Console
    Contact Us Start free

    create-service-account

    Creates Google Cloud Platform service accounts with roles that allow individual Apigee hybrid components to make authorized API calls and downloads the associated service account key files. You can use the service account key files generated by this command in your configuration overrides file.

    The create-service-account tool is located in HYBRID_ROOT_DIR /tools directory.

    Prerequisites

    The create-service-account tool requires that the gcloud CLI be installed. Users invoking the utility should have the role Service Account Admin .

    To get started, be sure your gcloud project configuration is set to the project you created in Step 2: Create a Google Cloud project :

    gcloud config list project

    If you need to change the current project ID, use the following command:

    gcloud config set project GC_PROJECT_ID

    Where GC_PROJECT_ID is the project created in Step 2: Create a Google Cloud project .

    create-service-account syntax

    The create-service-account tool uses the following syntax:

    create-service-account HYBRID_SERVICE 
 OUTPUT_DIR 
[ GC_PROJECT_ID 
]

    Where:

    • HYBRID_SERVICE : Specifies the hybrid service that uses the service account. Valid values are:
      • apigee-cassandra
      • apigee-distributed-trace
      • apigee-logger
      • apigee-mart
      • apigee-metrics
      • apigee-synchronizer
      • apigee-udca
      • apigee-watcher

      Note that the create-service-account tool cannot create the apigee-org-admin service account. You must create that either with gcloud APIs, as described in Create service accounts .

    • OUTPUT_DIR : The output directory in which to store the downloaded service account key.
    • GCP_PROJECT_ID : (Optional) Specifies the Google Cloud project ID of the project that is bound to your hybrid-enabled organization. If the Google Cloud project ID is not provided, the tool attempts to retrieve it from the current gcloud configuration.

    Detailed description

    The create-service-account tool:

    • Creates Google Cloud service accounts used by hybrid components. The created service account is granted the role required by the specific component to operate.
    • Downloads the service account key to your system. You place the service account keys in your hybrid configuration overrides file, as explained in the hybrid installation instructions .

    The tool creates service accounts for the following components:

    Component *
    Role
    Required for basic install?
    Description
    apigee-cassandra
    Storage Object Admin
    roles/storage.objectAdmin
    Allows Cassandra backups to Cloud Storage, as described in Backup and recovery .
    apigee-distributed-trace
    Cloud Trace Agent
    roles/cloudtrace.agent
    Allows the hybrid runtime plane to participate in distributed request tracing in a format compatible with systems like Google Cloud Trace and Jaeger .
    apigee-logger
    Logs Writer
    roles/logging.logWriter
    Allows logging data collection, as described in Logging . Only required for non-GKE cluster installations.
    apigee-mart
    Apigee Connect Agent
    roles/apigeeconnect.Agent
    Allows MART service authentication. The Apigee Connect Agent role allows it to communicate securely with the Apigee Connect process, as described in Using Apigee Connect .
    apigee-metrics
    Monitoring Metric Writer
    roles/monitoring.metricWriter
    Allows metrics data collection, as described in Metrics collection overview .
    apigee-synchronizer
    Apigee Synchronizer Manager
    roles/apigee.synchronizerManager
    Allows the synchronizer to download proxy bundles and environment configuration data. Also enables operation of the trace feature.
    apigee-udca
    Apigee Analytics Agent
    roles/apigee.analyticsAgent
    Allows the transfer of trace, analytics and deployment status data to the management plane.
    apigee-watcher
    Apigee Runtime Agent
    roles/apigee.runtimeAgent
    Apigee Watcher pulls virtual hosts related changes for an org from synchronizer and makes necessary changes to configure istio ingress.
    * This name is used in the downloaded service account key's filename.

    You can also create service accounts in the Google Cloud console. See also Creating and managing service accounts .

    Example

    The following example creates a new service account for the apigee-logger service and places the downloaded key in the ./service-accounts directory.

    ./my-hybrid-root/tools/create-service-account apigee-logger ./service-accounts
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: