*SyncAuthorization APIs

This topic describes the setSyncAuthorization and getSyncAuthorization APIs. These APIs are used to set and get GCP service account(s) that are required for Synchronizer to operate. These APIs are used during the Apigee hybrid installation procedure to enable the Synchronizer to retrieve environment data from the management plane.

setSyncAuthorization

Sets required permissions that allow Synchronizer to download environment data from the control plane. You must call this API to enable proper functioning of hybrid. This API is used during the hybrid installation procedure.

Resource URL

https://apigee.googleapis.com/v1/organizations/your_org_name:setSyncAuthorization

Verb

POST

Header parameters

Name Values Description
Authorization:Bearer A valid OAuth token. (Required) For information on getting a token, see Step 5: Enable Synchronizer.
Content-Type application/json (Required) The HTTP Content Type

Request body

{"identities":["serviceAccount:service-account-name"], ...}
Name Description Default Required?
identities An array of serviceAccount:service-account-name elements. You might specify multiple service accounts, for example, if you have multiple environments and wish to assign a unique SA to each one. The SA(s) must have Apigee Synchronizer Manager role. The name is formed like an email address. For example: my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com N/A Yes

Sample API calls

Sets one SA:

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
   -d '{"identities":["serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"]}'

Sets two SAs. You might specify multiple service accounts, for example, if you have multiple environments and wish to assign a unique SA to each one.

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
   -d '{"identities":["serviceAccount:my-synchronizer-sa_1@my_project_id.iam.gserviceaccount.com",
   "serviceAccount:my-synchronizer-sa_2@my_project_id.iam.gserviceaccount.com"]}'

getSyncAuthorization

To verify that one or more service accounts were set with setSyncAuthorization, use getSyncAuthorization.

https://apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization

Verb

POST

Header parameters

Name Values Description
Authorization:Bearer A valid OAuth token. (Required) For information on getting a token, see Step 5: Enable Synchronizer.
Content-Type application/json (Required) The HTTP Content Type

Request body

You must specify an empty request body.

{}

Sample API call

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/myorg:getSyncAuthorization" \
   -d ''

The output looks similar to the following:

{
  "identities": [
    "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"],
    "etag": "BwWJgyS8I4w="
}