Per effettuare le chiamate API Apigee descritte più avanti in questo argomento, devi ottenere un token di autorizzazione con il ruolo Amministratore organizzazione Apigee.
Se non sei il proprietario del progetto Google Cloud associato alla tua organizzazione Apigee ibrida, assicurati che il tuo account utente Google Cloud abbia il ruolo roles/apigee.admin (Amministratore dell'organizzazione Apigee). Puoi controllare i ruoli assegnati a te con questo comando:
Se non disponi di roles/apigee.admin, aggiungi il ruolo Amministratore dell'organizzazione Apigee al tuo account utente. Utilizza il seguente comando per aggiungere il ruolo al tuo account utente:
Recupera l'indirizzo email dell'account di servizio a cui stai concedendo l'accesso al sincronizzatore.
Per gli ambienti non di produzione (come suggerito in questo tutorial), deve essere
apigee-non-prod. Per gli ambienti di produzione, deve essere
apigee-synchronizer. Utilizza il seguente comando:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee-synchronizer"
Chiama l'API
setSyncAuthorization
per abilitare le autorizzazioni richieste per Synchronizer utilizzando il seguente comando:
Per verificare che l'account di servizio sia stato impostato, utilizza il seguente comando per chiamare l'API e ottenere un elenco di account di servizio:
Ora hai attivato la comunicazione tra i piani di gestione e di runtime di Apigee hybrid. Successivamente, installa cert-manager per consentire ad Apigee hybrid di interpretare e gestire i certificati.
[[["Facile da capire","easyToUnderstand","thumb-up"],["Il problema è stato risolto","solvedMyProblem","thumb-up"],["Altra","otherUp","thumb-up"]],[["Difficile da capire","hardToUnderstand","thumb-down"],["Informazioni o codice di esempio errati","incorrectInformationOrSampleCode","thumb-down"],["Mancano le informazioni o gli esempi di cui ho bisogno","missingTheInformationSamplesINeed","thumb-down"],["Problema di traduzione","translationIssue","thumb-down"],["Altra","otherDown","thumb-down"]],["Ultimo aggiornamento 2025-09-05 UTC."],[[["\u003cp\u003eAn authorization token with the Apigee Organization Admin role is required to make Apigee API calls.\u003c/p\u003e\n"],["\u003cp\u003eVerify your Google Cloud user account has the \u003ccode\u003eroles/apigee.admin\u003c/code\u003e role using a command line tool, and if not, add it using a provided command.\u003c/p\u003e\n"],["\u003cp\u003eRetrieve your \u003ccode\u003egcloud\u003c/code\u003e authentication credentials and set them as an environment variable, either \u003ccode\u003eTOKEN\u003c/code\u003e for Linux/MacOS or \u003ccode\u003e%TOKEN%\u003c/code\u003e for Windows.\u003c/p\u003e\n"],["\u003cp\u003eEnable synchronizer access by retrieving the service account email and using a \u003ccode\u003esetSyncAuthorization\u003c/code\u003e API call, which the appropriate command is provided depending on if data residency is enabled or not.\u003c/p\u003e\n"],["\u003cp\u003eConfirm the synchronizer service account was successfully set by calling the \u003ccode\u003egetSyncAuthorization\u003c/code\u003e API and checking the returned data.\u003c/p\u003e\n"]]],[],null,["# Step 7: Enable Synchronizer access\n\n| You are currently viewing version 1.13 of the Apigee hybrid documentation. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nGet an authorization token\n--------------------------\n\n\nTo make the Apigee API calls described later in this topic, you need to get an authorization\ntoken that has the Apigee Organization Admin role.\n\n1. If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid organization, be sure that your Google Cloud user account has the **roles/apigee.admin** (Apigee Organization Admin) role. You can check the roles assigned to you with this command: \n\n ```\n gcloud projects get-iam-policy ${PROJECT_ID} \\\n --flatten=\"bindings[].members\" \\\n --format='table(bindings.role)' \\\n --filter=\"bindings.members:your_account_email\"\n ```\n\n\n For example: \n\n ```transact-sql\n gcloud projects get-iam-policy my-project \\\n --flatten=\"bindings[].members\" \\\n --format='table(bindings.role)' \\\n --filter=\"bindings.members:myusername@example.com\"\n ```\n\n\n The output should include `roles/apigee.admin`.\n2. If you do not have `roles/apigee.admin`, add the **Apigee\n Organization Admin** role to your user account. Use the following command to add the role to your user account: \n\n ```\n gcloud projects add-iam-policy-binding ${PROJECT_ID} \\\n --member user:your_account_email \\\n --role roles/apigee.admin\n ```\n\n\n For example: \n\n ```\n gcloud projects add-iam-policy-binding my-project \\\n --member user:myusername@example.com \\\n --role roles/apigee.admin\n ```\n3. On the command line, get your `gcloud` authentication\n credentials using the following command:\n\n ### Linux / MacOS\n\n ```\n export TOKEN=$(gcloud auth print-access-token)\n ```\n\n To check that your token was populated, use `echo`, as the\n following example shows: \n\n ```\n echo $TOKEN\n ```\n\n This should display your token as an encoded string.