(GCP) Configuring GCS' external access
Instructions
Using this article as a general guide, the steps below set up external delegated access to the Flashback service account:
Create a service account
In Google Cloud Console, select the project where your bucket resources are, and create a service account under "IAM & Admin - Service Accounts - Create service account".
Enter an easily recognizable name and description. For our example purposes we created one called "Flashback Storage TEST".
Grant the service account access to the bucket resources
If, for example, you want the service account to have full access in the project or in a specific bucket, you can grant it the "Storage Admin" and "Storage Object Admin" roles.
If you want more specific/granular access, you will have to create specific access roles and apply them to the service account at the required scope.
Add impersonation roles to Flashback service account
Go to the newly created service account and, in the "Permissions" tab, press the "+ Grant Access" button.

Then a modal opens to the right and we have to indicate the following:
In Principals, we enter "[email protected]"
In "Roles", we add "Service Account Token Creator" and "Service Account User"

Then we Save.
Now, when configuring the GCS bucket, we enter our service account principal as the client email and leave the "Private Key" field empty. This signals to Flashback nodes that access to the bucket is delegated to Flashback's service account.
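To confirm the grant from the impersonation step, the following added example (not Flashback's or Google's code) audits the service account's IAM policy, in the JSON shape returned by `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`. It reports required roles the delegate is missing and any other principal that can also impersonate the account. The delegate address and the sample policy are constructed placeholders; substitute the Flashback principal entered in "Principals" above.

```python
import json

# The two roles this page grants to the delegate on your service account.
REQUIRED_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}

def audit_delegation(policy: dict, delegate: str) -> dict:
    """Compare a service account IAM policy with the delegation set up above.

    Returns the required roles the delegate lacks, plus every other
    principal holding one of those roles on the service account.
    """
    held = set()
    unexpected = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in REQUIRED_ROLES:
            continue  # only impersonation-related roles are in scope here
        for member in binding.get("members", []):
            if member == delegate:
                held.add(role)
            else:
                unexpected.append((member, role))
    return {"missing": sorted(REQUIRED_ROLES - held),
            "unexpected": sorted(unexpected)}

# Placeholder principal (assumption): replace with the Flashback service account.
DELEGATE = "serviceAccount:flashback-delegate@example-project.iam.gserviceaccount.com"

# Constructed sample policy; the second member of the first binding is the finding.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:flashback-delegate@example-project.iam.gserviceaccount.com",
                 "user:former-contractor@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:flashback-delegate@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

if __name__ == "__main__":
    print(audit_delegation(SAMPLE_POLICY, DELEGATE))
```

An empty "missing" list with an empty "unexpected" list means only the delegate can mint tokens for or act as the service account.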