Destination Setup
Google Cloud Storage
Configuring your Google Cloud Storage destination.
Prerequisites
- By default, GCS authentication uses role-based access. You will need the data-syncing service’s service account name available to grant access. It should look like some-name@some-project.iam.gserviceaccount.com.
Step 1: Create a service account
- In the GCP console, navigate to the IAM & Admin menu, click into the Service Accounts tab, and click Create service account at the top of the menu.
- In the first step, name the service account that will be used to transfer data into Cloud Storage and click Create and Continue. Click Continue in the following optional step without assigning any roles.
- In the Grant users access to this service account step, within the Service account users role field, enter the provided Service account (see prerequisite) and click Done.
- Once successfully created, search for the created service account in the service accounts list, click the Service account name to view the details, and make a note of the email (note: this is a different email than the service’s service account).
- Select the permissions tab, find the provided principal name (Service account from the prerequisite), click the Edit principal button (pencil icon), click Add another role, select the Service Account Token Creator role, and click Save.
Alternative authentication method: HMAC Access Key & Secret
Role-based authentication is the preferred authentication mode for Google Cloud Storage based on GCP recommendations. However, HMAC Access Key ID & Secret Access Key is an alternative authentication method that can be used if preferred. An HMAC key is a type of credential and can be associated with a service account or a user account to access Google Cloud Storage.
- Navigate to the Cloud Storage page.
- Click into the Settings tab on the left side menu.
- Navigate to the Interoperability tab and click the Create a key for a Service Account button.
- Select the Service Account created in Step 1, and click Create key.
- Make a note of the Access key and Secret.
Step 2: Create destination GCS bucket
- Navigate to the Cloud Storage page.
- Click Create.
- Enter a bucket name and choose a region. Note: at the Choose how to control access to objects step, we recommend selecting Enforce public access prevention on this bucket.
- After choosing your preferences for the remaining steps, click Create.
- On the Bucket details page for the bucket you created, select the Permissions tab, and click Grant access.
- Grant access to the principal (Service Account) you created in Step 1 (Note: this is the service account you created, not the service account from the prerequisite), and assign the Role: Storage Legacy Bucket Writer. Click Save.
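To confirm that Steps 1 and 2 produced the intended bindings, the following added example (not part of the original guide or the service's own tooling) audits the two IAM policies as JSON. The function names, the transfer account email and the sample policies are constructed for illustration, and the checks for extra token creators and direct vendor bindings are additional least-privilege checks beyond the guide's steps.

```python
# Role IDs behind the console role names used in Steps 1 and 2.
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
SA_USER = "roles/iam.serviceAccountUser"
BUCKET_WRITER = "roles/storage.legacyBucketWriter"
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def members_by_role(policy):
    """Map role -> set of members for an IAM policy document."""
    roles = {}
    for binding in policy.get("bindings", []):
        roles.setdefault(binding["role"], set()).update(binding.get("members", []))
    return roles

def audit(sa_policy, bucket_policy, vendor_sa, transfer_sa):
    """Return findings; an empty list means the bindings match the guide."""
    findings = []
    sa_roles = members_by_role(sa_policy)
    bucket_roles = members_by_role(bucket_policy)
    vendor = f"serviceAccount:{vendor_sa}"
    transfer = f"serviceAccount:{transfer_sa}"
    for role in (SA_USER, TOKEN_CREATOR):
        if vendor not in sa_roles.get(role, set()):
            findings.append(f"vendor account lacks {role} on {transfer_sa}")
    # Any other token creator can also act as the transfer account.
    for member in sorted(sa_roles.get(TOKEN_CREATOR, set()) - {vendor}):
        findings.append(f"unexpected token creator: {member}")
    if transfer not in bucket_roles.get(BUCKET_WRITER, set()):
        findings.append(f"{transfer_sa} lacks {BUCKET_WRITER} on the bucket")
    for role, members in sorted(bucket_roles.items()):
        if vendor in members:  # Step 2 binds the created account, not the vendor's
            findings.append(f"vendor account bound directly on bucket: {role}")
        for member in sorted(members & PUBLIC):
            findings.append(f"public binding on bucket: {member} has {role}")
    return findings

# Constructed sample data, not real gcloud output.
VENDOR = "some-name@some-project.iam.gserviceaccount.com"
TRANSFER = "gcs-transfer@example-project.iam.gserviceaccount.com"
SA_POLICY = {"bindings": [
    {"role": SA_USER, "members": [f"serviceAccount:{VENDOR}"]},
    {"role": TOKEN_CREATOR, "members": [f"serviceAccount:{VENDOR}"]},
]}
BUCKET_POLICY = {"bindings": [
    {"role": BUCKET_WRITER, "members": [f"serviceAccount:{TRANSFER}"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
]}
if __name__ == "__main__":
    for finding in audit(SA_POLICY, BUCKET_POLICY, VENDOR, TRANSFER):
        print(finding)
```

Real input for the two policy arguments can be exported with `gcloud iam service-accounts get-iam-policy <email> --format=json` and `gcloud storage buckets get-iam-policy gs://<bucket> --format=json`.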
Step 3: Add your destination
Securely share your bucket name, your chosen folder name for the data, and your Service account email with us to complete the connection.