Step 8: Enable Synchronizer access Stay organized with collections Save and categorize content based on your preferences.
Get an authorization token
To make the Apigee API calls described later in this topic, you need to get an authorization token that has the Apigee Organization Admin role.
- If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid organization, be sure that your Google Cloud user account has theroles/apigee.admin (Apigee Organization Admin) role. You can check the roles assigned to you with this command:
gcloud projects get-iam-policy$PROJECT_ID \--flatten="bindings[].members" \--format='table(bindings.role)' \--filter="bindings.members:your_account_email"
For example:
gcloud projects get-iam-policy my-project \--flatten="bindings[].members" \--format='table(bindings.role)' \--filter="bindings.members:myusername@example.com"
The output should look something like:
ROLEroles/apigee.adminroles/compute.adminroles/container.adminroles/gkehub.adminroles/iam.serviceAccountAdminroles/iam.serviceAccountKeyAdminroles/meshconfig.adminroles/ownerroles/resourcemanager.projectIamAdminroles/servicemanagement.adminroles/serviceusage.serviceUsageAdmin
- If you do not have
roles/apigee.adminin your roles, add theApigee Organization Admin role to your user account. Use the following command to add the role to your user account:gcloud projects add-iam-policy-binding$PROJECT_ID \ --member user:your_account_email \ --role roles/apigee.admin
For example:
gcloud projects add-iam-policy-binding my-project \ --member user:myusername@example.com \ --role roles/apigee.admin
- Get an authorization token for your user account:
export TOKEN=$(gcloud auth print-access-token)
You can check the$TOKEN environment variable with the following command:
echo $TOKEN
Enable synchronizer access
To enable synchronizer access:
- Get the email address for the service account to which you are granting synchronizer access. For non production environments (as suggested in this tutorial) it should be
apigee-non-prod. For production environments, it shoudl beapigee-synchronizer. Use the following command:gcloud iam service-accounts list --filter "apigee-non-prod"
If it matches the pattern
apigee-non-prod@$ORG_NAME.iam.gserviceaccount.com, you can use that pattern in the next step. - Call thesetSyncAuthorization API to enable the required permissions for Synchronizer using the following command:
curl -X POST -H "Authorization: Bearer $TOKEN" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/$ORG_NAME:setSyncAuthorization" \ -d '{"identities":["'"serviceAccount:apigee-non-prod@$ORG_NAME.iam.gserviceaccount.com"'"]}'Where:
$ORG_NAME: The name of your hybrid organization.apigee-non-prod$ORG_NAME.iam.gserviceaccount.com: The email address of the service account.
bad substitution. In this case, replace$ORG_NAME with the name of your organization and replace the"'"with"as follows:curl -X POST -H "Authorization: Bearer $TOKEN" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/YOUR_ORG_NAME:setSyncAuthorization" \ -d '{"identities":["serviceAccount:apigee-non-prod@YOUR_ORG_NAME.iam.gserviceaccount.com"]}' - To verify that the service account was set, use the following command to call the API to get a list of service accounts:
curl -X POST -H "Authorization: Bearer$TOKEN" \ -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/$ORG_NAME:getSyncAuthorization" \ -d ''
The output looks similar to the following:
{ "identities":[ "serviceAccount:apigee-non-prod@my_project_id.iam.gserviceaccount.com" ], "etag":"BwWJgyS8I4w="}
You have now made it possible for your Apigee hybrid runtime and management planes to communicate. Next, let's apply your configuration to the hybrid runtime and complete your installation of Apigee hybrid.
12345678(NEXT) Step 9: Install the hybrid runtimeExcept as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.