To make the Apigee API calls described later in this topic, you need to get an authorization
token that has the Apigee Organization Admin role.
If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid
organization, be sure that your Google Cloud user account has the roles/apigee.admin (Apigee
Organization Admin) role. You can check the roles assigned to you with this command:
If you do not have roles/apigee.admin in your roles, add the Apigee
Organization Admin role to your user account. Use the following command to add the
role to your user account:
Get the email address for the service account to which you are granting synchronizer access.
For non production environments (as suggested in this tutorial) it should be
apigee-non-prod. For production environments, it should be
apigee-synchronizer. Use the following command:
${ORG_NAME}: The name of your hybrid organization.
apigee-non-prod${ORG_NAME}.iam.gserviceaccount.com or apigee-synchronizer${ORG_NAME}.iam.gserviceaccount.com: The email
address of the service account.
To verify that the service account was set, use the following command to call the API to get
a list of service accounts:
You have now made it possible for your Apigee hybrid runtime and management planes to
communicate. Next, let's apply your configuration to the hybrid runtime and complete your
installation of Apigee hybrid.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis documentation is for Apigee hybrid version 1.6, which is end-of-life, and users should upgrade to a newer version.\u003c/p\u003e\n"],["\u003cp\u003eTo make Apigee API calls, you must first obtain an authorization token with the Apigee Organization Admin role.\u003c/p\u003e\n"],["\u003cp\u003eYou can verify your assigned roles and add the necessary "Apigee Organization Admin" role using the provided \u003ccode\u003egcloud\u003c/code\u003e commands.\u003c/p\u003e\n"],["\u003cp\u003eEnabling synchronizer access involves getting the appropriate service account email address (\u003ccode\u003eapigee-non-prod\u003c/code\u003e for non-production, \u003ccode\u003eapigee-synchronizer\u003c/code\u003e for production) and calling the \u003ccode\u003esetSyncAuthorization\u003c/code\u003e API.\u003c/p\u003e\n"],["\u003cp\u003eYou can confirm that synchronizer access is correctly configured by using the provided \u003ccode\u003egetSyncAuthorization\u003c/code\u003e API command, which will output a list of service accounts.\u003c/p\u003e\n"]]],[],null,["# Step 8: Enable Synchronizer access\n\n| You are currently viewing version 1.6 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nGet an authorization token\n--------------------------\n\n\nTo make the Apigee API calls described later in this topic, you need to get an authorization\ntoken that has the Apigee Organization Admin role.\n\n1. If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid organization, be sure that your Google Cloud user account has the **roles/apigee.admin** (Apigee Organization Admin) role. You can check the roles assigned to you with this command: \n\n ```\n gcloud projects get-iam-policy ${PROJECT_ID} \\\n --flatten=\"bindings[].members\" \\\n --format='table(bindings.role)' \\\n --filter=\"bindings.members:your_account_email\"\n ```\n\n\n For example: \n\n ```transact-sql\n gcloud projects get-iam-policy my-project \\\n --flatten=\"bindings[].members\" \\\n --format='table(bindings.role)' \\\n --filter=\"bindings.members:myusername@example.com\"\n ```\n\n\n The output should look something like: \n\n ```text\n ROLE\n roles/apigee.admin\n roles/compute.admin\n roles/container.admin\n roles/gkehub.admin\n roles/iam.serviceAccountAdmin\n roles/iam.serviceAccountKeyAdmin\n roles/meshconfig.admin\n roles/owner\n roles/resourcemanager.projectIamAdmin\n roles/servicemanagement.admin\n roles/serviceusage.serviceUsageAdmin\n ```\n2. If you do not have `roles/apigee.admin` in your roles, add the **Apigee\n Organization Admin** role to your user account. Use the following command to add the role to your user account: \n\n ```\n gcloud projects add-iam-policy-binding ${PROJECT_ID} \\\n --member user:your_account_email \\\n --role roles/apigee.admin\n ```\n\n\n For example: \n\n ```\n gcloud projects add-iam-policy-binding my-project \\\n --member user:myusername@example.com \\\n --role roles/apigee.admin\n ```\n3. On the command line, get your `gcloud` authentication\n credentials using the following command:\n\n ### Linux / MacOS\n\n ```\n TOKEN=$(gcloud auth print-access-token)\n ```\n\n To check that your token was populated, use `echo`, as the\n following example shows: \n\n ```\n echo $TOKEN\n ```\n\n This should display your token as an encoded string.