This step explains how to create the Google Cloud service accounts that are required for Apigee hybrid to operate.
Create the service accounts
Apigee hybrid uses Google Cloud service accounts to allow hybrid components to communicate by making authorized API calls.
In this step, you use an Apigee hybrid command-line tool to create a set of service accounts and download the service account private key files.
In a production hybrid environment, Apigee recommends using a separate service account for each component, so that each component holds only the roles it needs. For the purposes of this tutorial, you can create a single service account named "apigee-non-prod" that you can use for all components.
Apigee provides a tool, create-service-account, that creates the service accounts, assigns the roles to the service accounts, and creates and downloads the key files for the service accounts in a single command.
To learn more about service accounts and read the full list of service accounts recommended for production environments, see the following:
- To learn more about create-service-account and all its options, see create-service-account.
- To learn about the related Google Cloud concepts, see Creating and managing service accounts and Creating and managing service account keys.
- Make sure your HYBRID_FILES and PROJECT_ID environment variables are set. PROJECT_ID must be set to your Google Cloud project ID, because the create-service-account tool reads the PROJECT_ID environment variable to create the service accounts in the correct project.
    echo $HYBRID_FILES
    echo $PROJECT_ID
- Create a non-prod service account with the following command. This command creates a single service account named apigee-non-prod for use in non-production environments and places the downloaded key file in the $HYBRID_FILES/service-accounts directory.
    $HYBRID_FILES/tools/create-service-account --env non-prod --dir $HYBRID_FILES/service-accounts
  If you see the following prompt, enter y:
    [INFO]: gcloud configured project ID is project_id. Enter: y to proceed with creating service account in project: project_id Enter: n to abort.
If this is the first time you are creating an SA with a particular name assigned, then the tool creates it without further prompts.
  If, however, you see the following message and prompt, enter y to generate new keys:
    [INFO]: Service account apigee-non-prod@project_id.iam.gserviceaccount.com already exists. ... [INFO]: The service account might have keys associated with it. It is recommended to use existing keys. Press: y to generate new keys.(this does not deactivate existing keys) Press: n to skip generating new keys.
  Note that generating a new key does not deactivate the existing keys: every key that remains on the service account is still valid until you delete it, so remove any keys you no longer use.
- Verify that the service account key was created using the following command. You are responsible for storing these private keys securely: restrict the key file's permissions to your own user, and do not commit it to source control or copy it into container images. The key filenames are prefixed with the name of your Google Cloud project.
    ls $HYBRID_FILES/service-accounts
  The result should look something like the following:
    project_id-apigee-non-prod.json
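As an added example (not part of the Apigee page and not the create-service-account tool), the following POSIX shell script performs the post-creation checks a practitioner would want on a downloaded key file: the file exists, it is not readable by group or others, it is a service_account key, its client_email belongs to the expected service account in the expected project, and it actually contains private key material. The helper names verify_sa_key and write_sample_key are hypothetical, and the key file written by write_sample_key is a constructed, non-functional stand-in shaped like a real key, used only so the script runs offline.

```shell
#!/bin/sh
# Added example, not Apigee's tooling. Checks a downloaded service account
# key file the way you would after running create-service-account.

# verify_sa_key KEY_FILE PROJECT_ID SA_NAME
# Returns 0 when KEY_FILE exists, is readable only by its owner, is a
# "service_account" key, and its client_email is SA_NAME@PROJECT_ID.iam.gserviceaccount.com.
verify_sa_key() {
  key="$1"; project="$2"; sa="$3"
  expected_email="${sa}@${project}.iam.gserviceaccount.com"

  [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }

  # Columns 5-10 of ls -l are the group and other permission bits; any r/w/x
  # there means the private key is exposed beyond its owner (expected mode 600).
  if ls -ld "$key" | cut -c5-10 | grep -q '[rwx]'; then
    echo "permissions too open on $key (expected 600)" >&2
    return 1
  fi

  grep -q '"type": *"service_account"' "$key" ||
    { echo "not a service account key: $key" >&2; return 1; }
  grep -q "\"client_email\": *\"$expected_email\"" "$key" ||
    { echo "client_email does not match $expected_email" >&2; return 1; }
  grep -q 'BEGIN PRIVATE KEY' "$key" ||
    { echo "no private key material in $key" >&2; return 1; }
  return 0
}

# write_sample_key KEY_FILE PROJECT_ID SA_NAME
# Writes a CONSTRUCTED, non-functional key file with the layout of a real
# Google Cloud service account key, then locks it down to mode 600.
write_sample_key() {
  cat > "$1" <<EOF
{
  "type": "service_account",
  "project_id": "$2",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "$3@$2.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
  chmod 600 "$1"
}

# Demo mirroring the tutorial layout:
#   $HYBRID_FILES/service-accounts/PROJECT_ID-apigee-non-prod.json
demo_dir=$(mktemp -d)
demo_project="project_id"
demo_key="$demo_dir/${demo_project}-apigee-non-prod.json"
write_sample_key "$demo_key" "$demo_project" "apigee-non-prod"
if verify_sa_key "$demo_key" "$demo_project" "apigee-non-prod"; then
  echo "key file checks passed: $demo_key"
else
  echo "key file checks FAILED: $demo_key"
fi
rm -rf "$demo_dir"
```

In real use, call verify_sa_key on "$HYBRID_FILES/service-accounts/$PROJECT_ID-apigee-non-prod.json" with "$PROJECT_ID" and apigee-non-prod; a non-zero exit means the key should not be handed to the hybrid installer until the reported problem is fixed.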
You now have created service accounts and assigned the roles needed by the Apigee hybrid components. Next, create the TLS certificates required by the hybrid ingress gateway.