Step 4: Create service accounts

Overview

This step explains how to create the Google Cloud service accounts that are required for Apigee hybrid to operate, and assign the appropriate IAM roles to them.

This procedure uses the following two environment variables defined in Step 2: Download the Apigee Helm charts. These variables are optional. If you did not define them, substitute the appropriate directory path for each variable in the code samples.

$APIGEE_HELM_CHARTS_HOME: The directory where you downloaded the Apigee Helm charts, defined in Step 2: Download the Apigee Helm charts.
$PROJECT_ID: Your Google Cloud project ID, defined in Part 1: Project and Org setup--Step 1: Enable APIs.

Production vs. non-production environments

This guide refers to Production ("Prod") and Non-production ("Non-prod") installations. A production installation is tuned for greater usage capacity, storage, and scalability. A non-production installation uses fewer resources and is mainly for learning and demonstration purposes.

When you create and configure service accounts for Apigee hybrid, it is important to be aware of the type of installation you are targeting.

For production installations, we recommend creating a separate service account for each Apigee hybrid component. For example, runtime, mart, metrics, udca, and so on each get their own service account.

For non-prod installations, you can create a single service account that applies to all the components.

To learn more about the service accounts used by Apigee and the roles they are assigned, see Service accounts and roles used by hybrid components.

Authenticating service accounts

Apigee hybrid supports three methods of authenticating Google service accounts:

Workload Identity on AKS, EKS, or GKE

For Apigee hybrid installations on GKE, Google Cloud offers an option called Workload Identity to authenticate hybrid runtime components. This option does not use downloaded certificate files to authenticate the service accounts, Instead, it associates the Google Cloud service accounts that you create in this step with Kubernetes service accounts in the Kubernetes cluster. See Enabling Workload Identity on GKE or Enabling Workload Identity Federation on AKS and EKS

Create the service accounts

Apigee hybrid uses the following service accounts:

Prod

Service account	IAM roles	Apigee Helm chart
`apigee-cassandra`	Storage Object Admin	`apigee-datastore`
`apigee-logger`	Logs Writer	`apigee-telemetry`
`apigee-mart`	Apigee Connect Agent	`apigee-org`
`apigee-metrics`	Monitoring Metric Writer	`apigee-telemetry`
`apigee-runtime`	No role required	`apigee-env`
`apigee-synchronizer`	Apigee Synchronizer Manager	`apigee-env`
`apigee-udca`	Apigee Analytics Agent	`apigee-org` `apigee-env`
`apigee-watcher`	Apigee Runtime Agent	`apigee-org`

Non-prod

Service account	IAM roles	Apigee Helm chart
`apigee-non-prod`	Storage Object Admin Logs Writer Apigee Connect Agent Monitoring Metric Writer Apigee Synchronizer Manager Apigee Analytics Agent Apigee Runtime Agent	`apigee-datastore` `apigee-telemetry` `apigee-org` `apigee-env`

The `create-service-account` tool

Apigee provides a tool, create-service-account, in the apigee-operator/etc/tools directory:

$APIGEE_HELM_CHARTS_HOME/
    └── apigee-operator/
        └── etc/
            └── tools/
                └── create-service-account

This tool creates the service accounts, assigns the IAM roles to each account, and downloads the certificate files in JSON format for each account.

Verify you can execute create-service-account. If you have just downloaded the charts the create-service-account file might not be in an executable mode. In your APIGEE_HELM_CHARTS_HOME directory run the following command:

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account --help

If your output says permission denied you need to make the file executable, for example with chmod in Linux, MacOS, or UNIX or in the Windows Explorer or with the icacls command in Windows. For example:

chmod +x $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account

Create the service accounts

Because Helm does not support referencing files outside of the chart directory, you will create each service account certificate file in the chart directory for the corresponding hybrid component.

For the next steps choose whether you are configuring a Production or Non-production installation.

Prod

Make sure the PROJECT_ID environment variable is defined.
```
echo $PROJECT_ID
```
The create-service-account tool uses the value of thePROJECT_ID environment variable. If it is not defined, either define it with your ID of your Google Cloud Project ID or add the --project-id PROJECT_ID flag to the create-service-account commands.

Create the service accounts with the following commands, where $APIGEE_HELM_CHARTS_HOME is the path where you downloaded the Apigee Helm charts. You may be prompted to create each service account. Respond with y.

