Service account validation

Apigee hybrid provides validation that ensures the location of your service accounts' keys are correct and that the accounts have the proper permissions in your Google Cloud project. This validation is enabled by default.

This section describes how to enable or disable service account validation. In addition, this step ensures that you have the proper APIs enabled for your Google Cloud project so that validation works.

Enable service account permission validation

To enable permission validation:

  1. Be sure the Cloud Resource Manager API is enabled for your Google Cloud project:
    1. Open the Google Cloud console and log in with the account you created in Step 1: Create a Google Cloud account.
    2. Select the project that you created in Step 2: Create a Google Cloud project.
    3. Select APIs & Services > Library.
    4. Search for "Cloud Resource Manager".
    5. Locate the Cloud Resource Manager API service and click on it.
    6. If it is not enabled, click Enable.

    You can also enable the API using gcloud:

    gcloud services enable cloudresourcemanager.googleapis.com --project GCP_PROJECT_ID
  2. In your overrides file, add the validateServiceAccounts property and set it to true. For example:
    ...
    # Enables strict validation of service account permissions.
    validateServiceAccounts: true
    ...

When validation is enabled, any time you apply configuration changes to the Apigee hybrid runtime components to your cluster, the Helm chart validates the service account keys that are included in your overrides file.

Troubleshooting validation errors

If validation fails, the runtime deployment stops, and helm upgrade or helm install exits. To troubleshoot service account failure, it's helpful to know that validation checks permissions in this order:

  1. Permission on the project ID.
  2. (For UDCA and Synchronizer only) If the permission check on the project fails, validation proceeds to check permission against the Apigee environment's IAM policy. These SAs are environment scoped and environments support finer-grained permissions.

    To update the IAM policy for a specific environment, go to the hybrid UI. Go to Admin > Environments > Access

For example, the following is an error message for a failed permission check:

Invalid Metrics Service Account. Service Account
"apigee-metrics@hybrid-project.iam.gserviceaccount.com" is missing 1 or more required
permissions [monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.list monitoring.timeSeries.create].
Visit Service accounts and roles used by
hybrid components for more details on setting up Apigee hybrid service account permissions.

To address this error, add the required roles to the service account. For information on creating and modifying service accounts, see Create the service accounts. To check the required permissions for each Apigee hybrid component, see Service accounts and roles used by hybrid components.

Disable permission validation

To disable service account permission validation, set the validationServiceAccounts property in your overrides file to false, as the following example shows:

...
# Enables strict validation of service account permissions.
validateServiceAccounts: false
...