Step 3: Create an Apigee organization

An Apigee organization (sometimes referred to as an org) is the top-level container in Apigee. It includes all of your environments and environment groups, users, API proxies, and related resources. For more information, see Understanding organizations.

What you're doing in this step

Now that you've enabled the required APIs, you can create an Apigee organization. When creating an organization, you will also create a database encryption key and a key ring. The process of creating and configuring your organization is called provisioning.

Also during provisioning, a service agent is created and is assigned the role of Cloud KMS CryptoKey Encrypter/Decrypter. This agent manages the encryption and decryption using the keys you generate.

The format for this agent's email address is:

service-PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com

Note that the service agent's email address specifies the project number and not the project ID. (They are easy to confuse, and you typically use the project ID during other parts of the setup process.)

When naming a new organization, the organization's name must be the same name as your project ID. In addition, it must be globally unique. This means that you can't name your organization the same as any other Cloud user.

Perform the step

To create a new organization in the Apigee provisioning wizard:

Open a browser and navigate to the Apigee provisioning wizard.
The wizard's start screen displays:
Enter your project ID in the Project field, as the following example shows:

If you enter the name incorrectly, or try to use a project that has not been approved (or entitled) by Apigee, then the wizard displays the following error:

You must enter the name of an entitled project before you can continue. If your project is not entitled, contact Apigee Sales.
Click Get Started.

Apigee displays a list of the tasks you will perform to configure your new instance and deploy an API proxy.

Each task is initially in a "Not configured" status, but you will change that shortly.
In the wizard, click Edit next to Apigee organization:

The Create an Apigee organization view displays:
From the Analytics hosting region drop-down list, select the physical location where you want your analytics data stored. This should be the same location that you set in Step 1: Define environment variables.
Add the database encryption key:
1. Create a new key ring using the gcloud command:
```
gcloud kms keyrings create database-key-ring --location us --project $PROJECT_ID
```
  This creates a key ring named "database-key-ring". Apigee runtime database encryption key supports all Cloud KMS locations that support Cloud HSM and Cloud EKM.
2. Create the key using the kms keys create command:
```
gcloud kms keys create database-key --keyring database-key-ring \
  --location us --purpose "encryption" --project $PROJECT_ID
```
  This command creates a key named "database-key" and adds it to the key ring.
  
  The key can be referenced by its key path, which uses the following syntax:
```
projects/project_ID/locations/us/keyRings/database-key-ring/cryptoKeys/database-key
```
3. Grant access for the Apigee Service Agent to use the new key by executing the following command:
```
gcloud kms keys add-iam-policy-binding database-key \
  --location us \
  --keyring database-key-ring \
  --member serviceAccount:service-$PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
  --project $PROJECT_ID
```
  This command binds the key to the Apigee Service Agent.
4. In the Runtime database encryption key ID field, enter the key path for the database key that you just created.
For additional details, see About the Apigee encryption keys.
Click Create Organization.

Apigee begins the process of creating an organization for your project.
Wait three to four minutes. Now is a good time to go warm up a delicious stroopwaffle.

Apigee displays a spinner next to Apigee organization in the task list while it's creating the organization:

Tip: If you get an error that you don't understand, try using your browser's developer tools to view the underlying HTTP response. It may help you understand what caused the error.
For more information, see Troubleshooting.

When Apigee finishes creating your organization, a check mark appears next to the task and an Edit button appears next to the next task in the wizard:

If you encounter errors during this part of the process, see Troubleshooting.

Progress (3/8 ... Keep going!)

1 2 3 NEXT: Configure service networking 5 6 7 8