Service account validation
Apigee hybrid provides validation that ensures the location of your service accounts' keys are correct and that the accounts have the proper permissions in your GCP project. This validation is enabled by default.
This section describes how to enable or disable service account validation. In addition, this step ensures that you have the proper APIs enabled for your GCP project so that validation works.
Enable service account permission validation
To enable permission validation:
- Be sure the Cloud Resource Manager API is enabled for your GCP project:
  - Open the Google Cloud console and log in with the account you created in Step 1: Create a Google Cloud account.
  - Select the project that you created in Step 2: Create a Google Cloud project.
  - Select APIs & Services > Library.
  - Search for "Cloud Resource Manager".
  - Locate the Cloud Resource Manager API service and click on it.
  - If it is not enabled, click Enable.
  You can also enable the API using gcloud:
    gcloud services enable cloudresourcemanager.googleapis.com --project GCP_project_ID
- In your overrides file, add the validateServiceAccounts property and set it to true. For example:
    ...
    # Enables strict validation of service account permissions.
    validateServiceAccounts: true
    ...
When validation is enabled, any time apigeectl applies the Apigee hybrid runtime components to your cluster, it validates the service account keys that are included in your overrides file.
NOTE: Service account JSON key format validation is always performed. You do not have to take any steps to enable this validation and you cannot disable it.
Troubleshooting validation errors
Deleting and recreating service accounts: Note that reusing the name of a deleted service account may result in unexpected behavior. If you create a service account and delete it, always recreate it with a different name than the original SA. For details, see Deleting and recreating service accounts.
If validation fails, the runtime deployment stops and apigeectl exits. To troubleshoot service account failure, it's helpful to know that validation checks permissions in this order:
- Permission on the project ID.
- (For UDCA and Synchronizer only) If the permission check on the project fails, validation proceeds to check permission against the Apigee environment's IAM policy. These SAs are environment scoped and environments support finer-grained permissions.
To update the IAM policy for a specific environment, go to the hybrid UI. Go to Admin > Environments > Access.
For example, the following is an error message for a failed permission check:
Invalid Metrics Service Account. Service Account "apigee-metrics@hybrid-project.iam.gserviceaccount.com" is missing 1 or more required permissions [monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.list monitoring.timeSeries.create]. Visit Service accounts and roles used by hybrid components for more details on setting up Apigee hybrid service account permissions.
To address this error, add the required roles to the service account. For information on creating and modifying service accounts, see Create the service accounts. To check the required permissions for each Apigee hybrid component, see Service accounts and roles used by hybrid components.
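The following is an added example, not part of the original page or Apigee's own tooling: a small shell helper that pulls the service account and the missing permissions out of a validation error like the one above, then lists the roles the account currently holds at project level. The function names, the SAMPLE_ERROR variable and the step of deriving the project ID from the account's email are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not Apigee's code): triage a failed permission validation.

# Constructed sample, following the error message format shown on this page.
SAMPLE_ERROR='Invalid Metrics Service Account. Service Account "apigee-metrics@hybrid-project.iam.gserviceaccount.com" is missing 1 or more required permissions [monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.list monitoring.timeSeries.create].'

# Join a terminal-wrapped message back onto one line.
flat() { printf '%s' "$1" | tr '\n' ' '; }

# Service account email quoted in the message.
sa_email() {
  flat "$1" | sed -n 's/.*Service Account "\([^"]*\)".*/\1/p'
}

# Project ID taken from the email (NAME@PROJECT_ID.iam.gserviceaccount.com).
# Assumption: the account was created in the project being validated.
sa_project() {
  sa_email "$1" | sed -n 's/^[^@]*@\(.*\)\.iam\.gserviceaccount\.com$/\1/p'
}

# Missing permissions, one per line.
missing_permissions() {
  flat "$1" | sed -n 's/.*required permissions \[\([^]]*\)].*/\1/p' | tr -s ' ' '\n'
}

# Roles bound to the account in the project-level IAM policy.
# For UDCA and Synchronizer, also review the environment's IAM policy
# (Admin > Environments > Access), which this query does not cover.
current_roles() {  # $1 = email, $2 = project ID
  gcloud projects get-iam-policy "$2" \
    --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:$1" \
    --format='value(bindings.role)'
}

# Usage: triage "$ERROR_TEXT" [PROJECT_ID]
triage() {
  email=$(sa_email "$1")
  project=${2:-$(sa_project "$1")}
  [ -n "$email" ] || { echo "no service account in message" >&2; return 1; }
  echo "Service account: $email (project: $project)"
  echo "Missing permissions:"
  missing_permissions "$1" | sed 's/^/  /'
  echo "Roles bound at project level:"
  current_roles "$email" "$project" | sed 's/^/  /'
}
```

Pass the project ID as the second argument to triage when the service account was created in a different project from the one hosting hybrid.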
Disable permission validation
To disable service account permission validation, set the validateServiceAccounts property in your overrides file to false, as the following example shows:
    ...
    # Enables strict validation of service account permissions.
    validateServiceAccounts: false
    ...
Last updated 2025-12-17 UTC.