This step explains how to create the Google Cloud service accounts and TLS credentials
that are required for Apigee hybrid to operate.
Create the service accounts
Apigee hybrid uses Google Cloudservice accountsto
allow hybrid components to communicate by making authorized API calls.
In this step, you use an Apigee hybrid command-line tool to create a set of service accounts
and download the service account private key files.
Apigee provides a tool,create-service-account, that creates the service accounts,
assigns the roles to the service accounts, and creates and downloads the key files for the service
account in a single command.
Make sure yourPROJECT_IDenvironment variable is set to your Google cloud project ID.
Thecreate-service-accounttool reads thePROJECT_IDenvironment variable to
create the service accounts in the correct project.
echo $PROJECT_ID
Execute the following command from inside thehybrid-filesdirectory. This command creates a single service account namedapigee-non-prodfor use in non-production environments and
places the downloaded key file in the./service-accountsdirectory.
Verify that the service account key was created using the following command. You are responsible for storing these
private keys securely. The key filenames are prefixed with the name of your Google Cloud project.
ls ./service-accounts
The result should look something like the following:
project_id-apigee-non-prod.json
You now have created service accounts and assigned the roles needed by the Apigee hybrid
components. Next, the TLS certificates required by the hybrid ingress gateway..
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis documentation pertains to Apigee hybrid version 1.7, which is now end-of-life and requires an upgrade to a newer version.\u003c/p\u003e\n"],["\u003cp\u003eApigee hybrid utilizes Google Cloud service accounts to authorize communication between its components through API calls.\u003c/p\u003e\n"],["\u003cp\u003eA command-line tool, \u003ccode\u003ecreate-service-account\u003c/code\u003e, is provided to simplify the creation of service accounts, the assigning of roles, and the downloading of key files.\u003c/p\u003e\n"],["\u003cp\u003eFor non-production environments, a single service account named "apigee-non-prod" can be used for all components, while production environments are recommended to use a separate account for each component.\u003c/p\u003e\n"],["\u003cp\u003eThe service account key files, which are crucial for security, should be stored securely, and are validated by the Apigee hybrid runtime components.\u003c/p\u003e\n"]]],[],null,["# Step 5: Create service accounts and credentials\n\n| You are currently viewing version 1.7 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nThis step explains how to create the Google Cloud service accounts and TLS credentials\nthat are required for Apigee hybrid to operate.\n\nCreate the service accounts\n---------------------------\n\n\nApigee hybrid uses Google Cloud [service accounts](/iam/docs/service-accounts) to\nallow hybrid components to communicate by making authorized API calls.\n\n\nIn this step, you use an Apigee hybrid command-line tool to create a set of service accounts\nand download the service account private key files.\n| **Note:** In a production hybrid environment Apigee recommends using a separate service account for each component. For the purposes of this tutorial, you can create a single service account named \"apigee-non-prod\" that you can use for all components.\n|\n|\n| To learn more about service accounts and read the full list of service accounts recommended for\n| production environments, see the following:\n|\n| - [About service accounts](/apigee/docs/hybrid/v1.7/sa-about)\n| - [Service accounts and roles used by hybrid components](/apigee/docs/hybrid/v1.7/sa-about#recommended-sas)\n\n\nApigee provides a tool, `create-service-account`, that creates the service accounts,\nassigns the roles to the service accounts, and creates and downloads the key files for the service\naccount in a single command.\n\n- To learn more about `create-service-account` and all its options see [`create-service-account`](/apigee/docs/hybrid/v1.7/create-service-account)\n- To learn about the related Google Cloud concepts, see [Creating\n and managing service accounts](https://cloud.google.com/iam/docs/creating-managing-service-accounts) and [Creating\n and managing service account keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys).\n\n1. Be sure that you are in the \u003cvar translate=\"no\"\u003ebase_directory\u003c/var\u003e`/hybrid-files` directory you configured in [Set up the project directory structure](#setup-directory).\n2. Make sure your **PROJECT_ID** environment variable is set to your Google cloud project ID. The `create-service-account` tool reads the **PROJECT_ID** environment variable to create the service accounts in the correct project. \n\n ```\n echo $PROJECT_ID\n ```\n3. Execute the following command from inside the `hybrid-files` directory. This command creates a single service account named `apigee-non-prod` for use in non-production environments and places the downloaded key file in the `./service-accounts` directory. \n\n ```\n ./tools/create-service-account --env non-prod --dir ./service-accounts\n ```\n | **Note:** If you would prefer to create all the individual service accounts for a production environment, use the following command: \n |\n | ```\n | ./tools/create-service-account --env prod --dir ./service-accounts\n | ```\n\n\n If you see the following prompt, enter \u003ckbd\u003ey\u003c/kbd\u003e: \n\n ```transact-sql\n [INFO]: gcloud configured project ID is project_id.\n Enter: y to proceed with creating service account in project: project_id\n Enter: n to abort.\n ```\n\n\n If this is the first time you are creating an SA with a particular name assigned, then the\n tool creates it without further prompts.\n\n\n If, however, you see the following message and prompt, enter \u003ckbd\u003ey\u003c/kbd\u003e to generate\n new keys: \n\n ```transact-sql\n [INFO]: Service account apigee-non-prod@\u003cvar translate=\"no\"\u003eproject_id\u003c/var\u003e.iam.gserviceaccount.com already exists.\n ...\n [INFO]: The service account might have keys associated with it. It is recommended to use existing keys.\n Press: y to generate new keys.(this does not deactivate existing keys)\n Press: n to skip generating new keys.\n ```\n | **Note:** The Cloud Pub/Sub API must be enabled in the Google Cloud project that owns the service account for Synchronizer. See [Enable APIs](/apigee/docs/hybrid/v1.7/precog-enableapi).\n4. Verify that the service account key was created using the following command. You are responsible for storing these private keys securely. The key filenames are prefixed with the name of your Google Cloud project. \n\n ```\n ls ./service-accounts\n ```\n\n\n The result should look something like the following: \n\n ```scdoc\n project_id-apigee-non-prod.json\n ```\n\n| **Tip:** Apigee hybrid includes a validator that checks your service accounts' key files and permissions when [apigeectl](/apigee/docs/hybrid/v1.7/cli-reference) applies the Apigee hybrid runtime components to your cluster. This validation is enabled by default. For more information, see [Service account\n| validation](/apigee/docs/hybrid/v1.7/sa-validation).\n\n\nYou now have created service accounts and assigned the roles needed by the Apigee hybrid\ncomponents. Next, the TLS certificates required by the hybrid ingress gateway..\n[1](/apigee/docs/hybrid/v1.7/install-create-cluster) [2](/apigee/docs/hybrid/v1.7/install-cert-manager) [3](/apigee/docs/hybrid/v1.7/install-asm) [4](/apigee/docs/hybrid/v1.7/install-apigeectl) [5](/apigee/docs/hybrid/v1.7/install-service-accounts) [(NEXT) Step 6: Create TLS certificates](/apigee/docs/hybrid/v1.7/install-create-tls-certificates) [7](/apigee/docs/hybrid/v1.7/install-configure-cluster) [8](/apigee/docs/hybrid/v1.7/install-enable-synchronizer-access) [9](/apigee/docs/hybrid/v1.7/install-hybrid-runtime)\n\n\u003cbr /\u003e"]]
