Enabling monetization for Apigee hybrid
Overview
This document describes the procedures to enable recurring, top-up, and setup fees for Apigee's Monetization feature in Hybrid orgs.
Prerequisites
- Apigee hybrid version 1.15.1 or higher. SeeUpgrading Apigee hybrid for upgrade instructions.
- Monetization enabled for your Apigee hybrid project. SeeEnabling Apigee monetization.
Procedure
Enabling recurring, top-up, and setup fees for Apigee hybrid monetization requires creating and setting up theapigee-mint-task-scheduler Google service account and granting it access to the Pub/Sub data pipeline.
- If you have not already downloaded version 1.15.1 of the Helm charts, Pull the Helm charts with the following commands:Note: If you are performing a fresh install, you will perform this step inStep 2: Download the Apigee Helm charts: Pull Apigee Helm charts.
In the$APIGEE_HELM_CHARTS_HOME directory, use the
pullcommand to copy all of the Apigee hybrid Helm charts to your local storage:exportCHART_REPO=oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts
exportCHART_VERSION=1.15.1helm pull$CHART_REPO/apigee-operator --version$CHART_VERSION --untarhelm pull$CHART_REPO/apigee-datastore --version$CHART_VERSION --untarhelm pull$CHART_REPO/apigee-env --version$CHART_VERSION --untarhelm pull$CHART_REPO/apigee-ingress-manager --version$CHART_VERSION --untarhelm pull$CHART_REPO/apigee-org --version$CHART_VERSION --untarhelm pull$CHART_REPO/apigee-redis --version$CHART_VERSION --untarhelm pull$CHART_REPO/apigee-telemetry --version$CHART_VERSION --untarhelm pull$CHART_REPO/apigee-virtualhost --version$CHART_VERSION --untar - Create the
apigee-mint-task-schedulerservice account.If you haven't already created the
apigee-mint-task-schedulerservice account, create it now with thecreate-service-accounttool. SeeStep 4: Create service accounts for information on creating service accounts as part of a fresh hybrid install.- Locate the
create-service-accounttool in the$APIGEE_HELM_CHARTS_HOME directory:$APIGEE_HELM_CHARTS_HOME/ └── apigee-operator/ └── etc/ └── tools/ └── create-service-account
Verify you can execute
create-service-account. If you have just downloaded the chartsthecreate-service-accountfile might not be in an executable mode. In yourAPIGEE_HELM_CHARTS_HOME directory run the following command:$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account --help
If your output says
permission deniedyou need to make the file executable, forexample withchmodin Linux, MacOS, or UNIX or in the Windows Explorer or with theicaclscommand in Windows. For example:chmod +x$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account
- Create the
apigee-mint-task-schedulerservice account and store the downloaded cert file in theapigee-orgchart directory with the following command:$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \ --profile apigee-mint-task-scheduler \ --env prod \ --dir$APIGEE_HELM_CHARTS_HOME/apigee-org
- Locate the
- Enable control plane access for the
apigee-martandapigee-mint-task-schedulerservice accounts.If you have not already enabled control plane access for the
apigee-martandapigee-mint-task-schedulerservice accounts, do so now with the following steps. SeeStep 7: Enable control plane access for information on enabling control plane access as part of a fresh hybrid install.- If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid organization, be sure that your Google Cloud user account has theroles/apigee.admin (Apigee Organization Admin) role. You can check the roles assigned to you with this command:
gcloud projects get-iam-policy${PROJECT_ID} \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:your_account_email"If your output does not includeroles/apigee.admin, seeStep 7: Enable control plane access for steps to add the role or have a user who does have the role perform this step.
- Call theupdateControlPlaneAccessAPI to enable the required permissions using the following command:
No data residency
curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess?update_mask=analytics_publisher_identities" \ -d "{\"analytics_publisher_identities\": [\"serviceAccount:apigee-mart@$ORG_NAME.iam.gserviceaccount.com\",\"serviceAccount:apigee-mint-task-scheduler@$ORG_NAME.iam.gserviceaccount.com\",\"serviceAccount:apigee-runtime@$ORG_NAME.iam.gserviceaccount.com\"]}"Where the following are the email addresses of the service accounts:
apigee-mart@${ORG_NAME}.iam.gserviceaccount.comapigee-mint-task-scheduler@${ORG_NAME}.iam.gserviceaccount.comapigee-runtime@${ORG_NAME}.iam.gserviceaccount.com
Data residency
curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type:application/json" \ "https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess?update_mask=analytics_publisher_identities" \ -d "{\"analytics_publisher_identities\": [\"serviceAccount:apigee-mart@$ORG_NAME.iam.gserviceaccount.com\",\"serviceAccount:apigee-mint-task-scheduler@$ORG_NAME.iam.gserviceaccount.com\",\"serviceAccount:apigee-runtime@$ORG_NAME.iam.gserviceaccount.com\"]}"Where:
CONTROL_PLANE_LOCATIONis the location for your control plane data if your hybrid installation usesdata residency. This is location where customer core content like proxy bundles are stored. For a list seeAvailable Apigee API control plane regions.- The following are the email addresses of the service accounts:
apigee-mart@${ORG_NAME}.iam.gserviceaccount.comapigee-mint-task-scheduler@${ORG_NAME}.iam.gserviceaccount.comapigee-runtime@${ORG_NAME}.iam.gserviceaccount.com
- Verify control plane access for the
apigee-martandapigee-mint-task-schedulerservice accounts.No data residency
curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess"
Data residency
curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type:application/json" \ "https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess"
Your output should include the
apigee-mart,apigee-mint-task-scheduler, andapigee-runtimeservice accounts similar to the following:{ "synchronizerIdentities": [ "serviceAccount:apigee-synchronizer@$ORG_NAME.iam.gserviceaccount.com" ], "analyticsPublisherIdentities": [ "serviceAccount:apigee-mart@$ORG_NAME.iam.gserviceaccount.com", "serviceAccount:apigee-mint-task-scheduler@$ORG_NAME.iam.gserviceaccount.com", "serviceAccount:apigee-runtime@$ORG_NAME.iam.gserviceaccount.com" ]}
- If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid organization, be sure that your Google Cloud user account has theroles/apigee.admin (Apigee Organization Admin) role. You can check the roles assigned to you with this command:
- Add the Monetization-specific stanzas to your
overrides.yamlfile.Add the following stanzas to your
overrides.yamlfile:runtime: image: url: "gcr.io/apigee-release/hybrid/apigee-runtime" tag: "1.15.1" #must be 1.15.1 or higher.mintTaskScheduler: # if using stored SA cert files: serviceAccountPath:MINT_TASK_SCHEDULER_SA_CERT_FILE.json # if using stored Kubernetes secrets: serviceAccountRef:MINT_TASK_SCHEDULER_SA_K8S_SECRET # if using Workload Identity on GKE: gsa: "apigee-mint-task-scheduler@PROJECT_ID.iam.gserviceaccount.com"# or if using Vault:serviceAccountSecretProviderClass: apigee-orgsakeys-spc
If you are using Kubernetes secrets, seeStoring data in a Kubernetes secret.