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --profile apigee-cassandra \
  --env prod \
  --dir $APIGEE_HELM_CHARTS_HOME/apigee-datastore

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --profile apigee-logger \
  --env prod \
  --dir $APIGEE_HELM_CHARTS_HOME/apigee-telemetry

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --profile apigee-mart \
  --env prod \
  --dir $APIGEE_HELM_CHARTS_HOME/apigee-org

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --profile apigee-metrics \
  --env prod \
  --dir $APIGEE_HELM_CHARTS_HOME/apigee-telemetry

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --profile apigee-runtime \
  --env prod \
  --dir $APIGEE_HELM_CHARTS_HOME/apigee-env

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --profile apigee-synchronizer \
  --env prod \
  --dir $APIGEE_HELM_CHARTS_HOME/apigee-env

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --profile apigee-udca \
  --env prod \
  --dir $APIGEE_HELM_CHARTS_HOME/apigee-env

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --profile apigee-udca \
  --env prod \
  --dir $APIGEE_HELM_CHARTS_HOME/apigee-org

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --profile apigee-watcher \
  --env prod \
  --dir $APIGEE_HELM_CHARTS_HOME/apigee-org

Copy the apigee-udca JSON file to the apigee-env chart directory. It is needed for both org-scope and env-scope operations.
```
cp $APIGEE_HELM_CHARTS_HOME/apigee-org/$PROJECT_ID-apigee-udca.json $APIGEE_HELM_CHARTS_HOME/apigee-env/
```

Verify that the service account files were created in the correct directories by checking the contents of each chart's directory. Your output should look like:

ls ./apigee-datastore
Chart.yaml  PROJECT_ID-apigee-cassandra.json  templates  values.yaml

ls ./apigee-telemetry
Chart.yaml  PROJECT_ID-apigee-logger.json  PROJECT_ID-apigee-metrics.json  templates  values.yaml

ls ./apigee-org
Chart.yaml                      PROJECT_ID-apigee-udca.json     templates
PROJECT_ID-apigee-mart.json  PROJECT_ID-apigee-watcher.json  values.yaml

ls ./apigee-env
Chart.yaml  PROJECT_ID-apigee-runtime.json  PROJECT_ID-apigee-synchronizer.json my_project_id-apigee-udca.json  templates  values.yaml

Tip: You can also verify the location of the service account files with the following tree command:

tree -P *.json

Non-prod

Make sure the PROJECT_ID environment variable is defined.
```
echo $PROJECT_ID
```
The create-service-account tool uses the value of thePROJECT_ID environment variable. If it is not defined, either define it with your ID of your Google Cloud Project ID or add the --project-id PROJECT_ID flag to the create-service-account commands.
Create the service account with the following command, where $APIGEE_HELM_CHARTS_HOME is the path where you downloaded the Apigee Helm charts. You may be prompted to create each service account. Respond with y.
```
$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --env non-prod \
  --dir $APIGEE_HELM_CHARTS_HOME/apigee-datastore
```

Verify the name of the service account file created in the apigee-datastore directory:

ls $APIGEE_HELM_CHARTS_HOME/apigee-datastore

Chart.yaml  PROJECT_ID-apigee-non-prod.json  templates  values.yaml

Copy the service account file to the other chart directories that will need to refer to it:

cp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/SA_FILE_NAME.json $APIGEE_HELM_CHARTS_HOME/apigee-telemetry/

cp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/SA_FILE_NAME.json $APIGEE_HELM_CHARTS_HOME/apigee-org/

cp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/SA_FILE_NAME.json $APIGEE_HELM_CHARTS_HOME/apigee-env/

For more information about service accounts and the create-service-account tool see:

You now have created service accounts and assigned the roles needed by the Apigee hybrid components. Next, create the TLS certificates required by the hybrid ingress gateway.

Next step

1 2 3 4 (NEXT) Step 5: Create TLS certificates 6 7 8 9 10 11

Step 4: Create service accounts

Overview

Production vs. non-production environments

Authenticating service accounts

Workload Identity on AKS, EKS, or GKE

Create the service accounts

Prod

Non-prod

The create-service-account tool

Create the service accounts

Prod

Non-prod

Next step

The `create-service-account` tool