ -d '{"identities":["'"serviceAccount:apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com"'"]}'
Where:
${ORG_NAME}
: The name of your hybrid organization.apigee-synchronizer${ORG_NAME}.iam.gserviceaccount.com
: The email address of the service account.
- To verify that the service account was set, use the following command to call the API to get
a list of service accounts:
curl -X GET -H "Authorization: Bearer $TOKEN" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:getSyncAuthorization"
The output looks similar to the following:
{ "identities":[ "serviceAccount:apigee-synchronizer@my_project_id.iam.gserviceaccount.com" ], "etag":"BwWJgyS8I4w=" }
You have now enabled your Apigee hybrid runtime and management planes to communicate. Next, install cert-manager to enable Apigee hybrid to interpret and manage certificates.
1 2 3 4 5 6 7 (NEXT) Step 8: Install cert-manager 9 10 11 12