Get an authorization token
To make the Apigee API calls described later in this topic, you need to get an authorization token that has the Apigee Organization Admin role.
- If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid
organization, be sure that your Google Cloud user account has the roles/apigee.admin(Apigee
Organization Admin) role. You can check the roles assigned to you with this command:
gcloud projects get-iam-policy ${PROJECT_ID} \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members: your_account_email "
For example:
gcloud projects get - iam - policy my - project \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:myusername@example.com"
The output should include
roles/apigee.admin. - If you do not have
roles/apigee.admin, add the Apigee Organization Adminrole to your user account. Use the following command to add the role to your user account:gcloud projects add-iam-policy-binding ${PROJECT_ID} \ --member user: your_account_email \ --role roles/apigee.admin
For example:
gcloud projects add-iam-policy-binding my-project \ --member user:myusername@example.com \ --role roles/apigee.admin
-
On the command line, get your
gcloudauthentication credentials using the following command:Linux / MacOS
export TOKEN=$(gcloud auth print-access-token)
To check that your token was populated, use
echo, as the following example shows:echo $TOKEN
This should display your token as an encoded string.
Windows
for /f "tokens=*" %a in ('gcloud auth print-access-token') do set TOKEN=%aTo check that your token was populated, use
echo, as the following example shows:echo %TOKEN%
This should display your token as an encoded string.
Enable synchronizer access
To enable synchronizer access:
- Get the email address for the service account to which you are granting synchronizer access.
For non-production environments (as suggested in this tutorial) it should be
apigee-non-prod. For production environments, it should beapigee-synchronizer. Use the following command:gcloud iam service-accounts list --project ${PROJECT_ID} --filter " apigee-synchronizer "
- Call the setSyncAuthorization
API to enable the required permissions for Synchronizer using the following command:
curl -X POST -H "Authorization: Bearer ${TOKEN}" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/ ${ORG_NAME} :setSyncAuthorization" \ -d '{"identities":["'"serviceAccount: apigee-synchronizer @ ${ORG_NAME} .iam.gserviceaccount.com"'"]}'
Where:
-
${ORG_NAME}: The name of your hybrid organization. -
apigee-synchronizer ${ORG_NAME}.iam.gserviceaccount.com: The email address of the service account.
-
- To verify that the service account was set, use the following command to call the API to get
a list of service accounts:
curl -X GET -H "Authorization: Bearer $TOKEN" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/ ${ORG_NAME} :getSyncAuthorization"
The output looks similar to the following:
{ "identities" : [ "serviceAccount:apigee-synchronizer@ my_project_id .iam.gserviceaccount.com" ] , "etag" : "BwWJgyS8I4w=" }
You have now enabled your Apigee hybrid runtime and management planes to communicate. Next, install cert-manager to enable Apigee hybrid to interpret and manage certificates.
1 2 3 4 5 6 7 (NEXT) Step 8: Install cert-manager 9 10 11 12