Permissions and roles for installing Apigee hybrid

You are currently viewing version 1.13 of the Apigee hybrid documentation. This version is end of life. You should upgrade to a newer version. For more information, see Supported versions.

The procedures to install and manage Apigee hybrid require the following permissions and roles. Individual tasks can be performed by different members of your organization who have the required permissions and roles.

Cluster permissions

Each supported platform has its own permission requirements for creating a cluster. As cluster owner, you can proceed to install the Apigee-specific components (including cert-manager and the Apigee runtime) into the cluster. However, if you want to delegate the installation of the runtime components into the cluster to another user, you can manage the necessary permissions through Kubernetes authn-authz.

To install the hybrid runtime components into the cluster, a non-cluster-owner user should have CRUD permission on these resources:

IAM Roles

You need to have the following IAM roles assigned to your user account in order to perform these steps. If your account does not have these roles, have a user with the roles perform the steps. For more information on IAM roles, see IAM basic and predefined roles reference.

To create service accounts and grant them access to your project:

To grant synchronizer access to your project:

To configure workload identity for installations on GKE (optional):


Last updated 2026-02-19 UTC.