Google Apigee API Discovery Connectors
The Google Apigee API Discovery Connector enables Qualys to securely connect to your Google Cloud Platform (GCP) environment and automatically discover API assets managed through Google Apigee.
The connector continuously collects API inventory and configuration data to keep the Cloud Inventory, Cloud Security Assessment, and Asset Inventory up to date.
This ensures accurate visibility into your API surface and supports improved security posture management.
| Category | Supported Asset Type | Supported Finding Type |
|---|---|---|
| API Connector | APIs | N/A (Discovery only) |
Prerequisites
- An active TotalAppSec module subscription
- Access to your Google Cloud Apigee API Management platform with the permissions listed in the Permissions section for the role.
How to Obtain a JSON Key File
- Log in to https://console.cloud.google.com/.
- Navigate to IAM & Admin / Roles > Roles, and click Create role.
- Assign the following permissions to the role.
- apigee.deployments.list
- apigee.envgroupattachments.list
- apigee.envgroups.list
- apigee.proxies.list
- apigee.proxyrevisions.get
- apigee.proxyrevisions.list
The following image displays the addition of apigee.proxyrevisions.list permission:
- Create a service account:
- Navigate to IAM & Admin / Service accounts > Service Accounts, and click Create service account.
- In the Create service account screen, enter the Service account name. The Service account ID is generated automatically based on this name.

- Click Create and continue.
- In the Role field, select a role, and click Continue.
- Create a new key in the service account.
- For the service account, click Actions > Manage keys.
- Click Add key.
- In the Key Type, select JSON, and click Create.
The JSON key file will be downloaded to your computer. Store this key file securely. Use the JSON file while creating the connector in the Basic Details step.

Permissions
The following table presents the Apigee management APIs and the IAM permissions required for each operation.
| API Endpoint | IAM Permissions |
|---|---|
| GET /v1/organizations/{org}/envgroups | apigee.envgroups.list |
| GET /v1/organizations/{org}/envgroups/{group}/attachments | apigee.envgroupattachments.list |
| GET /v1/organizations/{org}/apis | apigee.proxies.list |
| GET /v1/organizations/{org}/apis/{api}/revisions | apigee.proxyrevisions.list |
| GET /v1/organizations/{org}/apis/{api}/deployments | apigee.deployments.list |
| GET /v1/organizations/{org}/apis/{api}/revisions/{rev} | apigee.proxyrevisions.get |
| GET /v1/organizations/{org}/apis/{api}/revisions/{rev}?format=bundle | apigee.proxyrevisions.get |
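The check below is an added example, not Qualys or Google code: it audits a custom role against the permission list and the endpoint table on this page, reporting missing permissions, the connector calls they would block, and any excess grants. It assumes the role is supplied as JSON in the shape returned by `gcloud iam roles describe --format=json`; the role name, project, and sample role are constructed.

```python
import json

# Endpoint -> permission pairs copied from the Permissions table on this page.
ENDPOINT_PERMISSIONS = {
    "GET /v1/organizations/{org}/envgroups": "apigee.envgroups.list",
    "GET /v1/organizations/{org}/envgroups/{group}/attachments": "apigee.envgroupattachments.list",
    "GET /v1/organizations/{org}/apis": "apigee.proxies.list",
    "GET /v1/organizations/{org}/apis/{api}/revisions": "apigee.proxyrevisions.list",
    "GET /v1/organizations/{org}/apis/{api}/deployments": "apigee.deployments.list",
    "GET /v1/organizations/{org}/apis/{api}/revisions/{rev}": "apigee.proxyrevisions.get",
    "GET /v1/organizations/{org}/apis/{api}/revisions/{rev}?format=bundle": "apigee.proxyrevisions.get",
}
REQUIRED = frozenset(ENDPOINT_PERMISSIONS.values())


def audit_role(role_json: str) -> dict:
    """Compare a custom role's permissions with what the connector needs."""
    role = json.loads(role_json)
    granted = set(role.get("includedPermissions", []))
    missing = REQUIRED - granted
    return {
        "missing": sorted(missing),            # discovery calls will be denied
        "excess": sorted(granted - REQUIRED),  # grants beyond read-only discovery
        "blocked_endpoints": sorted(e for e, p in ENDPOINT_PERMISSIONS.items() if p in missing),
        "least_privilege": granted == REQUIRED,
    }


# Constructed sample: a role that lacks one required permission and
# carries one write permission the connector has no use for.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/qualysApigeeDiscovery",
    "title": "Qualys Apigee Discovery (sample)",
    "includedPermissions": [
        "apigee.deployments.list",
        "apigee.envgroupattachments.list",
        "apigee.envgroups.list",
        "apigee.proxies.list",
        "apigee.proxyrevisions.list",
        "apigee.proxies.delete",
    ],
})

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

Running the audit before generating the JSON key confirms that the key can only ever exercise the six read-only permissions the connector uses.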
Connector Configuration
To create a new Google Apigee API Discovery Connector, navigate to the Discovery tab > Sources > Google Apigee API Discovery Connector, and click Create Connector.
Basic Details
- Provide a Name and Description.
- Select the Qualys Data Model - API Discovery and Qualys Data Model Type - API.
- Provide required Authentication Details.

Data Model
The GCP API Discovery Default Data Model provides an out-of-the-box schema aligned with the Qualys schema.
Use the schema view to understand the attributes and structure of the imported API data.

Here's the default data model mapping.

Transform Maps
Transform maps ensure data is correctly transformed during data import. Qualys provides the default transform map, and it cannot be edited.

Profile Configuration
Create a profile for your connector to control execution behavior. A profile determines the connector status, the execution schedule, and the transform map to use. The connector follows the configurations of this profile for all future executions.

- Click to create a new profile.
- In the Create Profile screen, provide the necessary inputs for your new profile:
- Provide a Name and Description.
- Select the required Transform Map for the data mapping.
- In the Status field select whether the connector should be in Active or Inactive state after creation.
- In the Schedule section, select a Single Occurrence schedule or a Recurring schedule. For a Single Occurrence schedule, select the timezone, start time, and end time. For a Recurring schedule, select the timezone, frequency, start time, and end time.
- Click Create to add a new profile.
Connector States
After configuration, the connector progresses through these states:
| State | Description |
|---|---|
| Registered | Connector created and registered successfully |
| Scheduled | Connection execution is scheduled |
| Processing | A connection is executed and the connector is retrieving asset data. |
| Processed | Asset discovery completed; findings ingestion may still continue. The Processed state indicates that the connector is successfully configured but is still importing all your assets. This process may take some time. |
Logs
End-to-end logging provides enhanced visibility into connector activities from TotalAppSec, enabling more effective analysis and troubleshooting. You can access these logs from the Logs tab.
View Discovered Assets in TotalAppSec
Follow these steps to view your assets in the TAS application.
Sources

Discovered APIs
Here, you can view all API assets discovered by the GCP connector, along with additional details such as Status, URL, Endpoints, and so on.
