Enable Synchronizer access

The Synchronizer must be granted permission to pull Apigee artifacts, such as proxy bundles and resources, down from the management plane. The following steps explain how to grant that access.

  1. Locate the read-only service account key (a JSON file) that you downloaded as part of the GCP setup steps. This is the key for the service account called "Admin Reader Service Account". Note that the GCP setup documentation is only available to registered Apigee Hybrid Alpha customers. Contact your Apigee Sales representative for more information.
  2. Add the following properties to overrides.yaml, using the path to the downloaded key file as the value of both properties:
    ...
    authz:
      serviceAccountPath: "path to service account key file"
    
    synchronizer:
      serviceAccountPath: "path to service account key file"
    ...
    

    For example:

    authz:
      serviceAccountPath: "path-to-file/my_read_only_service_account_key.json"
    
    synchronizer:
      serviceAccountPath: "path-to-file/my_read_only_service_account_key.json"
    
  3. Ensure that you have enabled the Apigee API as explained in the GCP setup steps.

    For details, see Enable the Apigee API service.

  4. Locate the read-write service account key (a JSON file) that you downloaded as part of the GCP setup steps. This is the key for the service account called "Admin Writer Service Account". Note that the GCP setup documentation is only available to registered Apigee Hybrid Alpha customers. Contact your Apigee Sales representative for more information.
  5. Use the Apigee Organization Admin service account key to generate an OAuth 2.0 access token with one of the following methods. This token is required to authenticate calls to the Hybrid APIs.

    gcloud

    Use gcloud to obtain an OAuth 2.0 access token, passing the service account credentials JSON file that you downloaded in step 1 through the GOOGLE_APPLICATION_CREDENTIALS environment variable:

    export GOOGLE_APPLICATION_CREDENTIALS=your_sa_credentials_file.json
    gcloud auth application-default print-access-token

    An OAuth 2.0 token is returned.

    For more information, see gcloud beta auth application-default print-access-token.

    oauth2l utility

    Use oauth2l to obtain an OAuth 2.0 access token, passing the service account credentials JSON file that you downloaded in step 1.

    oauth2l fetch --json your_sa_credentials_file.json cloud-platform
  6. Copy the OAuth 2.0 token returned and store it in a variable, such as TOKEN. For example:
    export TOKEN=ya29....Ts13inj3LrqMJlztwygtM
  7. Call the following API to enable the required permissions for Synchronizer:
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:setSyncAuthorization" \
      -d '{"identities":["serviceAccount:full_read_only_service_account_name"]}'

    Where:

    Property                              Description
    your_auth_token                       The token you generated from your service account key ($TOKEN in the command above).
    your_org_name                         The name of the Hybrid organization that was provisioned for you by Apigee.
    full_read_only_service_account_name   The name of a service account with the Apigee Read-only Admin role. The name is formed like an email address. For example: my_read_only_service_account@my_project_id.iam.gserviceaccount.com.

    Example:

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
      -d '{"identities":["serviceAccount:my_read_only_service_account@my_project_id.iam.gserviceaccount.com"]}'
  8. To verify that the service account was set, call the following API to get a list of service accounts:
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/my_org:getSyncAuthorization" \
      -d ''

    The output looks similar to the following if two service accounts were added to the org:

    {
      "identities": [
        "serviceAccount:my_read_only_service_account@my_project_id.iam.gserviceaccount.com"
      ],
      "etag": "BwWJgyS8I4w="
    }

  9. Go to the next step, Add node selectors.
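The following script is an added example, not part of the Apigee documentation or the Apigee tooling. It shows the two pieces of steps 2, 7 and 8 that are easy to get wrong by hand: deriving the exact "serviceAccount:<client_email>" identity string from the read-only key file referenced in overrides.yaml, and checking the getSyncAuthorization response so that the organization authorizes exactly the intended service accounts and nothing else. The key file and the API response below are constructed samples in the shape shown on this page; the function names and the "my_org" organization name are this example's own assumptions.

```python
import json
from typing import List, Tuple

# Constructed sample: the fields of a downloaded service-account key file that
# this script reads. A real key also carries private_key material and must be
# handled as a secret (file permissions, never committed to source control).
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "my_project_id",
    "client_email": "my_read_only_service_account@my_project_id.iam.gserviceaccount.com",
})

# Constructed sample: a getSyncAuthorization response in the shape shown in step 8.
SAMPLE_RESPONSE = json.dumps({
    "identities": [
        "serviceAccount:my_read_only_service_account@my_project_id.iam.gserviceaccount.com"
    ],
    "etag": "BwWJgyS8I4w=",
})


def identity_from_key_file(key_json: str) -> str:
    """Derive the 'serviceAccount:<email>' identity from a key file's contents.

    Refuses anything that is not a service-account key, so a user credential
    file picked up by mistake is never turned into a Synchronizer identity.
    """
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key: type=%r" % key.get("type"))
    email = key.get("client_email", "")
    if not email.endswith(".iam.gserviceaccount.com"):
        raise ValueError("unexpected client_email: %r" % email)
    return "serviceAccount:" + email


def sync_authorization_url(org: str, method: str) -> str:
    """Build the URL for the setSyncAuthorization / getSyncAuthorization calls (steps 7 and 8)."""
    if method not in ("setSyncAuthorization", "getSyncAuthorization"):
        raise ValueError("unsupported method: %r" % method)
    return "https://apigee.googleapis.com/v1/organizations/%s:%s" % (org, method)


def set_sync_authorization_body(identities: List[str]) -> str:
    """Build the JSON request body for setSyncAuthorization."""
    return json.dumps({"identities": identities})


def check_sync_authorization(response_json: str, expected: List[str]) -> Tuple[List[str], List[str]]:
    """Compare a getSyncAuthorization response with the identities we intended to grant.

    Returns (missing, unexpected). Both lists empty means the org authorizes exactly
    the intended service accounts; a non-empty 'unexpected' list means an identity
    is authorized to pull proxy bundles that this procedure did not add.
    """
    actual = set(json.loads(response_json).get("identities", []))
    wanted = set(expected)
    return sorted(wanted - actual), sorted(actual - wanted)


if __name__ == "__main__":
    ident = identity_from_key_file(SAMPLE_KEY_FILE)
    print("POST", sync_authorization_url("my_org", "setSyncAuthorization"))
    print(set_sync_authorization_body([ident]))
    missing, unexpected = check_sync_authorization(SAMPLE_RESPONSE, [ident])
    print("missing:", missing, "unexpected:", unexpected)
```

In practice you would read the key file from the serviceAccountPath you set in overrides.yaml, pass the body to the curl call from step 7, and feed the step 8 response to check_sync_authorization; treating any "unexpected" identity as a finding keeps the set of accounts able to pull proxy bundles limited to the one read-only account this procedure grants.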
