This step explains how to create the Google Cloud service accounts and TLS credentials
that are required for Apigee hybrid to operate.
Create the service accounts
Apigee hybrid uses Google Cloud service accounts to
allow hybrid components to communicate by making authorized API calls.
In this step, you use an Apigee hybrid command-line tool to create a set of service accounts
and download the service account private key files.
Apigee provides a tool, create-service-account, that creates the service accounts,
assigns the roles to the service accounts, and creates and downloads the key files for the service
account in a single command.
To learn more about create-service-account and all its
options, see create-service-account.
Make sure your PROJECT_ID environment variable is set to your Google Cloud project ID.
The create-service-account tool reads the PROJECT_ID environment variable to
create the service accounts in the correct project.
echo $PROJECT_ID
Create a non-prod service account with the following command. This command creates a
single service account named apigee-non-prod for use in non-production environments
and places the downloaded key file in the $HYBRID_FILES/service-accounts directory.
Verify that the service account key was created using the following command. You are responsible for storing these
private keys securely. The key filenames are prefixed with the name of your Google Cloud project.
ls $HYBRID_FILES/service-accounts
The result should look something like the following:
project_id-apigee-non-prod.json
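The listing above only confirms that the file exists. As an added example (not part of the Apigee documentation or tooling), the following shell function also checks that the key directory and each key file are accessible only by their owner, that each file is a service account key for the expected project, and that the filename carries the project prefix. The function name audit_sa_keys and its finding labels are hypothetical, and the parsing assumes the pretty-printed JSON layout of downloaded key files.

```shell
#!/usr/bin/env bash
# Added example: audit downloaded Apigee hybrid service account key files.
# Assumption: key files use pretty-printed JSON, one "field": "value" per line.

# audit_sa_keys DIR PROJECT
# Prints one finding per problem; returns 0 if clean, 1 if anything was found.
audit_sa_keys() {
  local dir="$1" project="$2" rc=0 f base perms key_project
  # The directory itself should grant nothing to group or others.
  perms=$(ls -ld "$dir" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "DIR_PERMS $dir: group/other access ($perms)"; rc=1
  fi
  for f in "$dir"/*.json; do
    [ -e "$f" ] || { echo "NO_KEYS $dir: no key files found"; return 1; }
    base=$(basename "$f")
    # Private keys must be accessible by the owner only (for example mode 600).
    perms=$(ls -l "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
      echo "FILE_PERMS $base: group/other access ($perms)"; rc=1
    fi
    # Confirm the file is a service account key, not some other JSON file.
    if ! grep -q '"type": *"service_account"' "$f"; then
      echo "NOT_SA_KEY $base: missing type service_account"; rc=1
      continue
    fi
    # The key must belong to the intended project...
    key_project=$(sed -n 's/.*"project_id": *"\([^"]*\)".*/\1/p' "$f" | head -n 1)
    if [ "$key_project" != "$project" ]; then
      echo "WRONG_PROJECT $base: key is for '$key_project'"; rc=1
    fi
    # ...and the filename prefix should agree with it.
    case $base in
      "$project"-*) ;;
      *) echo "NAME_MISMATCH $base: expected prefix '$project-'"; rc=1 ;;
    esac
  done
  return $rc
}

# Audit the directory used on this page when both variables are set.
if [ -n "${HYBRID_FILES:-}" ] && [ -n "${PROJECT_ID:-}" ]; then
  audit_sa_keys "$HYBRID_FILES/service-accounts" "$PROJECT_ID"
fi
```

A FILE_PERMS or DIR_PERMS finding is resolved by removing group and other access with chmod (600 for key files, 700 for the directory).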
You have now created service accounts and assigned the roles needed by the Apigee hybrid
components. Next, create the TLS certificates required by the hybrid ingress gateway.
Last updated 2025-08-20 UTC.