This page applies to Apigee and Apigee hybrid.
This topic explains how to provision API hub using the Apigee UI in Google Cloud console. This is the recommended method for provisioning API hub. Figure 1 highlights the basic steps described in this provisioning document.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Make sure that you have the following role or roles on the project:
roles/serviceusage.serviceUsageAdmin
roles/cloudkms.admin
roles/apihub.provisioningAdmin
roles/resourcemanager.projectIamAdmin
Check for the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
-
In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
- Click Grant access.
-
In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
Summary of steps
The provisioning steps are as follows:
- Step 1: Enable APIs. Apigee requires you to enable a few Google Cloud APIs.
- Step 2: Choose a hosting location. Specify the physical location of your API hub.
- Step 3: Register a host project. The current Google Cloud project is selected by default.
- Step 4. Configure encryption. Select or create a customer-managed encryption key (CMEK) or use a Google-owned and Google-managed encryption key to encrypt and decrypt your API data at rest.
- Step 5: Create a service identity. Assign access permissions to a service identity.
- Create your API hub instance. Provisioning takes several minutes to complete.
Provisioning steps
To launch provisioning for API hub:
- Ensure that you have met the prerequisites described in Before you begin.
In the Google Cloud console, go to the Apigee API hub welcome page.
- Click Create instance.
- If API hub is not provisioned in your organization, the UI displays Step 1 of the provisioning workflow.
- If API hub has already been provisioned, you are taken to the API resources page.
Step 1: APIs
To provision API hub, you must enable the following APIs for your Google Cloud project:
API Name | Location | Description |
---|---|---|
API hub API | apihub.googleapis.com |
API hub API. |
Cloud Key Management Service (KMS) | cloudkms.googleapis.com |
Manages keys and performs cryptographic operations for direct use by other Cloud resources. |
To enable the required APIs, click Enable APIs. This step takes seconds to complete.
Step 2: Location
You need to select two locations: First, the physical location (region) where you'd like to host your Apigee API hub instance, and second, the multi-region in which your Vertex AI search data will be stored:
- From the drop-down list, select the region in which you want your API hub instance
to be hosted. Supported locations include:
Region description Region name Iowa us-central1
Northern Virginia us-east4
Oregon us-west1
Belgium europe-west1
London europe-west2
Singapore asia-southeast1
Mumbai asia-south1
Sao Paulo southamerica-east1
Sydney australia-southeast1
If the Enable Vertex search capability option is enabled (the default), you must select the multi-region location in which to store your Vertex AI-based search data, the data associated with the Semantic Search feature of API hub. By default, the multi-region that includes the API hub region you set in Step 1 is selected. For example, if you select
us-central1
as the API hub region, the multi-regionus
will be selected by default. However, you are free to change to another multi-region if you wish.The Vertex search option enables the Vertex AI-powered Semantic Search feature of API hub. If you deselect the Enable Vertex search capability option, Semantic Search is disabled, and the multi-region selector is hidden.
- Click Set location.
Step 3: Register host project
A host project is a Google Cloud project in your Apigee organization that you designate as the consumer project for all API hub resources. A single API hub instance can be provisioned per host project.
To use the Google Cloud project of your Apigee organization as the host project for API hub, click Register.
Step 4: Encryption
In this step, you can choose to use a Google-owned and Google-managed encryption key or a Customer Managed Encryption Key (CMEK) defined in the Cloud Key Management Service to encrypt the data stored in your API hub instance.
To use a Google-owned and Google-managed encryption key, just select the Google-managed encryption key option. If you select this option, no further key configuration is required.
To use an existing CMEK:
- In the Choose a customer-managed encryption key (CMEK) box, type to filter or scroll to search for your existing key. Alternatively, you can enter the key's resource id to locate an existing key.
- Select your key and click OK.
- Click Confirm.
To create a new CMEK:
- Click Create key. The Create a new key dialog displays.
- In the Key ring section you can specify an existing key ring or create a new one.
- To use an existing key ring:
- Select an existing key ring from the Key ring list.
- Click Continue.
- To create a new key ring:
- Click the Create key ring toggle or click Create key ring in the select box.
- In the Key ring name field, enter a name for your key ring.
Key ring names can contain letters, numbers, underscores (_), and hyphens (-). Key rings can't be renamed or deleted.
- Select a location from the Key ring location list.
This location is restricted to the hosting location you chose in the previous step to ensure that the key and data remain in the same region.
- Click Continue.
- To use an existing key ring:
- In the Key section:
- Enter a name for your key in the Key name field.
Key names can contain letters, numbers, underscores (_), and hyphens (-). Keys can't be renamed or deleted.
- Select a Protection level, for example, Software.
- Click Continue.
- Enter a name for your key in the Key name field.
- In the Review section, confirm the details you specified for key creation.
If the information is correct, click Create.
- Select your newly created key in the Choose a customer-managed encryption key box.
- Click Confirm encryption key.
Step 5: Service identity
In this step, you create a new service identity and grant it access to your selected customer-managed encryption key. This key is used to encrypt and decrypt your API hub data.
To create the new service identity, click Create service identity & grant permissions.
Apigee creates a service account and assigns the cloudkms.cryptoKeyEncrypterDecrypter
,
apihub.admin
, and apihub.runtimeProjectServiceAgent
roles to the service account.
Create your API hub instance
Click Submit to create your API hub instance.
When provisioning begins, the Finalizing API hub instance page displays. This step takes a few minutes to complete.
When provisioning is complete, the API hub APIs page displays.
What's next
Congratulations! You have successfully provisioned API hub.
Now, you are ready to begin using API hub:
- Review the roles and permissions required to use API hub
- Configure API hub attributes:
- Register an API resource:
- Add an API version: