API Security: On-board GCP Apigee X and Apigee Hybrid

Prerequisite: This tutorial assumes that the GCP onboarding process has already been completed.

Follow these extra steps in order to allow us to discover API proxies running on GCP Apigee X or Apigee Hybrid.

Step 1: Enable the Apigee API in the project created for Data Theorem

Go to https://console.cloud.google.com/apis/library/apigee.googleapis.com. Ensure that the project created for Data Theorem during the GCP onboarding is currently selected in the project drop-down list.

  1.  Click on the “Enable” button near the top of the page.

    • This will allow Data Theorem to access deployed API proxies running within Apigee.

Step 2: Create a new Apigee IAM Role

In addition to the permissions granted during GCP onboarding, Data Theorem needs a custom Apigee role to be able to access the deployed APIs and shared flows.

Go to https://console.cloud.google.com/iam-admin/roles/create.
You will be directed to the “Create role” page.

At the top of the page, click the project selection drop-down list (the down arrow). In the window that appears, click on ALL above the table, and then select your Organization (building icon) from the list of items.

  1. In the "Title" field, input "DataTheoremApigeeDiscovery"

  2. In the "ID" field, input "DataTheoremApigeeDiscovery"

  3. Leave the “Role launch stage” field as is.

  4. Click "Add Permissions", then in "Filter table":

    • input apigee.sharedflow*.get

      • then check both apigee.sharedflowrevisions.get and apigee.sharedflows.get

    • reset the filter and input apigee.prox*.get

      • then check apigee.proxies.get and apigee.proxyrevisions.get

    • reset the filter and input apigee.*organizations.get

      • then check apigee.organizations.get and apigee.projectorganizations.get

    • reset the filter and input apigee.canaryevaluations.get and check it

    • Finish by clicking "Add"

  5. Once done, you should see "7 assigned permissions":

    • apigee.sharedflowrevisions.get

    • apigee.sharedflows.get

    • apigee.proxies.get

    • apigee.proxyrevisions.get

    • apigee.organizations.get

    • apigee.projectorganizations.get

    • apigee.canaryevaluations.get

  6. Click “CREATE”

Step 3: Add the role to the "DataTheoremDiscovery" service account

  1. Click on “IAM” on the left menu section

  2. Find the "DataTheoremDiscovery" service account (created during the GCP onboarding process) and click the “Edit principal” icon

  3. Select "Add another role"

  4. Type/select "DataTheoremApigeeDiscovery"

  5. Finish by clicking "Save"

Apigee is now successfully onboarded. You should start seeing the Apigee API proxies under the Inventory tab within the Data Theorem portal in the next few hours.
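To confirm that the role from Step 2 holds exactly the seven listed permissions and that only the intended service account received it in Step 3, the following added example (not part of Data Theorem's documentation) audits the JSON that `gcloud iam roles describe DataTheoremApigeeDiscovery --organization=ORG_ID --format=json` and `gcloud organizations get-iam-policy ORG_ID --format=json` return. It assumes the role was bound at the organization level; the organization ID, service account email and sample data are constructed placeholders.

```python
# The seven permissions the page lists for the custom role.
EXPECTED = frozenset({
    "apigee.sharedflowrevisions.get", "apigee.sharedflows.get",
    "apigee.proxies.get", "apigee.proxyrevisions.get",
    "apigee.organizations.get", "apigee.projectorganizations.get",
    "apigee.canaryevaluations.get",
})

def audit_role(role):
    """Compare a role (shape of `gcloud iam roles describe --format=json`) with EXPECTED."""
    granted = set(role.get("includedPermissions", []))
    findings = [f"missing: {p}" for p in sorted(EXPECTED - granted)]
    for p in sorted(granted - EXPECTED):
        note = "" if p.endswith(".get") else " (not a .get permission)"
        findings.append(f"unexpected: {p}{note}")
    return findings

def audit_binding(policy, role_name, expected_member):
    """Check who holds role_name in an IAM policy (shape of `get-iam-policy --format=json`)."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role_name:
            members.update(binding.get("members", []))
    findings = []
    if expected_member not in members:
        findings.append(f"not bound: {expected_member}")
    findings += [f"unexpected member: {m}" for m in sorted(members - {expected_member})]
    return findings

# Constructed sample data: placeholder organization ID, project and accounts.
ROLE_NAME = "organizations/000000000000/roles/DataTheoremApigeeDiscovery"
SA = "serviceAccount:datatheoremdiscovery@example-project.iam.gserviceaccount.com"
# A drifted role: one listed permission dropped, one delete permission added.
SAMPLE_ROLE = {"name": ROLE_NAME, "title": "DataTheoremApigeeDiscovery",
               "includedPermissions": sorted(EXPECTED - {"apigee.canaryevaluations.get"})
                                      + ["apigee.proxies.delete"]}
SAMPLE_POLICY = {"bindings": [
    {"role": ROLE_NAME, "members": [SA, "user:someone@example.com"]},
    {"role": "roles/viewer", "members": ["user:someone@example.com"]},
]}

if __name__ == "__main__":
    for line in audit_role(SAMPLE_ROLE) + audit_binding(SAMPLE_POLICY, ROLE_NAME, SA):
        print(line)
```

An empty result from both functions means the role matches the list in Step 2 and is held only by the service account from Step 3.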