You are currently viewing version 1.7 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

This section describes the Synchronizer.

Synchronizer overview

In Apigee hybrid, the Synchronizer's primary job is to poll and download the runtime contracts which are supplied by the management plane. Information communicated by contract includes API proxies, API products, caches, and virtual hosts. Synchronizer by default stores environment configuration data in the Cassandra database.

Synchronizer instances running in the runtime-plane are expected to poll the managementplane on a regular basis, download the contracts and make the same available to local runtimeinstances.

One Synchronizer can support many Message Processors deployed in the same pod.

Enable Synchronizer access

You must grant theSynchronizer permission to pull downApigee artifacts, such as proxy bundles and resources from the management plane. You must call anApigee API to authorize the Synchronizer to pull artifacts down from the management plane to theruntime plane.

1. Ensure that you have enabled the Apigee API as explained in the GCP setup steps. For details, seeStep 3: Enable APIs.
2. Locate thewrite-enabled GCP service account key (a JSON file) that you downloaded as part ofCreate service accounts. The service account has theApigee Org Admin role and is the one named "apigee-org-admin". If you did not previously create this service account, you must do so before continuing.

3. Set theGOOGLE_APPLICATION_CREDENTIALS environment variable to the path where the service account key is located:

   export GOOGLE_APPLICATION_CREDENTIALS=your_sa_credentials_file.json

4. Call thesetSyncAuthorization API to enable the required permissions for Synchronizer:IMPORTANT:Be sure that the service account name that you add to this API has the roleApigee Synchronizer Manager. See alsoCreate service accounts.

   curl -X POST -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \  -H "Content-Type:application/json" \  "https://apigee.googleapis.com/v1/organizations/your_org_name:setSyncAuthorization" \   -d '{"identities":["serviceAccount:synchronizer-manager-service-account-name"]}'

   Where:

   • your_org_name: The name of the hybrid organization.
   • synchronizer-manager-service-account-name: The name of a service account with theApigee Synchronizer Manager role. The name is formed like an email address. For example:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com

   Example:

   curl -X POST -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \  -H "Content-Type:application/json" \  "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \   -d '{"identities":["serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"]}'

   For more information on this API, seeSyncAuthorization API.

5. To verify that the service account was set, call the following API to get a list of service accounts:

   curl -X POST -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \  -H "Content-Type:application/json" \  "https://apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization" \   -d ''

   The output looks similar to the following:

   {"identities":[      "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"],"etag":"BwWJgyS8I4w="}