Configure the Synchronizer

This section describes the Synchronizer.

Synchronizer overview

In Apigee hybrid, the Synchronizer's primary job is to poll the management plane and download the runtime contracts it supplies. The information communicated by contract includes API proxies, API products, caches, and virtual hosts.

Synchronizer instances running in the runtime plane poll the management plane on a regular basis, download the contracts, and make them available to the local runtime instances.

One Synchronizer can support many Message Processors deployed in the same pod.

Enable Synchronizer access

You must grant the Synchronizer permission to pull Apigee artifacts, such as proxy bundles and resources, from the management plane down to the runtime plane. You do this by calling an Apigee API that authorizes the Synchronizer's service account.

  1. Ensure that you have enabled the Apigee API as explained in the GCP setup steps. For details, see Step 3: Enable APIs.
  2. Locate the write-enabled GCP service account key (a JSON file) that you downloaded as part of Create service accounts. The service account has the Apigee Org Admin role and is the one named "apigee-org-admin". If you did not previously create this service account, you must do so before continuing.
  3. Use the Apigee Org Admin service account key to generate an OAuth 2.0 access token using one of the following methods. This token is required to authenticate the Apigee APIs.

    gcloud

    Use gcloud to obtain an OAuth 2.0 access token, passing the service account credentials JSON file that you downloaded via the GOOGLE_APPLICATION_CREDENTIALS environment variable:

    export GOOGLE_APPLICATION_CREDENTIALS=your_sa_credentials_file.json
    gcloud auth application-default print-access-token

    An OAuth 2.0 token is returned.

    For more information, see gcloud beta auth application-default print-access-token.

    oauth2l utility

    Use oauth2l to obtain an OAuth 2.0 access token, passing the service account credentials JSON file that you downloaded in step 1.

    oauth2l fetch --json your_sa_credentials_file.json cloud-platform
  4. Copy the OAuth 2.0 token returned and store it in a variable, such as TOKEN. For example:
    export TOKEN=ya29....Ts13inj3LrqMJlztwygtM
  5. Call the setSyncAuthorization API to enable the required permissions for Synchronizer:
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:setSyncAuthorization" \
      -d '{"identities":["serviceAccount:synchronizer-manager-service-account-name"]}'

    Where:

    • your_org_name: The name of the hybrid organization.
    • synchronizer-manager-service-account-name: The email-style name of a service account that has the Apigee Synchronizer Manager role. For example: my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com

    Example:

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
      -d '{"identities":["serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"]}'

    For more information on this API, see SyncAuthorization API.

  6. To verify that the service account was authorized, call the getSyncAuthorization API, which returns the list of authorized identities:
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization" \
      -d ''

    The output looks similar to the following:

    {
       "identities":[
          "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"
       ],
       "etag":"BwWJgyS8I4w="
    }
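The whole procedure above (token, setSyncAuthorization, getSyncAuthorization) scripted as one POSIX shell example. This is an added example, not code from the Apigee documentation. It assumes ORG, SA_EMAIL and GOOGLE_APPLICATION_CREDENTIALS are set by the caller, that gcloud and curl are installed, and it only performs the live API calls when SYNC_LIVE=1; the helper functions and the sample response are constructed here so the parsing and verification logic can be exercised without network access. The verification goes one step beyond the page's step 6: besides confirming the intended account is present, only_expected flags any identity in the response that is not on the expected list, which is the least-privilege check a reviewer wants after granting Synchronizer access.

```shell
#!/bin/sh
# Added example (not from the Apigee docs). Assumed caller-supplied variables:
#   ORG                               hybrid organization name
#   SA_EMAIL                          Synchronizer Manager service account email
#   GOOGLE_APPLICATION_CREDENTIALS    path to the Org Admin SA key JSON
#   SYNC_LIVE=1                       opt in to the real API calls
set -eu

# Step 3: mint an OAuth 2.0 access token from the Org Admin key (gcloud tab).
fetch_token() {
  gcloud auth application-default print-access-token
}

# Step 5: build the setSyncAuthorization request body for one service account.
sync_auth_body() {
  printf '{"identities":["serviceAccount:%s"]}' "$1"
}

set_sync_authorization() {
  curl -sS -X POST -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    "https://apigee.googleapis.com/v1/organizations/$ORG:setSyncAuthorization" \
    -d "$(sync_auth_body "$SA_EMAIL")"
}

# Step 6: read back the authorized identities.
get_sync_authorization() {
  curl -sS -X POST -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    "https://apigee.googleapis.com/v1/organizations/$ORG:getSyncAuthorization" \
    -d ''
}

# Print every serviceAccount identity in a getSyncAuthorization response,
# one per line (whitespace-insensitive; no jq dependency).
list_identities() {
  printf '%s' "$1" | tr -d ' \n' | grep -o '"serviceAccount:[^"]*"' \
    | tr -d '"' | sed 's/^serviceAccount://'
}

# Return 0 if the response names the given service account.
identity_authorized() {
  resp=$1; sa=$2
  list_identities "$resp" | grep -qFx "$sa"
}

# Return 0 only if every identity in the response is in the expected list
# (arguments 2..n); catches extra, unexpected accounts left in the list.
only_expected() {
  resp=$1; shift
  for id in $(list_identities "$resp"); do
    ok=0
    for want in "$@"; do
      [ "$id" = "$want" ] && ok=1
    done
    [ "$ok" -eq 1 ] || return 1
  done
  return 0
}

# Constructed sample response shaped like the docs' example output.
SAMPLE_RESPONSE='{
   "identities":[
      "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"
   ],
   "etag":"BwWJgyS8I4w="
}'

if [ "${SYNC_LIVE:-0}" = "1" ]; then
  TOKEN=$(fetch_token)
  set_sync_authorization >/dev/null
  resp=$(get_sync_authorization)
  if identity_authorized "$resp" "$SA_EMAIL" && only_expected "$resp" "$SA_EMAIL"; then
    echo "Synchronizer access is granted to exactly: $SA_EMAIL"
  else
    echo "unexpected sync authorization state:" >&2
    list_identities "$resp" >&2
    exit 1
  fi
fi
```

Run it with SYNC_LIVE=1 after exporting ORG, SA_EMAIL and GOOGLE_APPLICATION_CREDENTIALS; without SYNC_LIVE it only defines the helpers, so it can be sourced from a CI check that compares a saved getSyncAuthorization response against the approved identity list.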