API Service Graph connector for Apigee X - Setup Instructions

1. Create service account

For the ServiceNow Service Graph Connector for Apigee to integrate securely with a Google Cloud environment, a service account is created in an Apigee project. Depending on your security configuration, that service account may be given access to all projects in the organization or only to a selected group of projects. Follow the steps below to create the service account:

- Navigate to the Cloud Console: https://console.cloud.google.com/.
- Activate Google Cloud Shell by clicking the Cloud Shell icon at the top right of the console.
- A terminal opens at the bottom of the browser window. Run the following command there to create the service account:

```bash
gcloud iam service-accounts create apigee-apis --project=PROJECT_ID
```

Here "apigee-apis" is the name of the service account; you can choose a different name in accordance with your company's naming conventions. Replace "PROJECT_ID" with the ID of your project. The resulting service account will look like apigee-apis@example.iam.gserviceaccount.com, where "example" stands for the project ID.

2. Get Organization and Project ID

The organization ID and the project ID uniquely identify your organization and each of its projects. Log in to Google Cloud (https://console.cloud.google.com/) and open Cloud Shell.

- Use `gcloud organizations list` to get the ID of your organization.
- Use `gcloud projects list` to get the ID of your project.

3. Create and assign role

Different portions of the Apigee APIs require different privileges. Depending on whether the connector should have permissions on all projects in your organization or only on specific projects, you can choose either a single role at the organization level or two separate roles, one for the organization and one for the projects.

3.1 Single role with all permissions at the organization level

In this setup you create only one IAM role, 'SnowApigeeOrgRole', with the list of permissions below.
These are read-only permissions scoped to the specific Apigee APIs the connector calls; refer to the 'API List & IAM Permission' section for the API-to-IAM-permission mapping.

- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
- apigee.apiproducts.get
- apigee.apiproducts.list
- apigee.apps.list
- apigee.deployments.list
- apigee.developers.list
- apigee.envgroupattachments.list
- apigee.envgroups.list
- apigee.environments.getStats
- apigee.environments.list
- apigee.proxies.get
- apigee.proxies.list
- apigee.proxyrevisions.get
- apigee.targetservers.get

gcloud command to create 'SnowApigeeOrgRole':

```bash
gcloud iam roles create SnowApigeeOrgRole --organization=ORGANIZATION_ID \
--permissions=resourcemanager.folders.get,\
resourcemanager.folders.list,\
resourcemanager.organizations.get,\
resourcemanager.projects.get,\
resourcemanager.projects.list,\
apigee.apiproducts.get,\
apigee.apiproducts.list,\
apigee.apps.list,\
apigee.deployments.list,\
apigee.developers.list,\
apigee.envgroupattachments.list,\
apigee.envgroups.list,\
apigee.environments.getStats,\
apigee.environments.list,\
apigee.proxies.get,\
apigee.proxies.list,\
apigee.proxyrevisions.get,\
apigee.targetservers.get
```

3.2 Separate roles at the organization and project levels

In this scenario you create two roles, SnowApigeeOrgRole and SnowApigeeProjRole. The IAM permissions below apply only at the organization level, through the role 'SnowApigeeOrgRole':

- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.list

gcloud command to create 'SnowApigeeOrgRole':

```bash
gcloud iam roles create SnowApigeeOrgRole --organization=ORGANIZATION_ID \
--permissions=resourcemanager.folders.get,\
resourcemanager.folders.list,\
resourcemanager.organizations.get,\
resourcemanager.projects.get,\
resourcemanager.projects.list
```

3.2.1 SnowApigeeProjRole - IAM Role

A role with the IAM permissions below must be created in each project:
- apigee.apiproducts.get
- apigee.apiproducts.list
- apigee.apps.list
- apigee.deployments.list
- apigee.developers.list
- apigee.envgroupattachments.list
- apigee.envgroups.list
- apigee.environments.getStats
- apigee.environments.list
- apigee.proxies.get
- apigee.proxies.list
- apigee.proxyrevisions.get
- apigee.targetservers.get

gcloud command to create 'SnowApigeeProjRole':

```bash
gcloud iam roles create SnowApigeeProjRole --project=PROJECT_ID \
--permissions=apigee.apiproducts.get,\
apigee.apiproducts.list,\
apigee.apps.list,\
apigee.deployments.list,\
apigee.developers.list,\
apigee.envgroupattachments.list,\
apigee.envgroups.list,\
apigee.environments.getStats,\
apigee.environments.list,\
apigee.proxies.get,\
apigee.proxies.list,\
apigee.proxyrevisions.get,\
apigee.targetservers.get
```

4. Binding roles to the service account

Binding the SnowApigeeOrgRole or SnowApigeeProjRole IAM role to the service account grants it the ability to make the necessary API calls.

4.1 Binding SnowApigeeOrgRole to the service account

If you chose the single role with all permissions at the organization level, run only the command below to bind 'SnowApigeeOrgRole' to the service account, and skip step 4.2.

```bash
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member=serviceAccount:apigee-apis@example.iam.gserviceaccount.com \
  --role=organizations/ORGANIZATION_ID/roles/SnowApigeeOrgRole
```

Note: replace apigee-apis@example.iam.gserviceaccount.com with your service account email.

4.2 Binding SnowApigeeProjRole to the service account (per project)

If you chose separate roles, with some permissions at the project level and the others at the organization level, run the command below once for each project, after completing step 4.1, to bind 'SnowApigeeProjRole' to the service account.

```bash
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=serviceAccount:apigee-apis@example.iam.gserviceaccount.com \
  --role=projects/PROJECT_ID/roles/SnowApigeeProjRole
```

Note: PROJECT_ID is the project whose role is being bound. The --member value is always the email of the service account created in step 1; it does not change with the project you bind it in.

5. Enable the Cloud Resource Manager API

You need to enable the "Cloud Resource Manager API" in the project in which the service account was created.
- Log in to the Apigee portal with your service account email and select the project under which the service account was created.
- Search for "Cloud Resource Manager API" in the portal's search bar.
- Click "Enable".

6. Create a P12 file

The Service Graph Connector for Apigee X authenticates with a P12 file, which it uses to obtain an OAuth2 JWT token. Use either of the two methods below (6.1 or 6.2) to generate the P12 file.

6.1 GCP-generated P12 file

In this method the P12 file is created in the GCP console and comes with a preset password. If this mode does not suit you, move on to the following method, "Alternate Step to Generate P12 File" (6.2).

- Go to the IAM & Admin tab in the project in which the service account was created.
- Select "Service Accounts" from the left navigation and click the service account.
- Click the Keys tab, then choose "ADD KEY" and select 'Create a new key'.
- Select "P12" as the key type and click CREATE.
- Make a note of the private key and save it safely.

6.2 Alternate step to generate a P12 file

If you already have a key in JSON format, skip to 6.2.1; otherwise, obtain a JSON key with the following steps:

- Go to the IAM & Admin tab in the project in which the service account was created.
- Select "Service Accounts" from the left navigation and click the service account.
- Click the Keys tab, then choose "ADD KEY" and select 'Create a new key'.
- Select "JSON" as the key type and click CREATE.
- The JSON file is downloaded to your system.

6.2.1 Extract the private key from the JSON file

The JSON file downloaded in the previous step, say "service-account.json", contains a key named "private_key" whose value is your private key. Use the command below to extract it to a file, say "myapigeeprivatekey.pem":

```bash
jq -r '.private_key' service-account.json > myapigeeprivatekey.pem
```

6.2.2 Extract the certificate URL from the JSON file, download the certificate mappings, and extract the correct certificate
STEP 1: The Google Cloud public certificate is not included in "service-account.json" directly. Instead, it is available at the URL in the "client_x509_cert_url" property of your JSON file. Extract that property with the command below:

```bash
jq -r '.client_x509_cert_url' service-account.json
```

STEP 2: Fetch the JSON of certificate mappings into a file, say "myapigeecertificate.json":

```bash
curl -s "<EXTRACTED URL FROM STEP 1>" > myapigeecertificate.json
```

STEP 3: "myapigeecertificate.json" contains multiple certificates indexed by key ID, so you need the one that matches the "private_key_id" in your "service-account.json" file:

```bash
jq -r '.private_key_id' service-account.json
```

STEP 4: Now extract the corresponding certificate and save it as "myapigeecertificate.pem":

```bash
jq -r '."<EXTRACTED PRIVATE KEY ID FROM STEP 3>"' myapigeecertificate.json > myapigeecertificate.pem
```

6.2.3 Verify the extracted certificate

To confirm that "myapigeecertificate.pem" is valid, run:

```bash
openssl x509 -in myapigeecertificate.pem -noout -text
```

You should see details like:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ...
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Google Cloud
        Subject: CN=my-service-account@project-id.iam.gserviceaccount.com
```

If the verification was successful, move on to 6.2.4.

6.2.4 Convert to a .p12 keystore

Some ServiceNow instances require a .p12 keystore rather than a raw .pem file. Create a .p12 file, say "apigee.p12", with:

```bash
openssl pkcs12 -export -inkey myapigeeprivatekey.pem -in myapigeecertificate.pem -out apigee.p12
```

You will be prompted to set an export password. Keep it safe.

6.2.5 Convert the .p12 to a .jks keystore

Some instances restrict certain file types; authentication works with either a p12 or a jks when creating the Java keystore in ServiceNow, so you can also create a .jks keystore from the .p12 keystore generated in the previous step.
Use the command below to create a .jks file, say "apigee.jks":

```bash
keytool -importkeystore -srckeystore apigee.p12 -srcstoretype pkcs12 -destkeystore apigee.jks -deststoretype JKS
```

6.2.6 Registering the X.509 file in the GCP service account

- Go to the IAM & Admin tab in the project in which the service account was created.
- Select "Service Accounts" from the left navigation and click the service account.
- Click the Keys tab, then select "Upload Existing Key" and add the X.509 certificate file (e.g. myapigeecertificate.pem).
- Make a note of the private key and save it safely.

7. Registering the P12 file in the ServiceNow instance for Service Graph Connector for Apigee X

The P12 file prepared in the preceding step is uploaded on the ServiceNow X.509 Certificate page, as shown below.
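The jq steps in 6.2.1 and 6.2.2 can be wrapped with the checks they skip: that the key file has the expected fields, that the certificate URL really points at Google before it is fetched, that the private_key_id is still present in the downloaded mapping (it disappears when the key has been deleted or rotated), and, via openssl, that the extracted certificate belongs to the extracted private key before running the pkcs12 export of 6.2.4. This Python is an added example, not part of this guide or the connector; it assumes the mapping JSON was already fetched as in STEP 2, and the sample inputs are constructed placeholders, not real key material.

```python
import json
import subprocess
from urllib.parse import urlparse

# Google serves service-account certificates from this host only. Check the
# URL before you curl it: a key file you did not generate could point elsewhere.
TRUSTED_CERT_HOST = "www.googleapis.com"
REQUIRED_FIELDS = ("client_email", "private_key_id", "private_key",
                   "client_x509_cert_url")

def split_service_account_key(sa_json: str, cert_map_json: str):
    """Return (parts, problems); parts is None unless problems is empty."""
    sa = json.loads(sa_json)
    missing = [f for f in REQUIRED_FIELDS if f not in sa]
    if missing:
        return None, [f"service-account JSON lacks fields: {missing}"]
    problems = []
    url = urlparse(sa["client_x509_cert_url"])
    if url.scheme != "https" or url.hostname != TRUSTED_CERT_HOST:
        problems.append(f"certificate URL host {url.hostname!r} is not "
                        f"{TRUSTED_CERT_HOST!r}")
    if not sa["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 block")
    cert_map = json.loads(cert_map_json)
    kid = sa["private_key_id"]
    if kid not in cert_map:  # usual cause: key deleted or rotated after download
        problems.append(f"key id {kid} not in certificate mapping "
                        f"(mapping has {sorted(cert_map)})")
    if problems:
        return None, problems
    return ({"private_key": sa["private_key"], "certificate": cert_map[kid],
             "cert_url": sa["client_x509_cert_url"]}, [])

def key_matches_cert(key_path: str, cert_path: str) -> bool:
    """True when the certificate's public key equals the private key's (openssl)."""
    pub_from_key = subprocess.run(["openssl", "pkey", "-in", key_path, "-pubout"],
                                  capture_output=True, check=True).stdout
    pub_from_cert = subprocess.run(["openssl", "x509", "-in", cert_path, "-pubkey",
                                    "-noout"], capture_output=True, check=True).stdout
    return pub_from_key.strip() == pub_from_cert.strip()

# Constructed sample inputs with placeholder PEM bodies, not real key material.
SAMPLE_SA_JSON = json.dumps({
    "type": "service_account", "project_id": "example", "private_key_id": "0a1b2c",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "apigee-apis@example.iam.gserviceaccount.com",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/apigee-apis%40example.iam.gserviceaccount.com"})
SAMPLE_CERT_MAP = json.dumps({
    "0a1b2c": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CURRENT\n-----END CERTIFICATE-----\n",
    "9f8e7d": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-PREVIOUS\n-----END CERTIFICATE-----\n"})
```

Write the two returned PEM strings to myapigeeprivatekey.pem and myapigeecertificate.pem, then call key_matches_cert on those paths; a False result means the mapping entry does not belong to this key and the pkcs12 export should not be attempted.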