Step 4: Create service accounts
Overview
This step explains how to create the Google Cloud service accounts that are required for Apigee hybrid to operate, and assign the appropriate IAM roles to them.
This procedure uses the following two environment variables defined in Step 2: Download the Apigee Helm charts. These variables are optional. If you did not define them, substitute the appropriate directory path for each variable in the code samples.
- $APIGEE_HELM_CHARTS_HOME: The directory where you downloaded the Apigee Helm charts, defined in Step 2: Download the Apigee Helm charts.
- $PROJECT_ID: Your Google Cloud project ID, defined in Part 1: Project and Org setup, Step 1: Enable APIs.
Production vs. non-production environments
This guide refers to Production ("Prod") and Non-production ("Non-prod") installations. A production installation is tuned for greater usage capacity, storage, and scalability. A non-production installation uses fewer resources and is mainly for learning and demonstration purposes.
When you create and configure service accounts for Apigee hybrid, it is important to be aware of the type of installation you are targeting.
For production installations, we recommend creating a separate service account for each Apigee hybrid component. For example, runtime, mart, metrics, udca, and so on each get their own service account, so that a compromised component holds only the roles it needs.
For non-prod installations, you can create a single service account that applies to all the components.
To learn more about the service accounts used by Apigee and the roles they are assigned, see Service accounts and roles used by hybrid components.
Authenticating service accounts
Apigee hybrid supports three methods of authenticating Google service accounts:
Workload Identity on AKS, EKS, or GKE
For Apigee hybrid installations on GKE, Google Cloud offers an option called Workload Identity to authenticate hybrid runtime components. This option does not use downloaded key files to authenticate the service accounts. Instead, it associates the Google Cloud service accounts that you create in this step with Kubernetes service accounts in the Kubernetes cluster, so no long-lived private key has to be stored on disk or in the cluster. See Enabling Workload Identity on GKE or Enabling Workload Identity Federation on AKS and EKS.
Create the service accounts
Apigee hybrid uses the following service accounts:
Prod
| Service account | IAM roles | Apigee Helm chart |
|---|---|---|
| apigee-cassandra | Storage Object Admin | apigee-datastore |
| apigee-logger | Logs Writer | apigee-telemetry |
| apigee-mart | Apigee Connect Agent | apigee-org |
| apigee-metrics | Monitoring Metric Writer | apigee-telemetry |
| apigee-runtime | No role required | apigee-env |
| apigee-synchronizer | Apigee Synchronizer Manager, Storage Object Admin | apigee-env |
| apigee-udca | Apigee Analytics Agent | apigee-org, apigee-env |
| apigee-watcher | Apigee Runtime Agent | apigee-org |
Non-prod
| Service account | IAM roles | Apigee Helm chart |
|---|---|---|
| apigee-non-prod | Storage Object Admin, Logs Writer, Apigee Connect Agent, Monitoring Metric Writer, Apigee Synchronizer Manager, Apigee Analytics Agent, Apigee Runtime Agent | apigee-datastore, apigee-telemetry, apigee-org, apigee-env |
The create-service-account tool
Apigee provides a tool, create-service-account, in the apigee-operator/etc/tools directory:
$APIGEE_HELM_CHARTS_HOME/
└── apigee-operator/
    └── etc/
        └── tools/
            └── create-service-account
This tool creates the service accounts, assigns the IAM roles to each account, and downloads a key file in JSON format for each account. Each key file contains the service account's private key. It is a long-lived credential, so keep it readable only by your own user and do not commit it to version control along with the charts.
Verify that you can execute create-service-account. If you have just downloaded the charts, the create-service-account file might not be in an executable mode. In your APIGEE_HELM_CHARTS_HOME directory run the following command:
$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account --help
If your output says permission denied, you need to make the file executable, for example with chmod on Linux, macOS, or UNIX, or in Windows Explorer or with the icacls command on Windows. For example:
chmod +x $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account
Create the service accounts
Because Helm does not support referencing files outside of the chart directory, you will create each service account key file in the chart directory for the corresponding hybrid component. A component whose chart depends on more than one key file, or a key file that more than one chart needs, must therefore be present in every chart directory that refers to it.
For the next steps choose whether you are configuring a Production or Non-production installation.
Prod
- Make sure the PROJECT_ID environment variable is defined:
  echo $PROJECT_ID
  The create-service-account tool uses the value of the PROJECT_ID environment variable. If it is not defined, either define it with your Google Cloud project ID or add the --project-id my_project_id flag to the create-service-account commands.
- Create the service accounts with the following commands, where $APIGEE_HELM_CHARTS_HOME is the path where you downloaded the Apigee Helm charts. You may be prompted to create each service account. Respond with y. Note that the apigee-udca profile is run twice, once for each chart directory that needs its key file.
  $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
    --profile apigee-cassandra \
    --env prod \
    --dir $APIGEE_HELM_CHARTS_HOME/apigee-datastore
  $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
    --profile apigee-logger \
    --env prod \
    --dir $APIGEE_HELM_CHARTS_HOME/apigee-telemetry
  $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
    --profile apigee-mart \
    --env prod \
    --dir $APIGEE_HELM_CHARTS_HOME/apigee-org
  $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
    --profile apigee-metrics \
    --env prod \
    --dir $APIGEE_HELM_CHARTS_HOME/apigee-telemetry
  $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
    --profile apigee-runtime \
    --env prod \
    --dir $APIGEE_HELM_CHARTS_HOME/apigee-env
  $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
    --profile apigee-synchronizer \
    --env prod \
    --dir $APIGEE_HELM_CHARTS_HOME/apigee-env
  $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
    --profile apigee-udca \
    --env prod \
    --dir $APIGEE_HELM_CHARTS_HOME/apigee-env
  $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
    --profile apigee-udca \
    --env prod \
    --dir $APIGEE_HELM_CHARTS_HOME/apigee-org
  $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
    --profile apigee-watcher \
    --env prod \
    --dir $APIGEE_HELM_CHARTS_HOME/apigee-org
- Verify that the service account files were created in the correct directories by checking the contents of each chart's directory. Your output should look like:
  ls ./apigee-datastore
  Chart.yaml  my_project_id-apigee-cassandra.json  templates  values.yaml
  ls ./apigee-telemetry
  Chart.yaml  my_project_id-apigee-logger.json  my_project_id-apigee-metrics.json  templates  values.yaml
  ls ./apigee-org
  Chart.yaml  my_project_id-apigee-mart.json  my_project_id-apigee-udca.json  my_project_id-apigee-watcher.json  templates  values.yaml
  ls ./apigee-env
  Chart.yaml  my_project_id-apigee-runtime.json  my_project_id-apigee-synchronizer.json  my_project_id-apigee-udca.json  templates  values.yaml
  Tip: You can also verify the location of the service account files with the tree command (quote the pattern so the shell does not expand it against the current directory):
  tree -P '*.json'
Non-prod
- Make sure the PROJECT_ID environment variable is defined:
  echo $PROJECT_ID
  The create-service-account tool uses the value of the PROJECT_ID environment variable. If it is not defined, either define it with your Google Cloud project ID or add the --project-id my_project_id flag to the create-service-account commands.
- Create the service account with the following command, where $APIGEE_HELM_CHARTS_HOME is the path where you downloaded the Apigee Helm charts. You may be prompted to create the service account. Respond with y.
  $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
    --env non-prod \
    --dir $APIGEE_HELM_CHARTS_HOME/apigee-datastore
- Verify the name of the service account file created in the apigee-datastore directory:
  ls $APIGEE_HELM_CHARTS_HOME/apigee-datastore
  Chart.yaml  my_project_id-apigee-non-prod.json  templates  values.yaml
- Copy the service account file to the other chart directories that will need to refer to it, replacing SA_FILE_NAME with the file name shown in the previous step (my_project_id-apigee-non-prod.json in the example output). Each copy is a full credential, so it needs the same protection as the original:
  cp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/SA_FILE_NAME $APIGEE_HELM_CHARTS_HOME/apigee-telemetry/
  cp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/SA_FILE_NAME $APIGEE_HELM_CHARTS_HOME/apigee-org/
  cp $APIGEE_HELM_CHARTS_HOME/apigee-datastore/SA_FILE_NAME $APIGEE_HELM_CHARTS_HOME/apigee-env/
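To check the result of either procedure above before moving on, here is an added verification script of my own; it is not part of the Apigee documentation or of the create-service-account tool. It transcribes the profile-to-chart mapping from the two tables on this page, checks that every expected key file exists, belongs to the right project and service account, actually carries a private key, and is readable only by its owner. Assumptions: the file name pattern $PROJECT_ID-$PROFILE.json is taken from the ls output above; the IAM role IDs in expected_roles are my mapping of the display names in the table and should be confirmed against your project; the sample key files the script can generate are constructed placeholders with no real key material.

```shell
#!/usr/bin/env bash
# Added example (not from the Apigee docs): verify the service account key
# files that create-service-account downloaded are in the right chart
# directories and are usable, owner-only readable credentials.
set -u

# Profile -> chart directory pairs, transcribed from the tables on this page.
layout() {  # layout prod|non-prod
  case "$1" in
    prod) cat <<'EOF'
apigee-cassandra apigee-datastore
apigee-logger apigee-telemetry
apigee-mart apigee-org
apigee-metrics apigee-telemetry
apigee-runtime apigee-env
apigee-synchronizer apigee-env
apigee-udca apigee-org
apigee-udca apigee-env
apigee-watcher apigee-org
EOF
    ;;
    non-prod) cat <<'EOF'
apigee-non-prod apigee-datastore
apigee-non-prod apigee-telemetry
apigee-non-prod apigee-org
apigee-non-prod apigee-env
EOF
    ;;
    *) echo "unknown env: $1" >&2; return 1 ;;
  esac
}

# IAM role IDs for the display names in the prod table. This is my mapping
# (an assumption); confirm it against your project's IAM policy.
expected_roles() {  # expected_roles PROFILE -> one role ID per line
  case "$1" in
    apigee-cassandra)    echo roles/storage.objectAdmin ;;
    apigee-logger)       echo roles/logging.logWriter ;;
    apigee-mart)         echo roles/apigeeconnect.Agent ;;
    apigee-metrics)      echo roles/monitoring.metricWriter ;;
    apigee-runtime)      ;;   # no role required
    apigee-synchronizer) printf '%s\n' roles/apigee.synchronizerManager roles/storage.objectAdmin ;;
    apigee-udca)         echo roles/apigee.analyticsAgent ;;
    apigee-watcher)      echo roles/apigee.runtimeAgent ;;
    *) return 1 ;;
  esac
}

# Pull one flat string field out of a key file without needing jq.
json_field() {  # json_field FILE KEY
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Validate one key file: diagnostics go to stderr, the verdict is the return code.
check_key_file() {  # check_key_file FILE PROJECT_ID PROFILE
  local file=$1 project=$2 profile=$3 bad=0 mode
  [ -f "$file" ] || { echo "MISSING        $file" >&2; return 1; }
  [ "$(json_field "$file" type)" = service_account ] || { echo "NOT-A-SA-KEY   $file" >&2; bad=1; }
  [ "$(json_field "$file" project_id)" = "$project" ] || { echo "WRONG-PROJECT  $file" >&2; bad=1; }
  [ "$(json_field "$file" client_email)" = "$profile@$project.iam.gserviceaccount.com" ] \
    || { echo "WRONG-ACCOUNT  $file" >&2; bad=1; }
  grep -q '"private_key"' "$file" || { echo "NO-PRIVATE-KEY $file" >&2; bad=1; }
  # The key file is a long-lived credential: only its owner should be able to read it.
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  case "$mode" in 600|400) ;; *) echo "MODE $mode       $file" >&2; bad=1 ;; esac
  return "$bad"
}

# Walk every chart directory for an environment and print the number of bad files.
check_layout() {  # check_layout prod|non-prod CHARTS_HOME PROJECT_ID
  local env=$1 home=$2 project=$3 failures=0 profile chart
  while read -r profile chart; do
    check_key_file "$home/$chart/$project-$profile.json" "$project" "$profile" || failures=$((failures + 1))
  done <<EOF
$(layout "$env")
EOF
  echo "$failures"
}

# Constructed sample layout for offline testing; the "private key" is a placeholder.
make_sample_layout() {  # make_sample_layout prod|non-prod CHARTS_HOME PROJECT_ID
  local env=$1 home=$2 project=$3 profile chart
  while read -r profile chart; do
    mkdir -p "$home/$chart"
    cat >"$home/$chart/$project-$profile.json" <<KEYJSON
{
  "type": "service_account",
  "project_id": "$project",
  "private_key_id": "constructed-placeholder",
  "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED PLACEHOLDER, NOT A KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "$profile@$project.iam.gserviceaccount.com"
}
KEYJSON
    chmod 600 "$home/$chart/$project-$profile.json"
  done <<EOF
$(layout "$env")
EOF
}

# Stand-alone demo: one sample file is made world-readable so the check fires once.
if [ "${1:-}" = --demo ]; then
  demo=$(mktemp -d)
  make_sample_layout prod "$demo" my_project_id
  chmod 644 "$demo/apigee-env/my_project_id-apigee-udca.json"
  echo "bad key files: $(check_layout prod "$demo" my_project_id)"
  rm -rf "$demo"
fi
```

Against a real installation, source the script and run `check_layout prod "$APIGEE_HELM_CHARTS_HOME" "$PROJECT_ID"` (or `non-prod`); a result of 0 means every chart directory holds the key file it needs. To compare the granted roles with `expected_roles`, list the bindings for one account with `gcloud projects get-iam-policy "$PROJECT_ID" --flatten="bindings[].members" --filter="bindings.members:serviceAccount:apigee-synchronizer@$PROJECT_ID.iam.gserviceaccount.com" --format="value(bindings.role)"` and diff the two lists; any role beyond the expected set is a least-privilege finding worth removing before the cluster goes live.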
For more information about service accounts and the create-service-account tool see:
You now have created service accounts and assigned the roles needed by the Apigee hybrid components. Next, create the TLS certificates required by the hybrid ingress gateway.
Next step
(NEXT) Step 5: Create TLS certificates
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.