Step 6: Add service accounts

After you enable the Apigee API service, you create service accounts to handle communications between services.

A service account is a special type of account in GCP that enables components and applications of a system to interact with each other and with other GCP APIs.

Hybrid uses GCP service accounts to perform a variety of tasks, including:

  • Send log and metrics data
  • Connect to API gateway for administrative API requests
  • Execute back ups
  • Download proxy bundles

While one service account could perform all of these operations, Apigee recommends that you create multiple service accounts, each assigned to a specific task and each with its own set of permissions. This enhances security by compartmentalizing access and limiting each service account’s scope and access privileges. As with user accounts, these permissions are applied by assigning one or more roles to the service account.

You can use an existing service account as one of the recommended service accounts, but this section describes how to create new ones for your new project.

The following table lists the service accounts that Apigee recommends you create when installing Hybrid:

Admin Writer Service Account*
    Service Account ID: any
    Role: Apigee Organization Admin
    Required

    The service account with the highest level of permissions available. This service account authorizes API access within your Hybrid-enabled organization.

Admin Reader Service Account*
    Service Account ID: any
    Role: Apigee Read-only Admin
    Required

    Used by the Synchronizer service in the runtime plane to download proxy bundles and other data and provide it to the Message Processors.

    You use this service account’s key files in your Hybrid runtime configuration, as explained in the Runtime installation overview.

Logs Writer Service Account*
    Service Account ID: apigee-logger
    Role: Logs Writer (a non-Apigee role)
    Required if logging is enabled

    Sends log data from the runtime plane to Stackdriver. For more information, see Log file overview.

    If you have already downloaded and expanded the Hybrid ZIP file, you can use the create-service-account tool to create the “apigee-logger” service account. For more information, see create-service-account reference.

Metrics Writer Service Account*
    Service Account ID: apigee-metrics
    Role: Monitoring Metrics Writer (a non-Apigee role)
    Required if metrics are enabled

    Sends metrics data from the runtime plane to Stackdriver. For more information, see Metrics collection overview.

    If you have already downloaded and expanded the Hybrid ZIP file, you can use the create-service-account tool to create the “apigee-metrics” service account. For more information, see create-service-account reference.

Cassandra Backups Service Account*
    Service Account ID: apigee-cassandra
    Role: Storage Object Admin (a non-Apigee role)
    Required if backup and recovery is enabled

    Configures backup and recovery for the Cassandra database in the runtime plane. For more information, see Cassandra backup and recovery.

    If you have already downloaded and expanded the Hybrid ZIP file, you can use the create-service-account tool to create the “apigee-cassandra” service account. For more information, see create-service-account reference.

* The documentation refers to the service account by this name. When you define your service accounts, Apigee recommends that you set the Service account name field to this value because it will make debugging and support easier.

For more information about the service account roles, see the following:

In addition to creating the service accounts listed in the previous table, you also download their private keys. You later use these keys to generate access tokens so that you can access the Apigee APIs.

Create Hybrid service accounts

Role Requirements (to perform this step):
    GCP Service Account Admin (roles/iam.serviceAccountAdmin) or greater

To create Hybrid service accounts and download their private keys:

  1. Open the Google Cloud Platform (GCP) Console and log in with the user account you created in Step 1: Create a GCP account.
  2. Select the project that you created in Step 3: Create a GCP project.
  3. Select IAM & admin > Service accounts.

    The Service accounts view displays a list of the project’s service accounts. There might be default service accounts in the list, depending on how you created your project.

  4. To create a new service account, click +Create Service Account at the top of the view.

    The Service account details view displays.

  5. In the Service account name field, enter the name of the service account. Apigee recommends that you use the names listed in Recommended service accounts. For example, enter "Admin Writer Service Account".

    GCP generates a unique service account ID for you, which is structured like an email address, as the following example shows:

    You can optionally add a description in the Service account description field. Descriptions are helpful at reminding you what a particular service account is used for.

  6. Click Create.

    GCP creates a new service account and displays the Service account permissions view. Use this view to assign a role to your new service account.

  7. Click the Select a role drop-down list.
  8. Select the role for the service account, as described in Recommended service accounts. For example, for the Admin Writer Service Account, select the Apigee Organization Admin role.

    If necessary, enter text to filter by role name. For example, to list only the Apigee roles, enter “Apigee” in the filter field, as the following example shows:

    You can add more than one role to a service account, but Apigee recommends that you add only one role to each of the recommended service accounts. To change the roles of a service account after you have created it, use the IAM & admin panel in the GCP Console.

  9. Click Continue.

    GCP displays the Grant users access to this service account view:

  10. Under Create key (optional), click Create Key.

    GCP gives you the option to download a JSON or P12 key:

  11. Select JSON (the default) and click Create.

    GCP saves the key file in JSON format to your local machine and displays a confirmation when it is successful, as the following example shows:

    You will later use some of the service account keys to configure Hybrid runtime services. For example, when you configure the Hybrid runtime, you will specify the location of the service account keys using the service_name.serviceAccountPath properties.

    These keys are used by the service accounts to get access tokens, which the service account then uses to make requests against the Apigee APIs on your behalf. (But that’s not for a while yet; for now, just remember where you saved it.)

  12. Repeat steps 4 through 11 for each service account listed in Recommended service accounts.

    While only the Admin Writer Service Account and Admin Reader Service Account are required, Apigee recommends that you create all five service accounts.

    When you're finished, you should have the following service accounts (in addition to the defaults, if any):

    • Admin Writer Service Account (assigned to the Apigee Organization Admin role)
    • Admin Reader Service Account (Apigee Read-only Admin role)
    • Logs Writer Service Account (Logs Writer role)
    • Metrics Writer Service Account (Monitoring Metrics Writer role)
    • Cassandra Backups Service Account (Storage Object Admin role)

    In the GCP Console, service accounts are indicated with a .
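Before you point a service_name.serviceAccountPath property at one of the key files downloaded in step 11, it is worth checking that the file is a service account key for the right account in the right project and that only you can read it. The following checker is an added example, not part of the Apigee documentation or tooling; the project ID "my-hybrid-project", the file names and the key contents are constructed for illustration.

```python
import json
import os
import re
import stat
import tempfile

# client_email in a key file is <account-id>@<project-id>.iam.gserviceaccount.com
EMAIL_RE = re.compile(r"^([a-z][a-z0-9-]{5,29})@([a-z][a-z0-9-]+)\.iam\.gserviceaccount\.com$")

def check_key_file(path, project, expected_id=None):
    """Return the problems found with a downloaded key file (empty list = usable)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # whoever can read the file can act with the account's roles
        problems.append(f"mode {mode:o} is readable by group/other")
    with open(path) as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        problems.append(f"type {key.get('type')!r} is not a service account key")
    if key.get("project_id") != project:
        problems.append(f"project_id {key.get('project_id')!r} != {project!r}")
    m = EMAIL_RE.match(key.get("client_email", ""))
    if not m or m.group(2) != project:
        problems.append(f"client_email {key.get('client_email')!r} is not an account of {project}")
    elif expected_id and m.group(1) != expected_id:
        problems.append(f"account id {m.group(1)!r} != expected {expected_id!r}")
    if not key.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems

def write_sample(directory, account_id, mode):
    """Write a constructed (not real) key file for account_id and set its file mode."""
    key = {"type": "service_account", "project_id": "my-hybrid-project",
           "client_email": f"{account_id}@my-hybrid-project.iam.gserviceaccount.com",
           "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"}
    path = os.path.join(directory, f"{account_id}.json")
    with open(path, "w") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path

def demo():
    """A correctly protected apigee-logger key versus a world-readable key used for the wrong account."""
    with tempfile.TemporaryDirectory() as d:
        good = check_key_file(write_sample(d, "apigee-logger", 0o600), "my-hybrid-project", "apigee-logger")
        bad = check_key_file(write_sample(d, "apigee-logger", 0o644), "my-hybrid-project", "apigee-metrics")
    return good, bad
```

Run check_key_file against each downloaded key with the account ID from the table above (for the Admin Writer and Admin Reader keys, whose IDs are free-form, omit expected_id).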
