Step 7: Enable Synchronizer access

Get an authorization token

To make the Apigee API calls described later in this topic, you need to get an authorization token that has the Apigee Organization Admin role.

If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid organization, be sure that your Google Cloud user account has the roles/apigee.admin (Apigee Organization Admin) role. You can check the roles assigned to you with this command:

gcloud projects get-iam-policy ${PROJECT_ID}  \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:your_account_email"

For example:

gcloud projects get-iam-policy my-project  \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:myusername@example.com"

The output should look something like:

ROLE
roles/apigee.admin
roles/compute.admin
roles/container.admin
roles/gkehub.admin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountKeyAdmin
roles/meshconfig.admin
roles/owner
roles/resourcemanager.projectIamAdmin
roles/servicemanagement.admin
roles/serviceusage.serviceUsageAdmin

If you do not have roles/apigee.admin in your roles, add the Apigee Organization Admin role to your user account. Use the following command to add the role to your user account:

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member user:your_account_email \
  --role roles/apigee.admin

For example:

gcloud projects add-iam-policy-binding my-project \
  --member user:myusername@example.com \
  --role roles/apigee.admin

On the command line, get your gcloud authentication credentials using the following command:
Linux / MacOS
```
export TOKEN=$(gcloud auth print-access-token)
```
To check that your token was populated, use echo, as the following example shows:
```
echo $TOKEN
```
This should display your token as an encoded string.
Windows
```
for /f "tokens=*" %a in ('gcloud auth print-access-token') do set TOKEN=%a
```
To check that your token was populated, use echo, as the following example shows:
```
echo %TOKEN%
```
This should display your token as an encoded string.

Enable synchronizer access

To enable synchronizer access:

Get the email address for the service account to which you are granting synchronizer access. For non-production environments (as suggested in this tutorial) it should be apigee-non-prod. For production environments, it should be apigee-synchronizer. Use the following command:
Non-prod
```
gcloud iam service-accounts list --filter "apigee-non-prod"
```
If it matches the pattern apigee-non-prod@${ORG_NAME}.iam.gserviceaccount.com, you can use that pattern in the next step.
Prod
```
gcloud iam service-accounts list --filter "apigee-synchronizer"
```
If it matches the pattern apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com, you can use that pattern in the next step.

Call the setSyncAuthorization API to enable the required permissions for Synchronizer using the following command:

Non-prod

curl -X POST -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:setSyncAuthorization" \
   -d '{"identities":["'"serviceAccount:apigee-non-prod@${ORG_NAME}.iam.gserviceaccount.com"'"]}'

Prod

curl -X POST -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:setSyncAuthorization" \
   -d '{"identities":["'"serviceAccount:apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com"'"]}'

Where:

${ORG_NAME}: The name of your hybrid organization.
apigee-non-prod${ORG_NAME}.iam.gserviceaccount.com or
apigee-synchronizer${ORG_NAME}.iam.gserviceaccount.com: The email address of the service account.

Tip: Some shells may return an error like bad substitution. In this case, replace $ORG_NAME with the name of your organization and replace the "'" with " as follows:

Non-prod

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/YOUR_ORG_NAME:setSyncAuthorization" \
   -d '{"identities":["serviceAccount:apigee-non-prod@YOUR_ORG_NAME.iam.gserviceaccount.com"]}'

Prod

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/YOUR_ORG_NAME:setSyncAuthorization" \
   -d '{"identities":["serviceAccount:apigee-synchronizer@YOUR_ORG_NAME.iam.gserviceaccount.com"]}'

To verify that the service account was set, use the following command to call the API to get a list of service accounts:
```
curl -X GET -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:getSyncAuthorization"
```
The output looks similar to the following:
Non-prod
```
{
   "identities":[
      "serviceAccount:apigee-non-prod@my_project_id.iam.gserviceaccount.com"
   ],
   "etag":"BwWJgyS8I4w="
}
```
Prod
```
{
   "identities":[
      "serviceAccount:apigee-synchronizer@my_project_id.iam.gserviceaccount.com"
   ],
   "etag":"BwWJgyS8I4w="
}
```
Note: The call to the Apigee API uses ${ORG_NAME}, and the results from the IAM service account mappings use my_project_id. In most cases, the values are the same. One uncommon exception is when using a multi-org cluster, where there would be more than one org name, and the service accounts could be different per org.

You have now made it possible for your Apigee hybrid runtime and management planes to communicate. Next, let's apply your configuration to the hybrid runtime and complete your installation of Apigee hybrid.

1 2 3 4 5 6 7 (NEXT) Step 8: Install the hybrid runtime 9 10

Step 7: Enable Synchronizer access Stay organized with collections Save and categorize content based on your preferences.

Get an authorization token

Linux / MacOS

Windows

Enable synchronizer access

Non-prod

Prod

Non-prod

Prod

Non-prod

Prod

Step 7: Enable Synchronizer access