In order for the runtime plane and control plane to communicate, you must enable the required permissions for Synchronizer and analytics publisher access with the updateControlPlaneAccess API.
To make the Apigee API calls described later in this topic, you need to get an authorization token that has the Apigee Organization Admin role.
gcloud projects get-iam-policy $PROJECT_ID \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:your_account_email"
For example:
gcloud projects get-iam-policy my-project \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:myusername@example.com"
The output should include roles/apigee.admin.
If the output does not include roles/apigee.admin, add the Apigee
Organization Admin role to your user account. Use the following command to add the
role:
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member user:your_account_email \
--role roles/apigee.admin
For example:
gcloud projects add-iam-policy-binding my-project \
--member user:myusername@example.com \
--role roles/apigee.admin
On the command line, get your gcloud authentication
credentials using the following command:
export TOKEN=$(gcloud auth print-access-token)
To check that your token was populated, use echo, as the
following example shows:
echo $TOKEN
This should display your token as an encoded string.
On Windows, use the following command:
for /f "tokens=*" %a in ('gcloud auth print-access-token') do set TOKEN=%a
To check that your token was populated, use echo, as the
following example shows:
echo %TOKEN%
This should display your token as an encoded string.
To enable synchronizer access:
For non-production environments, the service account should be apigee-non-prod. For production environments, it should be
apigee-synchronizer. Use the following command:
gcloud iam service-accounts list --project $PROJECT_ID --filter "apigee-synchronizer"
curl -X PATCH -H "Authorization: Bearer $TOKEN" \
-H "Content-Type:application/json" \
"https://apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess?update_mask=synchronizer_identities" \
-d "{\"synchronizer_identities\": [\"serviceAccount:apigee-synchronizer@$ORG_NAME.iam.gserviceaccount.com\"]}"
Where:
$ORG_NAME: The name of your hybrid organization.
apigee-synchronizer@$ORG_NAME.iam.gserviceaccount.com: The email address of the service account.
curl -X PATCH -H "Authorization: Bearer $TOKEN" \
-H "Content-Type:application/json" \
"https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess?update_mask=synchronizer_identities" \
-d "{\"synchronizer_identities\": [\"serviceAccount:apigee-synchronizer@$ORG_NAME.iam.gserviceaccount.com\"]}"
Where:
CONTROL_PLANE_LOCATION: The location for your control plane data if your hybrid installation uses data residency. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions.
$ORG_NAME: The name of your hybrid organization.
apigee-synchronizer@$ORG_NAME.iam.gserviceaccount.com: The email address of the service account.
curl -X GET -H "Authorization: Bearer $TOKEN" \
-H "Content-Type:application/json" \
"https://apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess"
curl -X GET -H "Authorization: Bearer $TOKEN" \
-H "Content-Type:application/json" \
"https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess"
The output should look similar to the following:
{
"synchronizerIdentities": [
"serviceAccount:apigee-synchronizer@YOUR_ORG_NAME.iam.gserviceaccount.com"
]
}
Several Apigee hybrid runtime components publish analytics and debug records to provide information for reporting and debugging. To enable publishing this data, you need to grant additional permissions to the service accounts that run these Apigee components so that they can publish data directly to the control plane.
To enable analytics publisher access:
For non-production environments, the service account should be apigee-non-prod. For production environments, it should be
apigee-runtime.
Call the updateControlPlaneAccess API to enable permissions for the runtime and MART service accounts:
curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type:application/json" \
"https://apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess?update_mask=analytics_publisher_identities" \
-d "{\"analytics_publisher_identities\": [\"serviceAccount:apigee-mart@$ORG_NAME.iam.gserviceaccount.com\",\"serviceAccount:apigee-runtime@$ORG_NAME.iam.gserviceaccount.com\"]}"
If you are enabling Monetization for Apigee hybrid, set the permissions for the mint task scheduler service account:
curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type:application/json" \
"https://apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess?update_mask=analytics_publisher_identities" \
-d "{\"analytics_publisher_identities\": [\"serviceAccount:apigee-mart@$ORG_NAME.iam.gserviceaccount.com\",\"serviceAccount:apigee-runtime@$ORG_NAME.iam.gserviceaccount.com\",\"serviceAccount:apigee-mint-task-scheduler@$ORG_NAME.iam.gserviceaccount.com\"]}"
Where the following are the email addresses of the service accounts:
apigee-mart@${ORG_NAME}.iam.gserviceaccount.com
apigee-mint-task-scheduler@${ORG_NAME}.iam.gserviceaccount.com
apigee-runtime@${ORG_NAME}.iam.gserviceaccount.com
Call the updateControlPlaneAccess API to enable permissions for the runtime and MART service accounts:
curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type:application/json" \
"https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess?update_mask=analytics_publisher_identities" \
-d "{\"analytics_publisher_identities\": [\"serviceAccount:apigee-mart@$ORG_NAME.iam.gserviceaccount.com\",\"serviceAccount:apigee-runtime@$ORG_NAME.iam.gserviceaccount.com\"]}"
If you are enabling Monetization for Apigee hybrid, set the permissions for the mint task scheduler service account:
curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type:application/json" \
"https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess?update_mask=analytics_publisher_identities" \
-d "{\"analytics_publisher_identities\": [\"serviceAccount:apigee-mart@$ORG_NAME.iam.gserviceaccount.com\",\"serviceAccount:apigee-runtime@$ORG_NAME.iam.gserviceaccount.com\",\"serviceAccount:apigee-mint-task-scheduler@$ORG_NAME.iam.gserviceaccount.com\"]}"
Where:
CONTROL_PLANE_LOCATION is the location for your control plane data if your hybrid installation uses data residency. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions.
The following are the email addresses of the service accounts:
apigee-mart@${ORG_NAME}.iam.gserviceaccount.com
apigee-mint-task-scheduler@${ORG_NAME}.iam.gserviceaccount.com
apigee-runtime@${ORG_NAME}.iam.gserviceaccount.com
The response should look similar to the following:
{
"name": "organizations/YOUR_ORG_NAME/operations/OPERATION_ID",
"metadata": {
"@type": "type.googleapis.com/google.cloud.apigee.v1.OperationMetadata",
"operationType": "UPDATE",
"targetResourceName": "organizations/YOUR_ORG_NAME/controlPlaneAccess",
"state": "IN_PROGRESS"
}
}
Where: OPERATION_ID is the UUID of the operation, for example 8316aa78-c137-4733-92ec-cc0d2d92fd29.
export OPERATION_ID=OPERATION_ID
For example:
export OPERATION_ID=8316aa78-c137-4733-92ec-cc0d2d92fd29
curl -X GET -H "Authorization: Bearer $TOKEN" \
-H "Content-Type:application/json" \
"https://apigee.googleapis.com/v1/organizations/$ORG_NAME/operations/$OPERATION_ID"
curl -X GET -H "Authorization: Bearer $TOKEN" \
-H "Content-Type:application/json" \
"https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/$ORG_NAME/operations/$OPERATION_ID"
The response should look like the following:
{
"name": "organizations/YOUR_ORG_NAME/operations/OPERATION_ID",
"metadata": {
"@type": "type.googleapis.com/google.cloud.apigee.v1.OperationMetadata",
"operationType": "UPDATE",
"targetResourceName": "organizations/YOUR_ORG_NAME/controlPlaneAccess",
"state": "FINISHED"
},
"done": true,
"response": {
"@type": "type.googleapis.com/google.cloud.apigee.v1.ControlPlaneAccess",
"name": "organizations/YOUR_ORG_NAME/controlPlaneAccess"
}
}
curl "https://apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess" \
-H "Authorization: Bearer $TOKEN"
curl "https://$CONTROL_PLANE_LOCATION-apigee.googleapis.com/v1/organizations/$ORG_NAME/controlPlaneAccess" \
-H "Authorization: Bearer $TOKEN"
The response should look like the following:
{
"synchronizerIdentities": [
"serviceAccount:apigee-synchronizer@YOUR_ORG_NAME.iam.gserviceaccount.com"
],
"analyticsPublisherIdentities": [
"serviceAccount:apigee-mart@YOUR_ORG_NAME.iam.gserviceaccount.com",
"serviceAccount:apigee-mint-task-scheduler@YOUR_ORG_NAME.iam.gserviceaccount.com",
"serviceAccount:apigee-runtime@YOUR_ORG_NAME.iam.gserviceaccount.com"
]
}
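A least-privilege check on this final response, added here as an example (it is not part of the Apigee documentation): it compares both identity lists with the service accounts this page grants and reports anything missing or unexpected. The org name my-org, the sample JSON and the function names are constructed, and the production service-account names are assumed.

```sh
# Added example, not from the Apigee docs. ORG and SAMPLE are constructed;
# the runtime entry deliberately names a different project.
ORG=my-org
SAMPLE='{
  "synchronizerIdentities": [
    "serviceAccount:apigee-synchronizer@my-org.iam.gserviceaccount.com"
  ],
  "analyticsPublisherIdentities": [
    "serviceAccount:apigee-mart@my-org.iam.gserviceaccount.com",
    "serviceAccount:apigee-runtime@other-org.iam.gserviceaccount.com"
  ]
}'

# identities JSON KEY: print the members of string array KEY, one per line.
identities() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p" |
    grep -o '"[^"]*"' | tr -d '"'
}

# audit JSON KEY EXPECTED...: print MISSING/UNEXPECTED lines for array KEY.
# Exit status is 0 only when the granted set equals the expected set.
audit() (
  set -f   # no globbing while word-splitting $granted
  json=$1 key=$2; shift 2
  granted=$(identities "$json" "$key")
  status=0
  for want in "$@"; do
    printf '%s\n' "$granted" | grep -qxF -- "$want" ||
      { echo "MISSING $key $want"; status=1; }
  done
  for got in $granted; do
    printf '%s\n' "$@" | grep -qxF -- "$got" ||
      { echo "UNEXPECTED $key $got"; status=1; }
  done
  exit "$status"
)

# check_org JSON ORG: audit both lists against the production account names
# used on this page (assumed; non-production installs use apigee-non-prod).
check_org() {
  sa=iam.gserviceaccount.com rc=0
  audit "$1" synchronizerIdentities \
    "serviceAccount:apigee-synchronizer@$2.$sa" || rc=1
  audit "$1" analyticsPublisherIdentities \
    "serviceAccount:apigee-mart@$2.$sa" \
    "serviceAccount:apigee-runtime@$2.$sa" || rc=1
  return "$rc"
}
check_org "$SAMPLE" "$ORG" || echo "controlPlaneAccess differs from expected"
```

To run it against a live organization, pass the output of the GET call above as the first argument to check_org; if Monetization is enabled, add the mint task scheduler account to the expected analytics list.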
You have now enabled your Apigee hybrid runtime and management planes to communicate. Next, install cert-manager to enable Apigee hybrid to interpret and manage certificates.
Last updated 2026-06-11 UTC.