Apigee hybrid provides validation that ensures the location of your service accounts' keys are correct and that the accounts have the proper permissions in your Google Cloud project. This validation is enabled by default.
This section describes how to enable or disable service account validation. In addition, this step ensures that you have the proper APIs enabled for your Google Cloud project so that validation works.
Enable service account permission validation
To enable permission validation:
- Be sure the
Cloud Resource Manager API is enabled for your Google Cloud project:
- Open the Google Cloud console and log in with the account you created in Step 1: Create a Google Cloud account.
- Select the project that you created in Step 2: Create a Google Cloud project.
- Select APIs & Services > Library.
- Search for "Cloud Resource Manager".
- Locate the Cloud Resource Manager API service and click on it.
- If it is not enabled, click Enable.
You can also enable the API using gcloud:
gcloud services enable cloudresourcemanager.googleapis.com --project GCP_PROJECT_ID
- In your overrides file, add the
validateServiceAccounts
property and set it totrue
. For example:... # Enables strict validation of service account permissions. validateServiceAccounts: true ...
When validation is enabled, any time you apply configuration changes to the
Apigee hybrid runtime components to your cluster, the Helm chart or apigeectl
validates the service account keys that are included in your
overrides file.
Troubleshooting validation errors
If validation fails, the runtime deployment stops, and helm upgrade
/
helm install
or apigeectl init
/ apigeectl apply
exits. To troubleshoot service account failure, it's helpful to know that validation checks
permissions in this order:
- Permission on the project ID.
- (For UDCA and Synchronizer only) If the permission check on the project fails, validation
proceeds to check permission against the Apigee environment's
IAM policy. These SAs are
environment scoped and environments support finer-grained permissions.
To update the IAM policy for a specific environment, go to the hybrid UI. Go to Admin > Environments > Access
For example, the following is an error message for a failed permission check:
Invalid Metrics Service Account. Service Account "apigee-metrics@hybrid-project.iam.gserviceaccount.com" is missing 1 or more required permissions [monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.list monitoring.timeSeries.create]. Visit Service accounts and roles used by hybrid components for more details on setting up Apigee hybrid service account permissions.
To address this error, add the required roles to the service account. For information on creating and modifying service accounts, see Create the service accounts. To check the required permissions for each Apigee hybrid component, see Service accounts and roles used by hybrid components.
Disable permission validation
To disable service account permission validation, set the validationServiceAccounts
property in your overrides file to false
, as the following example shows:
... # Enables strict validation of service account permissions. validateServiceAccounts: false ...