Step 3: Create an Apigee organization

An Apigee organization (sometimes referred to as an org) is the top-level container in Apigee. It includes all of your environments and environment groups, users, API proxies, and related resources. For more information, see Understanding organizations.

What you're doing in this step

Now that you've enabled the required APIs, you can create an Apigee organization. When creating an organization, you will also create a database encryption key and a key ring. The process of creating and configuring your organization is called provisioning.

Also during provisioning, a service agent is created and is assigned the role of Cloud KMS CryptoKey Encrypter/Decrypter. This agent manages the encryption and decryption using the keys you generate.

The format for this agent's email address is:

service-PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com

Note that the service agent's email address specifies the project number and not the project ID. (They are easy to confuse, and you typically use the project ID during other parts of the setup process.)

The name of a new organization must be the same as your project ID. It must also be globally unique, which means that you can't give your organization the same name as any other Cloud user's organization.

Perform the step

To create a new organization in the Apigee provisioning wizard:

  1. Open a browser and navigate to the Apigee provisioning wizard.

    The wizard's start screen displays:

    Start screen

  2. Enter your project ID in the Project field, as the following example shows:

    Start screen

    If you enter the name incorrectly, or try to use a project that has not been approved (or entitled) by Apigee, then the wizard displays the following error:

    The start screen for setting

    You must enter the name of an entitled project before you can continue. If your project is not entitled, contact Apigee Sales.

  3. Click Get Started.

    Apigee displays a list of the tasks you will perform to configure your new instance and deploy an API proxy.

    Each task is initially in a "Not configured" status, but you will change that shortly.

  4. In the wizard, click Edit next to Apigee organization:

    The start screen for setting up

    The Create an Apigee organization view displays:

    Create organization screen

  5. From the Analytics hosting region drop-down list, select the physical location where you want your analytics data stored. This should be the same location that you set in Step 1: Define environment variables.
  6. Add the database encryption key:

    1. Create a new key ring using the gcloud command:
      gcloud kms keyrings create database-key-ring --location us --project $PROJECT_ID

      This creates a key ring named "database-key-ring". Note that the location must be set to "us" for both the database encryption key's key ring and key.

    2. Create the key using the kms keys create command:
      gcloud kms keys create database-key --keyring database-key-ring \
        --location us --purpose "encryption" --project $PROJECT_ID

      This command creates a key named "database-key" and adds it to the key ring.

      The key can be referenced by its key path, which uses the following syntax:

      projects/project_ID/locations/us/keyRings/database-key-ring/cryptoKeys/database-key

      As with the key ring, the database key must be in the "us" location.

    3. Grant access for the Apigee Service Agent to use the new key by executing the following command:
      gcloud kms keys add-iam-policy-binding database-key \
        --location us \
        --keyring database-key-ring \
        --member serviceAccount:service-$PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com \
        --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
        --project $PROJECT_ID

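      This command grants the Cloud KMS CryptoKey Encrypter/Decrypter role on the key to the Apigee Service Agent. Note that the member address uses the project number ($PROJECT_NUMBER), not the project ID.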

    4. In the Runtime database encryption key ID field, enter the key path for the database key that you just created.

    For additional details, see About the Apigee encryption keys.

  7. Click Create Organization.

    Apigee begins the process of creating an organization for your project.

  8. Wait three to four minutes. Now is a good time to go warm up a delicious stroopwafel.

    Apigee displays a spinner next to Apigee organization in the task list while it's creating the organization:

    Spinner that appears during the creation process

    When Apigee finishes creating your organization, a check mark appears next to the task and an Edit button appears next to the next task in the wizard:

    Create organization screen

If you encounter errors during this part of the process, see Troubleshooting.
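
The project number versus project ID distinction and the key binding from step 6 can be checked with a few shell helpers; this is an added example, not part of the Apigee documentation. The function names, the sample bindings, and the rule that only the service agent should hold the role on the key are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Apigee documentation.

# Build the service agent address; reject anything that is not all digits,
# which catches a project ID passed where the project number is required.
apigee_agent_email() {
  case "$1" in
    ''|*[!0-9]*) echo "not a project number: '$1'" >&2; return 1 ;;
  esac
  printf 'service-%s@gcp-sa-apigee.iam.gserviceaccount.com\n' "$1"
}

# Key path for the "Runtime database encryption key ID" field (takes the project ID).
db_key_path() {
  printf 'projects/%s/locations/us/keyRings/database-key-ring/cryptoKeys/database-key\n' "$1"
}

# Read "ROLE MEMBER" lines on stdin. Succeeds only if the agent ($1) holds the
# Encrypter/Decrypter role and nobody else does (the least-privilege rule is
# this example's assumption, not an Apigee requirement).
audit_key_bindings() {
  awk -v want="serviceAccount:$1" \
      -v role="roles/cloudkms.cryptoKeyEncrypterDecrypter" '
    $1 == role && $2 == want { found = 1; next }
    $1 == role               { print "extra: " $2; extra = 1 }
    END { if (!found) print "missing: " want; exit !(found && !extra) }'
}

# Live check; needs gcloud, credentials and $PROJECT_ID. Not called automatically.
verify_live() {
  num=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)') || return 1
  agent=$(apigee_agent_email "$num") || return 1
  db_key_path "$PROJECT_ID"
  gcloud kms keys get-iam-policy database-key --location us \
    --keyring database-key-ring --project "$PROJECT_ID" \
    --flatten='bindings[].members' \
    --format='value(bindings.role,bindings.members)' | audit_key_bindings "$agent"
}

# Constructed sample of the flattened policy output (project number is made up).
SAMPLE_BINDINGS='roles/cloudkms.cryptoKeyEncrypterDecrypter serviceAccount:service-123456789012@gcp-sa-apigee.iam.gserviceaccount.com
roles/cloudkms.cryptoKeyEncrypterDecrypter user:dev@example.com
roles/cloudkms.viewer user:auditor@example.com'
```

After sourcing the file, run `verify_live` once step 6 is complete; it prints the key path to paste into the wizard and returns non-zero if the binding is missing or shared with other members.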

