# Permissions and roles for installing Apigee hybrid

| You are currently viewing version 1.13 of the Apigee hybrid documentation. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).

The procedures to install and manage Apigee hybrid require the following permissions and roles. Individual tasks can be performed by different members of your organization who have the required permissions and roles.

Cluster permissions
-------------------

Each supported platform has its own permission requirements for creating a cluster. As cluster owner, you can proceed to install the Apigee-specific components (including cert-manager and the Apigee runtime) into the cluster. However, if you want to delegate the installation of the runtime components into the cluster to another user, you can manage the necessary permissions through Kubernetes [authn-authz](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).

To install the hybrid runtime components into the cluster, a non-cluster-owner user should have CRUD permission on these resources:

- [ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole)
- [ClusterRoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding)
- Webhooks ([ValidatingWebhookConfiguration](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/) and [MutatingWebhookConfiguration](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1/))
- [PriorityClass](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/priority-class-v1/)
- [ClusterIssuer](https://cert-manager.io/docs/concepts/issuer/)
- [CustomResourceDefinitions](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)
- [StorageClass](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/storage-class-v1/) (Optional; only needed if the default StorageClass is not used. For information on changing the default and creating a custom storage class, see [StorageClass configuration](./cassandra-config).)
IAM Roles
---------

You need to have the following IAM roles assigned to your user account in order to perform these steps. If your account does not have these roles, have a user with the roles perform the steps. For more information on IAM roles, see [IAM basic and predefined roles reference](/iam/docs/understanding-roles).

To create service accounts and grant them access to your project:

- [Create Service Accounts](/iam/docs/understanding-roles#iam.serviceAccountCreator) (`roles/iam.serviceAccountCreator`)
- [Project IAM Admin](/iam/docs/understanding-roles#resourcemanager.projectIamAdmin) (`roles/resourcemanager.projectIamAdmin`)

To grant synchronizer access to your project:

- [Apigee Organization Admin](/iam/docs/understanding-roles#apigee.admin) (`roles/apigee.admin`)

To configure workload identity for installations on GKE (optional):

- [Kubernetes Engine Admin](/iam/docs/understanding-roles#container.admin) (`roles/container.admin`)
- [Service Account Admin](/iam/docs/understanding-roles#iam.serviceAccountAdmin) (`roles/iam.serviceAccountAdmin`)

Last updated 2025-08-26 UTC.