Configure the Synchronizer

This section describes the Synchronizer.

Synchronizer overview

In Apigee hybrid, the Synchronizer's primary job is to poll and download the runtime contracts which are supplied by the management plane. Information communicated by contract includes API proxies, API products, caches, and virtual hosts. Synchronizer by default stores environment configuration data in the Cassandra database.

Synchronizer instances running in the runtime plane are expected to poll the management plane on a regular basis, download the contracts, and make them available to local runtime instances.

One Synchronizer can support many Message Processors deployed in the same pod.

Enable Synchronizer access

You must grant the Synchronizer permission to pull down Apigee artifacts, such as proxy bundles and resources, from the management plane. You must call an Apigee API to authorize the Synchronizer to pull artifacts down from the management plane to the runtime plane.

  1. Ensure that you have enabled the Apigee API as explained in the Google Cloud setup steps. For details, see Enable APIs.
  2. Locate the write-enabled Google Cloud service account key (a JSON file) that you downloaded as part of Create service accounts and credentials. The service account has the Apigee Org Admin role and is the one named "apigee-org-admin". If you did not previously create this service account, you must do so before continuing.
  3. Use the Apigee Org Admin service account key to generate an OAuth 2.0 access token. This token is required to authenticate the Apigee APIs.

    Use gcloud to obtain an OAuth 2.0 access token, passing the service account credentials JSON file that you downloaded using the GOOGLE_APPLICATION_CREDENTIALS environment variable:

    export GOOGLE_APPLICATION_CREDENTIALS=your_sa_credentials_file.json
    gcloud auth application-default print-access-token

    An OAuth 2.0 token is returned.

    For more information, see gcloud beta auth application-default print-access-token.

  4. Copy the OAuth 2.0 token returned and store it in a variable, such as TOKEN. For example:
    export TOKEN=ya29....Ts13inj3LrqMJlztwygtM
  5. Call the setSyncAuthorization API to enable the required permissions for Synchronizer:

    TIP: If you are using Terraform, you can use the google_apigee_sync_authorization Terraform attribute instead of calling the setSyncAuthorization API.

    IMPORTANT: Be sure that the service account name that you add to this API has the Apigee Synchronizer Manager role. For more information about service accounts, see Create service accounts and credentials.

    No data residency

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/YOUR_ORG_NAME:setSyncAuthorization" \
      -d '{"identities":["serviceAccount:SYNCHRONIZER_MANAGER_SERVICE_ACCOUNT_NAME"]}'

    Where:

    • YOUR_ORG_NAME: The name of the hybrid organization.
    • SYNCHRONIZER_MANAGER_SERVICE_ACCOUNT_NAME: The name of a service account with the Apigee Synchronizer Manager role. The name is formed like an email address. For example: my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com

    Example:

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
      -d '{"identities":["serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"]}'

    Data residency

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/YOUR_ORG_NAME:setSyncAuthorization" \
      -d '{"identities":["serviceAccount:SYNCHRONIZER_MANAGER_SERVICE_ACCOUNT_NAME"]}'

    Where:

    • YOUR_ORG_NAME: The name of the hybrid organization.
    • CONTROL_PLANE_LOCATION: The location for your control plane data if your hybrid installation uses data residency. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions.
    • SYNCHRONIZER_MANAGER_SERVICE_ACCOUNT_NAME: The name of a service account with the Apigee Synchronizer Manager role. The name is formed like an email address. For example: my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com

    Example:

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://us-apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
      -d '{"identities":["serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"]}'

    For more information on this API, see setSyncAuthorization API.

  6. To verify that the service account was set, call the following API to get a list of service accounts:

    No data residency

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization" \
      -d ''

    Data residency

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization" \
      -d ''

    The output looks similar to the following:

    {
      "identities": [
        "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"
      ],
      "etag": "BwWJgyS8I4w="
    }
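
The verification in step 6 can be scripted so that it checks the whole identity list rather than only the presence of one account. The following is an added example, not part of the Apigee documentation: it parses a getSyncAuthorization response and reports identities that are missing, unexpected, or not in the serviceAccount: form. The function name, the second sample response and the old-ci-runner account are constructed for illustration.

```python
import json

SA_PREFIX = "serviceAccount:"
SA_SUFFIX = ".iam.gserviceaccount.com"


def audit_sync_authorization(response_text, expected_accounts):
    """Compare a getSyncAuthorization response with the intended accounts.

    expected_accounts: service account e-mail addresses (without the
    "serviceAccount:" prefix) that should hold Synchronizer access.
    Returns 'missing', 'unexpected' and 'malformed' lists plus 'etag' and 'ok'.
    """
    doc = json.loads(response_text)
    identities = doc.get("identities", [])  # key may be absent if nothing is set
    expected = {SA_PREFIX + a for a in expected_accounts}

    # Anything that is not "serviceAccount:<name>@<project>.iam.gserviceaccount.com"
    malformed = sorted(
        i for i in identities
        if not (i.startswith(SA_PREFIX) and i.endswith(SA_SUFFIX))
    )
    granted = set(identities)
    missing = sorted(expected - granted)
    unexpected = sorted(granted - expected - set(malformed))
    return {
        "missing": missing,
        "unexpected": unexpected,
        "malformed": malformed,
        "etag": doc.get("etag"),
        "ok": not (missing or unexpected or malformed),
    }


# Sample responses: GOOD has the shape of the output shown in step 6,
# DRIFTED is constructed to show an extra, unintended identity.
SYNC_SA = "my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"
GOOD = json.dumps({"identities": [SA_PREFIX + SYNC_SA], "etag": "BwWJgyS8I4w="})
DRIFTED = json.dumps({
    "identities": [
        SA_PREFIX + SYNC_SA,
        SA_PREFIX + "old-ci-runner@my_project_id.iam.gserviceaccount.com",
    ],
    "etag": "constructed-etag",
})
EXPECTED = [SYNC_SA]

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("drifted", DRIFTED)):
        print(name, audit_sync_authorization(body, EXPECTED))
```

In practice, feed the function the body returned by the curl call in step 6 instead of the embedded samples.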

Last updated 2026-02-18 UTC.