apigee/ERR/2023_004
Product: Apigee API Management
Rule class: ERR - Something that is very likely to be wrong
Description
Apigee uses a Google-managed service account, which is called Networking Service Agent which is used to create/modify the Apigee runtime networking. Service Networking enables you to offer your managed services on internal IP addresses to service consumers. Service consumers use private services access to privately connect to your service.
The servicenetworking.serviceAgent role should be assigned to this account and shouldn’t be revoked.
Remediation
Ensure that you’ve the following binding in the IAM policy for the project:
- Principal:
service-PROJECT_NUMBER@service-networking.iam.gserviceaccount.com - Role:
roles/servicenetworking.serviceAgent
Steps to validate:
-
Verify if Service Networking is enabled, if not, enable it using the below command
gcloud services enable servicenetworking.googleapis.com --project={PROJECT_ID} -
Create a service account for service networking
gcloud beta services identity create --service=servicenetworking.googleapis.com --project={PROJECT_ID} -
Bind the service account created with the role servicenetworking.serviceAgent
gcloud projects add-iam-policy-binding {PROJECT_ID} \ --member=serviceAccount:service-{PROJECT_NUMBER}@service-networking.iam.gserviceaccount.com \ --role=roles/servicenetworking.serviceAgent