\n\n ### Windows\n\n ```\n for /f \"tokens=*\" %a in ('gcloud auth print-access-token') do set TOKEN=%a\n ```\n\n To check that your token was populated, use `echo`, as the\n following example shows: \n\n ```\n echo %TOKEN%\n ```\n\n This should display your token as an encoded string.\n\nEnable synchronizer access\n--------------------------\n\n\nTo enable synchronizer access:\n\n1. Get the email address for the service account to which you are granting synchronizer access. For non-production environments (as suggested in this tutorial) it should be `apigee-non-prod`. For production environments, it should be `apigee-synchronizer`. Use the following command: \n\n ```\n gcloud iam service-accounts list --project ${PROJECT_ID} --filter \"apigee-synchronizer\"\n ```\n2. Call the [setSyncAuthorization](/apigee/docs/reference/apis/apigee/rest/v1/organizations/setSyncAuthorization) API to enable the required permissions for Synchronizer using the following command:\n\n ### No data residency\n\n ```\n curl -X POST -H \"Authorization: Bearer ${TOKEN}\" \\\n -H \"Content-Type:application/json\" \\\n \"https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:setSyncAuthorization\" \\\n -d \"{\\\"identities\\\":[\\\"serviceAccount:apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com\\\"]}\"\n ```\n\n\n Where:\n - **`${ORG_NAME}`**: The name of your hybrid organization.\n - **\u003cvar translate=\"no\"\u003eapigee-synchronizer\u003c/var\u003e`${ORG_NAME}.iam.gserviceaccount.com`**: The email address of the service account.\n\n ### Data residency\n\n ```\n curl -X POST -H \"Authorization: Bearer ${TOKEN}\" \\\n -H \"Content-Type:application/json\" \\\n \"https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/${ORG_NAME}:setSyncAuthorization\" \\\n -d \"{\\\"identities\\\":[\\\"serviceAccount:apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com\\\"]}\"\n ```\n\n\n Where:\n - **`CONTROL_PLANE_LOCATION`** : The location for your control plane data if your hybrid installation uses [data residency](/apigee/docs/api-platform/get-started/drz-concepts). This is location where customer core content like proxy bundles are stored. For a list see [Available Apigee API control plane regions](/apigee/docs/locations#available-apigee-api-control-plane-regions).\n - **`${ORG_NAME}`**: The name of your hybrid organization.\n - **\u003cvar translate=\"no\"\u003eapigee-synchronizer\u003c/var\u003e`${ORG_NAME}.iam.gserviceaccount.com`**: The email address of the service account.\n3. To verify that the service account was set, use the following command to call the API to get a list of service accounts:\n\n ### No data residency\n\n ```\n curl -X GET -H \"Authorization: Bearer $TOKEN\" \\\n -H \"Content-Type:application/json\" \\\n \"https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:getSyncAuthorization\"\n \n ```\n\n ### Data residency\n\n ```\n curl -X GET -H \"Authorization: Bearer $TOKEN\" \\\n -H \"Content-Type:application/json\" \\\n \"https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/${ORG_NAME}:getSyncAuthorization\"\n \n ```\n\n\n The output looks similar to the following: \n\n ```transact-sql\n {\n \"identities\":[\n \"serviceAccount:\u003cvar translate=\"no\"\u003eapigee-synchronizer\u003c/var\u003e@\u003cvar translate=\"no\"\u003emy_project_id\u003c/var\u003e.iam.gserviceaccount.com\"\n ],\n \"etag\":\"BwWJgyS8I4w=\"\n }\n ```\n | **Note:** The call to the Apigee API uses \u003cvar translate=\"no\"\u003e${ORG_NAME}\u003c/var\u003e, and the results from the IAM service account mappings use \u003cvar translate=\"no\"\u003emy_project_id\u003c/var\u003e. In most cases, the values are the same. One uncommon exception is when using a [multi-org cluster](/apigee/docs/hybrid/latest/multi-org), where there would be more than one org name, and the service accounts could be different per org.\n\nYou have now enabled your Apigee hybrid runtime and management planes to\ncommunicate. Next, install cert-manager to enable Apigee hybrid to interpret and manage\ncertificates.\n\nNext step\n---------\n\n\u003cbr /\u003e\n\n[1](/apigee/docs/hybrid/v1.13/install-create-cluster) [2](/apigee/docs/hybrid/v1.13/install-download-charts) [3](/apigee/docs/hybrid/v1.13/install-create-namespace) [4](/apigee/docs/hybrid/v1.13/install-service-accounts) [5](/apigee/docs/hybrid/v1.13/install-create-tls-certificates) [6](/apigee/docs/hybrid/v1.13/install-create-overrides) [7](/apigee/docs/hybrid/v1.13/install-enable-synchronizer-access) [(NEXT) Step 8: Install cert-manager](/apigee/docs/hybrid/v1.13/install-cert-manager) [9](/apigee/docs/hybrid/v1.13/install-crds) [10](/apigee/docs/hybrid/v1.13/install-helm-charts) [11](/apigee/docs/hybrid/v1.13/install-workload-identity)\n\n\u003cbr /\u003e"]]