Stay organized with collections Save and categorize content based on your preferences.

Creates Google Cloud Platform (GCP) service accounts with roles that allow individual Apigee hybrid components to make authorized API calls and downloads the associated service account key files. You can use the service account key files generated by this command in your configuration overrides file.

The create-service-account tool is located in hybrid_root_dir/tools directory.


The create-service-account tool requires that the gcloud CLI be installed. Users invoking the utility should have the role Service Account Admin.

To get started, be sure your gcloud project configuration is set to the project you created in Step 2: Create a Google Cloud project:

gcloud config list project

If you need to change the current project ID, use this command:

gcloud config set project gcp_project_id

Where gcp_project_id is the project created in Step 2: Create a Google Cloud project.

create-service-account syntax

The create-service-account tool uses the following syntax:

create-service-account component_name output_dir [gcp_project_id]


  • component_name: Specifies the hybrid service that uses the service account. Valid values are:
    • apigee-cassandra
    • apigee-distributed-trace
    • apigee-logger
    • apigee-mart
    • apigee-metrics
    • apigee-synchronizer
    • apigee-udca
    • apigee-watcher

    Note that the create-service-account tool cannot create the apigee-org-admin service account. You must create that either with the GCP or gCloud APIs, as described in Create service accounts.

  • output_dir: The output directory in which to store the downloaded service account key.
  • gcp_project_id: (Optional) Specifies the GCP project ID of the project that is bound to your hybrid-enabled organization. If the GCP project ID is not provided, the tool attempts to retrieve it from the current gcloud configuration.

Detailed description

The create-service-account tool:

  • Creates GCP service accounts used by hybrid components. The created service account is granted the role required by the specific component to operate.
  • Downloads the service account key to your system. You place the service account keys in your hybrid configuration overrides file, as explained in the hybrid installation instructions.

The tool creates service accounts for the following components:

Component* Role Required for basic install? Description
apigee-cassandra Storage Object Admin Allows Cassandra backups to Cloud Storage, as described in Backup and recovery.
apigee-logger Logs Writer Allows logging data collection, as described in Logging. Only required for non-GKE cluster installations.
apigee-mart Apigee Connect Agent Allows MART service authentication. The Apigee Connect Agent role alows it to communicate securely with the Apigee Connect process, as described in Using Apigee Connect.
apigee-metrics Monitoring Metric Writer Allows metrics data collection, as described in Metrics collection overview.
apigee-synchronizer Apigee Synchronizer Manager Allows the synchronizer to download proxy bundles and environment configuration data. Also enables operation of the trace feature.
apigee-udca Apigee Analytics Agent Allows the transfer of trace, analytics and deployment status data to the management plane.
apigee-watcher Apigee Runtime Agent Apigee Watcher pulls virtual hosts related changes for an org from synchronizer and makes necessary changes to configure istio ingress.
* This name is used in the downloaded service account key's filename.

You can also create service accounts in the GCP Console. See also Creating and managing service accounts.


The following example creates a new service account for the apigee-logger service and places the downloaded key in the ./service-accounts directory.

./my-hybrid-root/tools/create-service-account apigee-logger ./service-accounts