create-service-account

You are currently viewing version 1.13 of the Apigee hybrid documentation. For more information, see Supported versions.

create-service-account overview

create-service-account is a command-line tool provided with Apigee hybrid that creates Google Cloud service accounts with roles that allow individual Apigee hybrid components to make authorized API calls, and downloads the associated service account key files. You can use the service account key files generated by this command in your configuration overrides file.

create-service-account creates one or more service accounts in your current Google Cloud project or the project you specify, assigns the correct IAM role to the service account, and downloads the certificate file for the service account into a directory on your local machine.

To learn more about service accounts and read the full list of service accounts recommended for production environments, see the following:

You can also create service accounts in the Google Cloud console. See also Creating and managing service accounts.

Prerequisites

Role

The create-service-account tool requires that the gcloud CLI be installed. Users invoking the utility should have the role Service Account Admin.

Project

Service accounts are bound to a specific Google Cloud project. create-service-account creates service accounts in your current project or in the project you specify, and binds the IAM roles to the service accounts within that project. create-service-account also uses the Project ID as part of the service account key file name and email. For example, if your project is named my-hybrid-project, the apigee-logger service account key file will be named my-hybrid-project-apigee-logger.json and the service account's email address will be apigee-logger@my-hybrid-project.iam.gserviceaccount.com.

You can specify a project by defining a PROJECT_ID environment variable or with the --project-id flag. create-service-account reads the value of the PROJECT_ID environment variable. If it is not present, you can use the --project-id flag.

If you do not specify a Cloud project ID, create-service-account uses the project in your current gcloud project configuration.

You can check the currently set gcloud project configuration with the following command:

gcloud config list project

If you need to change the current project ID, use the following command:

gcloud config set project PROJECT_ID

Where PROJECT_ID is the ID of your current Cloud project. Instructions for creating a Cloud Project are covered in Step 2: Create a Google Cloud project.

File location

You can find the create-service-account tool in the following directory:

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/

Verifying the create-service-account tool is executable

Verify you can execute create-service-account. If you have just downloaded the Apigee Helm charts, the command line tools might not be in an executable mode. Navigate to the directory where create-service-account is installed and verify that it is executable by running it with --help:

./create-service-account --help

If the output says permission denied, you need to make the file executable, for example with chmod on Linux, macOS, or UNIX, or on Windows with Windows Explorer or the icacls command. For example:

chmod +x ./create-service-account

Using create-service-account

The following examples show using create-service-account for common Apigee hybrid setup tasks.

Create service accounts for a production environment

In a production hybrid environment Apigee recommends using a separate service account for each component. Use the following command to create all the service accounts for the hybrid components with their default names in the default directory.

./tools/create-service-account --env prod

This will create the following service accounts, with the cert files downloaded in the ./tools/service-accounts directory:

Service account | IAM role | Email | Cert file
--- | --- | --- | ---
apigee-cassandra | roles/storage.objectAdmin | apigee-cassandra@PROJECT_ID.iam.gserviceaccount.com | PROJECT_ID-apigee-cassandra.json
apigee-logger | roles/logging.logWriter | apigee-logger@PROJECT_ID.iam.gserviceaccount.com | PROJECT_ID-apigee-logger.json
apigee-mart | roles/apigeeconnect.Agent | apigee-mart@PROJECT_ID.iam.gserviceaccount.com | PROJECT_ID-apigee-mart.json
apigee-metrics | roles/monitoring.metricWriter | apigee-metrics@PROJECT_ID.iam.gserviceaccount.com | PROJECT_ID-apigee-metrics.json
apigee-runtime | No role assigned | apigee-runtime@PROJECT_ID.iam.gserviceaccount.com | PROJECT_ID-apigee-runtime.json
apigee-synchronizer | roles/apigee.synchronizerManager | apigee-synchronizer@PROJECT_ID.iam.gserviceaccount.com | PROJECT_ID-apigee-synchronizer.json
apigee-udca | roles/apigee.analyticsAgent | apigee-udca@PROJECT_ID.iam.gserviceaccount.com | PROJECT_ID-apigee-udca.json
apigee-watcher | roles/apigee.runtimeAgent | apigee-watcher@PROJECT_ID.iam.gserviceaccount.com | PROJECT_ID-apigee-watcher.json

Create a single service account for a non-production environment

For non-production environments, like an experimental or demo environment, you can create a single service account named "apigee-non-prod" that you can use for all components. This service account will have all the IAM roles in the previous example assigned to it.

./tools/create-service-account --env non-prod

This will create a single service account named apigee-non-prod and download the cert file in the ./tools/service-accounts directory:

Service account | IAM roles | Email | Cert file
--- | --- | --- | ---
apigee-non-prod | roles/apigee.analyticsAgent, roles/apigee.runtimeAgent, roles/apigee.synchronizerManager, roles/apigeeconnect.Agent, roles/logging.logWriter, roles/monitoring.metricWriter, roles/storage.objectAdmin | apigee-non-prod@PROJECT_ID.iam.gserviceaccount.com | PROJECT_ID-apigee-non-prod.json
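As an added example (not part of the Apigee tooling or of this page), the following Python script checks a project's IAM policy against the two service-account layouts shown in the tables above: every documented account should hold exactly its listed role or roles, and nothing more. It expects the JSON produced by gcloud projects get-iam-policy PROJECT_ID --format=json; SAMPLE_POLICY, the project ID demo-proj, and the stray roles/owner binding on apigee-runtime are constructed for the example.

```python
# Added example, not part of the Apigee tooling: audit a project's IAM policy
# against the layout create-service-account is documented to produce.
# SAMPLE_POLICY is constructed to mimic `gcloud projects get-iam-policy`.
import json
# Per-component roles from the --env prod table (apigee-runtime gets no role).
PROD_ROLES = {
    "apigee-cassandra": {"roles/storage.objectAdmin"},
    "apigee-logger": {"roles/logging.logWriter"},
    "apigee-mart": {"roles/apigeeconnect.Agent"},
    "apigee-metrics": {"roles/monitoring.metricWriter"},
    "apigee-runtime": set(),
    "apigee-synchronizer": {"roles/apigee.synchronizerManager"},
    "apigee-udca": {"roles/apigee.analyticsAgent"},
    "apigee-watcher": {"roles/apigee.runtimeAgent"},
}

def expected_bindings(project_id, env="prod", name="apigee-non-prod"):
    """Email -> expected role set for --env prod or --env non-prod."""
    domain = f"@{project_id}.iam.gserviceaccount.com"
    if env == "non-prod":  # one account holding every role from the prod table
        return {name + domain: set().union(*PROD_ROLES.values())}
    return {sa + domain: roles for sa, roles in PROD_ROLES.items()}

def actual_bindings(policy, project_id):
    # Email -> roles actually held by each service account of this project.
    domain = f"@{project_id}.iam.gserviceaccount.com"
    held = {}
    for b in policy.get("bindings", []):
        for m in b.get("members", []):
            if m.startswith("serviceAccount:") and m.endswith(domain):
                held.setdefault(m.split(":", 1)[1], set()).add(b["role"])
    return held

def audit(policy, project_id, env="prod"):
    """Return {email: (missing_roles, extra_roles)} for every deviation; extra
    roles are the security finding (more power than the documented layout)."""
    expected = expected_bindings(project_id, env)
    actual = actual_bindings(policy, project_id)
    findings = {}
    for email in set(expected) | set(actual):
        want, have = expected.get(email, set()), actual.get(email, set())
        if want != have:
            findings[email] = (sorted(want - have), sorted(have - want))
    return findings

# Constructed sample: logger is correct, watcher was never granted its role,
# and runtime (documented as "No role assigned") has been given roles/owner.
SAMPLE_POLICY = json.loads("""{"bindings": [
 {"role": "roles/logging.logWriter",
  "members": ["serviceAccount:apigee-logger@demo-proj.iam.gserviceaccount.com"]},
 {"role": "roles/owner", "members": ["user:admin@example.com",
  "serviceAccount:apigee-runtime@demo-proj.iam.gserviceaccount.com"]}]}""")
```

To run it against a live project, replace SAMPLE_POLICY with json.load() of the gcloud output; a non-empty extra-roles list for any account means that component holds more privilege than the documented layout grants.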

create-service-account syntax

The create-service-account tool uses the following syntax:

create-service-account [flags]

The following list describes the create-service-account flags, their values, and what they do:

--dir, -d
Values: directory name
Specifies an output directory for the service account key files. If the directory does not exist, create-service-account will create it. If the directory already exists, create-service-account will overwrite any files in the directory that have the same name as the key files it is creating.

If you do not specify an output directory, create-service-account will write the service account files to the service-accounts/ directory within the directory where create-service-account resides.

--env, -e
Values: prod or non-prod
Specifies if you are creating service accounts for a production (prod) environment or a non-production (non-prod) environment.
  • --env prod creates service accounts for production hybrid environments.

    In a production environment it is recommended that you have a single service account for each Apigee service. Each service account created will have a single IAM role associated with it.

    create-service-account --env prod will create all the service accounts used by Apigee hybrid unless you specify a specific service account with --profile.

  • --env non-prod creates a single service account with all the IAM roles bound to it. This is useful for non-production environments like an experimental or demo installation.

    The service account will be named apigee-non-prod unless you specify a name with the --name flag.

If you run create-service-account without --env, it will prompt you to enter prod or non-prod.

--help, -h
Values: none
Displays help text.

--name, -n
Values: service account name
Specifies a name for the service account. --name only applies to a single service account, either specified with --profile or --env non-prod.

The name is also part of the cert file name and email for the service account. For example, if you run create-service-account --profile apigee-logger --name my-logger (assuming for this example your current Cloud project is my-hybrid-project), create-service-account will create an account with:

  • Name: my-logger
  • Email: my-logger@my-hybrid-project.iam.gserviceaccount.com
  • Cert file: my-hybrid-project-my-logger.json

If you do not specify --name, create-service-account uses the name of the profile for the name of the service account, or "apigee-non-prod" if you specify --env non-prod.

--profile, -p
Values: apigee-cassandra, apigee-logger, apigee-mart, apigee-metrics, apigee-runtime, apigee-synchronizer, apigee-udca, apigee-watcher
For production environments only, specifies a single service account to create.

You can specify a name for the service account with the --name flag.

Requires --env prod.

--project-id, -i
Values: project id
The Project ID of the Google Cloud project in which you are creating the service accounts.

create-service-account reads the value of the PROJECT_ID environment variable. If it is not present, you can use the --project-id flag.

If you do not specify a Project ID, create-service-account will use the ID of the project in your current gcloud configuration.

Note: The create-service-account tool cannot create the apigee-org-admin service account used to enable synchronizer access to. To do that, you must use the Google Cloud console or the gcloud APIs.

For more information about the service accounts used by Apigee hybrid, see About service accounts.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.