Get an authorization token
To make the Apigee API calls described later in this topic, you need to get an authorization token that has the Apigee Organization Admin role.
- If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid
organization, be sure that your Google Cloud user account has the roles/apigee.admin (Apigee
Organization Admin) role. You can check the roles assigned to you with this command:
gcloud projects get-iam-policy ${PROJECT_ID} \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:your_account_email"For example:
gcloud projects get-iam-policy my-project \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:myusername@example.com"
The output should include
roles/apigee.admin. - If you do not have
roles/apigee.admin, add the Apigee Organization Admin role to your user account. Use the following command to add the role to your user account:gcloud projects add-iam-policy-binding ${PROJECT_ID} \ --member user:your_account_email \ --role roles/apigee.adminFor example:
gcloud projects add-iam-policy-binding my-project \ --member user:myusername@example.com \ --role roles/apigee.admin
-
On the command line, get your
gcloudauthentication credentials using the following command:Linux / MacOS
export TOKEN=$(gcloud auth print-access-token)
To check that your token was populated, use
echo, as the following example shows:echo $TOKEN
This should display your token as an encoded string.
Windows
for /f "tokens=*" %a in ('gcloud auth print-access-token') do set TOKEN=%aTo check that your token was populated, use
echo, as the following example shows:echo %TOKEN%
This should display your token as an encoded string.
Enable synchronizer access
To enable synchronizer access:
- Get the email address for the service account to which you are granting synchronizer access.
For non-production environments (as suggested in this tutorial) it should be
apigee-non-prod. For production environments, it should beapigee-synchronizer. Use the following command:gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee-synchronizer" - Call the
setSyncAuthorization
API to enable the required permissions for Synchronizer using the following command:
No data residency
curl -X POST -H "Authorization: Bearer ${TOKEN}" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:setSyncAuthorization" \ -d "{\"identities\":[\"serviceAccount:apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com\"]}"Where:
${ORG_NAME}: The name of your hybrid organization.apigee-synchronizer${ORG_NAME}.iam.gserviceaccount.com: The email address of the service account.
Data residency
curl -X POST -H "Authorization: Bearer ${TOKEN}" \ -H "Content-Type:application/json" \ "https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/${ORG_NAME}:setSyncAuthorization" \ -d "{\"identities\":[\"serviceAccount:apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com\"]}"Where:
CONTROL_PLANE_LOCATION: The location for your control plane data if your hybrid installation uses data residency. This is location where customer core content like proxy bundles are stored. For a list see Available Apigee API control plane regions.${ORG_NAME}: The name of your hybrid organization.apigee-synchronizer${ORG_NAME}.iam.gserviceaccount.com: The email address of the service account.
- To verify that the service account was set, use the following command to call the API to get
a list of service accounts:
No data residency
curl -X GET -H "Authorization: Bearer $TOKEN" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:getSyncAuthorization"Data residency
curl -X GET -H "Authorization: Bearer $TOKEN" \ -H "Content-Type:application/json" \ "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/${ORG_NAME}:getSyncAuthorization"The output looks similar to the following:
{ "identities":[ "serviceAccount:apigee-synchronizer@my_project_id.iam.gserviceaccount.com" ], "etag":"BwWJgyS8I4w=" }
You have now enabled your Apigee hybrid runtime and management planes to communicate. Next, install cert-manager to enable Apigee hybrid to interpret and manage certificates.