create-service-account

You are currently viewing version 1.2 of the Apigee hybrid documentation. This version is end of life. You should upgrade to a newer version. For more information, see Supported versions.

Creates Google Cloud Platform (GCP) service accounts with roles that allow individual Apigee hybrid components to make authorized API calls, and downloads the associated service account key files. You can use the service account key files generated by this command in your configuration overrides file.

The create-service-account tool is located in the hybrid_root_dir/tools directory.

Prerequisites

The create-service-account tool requires that the gcloud CLI be installed. Users invoking the utility should have the role Service Account Admin.

To get started, be sure your gcloud project configuration is set to the project you created in Step 2: Create a Google Cloud project:

gcloud config list project

If you need to change the current project ID, use this command:

gcloud config set project gcp_project_id

Where gcp_project_id is the project created in Step 2: Create a Google Cloud project.

create-service-account syntax

The create-service-account tool uses the following syntax:

create-service-account component_name output_dir [gcp_project_id]

Where:

  • component_name: Specifies the hybrid service that uses the service account. Valid values are:
    • apigee-cassandra
    • apigee-logger
    • apigee-mart
    • apigee-metrics
    • apigee-synchronizer
    • apigee-udca

    Note that the create-service-account tool cannot create the apigee-org-admin service account. You must create that either with the GCP or gCloud APIs, as described in Create service accounts.

  • output_dir: The output directory in which to store the downloaded service account key.
  • gcp_project_id: (Optional) Specifies the GCP project ID of the project that is bound to your hybrid-enabled organization. If the GCP project ID is not provided, the tool attempts to retrieve it from the current gcloud configuration.

NOTE: When you generate a service account for apigee-mart you'll see this error:
[ERROR]: No roles found for component apigee-mart

You can ignore the error—the service account for MART does not need a role and is created with no role assigned to it.

Detailed description

The create-service-account tool:

  • Creates GCP service accounts used by hybrid components. The created service account is granted the role required by the specific component to operate.
  • Downloads the service account key to your system. You place the service account keys in your hybrid configuration overrides file, as explained in the hybrid installation instructions.

The tool creates service accounts for the following components:

| Component* | Role | Required for basic install? | Description |
|---|---|---|---|
| apigee-cassandra | Storage Object Admin | | Allows Cassandra backups to Google Cloud Storage, as described in Backup and recovery. |
| apigee-logger | Logs Writer | | Allows logging data collection, as described in Logging. Only required for non-GKE cluster installations. |
| apigee-mart | No role | | Allows MART service authentication. This service account should not have a role associated with it; as a result, when you create this service account, do not assign a role to it. |
| apigee-metrics | Monitoring Metric Writer | | Allows metrics data collection, as described in Metrics collection. |
| apigee-org-admin | Apigee Organization Admin | | Lets you call the getSyncAuthorization API and setSyncAuthorization API. You cannot create this service account with the create-service-account tool. |
| apigee-synchronizer | Apigee Synchronizer Manager | | Allows the synchronizer to download proxy bundles and environment configuration data. Also enables operation of the trace feature. |
| apigee-udca | Apigee Analytics Agent | | Allows the transfer of trace, analytics and deployment status data to the management plane. |

* This name is used in the downloaded service account key's filename.

You can also create service accounts in the GCP Console. See also Creating and managing service accounts.

Example

The following example creates a new service account for the apigee-logger service and places the downloaded key in the ./service-accounts directory.

./my-hybrid-root/tools/create-service-account apigee-logger ./service-accounts
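
A wrapper around the invocation above, added here as an example and not part of the Apigee tooling: it rejects component names the tool does not support, keeps the key directory private, and restricts the downloaded key files to their owner. CSA_TOOL and the function names are assumptions, and it expects a fresh output directory for each run.

```shell
#!/bin/sh
# Added example, not part of the Apigee tooling. CSA_TOOL is an assumed
# variable name; its default is the tool path from the page's own example.
CSA_TOOL="${CSA_TOOL:-./my-hybrid-root/tools/create-service-account}"

# Component names the page lists as valid for the tool.
VALID_COMPONENTS="apigee-cassandra apigee-logger apigee-mart apigee-metrics apigee-synchronizer apigee-udca"

# Succeeds only if $1 is a component the tool can create.
is_valid_component() {
  for _c in $VALID_COMPONENTS; do
    [ "$_c" = "$1" ] && return 0
  done
  return 1
}

# Number of regular files currently under directory $1.
count_files() { echo $(( $(find "$1" -type f | wc -l) )); }

# create_keys OUTPUT_DIR COMPONENT...
# Rejects unknown names (apigee-org-admin included) before calling the tool,
# keeps the key directory private, and locks each key file to its owner.
create_keys() {
  _out="$1"; shift
  for _name in "$@"; do
    is_valid_component "$_name" || { echo "unsupported component: $_name" >&2; return 2; }
  done
  mkdir -p "$_out" && chmod 700 "$_out" || return 1
  for _name in "$@"; do
    _before=$(count_files "$_out")
    if ! "$CSA_TOOL" "$_name" "$_out"; then
      # The page says the apigee-mart "No roles found" error can be ignored.
      # Its exit status is not documented, so tolerate failure for MART only.
      [ "$_name" = "apigee-mart" ] || { echo "tool failed: $_name" >&2; return 1; }
    fi
    # Whatever the exit status, a new key file must have been downloaded.
    [ "$(count_files "$_out")" -gt "$_before" ] || { echo "no key for $_name" >&2; return 1; }
  done
  # Service account keys are long-lived credentials: owner read/write only.
  find "$_out" -type f -exec chmod 600 {} +
}

# Usage: create_keys ./service-accounts apigee-logger apigee-metrics
```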


Last updated 2026-02-18 UTC.