This step explains how to create the Google Cloud service accounts and TLS credentials
that are required for Apigee hybrid to operate.
Create the service accounts
Apigee hybrid uses Google Cloud service accounts to
allow hybrid components to communicate by making authorized API calls.
In this step, you use an Apigee hybrid command-line tool to create a set of service accounts
and download the service account private key files.
Apigee provides a tool, create-service-account, that creates the service accounts,
assigns the roles to the service accounts, and creates and downloads the key files for the service
account in a single command. To learn about the related Google Cloud concepts, see
Creating and managing service accounts and
Creating and managing service account keys.
Execute the following command from inside the hybrid-files directory. This command
creates a single service account named apigee-non-prod for use in non-production
environments and places the downloaded key file in the ./service-accounts directory.
Where PROJECT_ID is the Project ID of the Google Cloud project in which you are
creating the service accounts. See also create-service-account syntax.
When you see the following prompt, enter y:
[INFO]: gcloud configured project ID is project_id.
Enter: y to proceed with creating service account in project: project_id
Enter: n to abort.
If this is the first time a service account with the name assigned by the tool has been created,
the tool simply creates it, and you do not have to do anything further.
If, however, you see the following message and prompt, enter y to generate
new keys:
[INFO]: Service account apigee-non-prod@project_id.iam.gserviceaccount.com already exists.
...
[INFO]: The service account might have keys associated with it. It is recommended to use existing keys.
Press: y to generate new keys.(this does not de-activate existing keys)
Press: n to skip generating new keys.
Verify that the service account key was created using the following command. You are responsible for storing these
private keys securely. The key filenames are prefixed with the name of your Google Cloud project.
ls ./service-accounts
The result should look something like the following:
project_id-apigee-non-prod.json
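Because storing these private keys securely is your responsibility, the following added example (not part of the Apigee tooling or of the original page) checks that the ./service-accounts directory and each downloaded key file are accessible only by their owner, and that each file looks like a service account key. The function names are hypothetical, and treating owner-only modes (700 for the directory, 600 for the files) as the baseline is an assumption.

```bash
# Added example: audit the key files downloaded by create-service-account.
# Assumptions: keys are the *.json files in the directory passed as $1
# (default ./service-accounts); owner-only access is the wanted baseline.
# Usage: audit_sa_keys ./service-accounts

# Print the group/other permission bits of a path, e.g. "r--r--" or "------".
group_other_bits() {
  ls -ld "$1" | cut -c5-10
}

# Print one line per finding; return 0 only when nothing was found.
audit_sa_keys() {
  sa_dir="${1:-./service-accounts}"
  sa_problems=0
  if [ ! -d "$sa_dir" ]; then
    echo "FAIL: $sa_dir is not a directory"
    return 1
  fi
  if [ "$(group_other_bits "$sa_dir")" != "------" ]; then
    echo "FAIL: $sa_dir is accessible to group/other (want mode 700)"
    sa_problems=$((sa_problems + 1))
  fi
  for sa_file in "$sa_dir"/*.json; do
    # An unmatched glob stays literal, so this also catches an empty directory.
    [ -e "$sa_file" ] || { echo "FAIL: no key files in $sa_dir"; return 1; }
    if [ "$(group_other_bits "$sa_file")" != "------" ]; then
      echo "FAIL: $sa_file is accessible beyond its owner (want mode 600)"
      sa_problems=$((sa_problems + 1))
    fi
    # A downloaded key is JSON with type "service_account" and a private_key field.
    if ! grep -q '"type": *"service_account"' "$sa_file" ||
       ! grep -q '"private_key"' "$sa_file"; then
      echo "WARN: $sa_file does not look like a service account key"
      sa_problems=$((sa_problems + 1))
    fi
  done
  if [ "$sa_problems" -eq 0 ]; then
    echo "OK: key files in $sa_dir are owner-only"
    return 0
  fi
  return 1
}
```

A FAIL line for permissions is resolved with chmod 700 on the directory and chmod 600 on the key file.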
You have now created service accounts and assigned the roles needed by the Apigee hybrid
components. Next, create the TLS certificates required by the hybrid ingress gateway.
Last updated 2025-03-07 UTC.
This documentation version (1.5) is end-of-life, and upgrading to a newer version is recommended for continued support and access to the latest features.