Step 4: Create service accounts and credentials

This step explains how to create the Google Cloud service accounts and TLS credentials that are required for Apigee hybrid to operate.

Create the service accounts

Apigee hybrid uses Google Cloud service accounts to allow hybrid components to communicate by making authorized API calls.

In this step, you use an Apigee hybrid command-line tool to create a set of service accounts and download the service account private key files.

Apigee provides a tool, create-service-account, that creates the service accounts, assigns the roles to the service accounts, and creates and downloads the key files for the service account in a single command.

To learn more about create-service-account and all its options see create-service-account
To learn about the related Google Cloud concepts, see Creating and managing service accounts and Creating and managing service account keys.

Make sure your PROJECT_ID environment variable is set to your Google cloud project ID. The create-service-account tool reads the PROJECT_ID environment variable to create the service accounts in the correct project.
```
echo $PROJECT_ID
```
Create a non-prod service account with the following command. This command creates a single service account named apigee-non-prod for use in non-production environments and places the downloaded key file in the $HYBRID_FILES/service-accounts directory.
```
$HYBRID_FILES/tools/create-service-account --env non-prod --dir $HYBRID_FILES/service-accounts
```
Note: If you would prefer to create all the individual service accounts for a production environment, use the following command:
```
$HYBRID_FILES/tools/create-service-account --env prod --dir $HYBRID_FILES/service-accounts
```
If you see the following prompt, enter y:
```
[INFO]: gcloud configured project ID is project_id.
 Enter: y to proceed with creating service account in project: project_id
 Enter: n to abort.
```
If this is the first time you are creating an SA with a particular name assigned, then the tool creates it without further prompts.

If, however, you see the following message and prompt, enter y to generate new keys:
```
[INFO]: Service account apigee-non-prod@project_id.iam.gserviceaccount.com already exists.
...
 [INFO]: The service account might have keys associated with it. It is recommended to use existing keys.
 Press: y to generate new keys.(this does not deactivate existing keys)
 Press: n to skip generating new keys.
```
Note: The Cloud Pub/Sub API must be enabled in the Google Cloud project that owns the service account for Synchronizer. To see if you enabled this API, see Enable APIs.
Verify that the service account key was created using the following command. You are responsible for storing these private keys securely. The key filenames are prefixed with the name of your Google Cloud project.
```
ls $HYBRID_FILES/service-accounts
```
The result should look something like the following:
```
project_id-apigee-non-prod.json
```

You now have created service accounts and assigned the roles needed by the Apigee hybrid components. Next, create the TLS certificates required by the hybrid ingress gateway.

1 2 3 4 (NEXT) Step 5: Create TLS certificates 6 7 8 9 10

Step 4: Create service accounts and credentials Stay organized with collections Save and categorize content based on your preferences.

Create the service accounts

Step 4: Create service accounts and credentials