Configure the Synchronizer

This section describes the Synchronizer.

Synchronizer overview

In Apigee hybrid, the Synchronizer's primary job is to poll and download the runtime contracts which are supplied by the management plane. Information communicated by contract includes API proxies, API products, caches, and virtual hosts.

Synchronizer instances running in the runtime plane are expected to poll the management plane on a regular basis, download the contracts, and make them available to local runtime instances.

One Synchronizer can support many Message Processors deployed in the same pod.

Enable Synchronizer access

You must grant the Synchronizer permission to pull down Apigee artifacts, such as proxy bundles and resources, from the management plane. To do so, call an Apigee API that authorizes the Synchronizer to pull artifacts from the management plane down to the runtime plane.

  1. Ensure that you have enabled the Apigee API as explained in the GCP setup steps. For details, see Step 3: Enable APIs.
  2. Locate the write-enabled GCP service account key (a JSON file) that you downloaded as part of Create service accounts. The service account has the Apigee Org Admin role and is the one named "apigee-org-admin". If you did not previously create this service account, you must do so before continuing.
  3. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path where the service account key is located:

    export GOOGLE_APPLICATION_CREDENTIALS=your_sa_credentials_file.json

  4. Call the setSyncAuthorization API to enable the required permissions for Synchronizer:

    curl -X POST -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:setSyncAuthorization" \
      -d '{"identities":["serviceAccount:synchronizer-manager-service-account-name"]}'

    Where:

    • your_org_name: The name of the hybrid organization.
    • synchronizer-manager-service-account-name: The name of a service account with the Apigee Synchronizer Manager role. The name is formed like an email address. For example: my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com

    Example:

    curl -X POST -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
       -d '{"identities":["serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"]}'
    

    For more information on this API, see SyncAuthorization API.

  5. To verify that the service account was set, call the following API to get a list of service accounts:

    curl -X POST -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization" \
       -d ''

    The output looks similar to the following:

    {
       "identities":[
          "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"
       ],
       "etag":"BwWJgyS8I4w="
    }
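
A check that could follow step 5, as an added example that is not part of the original documentation: it compares the identities returned by getSyncAuthorization against an allowlist, so an unexpected account authorized to pull artifacts is flagged. The function names and the second sample response are constructed for illustration; the sed/grep parsing assumes the response shape shown above.

```shell
#!/bin/sh
# Added example (not from the Apigee docs): audit a getSyncAuthorization response.

# EXPECTED is the page's example identity. SAMPLE_OK is the page's sample output;
# SAMPLE_EXTRA is constructed here to show a second, unexpected identity.
EXPECTED='serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com'
SAMPLE_OK='{
   "identities":[
      "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"
   ],
   "etag":"BwWJgyS8I4w="
}'
SAMPLE_EXTRA='{"identities":["'"$EXPECTED"'","serviceAccount:constructed-extra@example-project.iam.gserviceaccount.com"],"etag":"BwWJgyS8I4w="}'

# Print each entry of the "identities" array, one per line.
list_sync_identities() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"identities"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' \
    | grep -o '"[^"]*"' | tr -d '"' || :
}

# Return 0 if every authorized identity is in the space-separated allowlist,
# 1 if any identity is unexpected, 2 if no identity is authorized at all.
audit_sync_identities() {
  found=$(list_sync_identities "$1")
  [ -n "$found" ] || { echo "no identities authorized" >&2; return 2; }
  status=0
  for id in $found; do
    case " $2 " in
      *" $id "*) ;;
      *) echo "unexpected identity: $id" >&2; status=1 ;;
    esac
  done
  return "$status"
}

# Demo on the embedded samples; in practice pass the curl output from step 5.
audit_sync_identities "$SAMPLE_OK" "$EXPECTED" && echo "SAMPLE_OK: only expected identities"
audit_sync_identities "$SAMPLE_EXTRA" "$EXPECTED" || echo "SAMPLE_EXTRA: review the list"
```

The exit status distinguishes an empty authorization list (2) from a list that contains an identity outside the allowlist (1), so the check can gate a deployment script.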