Integrating Google Cloud Storage (GCS) with the ThinkData Works platform allows seamless access to cloud storage. Follow the steps below to securely add your Client Secret to the platform.
Prerequisites:
- An active Google Cloud account.
- A Service Account Key from Google Cloud with the necessary permissions.
- Access to your platform account with the necessary permissions to configure storage.
Step-by-Step Guide:
Step 1: Create a Service Account and Generate Access Key
To get your Access Key and Secret Key, you’ll need to create a Service Account in your Google Cloud project. Follow these steps:
- Sign in to the Google Cloud Console.
- Navigate to the IAM & Admin section and select Service Accounts.
- Select the desired service account and click Keys under the Keys tab.
- Click Add Key > Create New Key, and choose JSON as the key type. Download the JSON file as this contains your Client Secret.
Step 2: Log in to the ThinkData Works Platform
We will need to add our GCS credentials to the platform. You will only need to do this step once as long as you continue to use the same user account these credentials are associated with.
- Open the platform and navigate to the Credentials page: Data > Credentials > Create Credential
- Enter the user name these credentials belong to (or any other identifying name)
- In the type dropdown, select "Google Storage (GCS)"
- Enter the Region, Project Name, and Client Secret.
- Save
Important Security Note:
- Never share these credentials with any support staff of ThinkData Works. You should always be entering them in to the console.
- Regularly rotate your keys to maintain security.
Troubleshooting:
- If the integration fails, ensure that your Service Account has the proper permissions to access Google Cloud Storage.
- Verify that the Private Key and other fields are correctly copied from the JSON file.
- Ensure that the correct Bucket Name and Project ID are used in the configuration.
- Ensure that you are using the Project Name, not the Project Title or Project Number. This is usually a user created, alphanumeric identifier that may contain dashes "-"
Minimum Permissions
These instructions will demonstrate how to assign minimum permissions to access objects in a particular bucket.
- Copy the email address of the service account you intend to grant
- Navigate to the bucket you want to grant permissions to
- Click Permissions > + Grant Access and paste the copied email address into the Principal field Under roles add Storage Object Viewer and Storage Legacy Bucket Reader
- If you would like to add a Condition to the Storage Object Viewer to only allow access to a specific prefix, use the resource attribute template below:
resource.name.startsWith("projects/_/buckets/bucket-name/objects/prefix")
- If you would like to add a Condition to the Storage Object Viewer to only allow access to a specific prefix, use the resource attribute template below: