create-service-account reference

The create-service-account tool creates Google Cloud Project (GCP) service accounts and assigns the permissions and roles required by the Apigee hybrid services to the newly created account.

You can use create-service-account to create the following service accounts:

  • apigee-logger: Permits logging data collection, as described in Logging.
  • apigee-metrics: Permits metrics data collection, as described in Metrics collection.
  • apigee-cassandra: Permits Cassandra backups to Google Cloud Storage (GCS), as described in Backup and recovery.

There are two ways you can create GCP service accounts:


The create-service-account tool requires that the gcloud CLI be installed. Users invoking the utility should have the role Service Account Admin.

To get started, update your gCloud project configuration by executing the following command:

gcloud config set project GCP_project

Where GCP_project is the project created in the Hybrid prerequisites.

create-service-account syntax

The create-service-account tool is located in hybrid_root_dir/tools/create-service-account.

The syntax for the create-service-account tool is as follows:

create-service-account service_account_name hybrid_service [gcp_project_id]


  • service_account_name: Specifies the name of the service account.
  • hybrid_service: Specifies the Hybrid service that uses the service account. This can be one of the following:
    • apigee-logger
    • apigee-metrics
    • apigee-cassandra
  • gcp_project_id: Specifies the GCP project ID of the project that is bound to your Hybrid-enabled organization. If the GCP project ID is not provided, the tool attempts to retrieve it from the current gCloud configuration.


Create a new service account and create a role

The following example creates a new service account for the apigee-logger Hybrid service and assigns the role logging.logWriter to the account:

create-service-account my-logger-svc-account apigee-logger

This role is required by the apigee-logger service. The utility then downloads the JSON keys for the service account into the current working directory.

Add new roles to an existing service account

You can assign new roles to existing service accounts by calling create-service-account with a different service as a command line argument.

create-service-account my-metrics-svc-account apigee-metrics