apigee/ERR/2022_001

Product: Apigee API Management
Rule class: ERR - Something that is very likely to be wrong

Description

Apigee uses a Google-managed service account, which is called Apigee Service Agent, to authenticate Apigee API requests sent by the Apigee runtime components to the Management plane.

The apigee.serviceAgent role should be assigned to this account and shouldn’t be revoked.

Remediation

Ensure that you’ve the following binding in the IAM policy for the project:

• Principal: service-PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com
• Role: roles/apigee.serviceAgent

Further information

• About Google-managed service accounts