Stay organized with collections Save and categorize content based on your preferences.

Creates Google Cloud Platform service accounts with roles that allow individual Apigee hybrid components to make authorized API calls and downloads the associated service account key files. You can use the service account key files generated by this command in your configuration overrides file.

The create-service-account tool is located in HYBRID_ROOT_DIR/tools directory.


The create-service-account tool requires that the gcloud CLI be installed. Users invoking the utility should have the role Service Account Admin.

To get started, be sure your gcloud project configuration is set to the project you created in Step 2: Create a Google Cloud project:

gcloud config list project

If you need to change the current project ID, use the following command:

gcloud config set project GC_PROJECT_ID

Where GC_PROJECT_ID is the project created in Step 2: Create a Google Cloud project.

create-service-account syntax

The create-service-account tool uses the following syntax:



  • HYBRID_SERVICE: Specifies the hybrid service that uses the service account. Valid values are:
    • apigee-cassandra
    • apigee-distributed-trace
    • apigee-logger
    • apigee-mart
    • apigee-metrics
    • apigee-synchronizer
    • apigee-udca
    • apigee-watcher

    Note that the create-service-account tool cannot create the apigee-org-admin service account. You must create that either with gcloud APIs, as described in Create service accounts.

  • OUTPUT_DIR: The output directory in which to store the downloaded service account key.
  • GCP_PROJECT_ID: (Optional) Specifies the Google Cloud project ID of the project that is bound to your hybrid-enabled organization. If the Google Cloud project ID is not provided, the tool attempts to retrieve it from the current gcloud configuration.

Detailed description

The create-service-account tool:

  • Creates Google Cloud service accounts used by hybrid components. The created service account is granted the role required by the specific component to operate.
  • Downloads the service account key to your system. You place the service account keys in your hybrid configuration overrides file, as explained in the hybrid installation instructions.

The tool creates service accounts for the following components:

Component* Role Required for basic install? Description
apigee-cassandra Storage Object Admin
Allows Cassandra backups to Cloud Storage, as described in Backup and recovery.
apigee-distributed-trace Cloud Trace Agent
Allows the hybrid runtime plane to participate in distributed request tracing in a format compatible with systems like Google Cloud Trace and Jaeger.
apigee-logger Logs Writer
Allows logging data collection, as described in Logging. Only required for non-GKE cluster installations.
apigee-mart Apigee Connect Agent
Allows MART service authentication. The Apigee Connect Agent role allows it to communicate securely with the Apigee Connect process, as described in Using Apigee Connect.
apigee-metrics Monitoring Metric Writer
Allows metrics data collection, as described in Metrics collection overview.
apigee-synchronizer Apigee Synchronizer Manager
Allows the synchronizer to download proxy bundles and environment configuration data. Also enables operation of the trace feature.
apigee-udca Apigee Analytics Agent
Allows the transfer of trace, analytics and deployment status data to the management plane.
apigee-watcher Apigee Runtime Agent
Apigee Watcher pulls virtual hosts related changes for an org from synchronizer and makes necessary changes to configure istio ingress.
* This name is used in the downloaded service account key's filename.

You can also create service accounts in the Google Cloud console. See also Creating and managing service accounts.


The following example creates a new service account for the apigee-logger service and places the downloaded key in the ./service-accounts directory.

./my-hybrid-root/tools/create-service-account apigee-logger ./service-accounts