This page applies to Apigee, but not to Apigee hybrid.
View Apigee Edge
documentation.
This document describes the Google Cloud IAM permissions that are required to successfully provision Apigee.
You can specify permissions using the following:
- Predefined roles: Provide sufficient permission to do the provisioning steps. Predefined roles may give the Apigee administrator more permissions than they need to complete provisioning.
- Custom roles: Provide the least-necessary privilege needed to do the provisioning steps.
Google Cloud project owner role
The owner of the Google Cloud project that is used for Apigee provisioning already has permission to perform all of the basic Apigee provisioning steps.
If the Apigee provisioner is not the project owner, then use this document to determine the permissions needed to perform each of the provisioning steps.
If you use Shared Virtual Private Cloud (VPC) networking, additional permissions in the Shared VPC project are required, and these cases are also noted in this document.
Predefined roles
If you just want to make sure the Apigee administrator has sufficient permission to complete the provisioning, give the Apigee administrator the following IAM predefined roles ; however, predefined roles may give the Apigee administrator more permissions than they need to complete provisioning. See Custom roles and permissions to provide least-necessary privileges.
How to specify a predefined role
To add users and roles:
-
In the Google Cloud console, go to IAM & Admin > IAM for your project.
- To add a new user:
- Click Grant access .
- Type a new Principal name.
- Click the Select a role
menu and then type the role
name in the Filter
field. For example,
Apigee Organization Admin. Click the role listed in the results. - Click Save .
- To edit an existing user:
- Click Edit .
- To change an existing role, click the Role menu and then select a different role.
- To add another role, click Add another role.
- Click the Select a role
menu and then type the role
name in the Filter
field. For example,
Apigee Organization Admin. Click the role listed in the results. - Click Save .
- Start Apigee provisioning
- Create an organization
- Create an environment
- Create an Apigee instance
- Enable APIs
- Create an organization
- Configure a runtime instance
- Create an organization
- Configure a runtime instance
- Configure service networking
- Configure access routing (to create the external HTTPS load balancer)
Custom roles and permissions
To provide least-necessary privileges, create an IAM custom role and assign permissions from the following sections.
How to specify a custom role
To add a custom role:
-
In the Google Cloud console, go to IAM & Admin > Roles for your project.
- To add a new role:
- Click Create role .
- Type a new Title .
- Type a Description (optional).
- Type an ID .
- Select a Role launch stage .
- Click Add permissions .
- Copy the desired permission text from the tables below and
paste it into the Filter
field. For example,
apigee.environments.create. - Press Enter or click an item from the results.
- Select the checkbox for the item just added.
- Click Add .
- Once you have added all the permissions for this role, click Create .
- To edit an existing custom role:
- Locate the custom role.
- Click More > Edit .
- Make any desired changes.
- Click Update .
UI-based Apigee management permissions
This permission is required for all users who will manage an organization through the Apigee UI in Cloud console . Include it in custom roles that involve management through that interface.
apigee.projectorganizations.get
- Perform any actions through the Apigee UI in Cloud console .
Provisioning permissions
These permissions are required to start provisioning Apigee:
apigee.entitlements.get
apigee.environments.create
apigee.environments.get
apigee.environments.list
apigee.envgroups.create
apigee.envgroups.get
apigee.envgroups.list
apigee.envgroups.update
apigee.envgroupattachments.create
apigee.envgroupattachments.list
apigee.instances.create
apigee.instances.get
apigee.instances.list
apigee.instanceattachments.create
apigee.instanceattachments.get
apigee.instanceattachments.list
apigee.operations.get
apigee.operations.list
apigee.organizations.create
apigee.organizations.get
apigee.organizations.update
apigee.projectorganizations.get
apigee.projects.update
apigee.setupcontexts.get
apigee.setupcontexts.update
- Start Apigee provisioning
- Create an organization
- Create an environment
- Create an Apigee instance
API enablement permissions
These permissions are required to enable Google Cloud APIs:
| Role | Account type | Purpose |
|---|---|---|
serviceusage.services.get
serviceusage.services.enable
|
Paid and eval | Enabling Google Cloud APIs |
Organization creation permissions (paid org)
These permissions are needed to create an Apigee organization for paid accounts (Subscription or Pay-as-you-go):
| Permissions | Account type | Purpose |
|---|---|---|
compute.regions.list
|
Paid only | Selecting an analytics hosting location |
cloudkms.cryptoKeys.list
cloudkms.locations.list
cloudkms.keyRings.list
|
Paid only | Selecting a runtime database encryption key |
cloudkms.cryptoKeys.create
cloudkms.keyRings.create
|
Paid only | Creating a runtime database encryption key |
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.setIamPolicy
|
Paid only | Granting Apigee service account permission to use an encryption key |
Organization creation permissions (eval org)
This permission is required for selecting analytics and runtime hosting regions for an eval organization:
| Permissions | Account type | Purpose |
|---|---|---|
compute.regions.list
|
Eval organizations only | Selecting analytics and runtime hosting regions |
Service networking permissions
These permissions are needed in the service networking configuration steps. If you are using Shared VPC networking, see Service networking permissions with Shared VPC .
