Creates Google Cloud Platform (GCP) service accounts with roles that allow individual Apigee hybrid components to make authorized API calls and downloads the associated service account key files. You can use the service account key files generated by this command in your configuration overrides file.
create-service-account tool is located in
create-service-account tool requires that the gcloud CLI be
installed. Users invoking the utility should have the role
Service Account Admin.
To get started, be sure your
configuration is set to the project you created in Step 2: Create a Google Cloud project:
gcloud config list project
If you need to change the current project ID, use this command:
gcloud config set project gcp_project_id
Where gcp_project_id is the project created in Step 2: Create a Google Cloud project.
create-service-account tool uses the following syntax:
create-service-account component-name output-dir [gcp_project_id]
- hybrid_service: Specifies the hybrid service that uses the service account. Valid
Note that the
create-service-accounttool cannot create the
apigee-org-adminservice account. You must create that either with the GCP or gCloud APIs, as described in Create service accounts.
- output_dir: The output directory in which to store the downloaded service account key.
- gcp_project_id: (Optional) Specifies the GCP project ID of the project that is bound to your hybrid-enabled organization. If the GCP project ID is not provided, the tool attempts to retrieve it from the current gcloud configuration.
- Creates GCP service accounts used by hybrid components. The created service account is granted the role required by the specific component to operate.
- Downloads the service account key to your system. You place the service account keys in your hybrid configuration overrides file, as explained in the hybrid installation instructions.
The tool creates service accounts for the following components:
|Component*||Role||Required for basic install?||Description|
||Storage Object Admin||Allows Cassandra backups to Cloud Storage (CS), as described in Backup and recovery.|
||Logs Writer||Allows logging data collection, as described in Logging. Only required for non-GKE cluster installations.|
||Apigee Connect Agent||Allows MART service authentication. The Apigee Connect Agent role alows it to communicate securely with the Apigee Connect process, as described in Using Apigee Connect.|
||Monitoring Metric Writer||Allows metrics data collection, as described in Metrics collection overview.|
||Apigee Organization Admin||Lets you call the getSyncAuthorization API and
setSyncAuthorization API. You cannot create this service account with the
||Apigee Synchronizer Manager||Allows the synchronizer to download proxy bundles and environment configuration data. Also enables operation of the trace feature.|
||Apigee Analytics Agent||Allows the transfer of trace, analytics and deployment status data to the management plane.|
||Apigee Runtime Agent||Apigee Watcher pulls virtual hosts related changes for an org from synchronizer and makes necessary changes to configure istio ingress.|
|* This name is used in the downloaded service account key's filename.|
You can also create service accounts in the GCP Console. See also Creating and managing service accounts.
The following example creates a new service account for the
service and places the downloaded key in the
./my-hybrid-root/tools/create-service-account apigee-logger ./service-accounts