API Service Graph Connector for Apigee X - Setup Instructions

1. Create service account

For the ServiceNow Service Graph Connector for Apigee X to integrate securely with a Google Cloud environment, a service account is created in the Apigee project. Depending on how its IAM bindings are scoped (step 3), the service account can read all projects in the organization or only a selected group of projects. Follow the steps below to create the service account:

Navigate to the Cloud Console: https://console.cloud.google.com/.
Activate Cloud Shell by clicking the Cloud Shell icon at the top right of the console.
A terminal opens at the bottom of the browser window. Run the following command there to create the service account:

    gcloud iam service-accounts create apigee-apis --project=PROJECT_ID

Here "apigee-apis" is the name of the service account; choose a different name if your company's naming conventions require it. Replace PROJECT_ID with the ID (not the display name) of the project that will own the service account. The resulting service account email looks like apigee-apis@example.iam.gserviceaccount.com, where "example" is the project ID. Note this email: it is the member you bind roles to in step 3.

2. Create and assign roles

Different portions of the Apigee APIs require different permissions. Depending on whether the connector should cover all projects in your organization or only specific projects, you can create a single role at the organization level, or two separate roles, one for the organization and one for each project. All of the permissions below are read-only; refer to the 'API List & IAM Permission' section for the mapping of API calls to IAM permissions.

2.1 Single role with all permissions under the organization

In this setup you create only one IAM role, 'SnowApigeeOrgRole', with the following permissions:
apigee.deployments.list
apigee.developers.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
apigee.envgroupattachments.list
apigee.envgroups.list
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.get

gcloud command to create 'SnowApigeeOrgRole':

    gcloud iam roles create SnowApigeeOrgRole --organization=ORGANIZATION_ID \
      --permissions=apigee.deployments.list,\
    apigee.developers.list,\
    resourcemanager.folders.get,\
    resourcemanager.folders.list,\
    resourcemanager.organizations.get,\
    resourcemanager.projects.get,\
    resourcemanager.projects.list,\
    apigee.envgroupattachments.list,\
    apigee.envgroups.list,\
    apigee.proxies.get,\
    apigee.proxies.list,\
    apigee.proxyrevisions.get

2.2 Separate roles under organization and projects

In this scenario you create two roles, SnowApigeeOrgRole and SnowApigeeProjRole. The organization-level role carries only the permissions that operate at organization or folder scope (discovering folders and projects, listing deployments and developers); the project-level role carries the permissions needed inside each Apigee project, so a project that is not bound exposes nothing to the connector.

2.2.1 SnowApigeeOrgRole - IAM role

The following permissions apply only at the organization level, in the role 'SnowApigeeOrgRole':

apigee.deployments.list
apigee.developers.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

gcloud command to create 'SnowApigeeOrgRole':

    gcloud iam roles create SnowApigeeOrgRole --organization=ORGANIZATION_ID \
      --permissions=apigee.deployments.list,\
    apigee.developers.list,\
    resourcemanager.folders.get,\
    resourcemanager.folders.list,\
    resourcemanager.organizations.get,\
    resourcemanager.projects.get,\
    resourcemanager.projects.list

2.2.2 SnowApigeeProjRole - IAM role

The following permissions must be created as a role in each project the connector should read:
apigee.envgroupattachments.list
apigee.envgroups.list
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.get

gcloud command to create 'SnowApigeeProjRole' (run once per project):

    gcloud iam roles create SnowApigeeProjRole --project=PROJECT_ID \
      --permissions=apigee.envgroupattachments.list,\
    apigee.envgroups.list,\
    apigee.proxies.get,\
    apigee.proxies.list,\
    apigee.proxyrevisions.get

3. Binding roles to the service account

Binding the SnowApigeeOrgRole or SnowApigeeProjRole IAM role to the service account grants it the ability to make the necessary API calls. Custom roles are referenced by their full resource name: organizations/ORGANIZATION_ID/roles/NAME for organization-level roles and projects/PROJECT_ID/roles/NAME for project-level roles.

3.1 Binding SnowApigeeOrgRole to the service account

If you chose to keep all permissions under the organization (2.1), you only need to run the command below to bind 'SnowApigeeOrgRole' to the service account, and you can skip step 3.2. An organization-level binding is inherited by every folder and project in the organization.

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
      --member=serviceAccount:apigee-apis@example.iam.gserviceaccount.com \
      --role=organizations/ORGANIZATION_ID/roles/SnowApigeeOrgRole

Note: replace apigee-apis@example.iam.gserviceaccount.com with the email of your service account.

3.2 Binding SnowApigeeProjRole to the service account

If you chose the split setup (2.2), run step 3.1 first to bind the organization-level role, then run the command below once for each project the connector should read, to bind 'SnowApigeeProjRole':

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=serviceAccount:apigee-apis@example.iam.gserviceaccount.com \
      --role=projects/PROJECT_ID/roles/SnowApigeeProjRole

Note: PROJECT_ID in the first argument and in --role is the project being bound. The member is always the same service account email; its domain is the project in which the service account was created (step 1), not the project being bound.

4. Enable the API

Navigate to the Cloud Console: https://console.cloud.google.com/.
Select the cloud project.
Go to APIs & Services > Enable APIs and Services.
Search for "Admin SDK".
Select "Admin SDK API".
Familiarize yourself with the Terms of Service.
Click Enable.

5. Get organization and project ID

The organization ID and project ID are unique identifiers for the organization and for each project it contains. Log in to Google Cloud (https://console.cloud.google.com/) and open Cloud Shell.
Use the command gcloud organizations list to get the ID of your organization.
Use the command gcloud projects list to get the ID of your project.

6. Create a P12 file

The Service Graph Connector for Apigee X authenticates with a P12 file (a PKCS#12 keystore holding the service account's private key and certificate) to obtain an OAuth2 JWT token. You can use either of the two ways (6.1 or 6.2) below to generate the P12 file.

6.1 GCP-generated P12 file

In this variant the P12 file is created in the GCP console and protected with a preset password (notasecret). If this mode does not suit your key-management policy (the private key is generated by Google and delivered through a browser download), use the alternate step 6.2, "Alternate step to generate a P12 file".

Go to the IAM & Admin tab in the project in which the service account was created.
Select "Service Accounts" from the left navigation and click the service account.
Click the Keys tab, choose "ADD KEY" and select "Create new key".
Select "P12" as the key type and click CREATE.
The browser downloads the private key file. Store it safely: it cannot be downloaded again, and anyone holding it can call the Apigee APIs as the service account.

6.2 Alternate step to generate a P12 file

In this variant you run a series of Linux commands to generate the P12 file yourself, so the private key never leaves your machine. The matching public certificate is then uploaded to the GCP console for the service account, and the P12 file is uploaded to ServiceNow in the guided setup. The steps are:

Create an RSA private key.
Create a self-signed certificate.
Convert the certificate and private key to PKCS#12 format.
Register the certificate with the GCP service account created in step 1.

6.2.1 Create an RSA private key

Generate a private key with the command below, or use an existing RSA private key file in PEM format. This example uses the file "myapigeeprivatekey.pem". The -m PEM flag matters: without it, recent versions of ssh-keygen write the OpenSSH private key format, which openssl cannot read in the next step.

    ssh-keygen -t rsa -b 4096 -m PEM -N "" -f myapigeeprivatekey.pem

6.2.2 Create a self-signed certificate

With the private key file from the previous step, this step creates an X.509 certificate. The example writes the file "myapigeecertificate.pem", which is needed in the following step.
    openssl req -x509 -sha256 -key myapigeeprivatekey.pem -days 365 \
      -subj "/CN=apigee-apis" -out myapigeecertificate.pem

-key reuses the private key from 6.2.1; the -newkey option would instead generate a fresh key and ignore it. -subj skips the interactive subject prompts; any subject is acceptable for a service account certificate.

6.2.3 Convert certificate and private key to PKCS#12 format

Create the P12 file (e.g. snowkeystore.p12) with the command below. It prompts for an export password; record it, because ServiceNow asks for it when the keystore is imported in step 7.

    openssl pkcs12 -export -in myapigeecertificate.pem -inkey myapigeeprivatekey.pem -out snowkeystore.p12

6.2.4 Registering the X.509 certificate with the GCP service account

Go to the IAM & Admin tab in the project in which the service account was created.
Select "Service Accounts" from the left navigation and click the service account.
Click the Keys tab, choose "ADD KEY" and select "Upload existing key", then upload the X.509 certificate file (e.g. myapigeecertificate.pem). Only the public certificate is uploaded to Google; the private key and the P12 file stay with you and must be stored safely.

7. Registering the P12 file in the ServiceNow instance for Service Graph Connector for Apigee X

The P12 file prepared in the preceding step is uploaded on the ServiceNow X.509 Certificate page, together with the export password chosen in step 6.2.3.
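The following script is an added example, not part of this page or of the connector, that runs sections 1 to 3 as one reviewable unit. It keeps the permission lists from section 2, checks that the split roles of 2.2 together cover exactly the single role of 2.1 (so the split does not silently drop a permission), and, with DRY_RUN=1 (the default), prints every gcloud command instead of executing it. ORG_ID, SA_PROJECT, PROJECTS and the display name are assumed placeholders to be set for your environment.

```shell
#!/bin/sh
# Added example: scripted version of sections 1-3. Set DRY_RUN=0 to execute.
# Assumptions: ORG_ID is the organization ID, SA_PROJECT the project owning the
# service account, PROJECTS a space-separated list of Apigee projects (split mode).
ORG_ID="${ORG_ID:-ORGANIZATION_ID}"
SA_PROJECT="${SA_PROJECT:-PROJECT_ID}"
SA_NAME="${SA_NAME:-apigee-apis}"
SA_EMAIL="$SA_NAME@$SA_PROJECT.iam.gserviceaccount.com"
PROJECTS="${PROJECTS:-$SA_PROJECT}"
DRY_RUN="${DRY_RUN:-1}"

# Permission sets as listed on the page: 2.1 (single role), 2.2.1 and 2.2.2.
SINGLE_PERMS="apigee.deployments.list,apigee.developers.list,resourcemanager.folders.get,resourcemanager.folders.list,resourcemanager.organizations.get,resourcemanager.projects.get,resourcemanager.projects.list,apigee.envgroupattachments.list,apigee.envgroups.list,apigee.proxies.get,apigee.proxies.list,apigee.proxyrevisions.get"
ORG_PERMS="apigee.deployments.list,apigee.developers.list,resourcemanager.folders.get,resourcemanager.folders.list,resourcemanager.organizations.get,resourcemanager.projects.get,resourcemanager.projects.list"
PROJ_PERMS="apigee.envgroupattachments.list,apigee.envgroups.list,apigee.proxies.get,apigee.proxies.list,apigee.proxyrevisions.get"

# Print or execute a gcloud command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi
}

# Returns 0 when org role + project role contain exactly the permissions of
# the single org-wide role, i.e. the split neither loses nor adds anything.
split_covers_single() {
  sc_a=$(printf '%s' "$SINGLE_PERMS" | tr ',' '\n' | sort -u)
  sc_b=$(printf '%s,%s' "$ORG_PERMS" "$PROJ_PERMS" | tr ',' '\n' | sort -u)
  [ "$sc_a" = "$sc_b" ]
}

# Section 1: service account in its home project.
create_service_account() {
  run iam service-accounts create "$SA_NAME" --project="$SA_PROJECT" \
    --display-name="ServiceNow Service Graph Connector for Apigee X"
}

# Sections 2.1 and 3.1: one org-wide role, bound once at the organization.
setup_single_role() {
  run iam roles create SnowApigeeOrgRole --organization="$ORG_ID" \
    --permissions="$SINGLE_PERMS" --stage=GA
  run organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:$SA_EMAIL" \
    --role="organizations/$ORG_ID/roles/SnowApigeeOrgRole"
}

# Sections 2.2, 3.1 and 3.2: org role for discovery, project role per project.
setup_split_roles() {
  split_covers_single || { echo "split roles do not match single role" >&2; return 1; }
  run iam roles create SnowApigeeOrgRole --organization="$ORG_ID" \
    --permissions="$ORG_PERMS" --stage=GA
  run organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:$SA_EMAIL" \
    --role="organizations/$ORG_ID/roles/SnowApigeeOrgRole"
  for p in $PROJECTS; do
    run iam roles create SnowApigeeProjRole --project="$p" \
      --permissions="$PROJ_PERMS" --stage=GA
    # The member is always the SA email from its home project; only the
    # bound project and the role path change per iteration.
    run projects add-iam-policy-binding "$p" \
      --member="serviceAccount:$SA_EMAIL" \
      --role="projects/$p/roles/SnowApigeeProjRole"
  done
}

# Usage: DRY_RUN=0 sh setup.sh single|split (no argument: define functions only)
case "${1:-}" in
  single) create_service_account && setup_single_role ;;
  split)  create_service_account && setup_split_roles ;;
esac
```

Run it first without DRY_RUN=0 and diff the printed commands against sections 1 to 3 before letting it touch IAM; the --stage=GA flag is optional and only marks the custom role as generally available in the console.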
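The script below is an added example, not part of this page or of the connector, covering section 6.2 end to end with the checks worth running before anything is uploaded: that the certificate really wraps the private key you generated, and that the P12 opens with the password you will later type into ServiceNow (and not with any other). It uses openssl genrsa in place of ssh-keygen so that only openssl is required; the file names, the subject CN and the output directory are assumptions.

```shell
#!/bin/sh
# Added example: section 6.2 as functions plus verification. Only openssl needed.
# Assumed names: myapigeeprivatekey.pem, myapigeecertificate.pem, snowkeystore.p12.

# make_p12 DIR PASSWORD [CN]: key (6.2.1), self-signed cert (6.2.2), P12 (6.2.3).
make_p12() {
  mp_dir=$1; mp_pw=$2; mp_cn=${3:-apigee-apis}
  mkdir -p "$mp_dir"
  # 6.2.1: 4096-bit RSA private key in PEM (what openssl req expects).
  openssl genrsa -out "$mp_dir/myapigeeprivatekey.pem" 4096 2>/dev/null
  chmod 600 "$mp_dir/myapigeeprivatekey.pem"
  # 6.2.2: self-signed X.509 certificate over that key (-key, not -newkey).
  openssl req -x509 -sha256 -days 365 -key "$mp_dir/myapigeeprivatekey.pem" \
    -subj "/CN=$mp_cn" -out "$mp_dir/myapigeecertificate.pem"
  # 6.2.3: PKCS#12 keystore; password supplied via -passout instead of a prompt.
  openssl pkcs12 -export -in "$mp_dir/myapigeecertificate.pem" \
    -inkey "$mp_dir/myapigeeprivatekey.pem" -out "$mp_dir/snowkeystore.p12" \
    -passout "pass:$mp_pw"
  chmod 600 "$mp_dir/snowkeystore.p12"
}

# cert_matches_key DIR: 0 if the certificate's public key equals the one
# derived from the private key, i.e. the cert you upload to GCP belongs to
# the key inside the P12 you upload to ServiceNow.
cert_matches_key() {
  cm_k=$(openssl rsa -in "$1/myapigeeprivatekey.pem" -pubout 2>/dev/null)
  cm_c=$(openssl x509 -in "$1/myapigeecertificate.pem" -pubkey -noout)
  [ -n "$cm_k" ] && [ "$cm_k" = "$cm_c" ]
}

# p12_opens DIR PASSWORD: 0 if the keystore's MAC verifies with PASSWORD and
# it contains a certificate; a wrong password makes openssl pkcs12 fail.
p12_opens() {
  openssl pkcs12 -in "$1/snowkeystore.p12" -passin "pass:$2" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject >/dev/null 2>&1
}
```

Usage: make_p12 ./out 'export-password', then cert_matches_key ./out and p12_opens ./out 'export-password'; upload out/myapigeecertificate.pem in step 6.2.4 and out/snowkeystore.p12 in step 7. If the ServiceNow import rejects a keystore produced by OpenSSL 3.x, regenerate it with the -legacy option of openssl pkcs12, which selects the older PBE algorithms that older Java keystores accept.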