An Apigee organization (sometimes referred to as an org) is the top-level container in Apigee. It includes all of your environments and environment groups, users, API proxies, and related resources. For more information, see Understanding organizations.
What you're doing in this step
Now that you've enabled the required APIs, you can create an Apigee organization. When creating an organization, you will also create a database encryption key and a key ring. The process of creating and configuring your organization is called provisioning.
Also during provisioning, a service agent is created and is assigned the role of
CryptoKey Encrypter/Decrypter. This agent manages the encryption and decryption using
the keys you generate.
The format for this agent's email address is:
Note that the service agent's email address specifies the project number and not the project ID. (They are easy to confuse, and you typically use the project ID during other parts of the setup process.)
When naming a new organization, the organization's name must be the same name as your project ID. In addition, it must be globally unique. This means that you can't name your organization the same as any other Cloud user.
Perform the step
To create a new organization in the Apigee provisioning wizard:
- Open a browser and navigate to the Apigee
The wizard's start screen displays:
- Enter your project ID in the Project field, as the following example
If you enter the ID incorrectly, or try to use a project that has not been approved (or entitled) by Apigee, then the wizard displays the following error:
You must enter the ID of an entitled project before you can continue. If your project is not entitled, contact Apigee Sales.
Click Get Started.
Apigee displays a list of the tasks you will perform to configure your new instance and deploy an API proxy.
Each task is initially in a "Not configured" status, but you will change that shortly.
- In the wizard, click Edit next to Apigee organization:
The Create an Apigee organization view displays:
- From the Analytics hosting region drop-down list, select the physical location where you want your analytics data stored. This should be the same location that you set in Step 1: Define environment variables.
Add the database encryption key:
- Create a new key ring using the
gcloud kms keyrings create database-key-ring --location us --project $PROJECT_ID
This creates a key ring named "database-key-ring". Apigee runtime database encryption key supports all Cloud KMS locations that support Cloud HSM and Cloud EKM.
- Create the key using the
kms keys createcommand:
gcloud kms keys create database-key --keyring database-key-ring \ --location us --purpose "encryption" --project $PROJECT_ID
This command creates a key named "database-key" and adds it to the key ring.
The key can be referenced by its key path, which uses the following syntax:
- Grant access for the Apigee Service Agent to use the new key by executing the
gcloud kms keys add-iam-policy-binding database-key \ --location us \ --keyring database-key-ring \ --member serviceAccount:service-$PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter \ --project $PROJECT_ID
This command binds the key to the Apigee Service Agent.
- In the Runtime database encryption key ID field, enter the key path for the database key that you just created.
For additional details, see About the Apigee encryption keys.
- Create a new key ring using the
Click Create Organization.
Apigee begins the process of creating an organization for your project.
Wait three to four minutes. Now is a good time to go warm up a delicious stroopwaffle.
Apigee displays a spinner next to Apigee organization in the task list while it's creating the organization:
When Apigee finishes creating your organization, a check mark appears next to the task and an Edit button appears next to the next task in the wizard:
If you encounter errors during this part of the process, see Troubleshooting.