If you are using Vault, seeStoring service account keys in Hashicorp Vault.
If you are using Vault, make sure you have added
mintto the organization-specific secret provider class. SeeCreateSecretProviderClassobjects. - Apply the changes to the
apigee-operator,apigee-org, andapigee-envcharts.If you have set the$ORG_NAME andAPIGEE_NAMESPACE environment variables, you can use them in the following commands:
- Install the operator.
Dry run:
helm upgrade operator apigee-operator/ \ --install \ --namespace$APIGEE_NAMESPACE \ --atomic \ -foverrides.yaml \ --dry-run=server
Install the chart:
helm upgrade operator apigee-operator/ \ --install \ --namespace$APIGEE_NAMESPACE \ --atomic \ -foverrides.yaml
- Install Apigee organization.
Dry run:
helm upgrade$ORG_NAME apigee-org/ \ --install \ --namespace$APIGEE_NAMESPACE \ --atomic \ -foverrides.yaml \ --dry-run=server
Install the chart:
helm upgrade$ORG_NAME apigee-org/ \ --install \ --namespace$APIGEE_NAMESPACE \ --atomic \ -foverrides.yaml
- Install the environment. Repeat this step for each environment.
You must install one environment at a time. Specify the environment with
--set env=ENV_NAME. If you have set the$ENV_NAME environment variable in your shell, you can use that in the following commands:Dry run:
helm upgradeENV_RELEASE_NAME apigee-env/ \ --install \ --namespace$APIGEE_NAMESPACE \ --atomic \ --set env=$ENV_NAME \ -foverrides.yaml \ --dry-run=server
ENV_RELEASE_NAME is a name used to keep track of installation and upgrades of the
apigee-envchart. This name must be unique from the other Helm release names in your installation. Usually this is the same asENV_NAME. However, if your environment has the same name as your environment group, you must use different release names for the environment and environment group, for exampledev-env-releaseanddev-envgroup-release. For more information on releases in Helm, seeThree big concepts in the Helm documentation.Install the chart:
helm upgradeENV_RELEASE_NAME apigee-env/ \ --install \ --namespace$APIGEE_NAMESPACE \ --atomic \ --set env=$ENV_NAME \ -foverrides.yaml
- Install the operator.
- Workload Identity on GKE only: Configure Workload Identity for the
apigee-mint-task-schedulerservice account.If you are performing a fresh install, perform this step in addition to the steps inStep 11 (Optional): Configure Workload Identity.
When you run the helm upgrade with the
--dry-runflag for theapigee-orgchart, the output will include the commands you will need to configure Workload Identity with the correct Google service account and Kubernetes service account names.- Get the commands to set up Workload Identity for
apigee-organd run the command underNOTES:in the output.helm upgrade$ORG_NAME apigee-org/ \ --namespace $NAMESPACE \ -foverrides.yaml \ --dry-run=server
The output should contain instructions similar to the following under
NOTES::NOTES:...For organization GKE Workload Identity, please make sure to add the below membership to the IAM policy binding using the respective Kubernetes SA (KSA).gcloud iam service-accounts add-iam-policy-bindingapigee-mint-task-scheduler@PROJECT_ID.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[APIGEE_NAMESPACE/apigee-mint-task-scheduler-PROJECT_ID-UNIQUE_ID]" \ --projectPROJECT_ID
The Kubernetes service account name has the format
apigee-mint-task-scheduler-PROJECT_ID-UNIQUE_ID. - Run the commands to set up Workload Identity for
apigee-mint-task-scheduler.
- Get the commands to set up Workload Identity for
See also
- Enabling Apigee monetization for more information about monetization in Apigee.
mintTaskScheduler.serviceAccountPath: Sets the path to the service account key file for theapigee-mint-task-schedulerservice account.mintTaskScheduler.serviceAccountRef: Sets the Kubernetes secret that contains the service account key for theapigee-mint-task-schedulerservice account.mintTaskScheduler.gsa: Sets the Google service account for theapigee-mint-task-schedulerservice account. This must be the service account email address.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.