About Apigee provisioning permissions

This page applies toApigee, but not toApigee hybrid.

View Apigee Edge documentation.

This document describes the Google Cloud IAM permissions that are required to successfully provision Apigee.

You can specify permissions using the following:

  • Predefined roles: Provide sufficient permission to do the provisioning steps. Predefined roles may give the Apigee administrator more permissions than they need to complete provisioning.
  • Custom roles: Provide the least-necessary privilege needed to do the provisioning steps.

Google Cloud project owner role

The owner of the Google Cloud project that is used for Apigee provisioning already has permission to perform all of the basic Apigee provisioning steps.

If the Apigee provisioner is not the project owner, then use this document to determine the permissions needed to perform each of the provisioning steps.

If you use Shared Virtual Private Cloud (VPC) networking, additional permissions in the Shared VPC project are required, and these cases are also noted in this document.

Predefined roles

If you just want to make sure the Apigee administrator has sufficient permission to complete the provisioning, give the Apigee administrator the followingIAM predefined roles; however, predefined roles may give the Apigee administrator more permissions than they need to complete provisioning. See Custom roles and permissions to provide least-necessary privileges.

How to specify a predefined role

To add users and roles:

  1. In the Google Cloud console, go toIAM & Admin > IAM for your project.

    Go to the IAM/Iam page

  2. To add a new user:
    1. ClickGrant access.
    2. Type a newPrincipal name.
    3. Click theSelect a role menu and then type the role name in theFilter field. For example,Apigee Organization Admin. Click the role listed in the results.
    4. ClickSave.
  3. To edit an existing user:
    1. ClickEdit.
    2. To change an existing role, click theRole menu and then select a different role.
    3. To add another role, clickAdd another role.
    4. Click theSelect a role menu and then type the role name in theFilter field. For example,Apigee Organization Admin. Click the role listed in the results.
    5. ClickSave.
RoleRequired for stepsAccount typePurpose
Apigee Organization Admin
apigee.admin
  • Start Apigee provisioning
  • Create an organization
  • Create an environment
  • Create an Apigee instance
Paid and evalGrants full access to all Apigee resource features.
Service Usage Admin
serviceusage.serviceUsageAdmin
  • Enable APIs
Paid and evalAbility to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.
Cloud KMS Admin
cloudkms.admin
  • Create an organization
  • Configure a runtime instance
Paid onlyCreating Cloud KMS keys and keyrings.
Compute Admin
compute.admin
  • Create an organization
  • Configure a runtime instance
  • Configure service networking
  • Configure access routing (to create the external HTTPS load balancer)
Paid and evalListing Compute regions, setting up service networking, and creating the external HTTPS load balancer.

Custom roles and permissions

To provide least-necessary privileges, create anIAM custom role and assign permissions from the following sections.

How to specify a custom role

To add a custom role:

  1. In the Google Cloud console, go toIAM & Admin > Roles for your project.

    Go to the IAM & Admin/Roles page

  2. To add a new role:
    1. ClickCreate role.
    2. Type a newTitle.
    3. Type aDescription (optional).
    4. Type anID.
    5. Select aRole launch stage.
    6. ClickAdd permissions.
    7. Copy the desired permission text from the tables below and paste it into theFilter field. For example,apigee.environments.create.
    8. PressEnter or click an item from the results.
    9. Select the checkbox for the item just added.
    10. ClickAdd.Note: To add multiple permissions at a time:
      • Select theOR operator between each permission as you add them, or
      • Search for a partial permission string, for example,apigee.environments, select multiple checkboxes, and then clickSave.
    11. Once you have added all the permissions for this role, clickCreate.
  3. To edit an existing custom role:
    1. Locate the custom role.
    2. ClickMore >Edit.
    3. Make any desired changes.
    4. ClickUpdate.

UI-based Apigee management permissions

This permission is required for all users who will manage an organization through theApigee UI in Cloud console. Include it in custom roles that involve management through that interface.

RoleAccount typePurpose
apigee.projectorganizations.get
Paid and eval

Provisioning permissions

These permissions are required to start provisioning Apigee:

RoleAccount typePurpose
apigee.entitlements.get
apigee.environments.create
apigee.environments.get
apigee.environments.list
apigee.envgroups.create
apigee.envgroups.get
apigee.envgroups.list
apigee.envgroups.update
apigee.envgroupattachments.create
apigee.envgroupattachments.list
apigee.instances.create
apigee.instances.get
apigee.instances.list
apigee.instanceattachments.create
apigee.instanceattachments.get
apigee.instanceattachments.list
apigee.operations.get
apigee.operations.list
apigee.organizations.create
apigee.organizations.get
apigee.organizations.update
apigee.projectorganizations.get
apigee.projects.update
apigee.setupcontexts.get
apigee.setupcontexts.update		Paid and eval
  • Start Apigee provisioning
  • Create an organization
  • Create an environment
  • Create an Apigee instance

