In Apigee hybrid, the Synchronizer's primary job is to poll and download the runtime contracts
which are supplied by the management plane. Information communicated by contract includes API
proxies, API products, caches, and virtual hosts. Synchronizer by default stores environment
configuration data in the Cassandra database.
Synchronizer instances running in the runtime-plane are expected to poll the management
plane on a regular basis, download the contracts and make the same available to local runtime
instances.
One Synchronizer can support many Message Processors deployed in the same pod.
Enable Synchronizer access
You must grant the Synchronizer permission to pull down
Apigee artifacts, such as proxy bundles and resources from the management plane. You must call an
Apigee API to authorize the Synchronizer to pull artifacts down from the management plane to the
runtime plane.
Ensure that you have enabled the Apigee API as explained in the Google Cloud setup steps.
For details, see Step 3: Enable APIs.
Locate the write-enabled Google Cloud service account key (a JSON file) that you
downloaded as part of Create service accounts. The service account has the Apigee Org Admin
role and is the one named "apigee-org-admin". If you did not previously create this service
account, you must do so before continuing.
Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path where the
service account key is located:
your_org_name: The name of the hybrid organization.
synchronizer-manager-service-account-name: The name of a service account
with the Apigee Synchronizer Manager role. The name is formed like an
email address. For example:
my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis documentation covers version 1.6 of Apigee hybrid, which is end-of-life, and users should upgrade to a newer version.\u003c/p\u003e\n"],["\u003cp\u003eThe Synchronizer polls and downloads runtime contracts from the management plane, including API proxies, products, caches, and virtual hosts, and stores environment configuration data in Cassandra by default.\u003c/p\u003e\n"],["\u003cp\u003eSynchronizer instances regularly poll the management plane, download contracts, and make them available to local runtime instances, with one Synchronizer supporting multiple Message Processors.\u003c/p\u003e\n"],["\u003cp\u003eEnabling Synchronizer access requires calling the Apigee \u003ccode\u003esetSyncAuthorization\u003c/code\u003e API to grant permissions for pulling artifacts from the management plane, using a service account with the Apigee Synchronizer Manager role.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003egetSyncAuthorization\u003c/code\u003e API can be used to check that a service account was correctly set for the Synchronizer.\u003c/p\u003e\n"]]],[],null,["# Configure the Synchronizer\n\n| You are currently viewing version 1.6 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nThis section describes the Synchronizer.\n\nSynchronizer overview\n---------------------\n\nIn Apigee hybrid, the Synchronizer's primary job is to poll and download the runtime contracts\nwhich are supplied by the management plane. Information communicated by contract includes API\nproxies, API products, caches, and virtual hosts. Synchronizer by default stores environment\nconfiguration data in the Cassandra database.\n\nSynchronizer instances running in the runtime-plane are expected to poll the management\nplane on a regular basis, download the contracts and make the same available to local runtime\ninstances.\n\nOne Synchronizer can support many Message Processors deployed in the same pod.\n\nEnable Synchronizer access\n--------------------------\n\nYou must grant the [Synchronizer](/apigee/docs/hybrid/v1.6/what-is-hybrid#synchronizer) permission to pull down\nApigee artifacts, such as proxy bundles and resources from the management plane. You must call an\nApigee API to authorize the Synchronizer to pull artifacts down from the management plane to the\nruntime plane.\n\n1. Ensure that you have enabled the Apigee API as explained in the Google Cloud setup steps. For details, see [Step 3: Enable APIs](/apigee/docs/hybrid/v1.6/precog-enableapi).\n2. Locate the **write-enabled Google Cloud service account key** (a JSON file) that you downloaded as part of [Create service accounts](/apigee/docs/hybrid/v1.6/install-download-install#create-service-accounts). The service account has the **Apigee Org Admin** role and is the one named \"apigee-org-admin\". If you did not previously create this service account, you must do so before continuing.\n3. Set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to the path where the\n service account key is located:\n\n export GOOGLE_APPLICATION_CREDENTIALS=\u003cvar translate=\"no\"\u003eyour_sa_credentials_file\u003c/var\u003e.json\n\n 4. Call the [setSyncAuthorization](/apigee/docs/hybrid/v1.6/syncauthorization-reference) API to enable the required permissions for Synchronizer: **IMPORTANT:** Be sure that the service account name that you add to this API has the role **Apigee Synchronizer Manager** . See also [Create service accounts](/apigee/docs/hybrid/v1.6/install-download-install#create-service-accounts). \n\n ```\n curl -X POST -H \"Authorization: Bearer $(gcloud auth application-default print-access-token)\" \\\n -H \"Content-Type:application/json\" \\\n \"https://apigee.googleapis.com/v1/organizations/your_org_name:setSyncAuthorization\" \\\n -d '{\"identities\":[\"serviceAccount:synchronizer-manager-service-account-name\"]}'\n ```\n\n Where:\n - `your_org_name`: The name of the hybrid organization.\n - `synchronizer-manager-service-account-name`: The name of a service account with the **Apigee Synchronizer Manager** role. The name is formed like an email address. For example: `my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com`\n\n Example: \n\n ```\n curl -X POST -H \"Authorization: Bearer $(gcloud auth application-default print-access-token)\" \\\n -H \"Content-Type:application/json\" \\\n \"https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization\" \\\n -d '{\"identities\":[\"serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com\"]}'\n ```\n\n For more information on this API, see [SyncAuthorization\n API](/apigee/docs/hybrid/v1.6/syncauthorization-reference).\n5. To verify that the service account was set, call the following API to get a list of service accounts: \n\n ```\n curl -X POST -H \"Authorization: Bearer $(gcloud auth application-default print-access-token)\" \\\n -H \"Content-Type:application/json\" \\\n \"https://apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization\" \\\n -d ''\n ```\n\n The output looks similar to the following: \n\n ```transact-sql\n {\n \"identities\":[\n \"serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com\"\n ],\n \"etag\":\"BwWJgyS8I4w=\"\n }\n ```"]]