| Permissions | Account type | Purpose |
|---|---|---|
compute.globalAddresses.createInternal
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.networks.get
compute.networks.list
compute.networks.use
compute.projects.get
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
|
Paid and eval | These permissions are required to perform the tasks in the service networking configuration step. |
Service networking permissions with Shared VPC
If you are using Shared Virtual Private Cloud (VPC) networking, a user with administrative privileges in the Shared VPC project must peer the Shared VPC project with Apigee, as described in Using shared VPC networks . Peering must be completed before the Apigee admin can complete the service networking steps. See also Administrators and IAM .
When Shared VPC is properly set up, the Apigee admin needs these permissions to complete the service networking configuration steps:
| Permissions | Account type | Purpose |
|---|---|---|
compute.projects.get
|
Paid and eval | The Apigee admin must have this permission in the project where Apigee is installed . This permission allows the admin to view the Shared VPC host project ID. |
|
Compute Network User role
( compute.networkUser
) |
Paid and eval | The Apigee admin must be granted this role in the Shared VPC host project . This role allows the admin to view and select the Shared VPC network in the Apigee provisioning UI. |
Runtime instance permissions
These permissions are needed to create a runtime instance (Subscription and Pay-as-you-go accounts only):
| Permissions | Account type | Purpose |
|---|---|---|
compute.regions.list
|
Paid only | Selecting a runtime hosting location |
cloudkms.cryptoKeys.list
cloudkms.locations.list
cloudkms.keyRings.list
|
Paid only | Selecting a runtime disk encryption key |
cloudkms.cryptoKeys.create
cloudkms.keyRings.create
|
Paid only | Creating a runtime disk encryption key |
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.setIamPolicy
|
Paid only | Granting Apigee service account permission to use an encryption key |
Access routing permissions
These permissions are needed for the access routing steps:
| Permissions | Account type | Purpose |
|---|---|---|
compute.autoscalers.create
compute.backendServices.create
compute.backendServices.use
compute.disks.create
compute.globalAddresses.create
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalOperations.get
compute.firewalls.create
compute.firewalls.get
compute.healthChecks.create
compute.healthChecks.useReadOnly
compute.images.get
compute.images.useReadOnly
compute.instances.create
compute.instances.setMetadata
compute.instanceGroups.use
compute.instanceGroupManagers.create
compute.instanceGroupManagers.use
compute.instanceTemplates.get
compute.instanceTemplates.create
compute.instanceTemplates.useReadOnly
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.networks.use
compute.regionOperations.get
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.use
compute.sslCertificates.create
compute.sslCertificates.get
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.setPrivateIpGoogleAccess
compute.subnetworks.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.use
compute.urlMaps.create
compute.urlMaps.use
|
Paid and eval | Configuring basic access routing |
Access routing permissions with Shared VPC
If you are using Shared Virtual Private Cloud (VPC) networking , be aware that the Shared VPC configuration and peering must be completed before you can perform the access routing step.
After the Shared VPC is set up properly, the Apigee admin requires the compute.networkUser
role in the Shared VPC project
to complete the access routing steps. See also Required administrative roles
for Shared VPC.
