Configure the Synchronizer

This section describes the Synchronizer.

In Apigee hybrid, the Synchronizer's primary job is to poll and download the runtime contracts which are supplied by the management plane. Information communicated by contract includes API proxies, API products, caches, and virtual hosts. Synchronizer by default stores environment configuration data in the Cassandra database.

Synchronizer instances running in the runtime-plane are expected to poll the management plane on a regular basis, download the contracts and make the same available to local runtime instances.

One Synchronizer can support many Message Processors deployed in the same pod.

You must grant the Synchronizer permission to pull down Apigee artifacts, such as proxy bundles and resources from the management plane. You must call an Apigee API to authorize the Synchronizer to pull artifacts down from the management plane to the runtime plane.

  1. Ensure that you have enabled the Apigee API as explained in the Google Cloud setup steps. For details, see Enable APIs.
  2. Locate the write-enabled Google Cloud service account key (a JSON file) that you downloaded as part of Create service accounts and credentials. The service account has the Apigee Org Admin role and is the one named "apigee-org-admin". If you did not previously create this service account, you must do so before continuing.
  3. Use the Apigee Org Admin service account key to generate an OAuth 2.0 access token. This token is required to authenticate the Apigee APIs.

    Use gcloud to obtain an OAuth 2.0 access token, passing the service account credentials JSON file that you downloaded using GOOGLE_APPLICATION_CREDENTIALS environment variable:

    export GOOGLE_APPLICATION_CREDENTIALS=your_sa_credentials_file.json
    gcloud auth application-default print-access-token

    An OAuth2.0 token is returned.

    For more information, see gcloud beta auth application-default print-access-token.

  4. Copy the OAuth 2.0 token returned and store it in a variable, such as TOKEN. For example:
    export TOKEN=ya29....Ts13inj3LrqMJlztwygtM
  5. Call the setSyncAuthorization API to enable the required permissions for Synchronizer:
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/YOUR_ORG_NAME:setSyncAuthorization" \
       -d '{"identities":["serviceAccount:SYNCHRONIZER_MANAGER_SERVICE_ACCOUNT_NAME"]}'
    

    Where:

    • YOUR_ORG_NAME: The name of the hybrid organization.
    • SYNCHRONIZER_MANAGER_SERVICE_ACCOUNT_NAME: The name of a service account with the Apigee Synchronizer Manager role. The name is formed like an email address. For example: my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com

    Example:

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
       -d '{"identities":["serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"]}'
    
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/YOUR_ORG_NAME:setSyncAuthorization" \
       -d '{"identities":["serviceAccount:SYNCHRONIZER_MANAGER_SERVICE_ACCOUNT_NAME"]}'
    

    Where:

    • YOUR_ORG_NAME: The name of the hybrid organization.
    • CONTROL_PLANE_LOCATION: The location for your control plane data if your hybrid installation uses data residency. This is location where customer core content like proxy bundles are stored. For a list see Available Apigee API control plane regions.
    • SYNCHRONIZER_MANAGER_SERVICE_ACCOUNT_NAME: The name of a service account with the Apigee Synchronizer Manager role. The name is formed like an email address. For example: my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com

    Example:

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://us-apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
       -d '{"identities":["serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"]}'
    

    For more information on this API, see setSyncAuthorization API.

  6. To verify that the service account was set, call the following API to get a list of service accounts:
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization" \
       -d ''
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization" \
       -d ''

    The output looks similar to the following:

    {
       "identities":[
          "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"
       ],
       "etag":"BwWJgyS8I4w="
    }