API enablement permissions

These permissions are required to enable Google Cloud APIs:

RoleAccount typePurpose
serviceusage.services.get
serviceusage.services.list
serviceusage.services.enable		Paid and evalEnabling Google Cloud APIs

Organization creation permissions (paid org)

These permissions are needed to create an Apigee organization for paid accounts (Subscription or Pay-as-you-go):

PermissionsAccount typePurpose
compute.regions.listPaid onlySelecting an analytics hosting location
cloudkms.cryptoKeys.list
cloudkms.locations.list
cloudkms.keyRings.list		Paid onlySelecting a runtime database encryption key
cloudkms.cryptoKeys.create
cloudkms.keyRings.create		Paid onlyCreating a runtime database encryption key
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.setIamPolicy		Paid onlyGranting Apigee service account permission to use an encryption key

Organization creation permissions (eval org)

This permission is required for selecting analytics and runtime hosting regions for an eval organization:

PermissionsAccount typePurpose
compute.regions.listEval organizations onlySelecting analytics and runtime hosting regions

Service networking permissions

These permissions are needed in the service networking configuration steps. If you are using Shared VPC networking, see Service networking permissions with Shared VPC.

PermissionsAccount typePurpose
compute.globalAddresses.createInternal
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.networks.get
compute.networks.list
compute.networks.use
compute.projects.get
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get		Paid and eval

These permissions are required to perform the tasks in the service networking configuration step.

Note:If you are using Shared Virtual Private Cloud (VPC) networking, see Service networking permissions with Shared VPC.

Service networking permissions with Shared VPC

If you are using Shared Virtual Private Cloud (VPC) networking, a user with administrative privileges in the Shared VPC project must peer the Shared VPC project with Apigee, as described in Using shared VPC networks. Peering must be completed before the Apigee admin can complete the service networking steps. See alsoAdministrators and IAM.

When Shared VPC is properly set up, the Apigee admin needs these permissions to complete the service networking configuration steps:

PermissionsAccount typePurpose
compute.projects.getPaid and eval

The Apigee admin must have this permissionin the project where Apigee is installed. This permission allows the admin to view the Shared VPC host project ID.

Compute Network User role
(compute.networkUser)		Paid and eval The Apigee admin must be granted this rolein the Shared VPC host project. This role allows the admin to view and select the Shared VPC network in the Apigee provisioning UI.

Runtime instance permissions

These permissions are needed to create a runtime instance (Subscription and Pay-as-you-go accounts only):

PermissionsAccount typePurpose
compute.regions.listPaid onlySelecting a runtime hosting location
cloudkms.cryptoKeys.list
cloudkms.locations.list
cloudkms.keyRings.list		Paid onlySelecting a runtime disk encryption key
cloudkms.cryptoKeys.create
cloudkms.keyRings.create		Paid onlyCreating a runtime disk encryption key
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.setIamPolicy		Paid onlyGranting Apigee service account permission to use an encryption key

Access routing permissions

These permissions are needed for the access routing steps:

PermissionsAccount typePurpose
compute.autoscalers.create
compute.backendServices.create
compute.backendServices.use
compute.disks.create
compute.globalAddresses.create
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalOperations.get
compute.firewalls.create
compute.firewalls.get
compute.healthChecks.create
compute.healthChecks.useReadOnly
compute.images.get
compute.images.useReadOnly
compute.instances.create
compute.instances.setMetadata
compute.instanceGroups.use
compute.instanceGroupManagers.create
compute.instanceGroupManagers.use
compute.instanceTemplates.get
compute.instanceTemplates.create
compute.instanceTemplates.useReadOnly
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.networks.use
compute.regionOperations.get
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.use
compute.sslCertificates.create
compute.sslCertificates.get
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.setPrivateIpGoogleAccess
compute.subnetworks.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.use
compute.urlMaps.create
compute.urlMaps.use		Paid and eval

Configuring basic access routing

Note:If you are using Shared Virtual Private Cloud (VPC) networking, seeAccess routing permissions with Shared VPC.

Access routing permissions with Shared VPC

If you are using Shared Virtual Private Cloud (VPC) networking, be aware that the Shared VPC configuration and peering must be completed before you can perform the access routing step.

After the Shared VPC is set up properly, the Apigee admin requires thecompute.networkUser rolein the Shared VPC project to complete the access routing steps. See also Required administrative roles for Shared VPC.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.