Step 7: Install hybrid runtime

You are currently viewing version 1.4 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

Enable synchronizer access

To enable synchronizer access:

  1. Create a Google Cloud service account and add theApigee Organization Admin role to it. This service account will be used to authenticate an API call that you will make in a later step. An easy way to create the service account is through the GCP console. For instructions, see Creating and managing service accounts in the GCP documentation.

    For example, the followinggcloud commands will create the service account and assign theApigee Organization Admin to it:

    1. Create the account:
      gcloud iam service-accounts createapigee-org-admin \    --display-name="apigee-org-admin"

      Whereapigee-org-admin is the name of the service account you are creating. "apigee-org-admin" is recommended for this tutorial.

    2. Assign theApigee Org Admin role to the service account:
      gcloud projects add-iam-policy-binding$PROJECT_ID \    --member="serviceAccount:apigee-org-admin@$PROJECT_ID.iam.gserviceaccount.com" \    --role="roles/apigee.admin"

      Where:

      • $PROJECT_ID is the name of your Google Cloud project that you created inStep 2: Create a Google Cloud project.
      • apigee-org-admin is the name of the service account you just created.
      • roles/apigee.admin is theApigee Org Admin role.
  2. Download the service account key to your system. Use the following command to make download the key into yourservice-accounts/ directory. For more information see the instructions in Creating service account keys in the GCP documentation.
    1. Make sure you are in the/hybrid-base-directory/hybrid-files/ directory.
    2. Download the key:
      gcloud iam service-accounts keys create ./service-accounts/$PROJECT_ID-apigee-org-admin.json \  --iam-accountapigee-org-admin@$PROJECT_ID.iam.gserviceaccount.com

      The output should look something like:

      created key [a0b1c2d3e4f5a0b1c2d3e4f5a0b1c2d3e4f5a0b1] of type [json] as [./service-accounts/hybrid-example-apigee-org-admin.json] for [apigee-org-admin@my-hybrid.iam.gserviceaccount.com]$
  3. Verify the path to the Apigee Org Admin service account key with the following command:
    ls service-accounts/*admin*

    The result should look something like the following:

    service-accounts/hybrid-example-apigee-org-admin.json
  4. Create anORG_ADMIN_ACCOUNT environment variable with the name of the key file. For example:
    export ORG_ADMIN_ACCOUNT="hybrid-example-apigee-org-admin.json"
  5. Execute the following commands to get a token:
    export GOOGLE_APPLICATION_CREDENTIALS=./service-accounts/$ORG_ADMIN_ACCOUNTexport TOKEN=$(gcloud auth application-default print-access-token)
  6. Get the email address for yourapigee-synchronizer service account with the following command:
    gcloud iam service-accounts list --filter "apigee-synchronizer"

    If it matches the patternapigee-synchronizer$ORG_NAME.iam.gserviceaccount.com, you can use that pattern in the next step.

  7. Call thesetSyncAuthorization API to enable the required permissions for Synchronizer using the following command:
    curl -X POST -H "Authorization: Bearer $TOKEN" \  -H "Content-Type:application/json" \  "https://apigee.googleapis.com/v1/organizations/$ORG_NAME:setSyncAuthorization" \   -d '{"identities":["'"serviceAccount:apigee-synchronizer@$ORG_NAME.iam.gserviceaccount.com"'"]}'

    Where:

    • $ORG_NAME: The name of your hybrid organization.
    • apigee-synchronizer$ORG_NAME.iam.gserviceaccount.com: The email address of the apigee-syncnronizer service account.
  8. To verify that the service account was set, use the following command to call the API to get a list of service accounts:
    curl -X POST -H "Authorization: Bearer$TOKEN" \  -H "Content-Type:application/json" \  "https://apigee.googleapis.com/v1/organizations/$ORG_NAME:getSyncAuthorization" \   -d ''

    The output looks similar to the following:

    {   "identities":[      "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"   ],   "etag":"BwWJgyS8I4w="}

Apply the configuration to the cluster

Use the following steps to install Apigee hybrid into your cluster:

  1. Be sure that you are in thehybrid-base-directory/hybrid-files directory.
  2. Verify thatkubectl is set to the correct context using the following command. The current context should be set to the cluster to which you are deploying Apigee hybrid.
    kubectl config get-contexts
  3. ForAWS on GKE,EKS, andGKE on prem platforms only, Verify that theKUBECONFIG variable is set using the following command.
    echo $KUBECONFIG
  4. Do adry run initialization. Execute theinit command with the--dry-run flag. Doing a dry run lets you check for any errors before any changes are made to the cluster.

    In hybrid version 1.4.4, the syntax of the--dry-run flag depends on the version ofkubectl you are running. Check the version ofkubectl with the following command:

    kubectl version

    kubectl version 1.17 and older:

    $APIGEECTL_HOME/apigeectl init -f overrides/overrides.yaml --dry-run=true

    kubectl version 1.18 and newer:

    $APIGEECTL_HOME/apigeectl init -f overrides/overrides.yaml --dry-run=client
  5. If there are no errors, execute theinit command as follows:
    $APIGEECTL_HOME/apigeectl init -f overrides/overrides.yaml

    Theinit command installs theApigee deployment services Apigee Deployment Controller and Apigee Admission Webhook.

  6. To check the status of the deployment, you can use the following commands:
    $APIGEECTL_HOME/apigeectl check-ready -f overrides/overrides.yamlkubectl get pods -n apigee-systemkubectl get pods -n istio-system

    When the pods are ready, go to the next step.

  7. Do adry run install. Execute theapply command with the--dry-run flag.

    kubectl version 1.17 and older:

    $APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml --dry-run=true

    kubectl version 1.18 and newer:

    $APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml --dry-run=client
  8. If there are no errors, you can apply the Apigee-specific runtime components to the cluster with the following command:
    $APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml
  9. To check the status of the deployment, run the following command:
    $APIGEECTL_HOME/apigeectl check-ready -f overrides/overrides.yaml

    Repeat this step until the pods are all ready. The pods may take several minutes to start up.

Congratulations!

You've successfully installed Apigee hybrid. You are now ready to test it.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.