Apigee hybrid provides validation that ensures the location of your service accounts' keys
are correct and that the accounts have the proper permissions in your GCP project. This validation
is enabled by default.
This section describes how to enable or disable service account validation. In addition, this
step ensures that you have the proper APIs enabled for your GCP project so that validation
works.
In your overrides file, add the validateServiceAccounts property and set it to
true. For example:
...
# Enables strict validation of service account permissions.
validateServiceAccounts: true
...
When validation is enabled, any time apigeectl applies the
Apigee hybrid runtime components to your cluster, it validates the
service account keys that are included in your overrides
file.
Troubleshooting validation errors
If validation fails, the runtime deployment stops and apigeectl exits.
To troubleshoot service account failure, it's helpful to know that validation checks
permissions in this order:
Permission on the project ID.
(For UDCA and Synchronizer only) If the permission check on the project fails, validation
proceeds to check permission against the Apigee environment's
IAM policy. These SAs are
environment scoped and environments support finer-grained permissions.
To update the IAM policy for a specific environment, go to the hybrid UI. Go to
Admin > Environments > Access
For example, the following is an error message for a failed permission check:
Invalid Metrics Service Account. Service Account
"apigee-metrics@hybrid-project.iam.gserviceaccount.com" is missing 1 or more required
permissions [monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.list monitoring.timeSeries.create].
Visit Service accounts and roles used by
hybrid components for more details on setting up Apigee hybrid service account permissions.
To disable service account permission validation, set the validationServiceAccounts
property in your overrides file to false, as the following example shows:
...
# Enables strict validation of service account permissions.
validateServiceAccounts: false
...
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eApigee hybrid documentation version 1.1 is end-of-life, and users should upgrade to a newer version.\u003c/p\u003e\n"],["\u003cp\u003eService account permission validation is enabled by default in Apigee hybrid to ensure keys are correct and accounts have proper GCP project permissions.\u003c/p\u003e\n"],["\u003cp\u003eTo enable validation, ensure the Cloud Resource Manager API is enabled in your GCP project and set \u003ccode\u003evalidateServiceAccounts: true\u003c/code\u003e in your overrides file.\u003c/p\u003e\n"],["\u003cp\u003eService account JSON key format validation is always performed and cannot be disabled.\u003c/p\u003e\n"],["\u003cp\u003eService account permission validation can be disabled by setting the \u003ccode\u003evalidateServiceAccounts\u003c/code\u003e property to \u003ccode\u003efalse\u003c/code\u003e in the overrides file.\u003c/p\u003e\n"]]],[],null,["# Service account validation\n\n| You are currently viewing version 1.1 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nApigee hybrid provides validation that ensures the location of your service accounts' keys\nare correct and that the accounts have the proper permissions in your GCP project. This validation\nis enabled by default.\n\nThis section describes how to enable or disable service account validation. In addition, this\nstep ensures that you have the proper APIs enabled for your GCP project so that validation\nworks.\n\nEnable service account permission validation\n--------------------------------------------\n\n**To enable permission validation:**\n\n1. Be sure the [Cloud Resource Manager API](https://cloud.google.com/resource-manager/reference/rest/) is enabled for your GCP project:\n 1. Open the [Google Cloud console](https://console.cloud.google.com) and log in with the account you created in [Step 1: Create a Google Cloud account](/apigee/docs/hybrid/v1.1/precog-gcpaccount).\n 2. Select the project that you created in [Step 2: Create a Google Cloud project](/apigee/docs/hybrid/v1.1/precog-gcpproject).\n 3. Select **APIs \\& Services \\\u003e Library**.\n 4. Search for \"Cloud Resource Manager\".\n 5. Locate the **Cloud Resource Manager API** service and click on it.\n 6. If it is not enabled, click **Enable**.\n\n You can also enable the API using gcloud: \n\n ```\n gcloud services enable cloudresourcemanager.googleapis.com --project GCP_project_ID\n ```\n2. In your overrides file, add the `validateServiceAccounts` property and set it to `true`. For example: \n\n ```text\n ...\n # Enables strict validation of service account permissions.\n validateServiceAccounts: true\n ...\n ```\n\nWhen validation is enabled, any time [apigeectl](/apigee/docs/hybrid/v1.1/cli-reference) applies the\nApigee hybrid runtime components to your cluster, it validates the\n[service account](/apigee/docs/hybrid/v1.1/precog-serviceaccounts) keys that are included in your overrides\nfile.\n| **NOTE:** Service account JSON key format validation is always performed. You do not have to take any steps to enable this validation and you cannot disable it.\n\nTroubleshooting validation errors\n---------------------------------\n\n| **Deleting and recreating service accounts:** Note that reusing the name of a deleted service account may result in unexpected behavior. If you create a service account and delete it, always recreate it with a different name than the original SA. For details, see [Deleting and recreating service accounts](https://cloud.google.com/iam/docs/service-account-overview#deleting-recreating).\n\nIf validation fails, the runtime deployment stops and `apigeectl` exits.\nTo troubleshoot service account failure, it's helpful to know that validation checks\npermissions in this order:\n\n1. Permission on the project ID.\n2. (For UDCA and Synchronizer only) If the permission check on the project fails, validation proceeds to check permission against the Apigee environment's [IAM policy](/apigee/docs/reference/apis/apigee/rest/v1/organizations.environments/setIamPolicy). These SAs are environment scoped and environments support finer-grained permissions.\n\n\n To update the IAM policy for a specific environment, go to the hybrid UI. Go to\n **Admin \\\u003e Environments \\\u003e Access**\n\n\nFor example, the following is an error message for a failed permission check: \n\n```\nInvalid Metrics Service Account. Service Account\n\"apigee-metrics@hybrid-project.iam.gserviceaccount.com\" is missing 1 or more required\npermissions [monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list\nmonitoring.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.list monitoring.timeSeries.create].\nVisit Service accounts and roles used by\nhybrid components for more details on setting up Apigee hybrid service account permissions.\n```\n\n\nTo address this error, add the required roles to the service account. For\ninformation on creating and modifying service accounts, see [Create the service accounts](/apigee/docs/hybrid/v1.1/sa-about#create-the-service-accounts). To check the required permissions for each Apigee hybrid component, see\n[Service accounts and roles used by hybrid components](/apigee/docs/hybrid/v1.1/sa-about#recommended-sas).\n\nDisable permission validation\n-----------------------------\n\nTo disable service account permission validation, set the `validationServiceAccounts`\nproperty in your overrides file to `false`, as the following example shows: \n\n```text\n...\n# Enables strict validation of service account permissions.\nvalidateServiceAccounts: false\n...\n```"]]
