Apigee hybrid provides validation that ensures the location of your service accounts' keys are correct and that the accounts have the proper permissions in your GCP project. This validation is enabled by default.
This section describes how to enable or disable service account validation. In addition, this step ensures that you have the proper APIs enabled for your GCP project so that validation works.
Enable service account permission validation
To enable permission validation:
- Be sure the
Cloud Resource Manager API is enabled for your GCP project:
- Open the Google Cloud console and log in with the account you created in Step 1: Create a Google Cloud account.
- Select the project that you created in Step 2: Create a Google Cloud project.
- Select APIs & Services > Library.
- Search for "Cloud Resource Manager".
- Locate the Cloud Resource Manager API service and click on it.
- If it is not enabled, click Enable.
You can also enable the API using gcloud:
gcloud services enable cloudresourcemanager.googleapis.com --project GCP_project_ID
- In your overrides file, add the
validateServiceAccounts
property and set it totrue
. For example:... # Enables strict validation of service account permissions. validateServiceAccounts: true ...
When validation is enabled, any time apigeectl applies the Apigee hybrid runtime components to your cluster, it validates the service account keys that are included in your overrides file.
Troubleshooting validation errors
If validation fails, the runtime deployment stops and apigeectl
exits.
To troubleshoot service account failure, it's helpful to know that validation checks
permissions in this order:
- Permission on the project ID.
- (For UDCA and Synchronizer only) If the permission check on the project fails, validation
proceeds to check permission against the Apigee environment's
IAM policy. These SAs are
environment scoped and environments support finer-grained permissions.
To update the IAM policy for a specific environment, go to the hybrid UI. Go to Admin > Environments > Access
For example, the following is an error message for a failed permission check:
Invalid Metrics Service Account. Service Account "[email protected]" is missing 1 or more required permissions [monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.list monitoring.timeSeries.create]. Visit Service accounts and roles used by hybrid components for more details on setting up Apigee hybrid service account permissions.
To address this error, add the required roles to the service account. For information on creating and modifying service accounts, see Create the service accounts. To check the required permissions for each Apigee hybrid component, see Service accounts and roles used by hybrid components.
Disable permission validation
To disable service account permission validation, set the validationServiceAccounts
property in your overrides file to false
, as the following example shows:
... # Enables strict validation of service account permissions. validateServiceAccounts: false ...