\n\n ### Windows\n\n ```\n for /f \"tokens=*\" %a in ('gcloud auth print-access-token') do set TOKEN=%a\n ```\n\n To check that your token was populated, use `echo`, as the\n following example shows: \n\n ```\n echo %TOKEN%\n ```\n\n This should display your token as an encoded string.\n\nEnable synchronizer access\n--------------------------\n\n\nTo enable synchronizer access:\n\n1. Get the email address for the service account to which you are granting synchronizer access. For non production environments (as suggested in this tutorial) it should be `apigee-non-prod`. For production environments, it should be `apigee-synchronizer`. Use the following command:\n\n ### Non-prod\n\n ```\n gcloud iam service-accounts list --filter \"apigee-non-prod\"\n ```\n\n ### Prod\n\n ```\n gcloud iam service-accounts list --filter \"apigee-synchronizer\"\n ```\n\n\n If it matches the pattern `apigee-non-prod`**@${ORG_NAME}**`.iam.gserviceaccount.com`, you\n can use that pattern in the next step.\n2. Call the [setSyncAuthorization](/apigee/docs/reference/apis/apigee/rest/v1/organizations/setSyncAuthorization) API to enable the required permissions for Synchronizer using the following command:\n\n ### Non-prod\n\n ```\n curl -X POST -H \"Authorization: Bearer ${TOKEN}\" \\\n -H \"Content-Type:application/json\" \\\n \"https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:setSyncAuthorization\" \\\n -d '{\"identities\":[\"'\"serviceAccount:apigee-non-prod@${ORG_NAME}.iam.gserviceaccount.com\"'\"]}'\n ```\n\n ### Prod\n\n ```\n curl -X POST -H \"Authorization: Bearer ${TOKEN}\" \\\n -H \"Content-Type:application/json\" \\\n \"https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:setSyncAuthorization\" \\\n -d '{\"identities\":[\"'\"serviceAccount:apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com\"'\"]}'\n ```\n\n\n Where:\n - **`${ORG_NAME}`**: The name of your hybrid organization.\n - **`apigee-non-prod${ORG_NAME}.iam.gserviceaccount.com`** or \n **`apigee-synchronizer${ORG_NAME}.iam.gserviceaccount.com`**: The email address of the service account.\n\n | **Tip:** Some shells may return an error like `bad substitution`. In this case, replace \u003cvar translate=\"no\"\u003e$ORG_NAME\u003c/var\u003e with the name of your organization and replace the `\"'\"` with `\"` as follows:\n |\n | ### Non-prod\n |\n | ```\n | curl -X POST -H \"Authorization: Bearer $TOKEN\" \\\n | -H \"Content-Type:application/json\" \\\n | \"https://apigee.googleapis.com/v1/organizations/YOUR_ORG_NAME:setSyncAuthorization\" \\\n | -d '{\"identities\":[\"serviceAccount:apigee-non-prod@YOUR_ORG_NAME.iam.gserviceaccount.com\"]}'\n | ```\n |\n | ### Prod\n |\n | ```\n | curl -X POST -H \"Authorization: Bearer $TOKEN\" \\\n | -H \"Content-Type:application/json\" \\\n | \"https://apigee.googleapis.com/v1/organizations/YOUR_ORG_NAME:setSyncAuthorization\" \\\n | -d '{\"identities\":[\"serviceAccount:apigee-synchronizer@YOUR_ORG_NAME.iam.gserviceaccount.com\"]}'\n | ```\n3. To verify that the service account was set, use the following command to call the API to get a list of service accounts: \n\n ```\n curl -X GET -H \"Authorization: Bearer $TOKEN\" \\\n -H \"Content-Type:application/json\" \\\n \"https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:getSyncAuthorization\"\n ```\n\n\n The output looks similar to the following:\n\n ### Non-prod\n\n ```transact-sql\n {\n \"identities\":[\n \"serviceAccount:apigee-non-prod@\u003cvar translate=\"no\"\u003emy_project_id\u003c/var\u003e.iam.gserviceaccount.com\"\n ],\n \"etag\":\"BwWJgyS8I4w=\"\n }\n ```\n\n ### Prod\n\n ```transact-sql\n {\n \"identities\":[\n \"serviceAccount:apigee-synchronizer@\u003cvar translate=\"no\"\u003emy_project_id\u003c/var\u003e.iam.gserviceaccount.com\"\n ],\n \"etag\":\"BwWJgyS8I4w=\"\n }\n ```\n\nYou have now made it possible for your Apigee hybrid runtime and management planes to\ncommunicate. Next, let's apply your configuration to the hybrid runtime and complete your\ninstallation of Apigee hybrid.\n[1](/apigee/docs/hybrid/v1.6/install-create-cluster) [2](/apigee/docs/hybrid/v1.6/install-cert-manager) [3](/apigee/docs/hybrid/v1.6/install-asm) [4](/apigee/docs/hybrid/v1.6/install-apigeectl) [5](/apigee/docs/hybrid/v1.6/install-service-accounts) [6](/apigee/docs/hybrid/v1.6/install-create-tls-certificates) [7](/apigee/docs/hybrid/v1.6/install-configure-cluster) [8](/apigee/docs/hybrid/v1.6/install-enable-synchronizer-access) [(NEXT) Step 9: Install the hybrid runtime](/apigee/docs/hybrid/v1.6/install-hybrid-runtime)\n\n\u003cbr /\u003e"]]