Apigee hybrid provides validation that ensures the location of your service accounts' keys
are correct and that the accounts have the proper permissions in your Google Cloud project. This validation
is enabled by default.
This section describes how to enable or disable service account validation. In addition, this
step ensures that you have the proper APIs enabled for your Google Cloud project so that validation
works.
In your overrides file, add the validateServiceAccounts property and set it to
true. For example:
...
# Enables strict validation of service account permissions.
validateServiceAccounts: true
...
When validation is enabled, any time you apply configuration changes to the
Apigee hybrid runtime components to your cluster, the Helm chart validates the
service account keys that are included in your
overrides file.
Troubleshooting validation errors
If validation fails, the runtime deployment stops, and helm upgrade or
helm install exits. To troubleshoot service account failure, it's helpful to
know that validation checks permissions in this order:
Permission on the project ID.
(For UDCA and Synchronizer only) If the permission check on the project fails, validation
proceeds to check permission against the Apigee environment's
IAM policy. These SAs are
environment scoped and environments support finer-grained permissions.
To update the IAM policy for a specific environment, go to the hybrid UI. Go to
Admin > Environments > Access
For example, the following is an error message for a failed permission check:
To disable service account permission validation, set the validationServiceAccounts
property in your overrides file to false, as the following example shows:
...
# Enables strict validation of service account permissions.
validateServiceAccounts: false
...
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eApigee hybrid performs validation on service account keys and permissions in your Google Cloud project, which is enabled by default.\u003c/p\u003e\n"],["\u003cp\u003eYou can enable service account permission validation by ensuring the Cloud Resource Manager API is enabled in your Google Cloud project and setting \u003ccode\u003evalidateServiceAccounts\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e in your overrides file.\u003c/p\u003e\n"],["\u003cp\u003eValidation failures will halt runtime deployment, and troubleshooting can be done by verifying permissions at the project ID level or, for certain components, at the Apigee environment's IAM policy level.\u003c/p\u003e\n"],["\u003cp\u003eService account JSON key format validation is always performed and cannot be disabled, while overall service account permission validation can be turned off by setting \u003ccode\u003evalidateServiceAccounts\u003c/code\u003e to \u003ccode\u003efalse\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eReusing a deleted service account name may cause unexpected issues, so always recreate it with a new name.\u003c/p\u003e\n"]]],[],null,["# Service account validation\n\n| You are currently viewing version 1.14 of the Apigee hybrid documentation. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nApigee hybrid provides validation that ensures the location of your service accounts' keys\nare correct and that the accounts have the proper permissions in your Google Cloud project. This validation\nis enabled by default.\n\nThis section describes how to enable or disable service account validation. In addition, this\nstep ensures that you have the proper APIs enabled for your Google Cloud project so that validation\nworks.\n\nEnable service account permission validation\n--------------------------------------------\n\n**To enable permission validation:**\n\n1. Be sure the [Cloud Resource Manager API](https://cloud.google.com/resource-manager/reference/rest/) is enabled for your Google Cloud project:\n 1. Open the [Google Cloud console](https://console.cloud.google.com) and log in with the account you created in [Step 1: Create a Google Cloud account](/apigee/docs/hybrid/v1.14/precog-gcpaccount).\n 2. Select the project that you created in [Step 2: Create a Google Cloud project](/apigee/docs/hybrid/v1.14/precog-gcpproject).\n 3. Select **APIs \\& Services \\\u003e Library**.\n 4. Search for \"Cloud Resource Manager\".\n 5. Locate the **Cloud Resource Manager API** service and click on it.\n 6. If it is not enabled, click **Enable**.\n\n You can also enable the API using gcloud: \n\n ```\n gcloud services enable cloudresourcemanager.googleapis.com --project GCP_PROJECT_ID\n ```\n2. In your overrides file, add the `validateServiceAccounts` property and set it to `true`. For example: \n\n ```text\n ...\n # Enables strict validation of service account permissions.\n validateServiceAccounts: true\n ...\n ```\n\nWhen validation is enabled, any time you apply configuration changes to the\nApigee hybrid runtime components to your cluster, the Helm chart validates the\n[service account](/apigee/docs/hybrid/v1.14/precog-serviceaccounts) keys that are included in your\noverrides file.\n| **NOTE:** Service account JSON key format validation is always performed. You do not have to take any steps to enable this validation and you cannot disable it.\n\nTroubleshooting validation errors\n---------------------------------\n\n| **Deleting and recreating service accounts:** Note that reusing the name of a deleted service account may result in unexpected behavior. If you create a service account and delete it, always recreate it with a different name than the original SA. For details, see [Deleting and recreating service accounts](https://cloud.google.com/iam/docs/service-account-overview#deleting-recreating).\n\nIf validation fails, the runtime deployment stops, and `helm upgrade` or\n`helm install` exits. To troubleshoot service account failure, it's helpful to\nknow that validation checks permissions in this order:\n\n1. Permission on the project ID.\n2. (For UDCA and Synchronizer only) If the permission check on the project fails, validation proceeds to check permission against the Apigee environment's [IAM policy](/apigee/docs/reference/apis/apigee/rest/v1/organizations.environments/setIamPolicy). These SAs are environment scoped and environments support finer-grained permissions.\n\n\n To update the IAM policy for a specific environment, go to the hybrid UI. Go to\n **Admin \\\u003e Environments \\\u003e Access**\n\n\nFor example, the following is an error message for a failed permission check: \n\n```transact-sql\nInvalid Metrics Service Account. Service Account\n\"apigee-metrics@hybrid-project.iam.gserviceaccount.com\" is missing 1 or more required\npermissions [monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list\nmonitoring.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.list monitoring.timeSeries.create].\nVisit Service accounts and roles used by\nhybrid components for more details on setting up Apigee hybrid service account permissions.\n```\n\n\nTo address this error, add the required roles to the service account. For\ninformation on creating and modifying service accounts, see [Create the service accounts](/apigee/docs/hybrid/v1.14/sa-about#create-the-service-accounts). To check the required permissions for each Apigee hybrid component, see\n[Service accounts and roles used by hybrid components](/apigee/docs/hybrid/v1.14/sa-about#recommended-sas).\n\nDisable permission validation\n-----------------------------\n\nTo disable service account permission validation, set the `validationServiceAccounts`\nproperty in your overrides file to `false`, as the following example shows: \n\n```text\n...\n# Enables strict validation of service account permissions.\nvalidateServiceAccounts: false\n...\n```"]]
