Provision API hub using the UI

This page applies to Apigee and Apigee hybrid.

This topic describes how to provision API hub using the Apigee UI in Google Cloud console. This is the recommended method for provisioning API hub.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Make sure that you have the following role or roles on the project:

    • roles/serviceusage.serviceUsageAdmin
    • roles/cloudkms.admin
    • roles/apihub.provisioningAdmin
    • roles/resourcemanager.projectIamAdmin

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the project.
    3. In the Principal column, find the row that has your email address.

      If your email address isn't in that column, then you do not have any roles.

    4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your email address.
    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.
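The role check above can also be run against an exported project IAM policy. The following is an added example, not part of the original page or of Apigee tooling: it assumes the policy has the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and the principals and the sample policy are constructed. It separates roles held only through a conditional binding, because such a grant may not apply when provisioning runs.

```python
import json

# Roles this page lists as required on the project.
REQUIRED_ROLES = {
    "roles/serviceusage.serviceUsageAdmin",
    "roles/cloudkms.admin",
    "roles/apihub.provisioningAdmin",
    "roles/resourcemanager.projectIamAdmin",
}

def check_roles(policy, identities):
    """Return (missing, conditional) required roles for the given members.

    identities: member strings that represent the operator, for example the
    user plus any groups they belong to. Group membership cannot be resolved
    from the policy itself, so the caller supplies it.
    """
    identities = {m.lower() for m in identities}
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in REQUIRED_ROLES:
            continue
        members = {m.lower() for m in binding.get("members", [])}
        if not members & identities:
            continue
        # A conditional binding may not apply at provisioning time.
        (conditional if "condition" in binding else granted).add(role)
    conditional -= granted
    missing = REQUIRED_ROLES - granted - conditional
    return sorted(missing), sorted(conditional)

# Constructed sample policy (not real project data).
SAMPLE_POLICY = json.loads("""
{"version": 3, "bindings": [
  {"role": "roles/serviceusage.serviceUsageAdmin", "members": ["user:alice@example.com"]},
  {"role": "roles/cloudkms.admin", "members": ["group:platform@example.com"]},
  {"role": "roles/apihub.provisioningAdmin", "members": ["user:alice@example.com"],
   "condition": {"title": "temp", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
  {"role": "roles/viewer", "members": ["user:alice@example.com"]}
]}
""")

if __name__ == "__main__":
    missing, conditional = check_roles(
        SAMPLE_POLICY, ["user:alice@example.com", "group:platform@example.com"])
    print("missing:", missing)
    print("conditional (verify expression):", conditional)
```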

Summary of steps

The provisioning steps are as follows:

  1. Step 1: Enable APIs. Apigee requires you to enable a few Google Cloud APIs.
  2. Step 2: Choose a hosting location. Specify the physical location of your API hub.
  3. Step 3: Register a host project. Select the Google Cloud consumer project for API hub resources.
  4. Step 4: Configure encryption. Select or create a customer-managed encryption key (CMEK) to encrypt and decrypt your API data at rest.
  5. Step 5: Create a service identity. Assign access permissions to a service identity to manage your CMEK.
  6. Create your API hub instance. Wait 5 minutes for provisioning to complete.

Provisioning steps

To launch provisioning for API hub:

  1. Ensure that you have met the prerequisites described in Before you begin.
  2. In the Google Cloud console, go to the Start with Apigee API hub page.

  3. On the Start with Apigee API hub page, click Get started.
    • If API hub is not provisioned in your organization, the UI displays Step 1 of the provisioning workflow.
    • If API hub has already been provisioned, a dialog displaying your existing host project for API hub is shown. Click Take me there to view the existing API hub resources in your host project.

Step 1: APIs

To provision API hub, you must enable the following APIs for your Google Cloud project:

API Name | Location | Description
API hub API | apihub.googleapis.com | API hub API.
Cloud Key Management Service (KMS) | cloudkms.googleapis.com | Manages keys and performs cryptographic operations for direct use by other Cloud resources.

To enable the required APIs, click Enable APIs. This step takes seconds to complete.

Step 2: Hosting location

To select the physical location (region) where you'd like to host your Apigee API hub instance:

  1. In the Region for cloud instance list, select the hosting location from the regions listed. For example, US or EU.
  2. Click Set location.

Step 3: Register host project

A host project is a Google Cloud project in your Apigee organization that you designate as the consumer project for all API hub resources. A single API hub instance can be provisioned per host project.

To use the Google Cloud project of your Apigee organization as the host project for API hub, click Register.

Step 4: Encryption

In this step, you select or create a Customer Managed Encryption Key (CMEK) defined in the Cloud Key Management Service to encrypt the data stored in your API hub instance.

To use an existing key:

  1. In the Choose a customer-managed encryption key box, type to filter or scroll to search for your existing key. Alternatively, you can enter the key's resource id to locate an existing key.
  2. Select your key and click OK.
  3. Click Confirm.

To create a new key:

  1. Click Create key. The Create a new key dialog displays.
  2. In the Key ring section you can specify an existing key ring or create a new one.
    • To use an existing key ring:
      1. Select an existing key ring from the Key ring list.
      2. Click Continue.
    • To create a new key ring:
      1. Click the Create key ring toggle or click Create key ring in the select box.
      2. In the Key ring name field, enter a name for your key ring.

        Key ring names can contain letters, numbers, underscores (_), and hyphens (-). Key rings can't be renamed or deleted.

      3. Select a location from the Key ring location list.

        This location is restricted to the hosting location you chose in the previous step to ensure that the key and data remain in the same region.

      4. Click Continue.
  3. In the Key section:
    1. Enter a name for your key in the Key name field.

      Key names can contain letters, numbers, underscores (_), and hyphens (-). Keys can't be renamed or deleted.

    2. Select a Protection level, for example, Software.
    3. Click Continue.
  4. In the Review section, confirm the details you specified for key creation.

    If the information is correct, click Create.

  5. Select your newly created key in the Choose a customer-managed encryption key box.
  6. Click Confirm encryption key.

Step 5: Service identity

In this step, you create a new service identity and grant it access to your selected customer-managed encryption key. This key is used to encrypt and decrypt your API hub data.

To create the new service identity, click Create service identity & grant permissions.

Apigee creates a service account and assigns the cloudkms.cryptoKeyEncrypterDecrypter role to the service account.
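After Steps 4 and 5, the key and its grant can be audited offline. The following is an added example, not part of the original page or of Apigee tooling: it assumes the key is identified by its full Cloud KMS resource id and that the key's IAM policy has the JSON shape printed by `gcloud kms keys get-iam-policy --format=json`. The service account address and all sample values are constructed placeholders, and comparing locations case-insensitively is an assumption. It checks the naming rule and location restriction from Step 4, confirms the Step 5 role grant, and lists any other principal that can use the key.

```python
import re

KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$")
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # letters, numbers, _ and - (per this page)
CRYPTO_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

def audit_cmek(key_id, hub_location, key_policy, service_account):
    """Return a list of findings; an empty list means every check passed."""
    m = KEY_RE.match(key_id)
    if not m:
        return ["key resource id is not a full cryptoKeys path"]
    findings = []
    for part in ("ring", "key"):
        if not NAME_RE.match(m[part]):
            findings.append(f"{part} name has characters outside [A-Za-z0-9_-]")
    # Step 4 restricts the key ring location to the hosting location.
    if m["location"].lower() != hub_location.lower():
        findings.append(
            f"key location {m['location']} differs from hub location {hub_location}")
    expected = f"serviceAccount:{service_account}"
    holders = set()
    for binding in key_policy.get("bindings", []):
        if binding.get("role") == CRYPTO_ROLE:
            holders.update(binding.get("members", []))
    if expected not in holders:
        findings.append("service identity lacks " + CRYPTO_ROLE)
    # Least privilege: anyone else holding the role can decrypt API hub data.
    for extra in sorted(holders - {expected}):
        findings.append(f"additional principal can use the key: {extra}")
    return findings

# Constructed sample values (placeholders, not real resources).
SAMPLE_KEY = "projects/example-project/locations/us/keyRings/apihub-ring/cryptoKeys/apihub-key"
SAMPLE_SA = "apihub-identity@example-project.iam.gserviceaccount.com"
SAMPLE_KEY_POLICY = {"bindings": [
    {"role": CRYPTO_ROLE,
     "members": ["serviceAccount:" + SAMPLE_SA, "user:bob@example.com"]},
]}

if __name__ == "__main__":
    for finding in audit_cmek(SAMPLE_KEY, "US", SAMPLE_KEY_POLICY, SAMPLE_SA):
        print("FINDING:", finding)
```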

Create your API hub instance

Click Submit to create your API hub instance.

When provisioning begins, the Finalizing API hub instance page displays. This step takes 5 minutes to complete.

When provisioning is complete, the API hub APIs page displays.

What's next

Congratulations! You have successfully provisioned API hub.

Now, you are ready to begin using API hub: