This step explains how to create the Google Cloud service accounts that are required for Apigee hybrid to operate.
Overview
Apigee hybrid uses Google Cloud service accounts to allow hybrid components to communicate by making authorized API calls.
Production vs. non-production environments
This guide refers to Production ("Prod") and Non-production ("Non-prod") installations. A production installation is tuned for greater usage capacity, storage, and scalability. A non-production installation uses fewer resources and is mainly for learning and demonstration purposes.
When you create and configure service accounts for Apigee hybrid, it is important to be aware of the type of installation you are targeting.
For production installations, we recommend creating a separate service account for each Apigee hybrid component. For example, runtime, mart, metrics, udca, and so on each get their own service account.
For non-prod installations, you can create a single service account that applies to all the components.
To learn more about the service accounts used by Apigee and the roles they are assigned, see Service accounts and roles used by hybrid components.
Workload identity on GKE
For Apigee hybrid installations on GKE, Google Cloud offers an option called workload identity to authenticate hybrid runtime components. This option does not use downloaded service account key files to authenticate the service accounts. Instead, it associates the Google Cloud service accounts that you create in this step with Kubernetes service accounts in the Kubernetes cluster, so no long-lived key material has to be stored on disk.
Workload identity is only available on GKE installations.
Create the service accounts
Use the following procedures to create the Google Cloud service accounts for your hybrid installation:
- The create-service-account tool: If you are installing Apigee hybrid on a platform other than GKE, or if you are installing on GKE but do not want to use workload identity, use the Apigee-provided tool, create-service-account, to create the service accounts, assign the roles to the service accounts, and create and download the key files for the service accounts in a single command. Follow the procedures in Create service accounts using create-service-account.
- Google Cloud console or gcloud: If you are installing Apigee hybrid on GKE and plan to use workload identity, use the Google Cloud console or gcloud to create the service accounts without downloading the key files. Follow the procedures in Create service accounts in the Google Cloud console or with gcloud.
Create service accounts using create-service-account
Use the create-service-account tool in the following circumstances:
- You are installing on a platform other than GKE.
- You are installing on GKE but do not plan to use workload identity.
Otherwise, skip to Create service accounts in the Google Cloud console or with gcloud.
- Make sure your HYBRID_FILES and PROJECT_ID environment variables are set. PROJECT_ID must be set to your Google Cloud project ID, because the create-service-account tool reads the PROJECT_ID environment variable to create the service accounts in the correct project.

  ```shell
  echo $HYBRID_FILES
  echo $PROJECT_ID
  ```
- Create the service account with the following command:

  Non-prod

  This command creates a single service account named apigee-non-prod for use in a non-production installation and downloads the key file for the service account into the $HYBRID_FILES/service-accounts directory.

  ```shell
  $HYBRID_FILES/tools/create-service-account --env non-prod --dir $HYBRID_FILES/service-accounts
  ```

  Production

  This command creates all the individual service accounts for a production installation and downloads the key files for the service accounts into the $HYBRID_FILES/service-accounts directory.

  ```shell
  $HYBRID_FILES/tools/create-service-account --env prod --dir $HYBRID_FILES/service-accounts
  ```

  If you see the following prompt, enter y:

  ```
  [INFO]: gcloud configured project ID is project_id.
  Enter: y to proceed with creating service account in project: project_id
  Enter: n to abort.
  ```

  If this is the first time you are creating a particular service account, the tool creates it without further prompts. If, however, you see the following message and prompt, enter y to generate new keys:

  ```
  [INFO]: Service account apigee-non-prod@project_id.iam.gserviceaccount.com already exists.
  ...
  [INFO]: The service account might have keys associated with it. It is recommended to use existing keys.
  Press: y to generate new keys.(this does not deactivate existing keys)
  Press: n to skip generating new keys.
  ```
- Verify that the service account key was created using the following command. You are responsible for storing these private keys securely. The key filenames are prefixed with the name of your Google Cloud project.

  ```shell
  ls $HYBRID_FILES/service-accounts
  ```

  The result should look something like the following:

  ```
  project_id-apigee-non-prod.json
  ```
- To learn more about create-service-account and all its options, see create-service-account.
- To learn about the related Google Cloud concepts, see Creating and managing service accounts and Creating and managing service account keys.
Create service accounts in the Google Cloud console or with gcloud
If you plan to use workload identity on GKE to authenticate hybrid runtime components, you do not need to create and download key files for the service accounts. Therefore, do not use the create-service-account tool. Instead, create the service accounts in the Google Cloud console or with the IAM API in gcloud. Otherwise, skip to Create service accounts using create-service-account.
Console
Follow the instructions in Create service accounts to create the following service accounts and assign the following roles to them:
Non-prod
For non-production installations:
| Service account name | IAM roles |
|---|---|
| apigee-non-prod | Storage Object Admin, Logs Writer, Apigee Connect Agent, Monitoring Metric Writer, Apigee Synchronizer Manager, Apigee Analytics Agent, Apigee Runtime Agent (the single account holds every role that the production accounts below receive individually) |
Production
For production installations:
| Service account name | IAM roles |
|---|---|
| apigee-cassandra | Storage Object Admin | 
| apigee-logger | Logs Writer | 
| apigee-mart | Apigee Connect Agent | 
| apigee-metrics | Monitoring Metric Writer | 
| apigee-runtime | No role required | 
| apigee-synchronizer | Apigee Synchronizer Manager | 
| apigee-udca | Apigee Analytics Agent | 
| apigee-watcher | Apigee Runtime Agent | 
gcloud
    Use the following commands to create the service accounts and assign the IAM roles.
Non-prod
For non-production installations:
- Create the apigee-non-prod service account:

  ```shell
  gcloud iam service-accounts create apigee-non-prod \
    --display-name="apigee-non-prod" \
    --project=$PROJECT_ID
  ```
- Assign the IAM roles to the service account:

  ```shell
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/storage.objectAdmin"
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/logging.logWriter"
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/apigeeconnect.Agent"
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/monitoring.metricWriter"
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/apigee.synchronizerManager"
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/apigee.analyticsAgent"
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/apigee.runtimeAgent"
  ```
- Verify the role bindings:

  ```shell
  gcloud projects get-iam-policy ${PROJECT_ID} \
    --flatten="bindings[].members" \
    --format='table(bindings.role)' \
    --filter="bindings.members:apigee-non-prod@$PROJECT_ID.iam.gserviceaccount.com"
  ```
Production
For production installations:
Use the following commands to create each service account and assign the corresponding IAM role.
- apigee-cassandra service account:

  ```shell
  gcloud iam service-accounts create apigee-cassandra \
    --display-name="apigee-cassandra" \
    --project=$PROJECT_ID
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-cassandra@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/storage.objectAdmin"
  ```
- apigee-logger service account:

  ```shell
  gcloud iam service-accounts create apigee-logger \
    --display-name="apigee-logger" \
    --project=$PROJECT_ID
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-logger@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/logging.logWriter"
  ```
- apigee-mart service account:

  ```shell
  gcloud iam service-accounts create apigee-mart \
    --display-name="apigee-mart" \
    --project=$PROJECT_ID
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-mart@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/apigeeconnect.Agent"
  ```
- apigee-metrics service account:

  ```shell
  gcloud iam service-accounts create apigee-metrics \
    --display-name="apigee-metrics" \
    --project=$PROJECT_ID
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-metrics@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/monitoring.metricWriter"
  ```
- apigee-runtime service account (no IAM role is required for this account):

  ```shell
  gcloud iam service-accounts create apigee-runtime \
    --display-name="apigee-runtime" \
    --project=$PROJECT_ID
  ```
- apigee-synchronizer service account:

  ```shell
  gcloud iam service-accounts create apigee-synchronizer \
    --display-name="apigee-synchronizer" \
    --project=$PROJECT_ID
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-synchronizer@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/apigee.synchronizerManager"
  ```
- apigee-udca service account:

  ```shell
  gcloud iam service-accounts create apigee-udca \
    --display-name="apigee-udca" \
    --project=$PROJECT_ID
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-udca@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/apigee.analyticsAgent"
  ```
- apigee-watcher service account:

  ```shell
  gcloud iam service-accounts create apigee-watcher \
    --display-name="apigee-watcher" \
    --project=$PROJECT_ID
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:apigee-watcher@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/apigee.runtimeAgent"
  ```
      To learn more about creating service accounts with gcloud, see 
      Create service accounts.
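As an added example (not part of the Apigee documentation or its tooling), the following Python script audits a project's IAM policy against the per-component roles in the tables above and reports accounts that are missing their role or hold roles the tables do not grant, which is the least-privilege check worth running after either procedure. It assumes the policy is the JSON produced by gcloud projects get-iam-policy PROJECT_ID --format=json; the embedded policy and the project ID my-project are constructed sample data, and replacing EXPECTED_PROD with a single apigee-non-prod entry holding all seven roles audits a non-prod installation instead.

```python
import json

PROJECT_ID = "my-project"  # constructed sample project ID (assumption); replace with yours
# Expected project-level role per production service account, from the tables above;
# apigee-runtime needs none, so any role it holds is excess privilege.
EXPECTED_PROD = {
    "apigee-cassandra": {"roles/storage.objectAdmin"},
    "apigee-logger": {"roles/logging.logWriter"},
    "apigee-mart": {"roles/apigeeconnect.Agent"},
    "apigee-metrics": {"roles/monitoring.metricWriter"},
    "apigee-runtime": set(),
    "apigee-synchronizer": {"roles/apigee.synchronizerManager"},
    "apigee-udca": {"roles/apigee.analyticsAgent"},
    "apigee-watcher": {"roles/apigee.runtimeAgent"},
}

def roles_by_account(policy, project_id):
    """Map each apigee-* service account in a project IAM policy to the roles it holds."""
    suffix = f"@{project_id}.iam.gserviceaccount.com"
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:apigee-") and member.endswith(suffix):
                name = member[len("serviceAccount:"):-len(suffix)]
                found.setdefault(name, set()).add(binding["role"])
    return found

def audit(policy, expected, project_id):
    """Return {account: {"missing": [...], "extra": [...]}} for every account that drifts."""
    granted = roles_by_account(policy, project_id)
    drift = {}
    for name, want in expected.items():
        have = granted.get(name, set())
        if have != want:
            drift[name] = {"missing": sorted(want - have), "extra": sorted(have - want)}
    for name in granted.keys() - expected.keys():  # apigee-* accounts the tables do not list
        drift[name] = {"missing": [], "extra": sorted(granted[name])}
    return drift

# Constructed sample policy in the shape of `gcloud projects get-iam-policy --format=json`:
# apigee-mart lacks its role and apigee-runtime has been granted roles/editor by mistake.
SAMPLE_POLICY = json.loads("""{"bindings": [
 {"role": "roles/storage.objectAdmin", "members": ["serviceAccount:apigee-cassandra@my-project.iam.gserviceaccount.com"]},
 {"role": "roles/logging.logWriter", "members": ["serviceAccount:apigee-logger@my-project.iam.gserviceaccount.com"]},
 {"role": "roles/monitoring.metricWriter", "members": ["serviceAccount:apigee-metrics@my-project.iam.gserviceaccount.com"]},
 {"role": "roles/apigee.synchronizerManager", "members": ["serviceAccount:apigee-synchronizer@my-project.iam.gserviceaccount.com"]},
 {"role": "roles/apigee.analyticsAgent", "members": ["serviceAccount:apigee-udca@my-project.iam.gserviceaccount.com"]},
 {"role": "roles/apigee.runtimeAgent", "members": ["serviceAccount:apigee-watcher@my-project.iam.gserviceaccount.com"]},
 {"role": "roles/editor", "members": ["user:admin@example.com", "serviceAccount:apigee-runtime@my-project.iam.gserviceaccount.com"]}
]}""")
print(audit(SAMPLE_POLICY, EXPECTED_PROD, PROJECT_ID))
```

Against a real project, replace SAMPLE_POLICY with json.load() of the gcloud output and treat any non-empty result as a finding to fix before proceeding to the next step.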
    
You now have created service accounts and assigned the roles needed by the Apigee hybrid components. Next, create the TLS certificates required by the hybrid ingress gateway.