Creates Google Cloud Platform service accounts with roles that allow individual Apigee hybrid components to make authorized API calls and downloads the associated service account key files. You can use the service account key files generated by this command in your configuration overrides file.
create-service-account tool is located in
create-service-account tool requires that the
gcloud CLI be
installed. Users invoking the utility should have the role
Service Account Admin.
To get started, be sure your
configuration is set to the project you created in Step 2: Create a Google Cloud project:
gcloud config list project
If you need to change the current project ID, use the following command:
gcloud config set project GC_PROJECT_ID
Where GC_PROJECT_ID is the project created in Step 2: Create a Google Cloud project.
create-service-account tool uses the following syntax:
create-service-account HYBRID_SERVICE OUTPUT_DIR [GC_PROJECT_ID]
- HYBRID_SERVICE: Specifies the hybrid service that uses the service account. Valid
Note that the
create-service-accounttool cannot create the
apigee-org-adminservice account. You must create that either with
gcloudAPIs, as described in Create service accounts.
- OUTPUT_DIR: The output directory in which to store the downloaded service account key.
- GCP_PROJECT_ID: (Optional) Specifies the Google Cloud project ID of the project
that is bound to your hybrid-enabled organization. If the Google Cloud project ID is not
provided, the tool attempts to retrieve it from the current
- Creates Google Cloud service accounts used by hybrid components. The created service account is granted the role required by the specific component to operate.
- Downloads the service account key to your system. You place the service account keys in your hybrid configuration overrides file, as explained in the hybrid installation instructions.
The tool creates service accounts for the following components:
|Component*||Role||Required for basic install?||Description|
||Storage Object Admin
||Allows Cassandra backups to Cloud Storage, as described in Backup and recovery.|
||Cloud Trace Agent
||Allows the hybrid runtime plane to participate in distributed request tracing in a format compatible with systems like Google Cloud Trace and Jaeger.|
||Allows logging data collection, as described in Logging. Only required for non-GKE cluster installations.|
||Apigee Connect Agent
||Allows MART service authentication. The Apigee Connect Agent role allows it to communicate securely with the Apigee Connect process, as described in Using Apigee Connect.|
||Monitoring Metric Writer
||Allows metrics data collection, as described in Metrics collection overview.|
||Apigee Synchronizer Manager
||Allows the synchronizer to download proxy bundles and environment configuration data. Also enables operation of the trace feature.|
||Apigee Analytics Agent
||Allows the transfer of trace, analytics and deployment status data to the management plane.|
||Apigee Runtime Agent
||Apigee Watcher pulls virtual hosts related changes for an org from synchronizer and makes necessary changes to configure istio ingress.|
|* This name is used in the downloaded service account key's filename.|
You can also create service accounts in the Google Cloud Console. See also Creating and managing service accounts.
The following example creates a new service account for the
service and places the downloaded key in the
./my-hybrid-root/tools/create-service-account apigee-logger ./service-accounts