A Apigee híbrida fornece validação que garante que o local das chaves das contas de serviço estejam corretas e que as contas tenham as permissões apropriadas no projeto do Google Cloud. Essa validação é
ativada por padrão.
Esta seção descreve como ativar ou desativar a validação da conta de serviço. Além disso, esta etapa garante que as APIs apropriadas estejam ativadas no projeto do Google Cloud para que a validação funcione.
Ativar a validação de permissão da conta de serviço
No arquivo de modificações, adicione a propriedade validateServiceAccounts e defina-a como
true. Exemplo:
...
# Enables strict validation of service account permissions.
validateServiceAccounts: true
...
Quando a validação está ativada, sempre que você aplica alterações de configuração aos componentes do ambiente de execução da Apigee híbrida no cluster, o gráfico Helm ou valida as chaves da conta de serviço contidas no arquivo de substituições.
Como solucionar erros de validação
Se a validação falhar, a implantação do ambiente de execução será interrompida e helm upgrade ou helm install sairá. Para resolver problemas de falha na conta de serviço, saiba que a validação verifica as permissões nesta ordem:
Permissão para o código do projeto.
(Somente para UDCA e Synchronizer) Se a verificação de permissão no projeto falhar, a validação
continuará a verificar a permissão na política de IAM do
ambiente da Apigee. Essas SAs têm
escopo de ambiente e ambientes compatíveis com permissões mais refinadas.
Para atualizar a política do IAM de um ambiente específico, acesse a IU híbrida. Acesse
Administrador > Ambientes > Acesso
Por exemplo, esta é uma mensagem de erro para uma verificação de permissão com falha:
Para desativar a validação de permissão da conta de serviço, defina a propriedade validationServiceAccounts
no arquivo de modificações como false, conforme mostrado no exemplo a seguir:
...
# Enables strict validation of service account permissions.
validateServiceAccounts: false
...
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-08-21 UTC."],[],[],null,["# Service account validation\n\nApigee hybrid provides validation that ensures the location of your service accounts' keys\nare correct and that the accounts have the proper permissions in your Google Cloud project. This validation\nis enabled by default.\n\nThis section describes how to enable or disable service account validation. In addition, this\nstep ensures that you have the proper APIs enabled for your Google Cloud project so that validation\nworks.\n\nEnable service account permission validation\n--------------------------------------------\n\n**To enable permission validation:**\n\n1. Be sure the [Cloud Resource Manager API](https://cloud.google.com/resource-manager/reference/rest/) is enabled for your Google Cloud project:\n 1. Open the [Google Cloud console](https://console.cloud.google.com) and log in with the account you created in [Step 1: Create a Google Cloud account](/apigee/docs/hybrid/v1.15/precog-gcpaccount).\n 2. Select the project that you created in [Step 2: Create a Google Cloud project](/apigee/docs/hybrid/v1.15/precog-gcpproject).\n 3. Select **APIs \\& Services \\\u003e Library**.\n 4. Search for \"Cloud Resource Manager\".\n 5. Locate the **Cloud Resource Manager API** service and click on it.\n 6. If it is not enabled, click **Enable**.\n\n You can also enable the API using gcloud: \n\n ```\n gcloud services enable cloudresourcemanager.googleapis.com --project GCP_PROJECT_ID\n ```\n2. In your overrides file, add the `validateServiceAccounts` property and set it to `true`. For example: \n\n ```text\n ...\n # Enables strict validation of service account permissions.\n validateServiceAccounts: true\n ...\n ```\n\nWhen validation is enabled, any time you apply configuration changes to the\nApigee hybrid runtime components to your cluster, the Helm chart validates the\n[service account](/apigee/docs/hybrid/v1.15/precog-serviceaccounts) keys that are included in your\noverrides file.\n| **NOTE:** Service account JSON key format validation is always performed. You do not have to take any steps to enable this validation and you cannot disable it.\n\nTroubleshooting validation errors\n---------------------------------\n\n| **Deleting and recreating service accounts:** Note that reusing the name of a deleted service account may result in unexpected behavior. If you create a service account and delete it, always recreate it with a different name than the original SA. For details, see [Deleting and recreating service accounts](https://cloud.google.com/iam/docs/service-account-overview#deleting-recreating).\n\nIf validation fails, the runtime deployment stops, and `helm upgrade` or\n`helm install` exits. To troubleshoot service account failure, it's helpful to\nknow that validation checks permissions in this order:\n\n1. Permission on the project ID.\n2. (For UDCA and Synchronizer only) If the permission check on the project fails, validation proceeds to check permission against the Apigee environment's [IAM policy](/apigee/docs/reference/apis/apigee/rest/v1/organizations.environments/setIamPolicy). These SAs are environment scoped and environments support finer-grained permissions.\n\n\n To update the IAM policy for a specific environment, go to the hybrid UI. Go to\n **Admin \\\u003e Environments \\\u003e Access**\n\n\nFor example, the following is an error message for a failed permission check: \n\n```transact-sql\nInvalid Metrics Service Account. Service Account\n\"apigee-metrics@hybrid-project.iam.gserviceaccount.com\" is missing 1 or more required\npermissions [monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list\nmonitoring.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.list monitoring.timeSeries.create].\nVisit Service accounts and roles used by\nhybrid components for more details on setting up Apigee hybrid service account permissions.\n```\n\n\nTo address this error, add the required roles to the service account. For\ninformation on creating and modifying service accounts, see [Create the service accounts](/apigee/docs/hybrid/v1.15/sa-about#create-the-service-accounts). To check the required permissions for each Apigee hybrid component, see\n[Service accounts and roles used by hybrid components](/apigee/docs/hybrid/v1.15/sa-about#recommended-sas).\n\nDisable permission validation\n-----------------------------\n\nTo disable service account permission validation, set the `validationServiceAccounts`\nproperty in your overrides file to `false`, as the following example shows: \n\n```text\n...\n# Enables strict validation of service account permissions.\nvalidateServiceAccounts: false\n...\n```"]]
