In order for the runtime plane and control plane to communicate, you must enable the required permissions for Synchronizer and analytics publisher access with the updateControlPlaneAccess API.
Get an authorization token
To make the Apigee API calls described later in this topic, you need to get an authorization token that has the Apigee Organization Admin role.
- If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid
organization, be sure that your Google Cloud user account has the roles/apigee.admin (Apigee
Organization Admin) role. You can check the roles assigned to you with this command:
gcloud projects get-iam-policy ${PROJECT_ID} \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:your_account_email"For example:
gcloud projects get-iam-policy my-project \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:myusername@example.com"
The output should include
roles/apigee.admin. - If you do not have
roles/apigee.admin, add the Apigee Organization Admin role to your user account. Use the following command to add the role to your user account:gcloud projects add-iam-policy-binding ${PROJECT_ID} \ --member user:your_account_email \ --role roles/apigee.adminFor example:
gcloud projects add-iam-policy-binding my-project \ --member user:myusername@example.com \ --role roles/apigee.admin
-
On the command line, get your
gcloudauthentication credentials using the following command:Linux / MacOS
export TOKEN=$(gcloud auth print-access-token)
To check that your token was populated, use
echo, as the following example shows:echo $TOKEN
This should display your token as an encoded string.
Windows
for /f "tokens=*" %a in ('gcloud auth print-access-token') do set TOKEN=%aTo check that your token was populated, use
echo, as the following example shows:echo %TOKEN%
This should display your token as an encoded string.
Enable synchronizer access
To enable synchronizer access:
- Get the email address for the service account to which you are granting synchronizer access.
For non-production environments (as suggested in this tutorial) it should be
apigee-non-prod. For production environments, it should beapigee-synchronizer. Use the following command:gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee-synchronizer" - Call the
updateControlPlaneAccess
API to enable the required permissions for Synchronizer using the following command:
No data residency
curl -X POST -H "Authorization: Bearer $TOKEN" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/${ORG_NAME}/controlPlaneAccess?update_mask=synchronizer_identities" \ -d '{ "synchronizer_identities": ["serviceAccount:apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com"]}'Where:
${ORG_NAME}: The name of your hybrid organization.apigee-synchronizer${ORG_NAME}.iam.gserviceaccount.com: The email address of the service account.
Data residency
curl -X POST -H "Authorization: Bearer $TOKEN" \ -H "Content-Type:application/json" \ "https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/${ORG_NAME}/controlPlaneAccess?update_mask=synchronizer_identities" \ -d '{ "synchronizer_identities": ["serviceAccount:apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com"]}'Where:
CONTROL_PLANE_LOCATION: The location for your control plane data if your hybrid installation uses data residency. This is location where customer core content like proxy bundles are stored. For a list see Available Apigee API control plane regions.${ORG_NAME}: The name of your hybrid organization.apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com: The email address of the service account.
- To verify that the service account was set, use the following command to call the API to get
a list of service accounts:
No data residency
curl -X GET -H "Authorization: Bearer $TOKEN" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/${ORG_NAME}/controlPlaneAccess"Data residency
curl -X GET -H "Authorization: Bearer $TOKEN" \ -H "Content-Type:application/json" \ "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/${ORG_NAME}/controlPlaneAccess"The output should look similar to the following:
{ "synchronizerIdentities": [ "serviceAccount:apigee-synchronizer@YOUR_ORG_NAME.iam.gserviceaccount.com" ] }
Enable analytics publisher access
Several Apigee hybrid runtime components publish analytics and debug records to provide information for reporting and debugging. To enable publishing this data, you need to grant additional permissions to the service accounts that run these apigee components to publish data directly to the control plane.
To enable analytics publisher access:
- Set permissions for the runtime service account to publish data to the control plane with the following command:
No data residency
curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess?update_mask=analytics_publisher_identities" \ -d '{ "analytics_publisher_identities": ["serviceAccount:apigee-runtime@$ORG_NAME.iam.gserviceaccount.com"]}'Data residency
curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type:application/json" \ "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess?update_mask=analytics_publisher_identities" \ -d '{ "analytics_publisher_identities": ["serviceAccount:apigee-runtime@$ORG_NAME.iam.gserviceaccount.com"]}'The response should look similar to the following:
{ "name": "organizations/YOUR_ORG_NAME/operations/8316aa78-c137-4733-92ec-cc0d2d92fd29", "metadata": { "@type": "type.googleapis.com/google.cloud.apigee.v1.OperationMetadata", "operationType": "UPDATE", "targetResourceName": "organizations/YOUR_ORG_NAME/controlPlaneAccess", "state": "IN_PROGRESS" } } - Verify state of the operation using the name parameter from the update response:
No data residency
curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/$ORG_NAME/operations/8316aa78-c137-4733-92ec-cc0d2d92fd29"
Data residency
curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type:application/json" \ "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/$ORG_NAME/operations/8316aa78-c137-4733-92ec-cc0d2d92fd29"
The response should look like the following:
{ "name": "organizations/YOUR_ORG_NAME/operations/8316aa78-c137-4733-92ec-cc0d2d92fd29", "metadata": { "@type": "type.googleapis.com/google.cloud.apigee.v1.OperationMetadata", "operationType": "UPDATE", "targetResourceName": "organizations/YOUR_ORG_NAME/controlPlaneAccess", "state": "FINISHED" }, "done": true, "response": { "@type": "type.googleapis.com/google.cloud.apigee.v1.ControlPlaneAccess", "name": "organizations/YOUR_ORG_NAME/controlPlaneAccess" } } - Verify the organization's ControlPlaneAccess configuration:
No data residency
curl "https://apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess" \ -H "Authorization: Bearer $(gcloud auth print-access-token)"
Data residency
curl "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess" \ -H "Authorization: Bearer $(gcloud auth print-access-token)"
The response should look like the following:
{ "synchronizerIdentities": [ "serviceAccount:apigee-synchronizer@YOUR_ORG_NAME.iam.gserviceaccount.com" ], "analyticsPublisherIdentities": [ "serviceAccount:apigee-runtime@YOUR_ORG_NAME.iam.gserviceaccount.com" ] }
You have now enabled your Apigee hybrid runtime and management planes to communicate. Next, install cert-manager to enable Apigee hybrid to interpret and manage certificates.