Step 7: Enable Synchronizer access
Get an authorization token
To make the Apigee API calls described later in this topic, you need to get an authorization token that has the Apigee Organization Admin role.
- If you are not the owner of the Google Cloud project that is associated with your Apigee hybrid organization, be sure that your Google Cloud user account has the roles/apigee.admin (Apigee Organization Admin) role. You can check the roles assigned to you with this command:
gcloud projects get-iam-policy ${PROJECT_ID} \
  --flatten="bindings[].members" \
  --format='table(bindings.role)' \
  --filter="bindings.members:your_account_email"
For example:
gcloud projects get-iam-policy my-project \
  --flatten="bindings[].members" \
  --format='table(bindings.role)' \
  --filter="bindings.members:myusername@example.com"
The output should include roles/apigee.admin.
- If you do not have roles/apigee.admin, add the Apigee Organization Admin role to your user account. Use the following command to add the role to your user account:
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member user:your_account_email \
  --role roles/apigee.admin
For example:
gcloud projects add-iam-policy-binding my-project \
  --member user:myusername@example.com \
  --role roles/apigee.admin
On the command line, get your gcloud authentication credentials using the following command:
Linux / MacOS
export TOKEN=$(gcloud auth print-access-token)
To check that your token was populated, use echo, as the following example shows:
echo $TOKEN
This should display your token as an encoded string.
Windows
for /f "tokens=*" %a in ('gcloud auth print-access-token') do set TOKEN=%a
To check that your token was populated, use echo, as the following example shows:
echo %TOKEN%
This should display your token as an encoded string.
Enable synchronizer access
To enable synchronizer access:
- Get the email address for the service account to which you are granting synchronizer access. For non-production environments (as suggested in this tutorial) it should be apigee-non-prod. For production environments, it should be apigee-synchronizer. Use the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee-synchronizer"
- Call the setSyncAuthorization API to enable the required permissions for Synchronizer using the following command:
No data residency
curl -X POST -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:setSyncAuthorization" \
  -d "{\"identities\":[\"serviceAccount:apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com\"]}"
Where:
  - ${ORG_NAME}: The name of your hybrid organization.
  - apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com: The email address of the service account.
Data residency
curl -X POST -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type:application/json" \
  "https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/${ORG_NAME}:setSyncAuthorization" \
  -d "{\"identities\":[\"serviceAccount:apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com\"]}"
Where:
  - CONTROL_PLANE_LOCATION: The location for your control plane data if your hybrid installation uses data residency. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions.
  - ${ORG_NAME}: The name of your hybrid organization.
  - apigee-synchronizer@${ORG_NAME}.iam.gserviceaccount.com: The email address of the service account.
- To verify that the service account was set, use the following command to call the API to get a list of service accounts:
No data residency
curl -X GET -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/${ORG_NAME}:getSyncAuthorization"
Data residency
curl -X GET -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type:application/json" \
  "https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/${ORG_NAME}:getSyncAuthorization"
The output looks similar to the following:
{"identities":[ "serviceAccount:apigee-synchronizer@my_project_id.iam.gserviceaccount.com"],"etag":"BwWJgyS8I4w="}
Note: The call to the Apigee API uses ${ORG_NAME}, and the results from the IAM service account mappings use my_project_id. In most cases, the values are the same. One uncommon exception is when using a multi-org cluster, where there would be more than one org name, and the service accounts could be different per org.
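A check over the getSyncAuthorization response, added here as an example (it is not part of the Apigee documentation's own code): it confirms that only the expected service account holds Synchronizer access. The function name, the report keys and the sample response, including the ci-deployer account, are constructed for illustration.

```python
import json

# Constructed sample: a getSyncAuthorization response in which a second,
# unexpected service account also holds Synchronizer access.
SAMPLE_RESPONSE = """{"identities": [
  "serviceAccount:apigee-synchronizer@my_project_id.iam.gserviceaccount.com",
  "serviceAccount:ci-deployer@my_project_id.iam.gserviceaccount.com"],
  "etag": "BwWJgyS8I4w="}"""


def audit_sync_authorization(response_text, expected_emails):
    """Compare the identities in a getSyncAuthorization response with the
    service accounts that are supposed to have Synchronizer access.

    expected_emails is passed in explicitly rather than derived from the org
    name, because in a multi-org cluster the project ID in the service
    account email can differ from ${ORG_NAME}.
    """
    body = json.loads(response_text)
    # A response without an "identities" key means nothing is authorized.
    granted = set(body.get("identities", []))
    expected = {"serviceAccount:" + email for email in expected_emails}

    return {
        "ok": granted == expected,
        # Expected accounts that were never authorized.
        "missing": sorted(expected - granted),
        # Identities with access that nobody asked for.
        "unexpected": sorted(granted - expected),
        # Entries that lack the serviceAccount: prefix used in the request.
        "malformed": sorted(
            m for m in granted if not m.startswith("serviceAccount:")
        ),
        "etag": body.get("etag"),
    }


if __name__ == "__main__":
    report = audit_sync_authorization(
        SAMPLE_RESPONSE,
        ["apigee-synchronizer@my_project_id.iam.gserviceaccount.com"],
    )
    print(json.dumps(report, indent=2))
```

To run it against a live organization, pass the body returned by the getSyncAuthorization curl command as response_text.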
You have now enabled your Apigee hybrid runtime and management planes to communicate. Next, install cert-manager to enable Apigee hybrid to interpret and manage certificates.
Next step
Step 8: Install cert-manager
Last updated 2025-12-15 UTC.