Configuring GCS' external access
Instructions
Using this article as a general guide, these are the steps to set up external delegated access to the Flashgate service account:
In Google Cloud Console, select the project where your bucket resources are, and create a service account under "IAM & Admin - Service Accounts - Create service account".
Enter an easily recognizable name and description. For this example we created one called "Flashgate Storage TEST".
If, for example, you want the service account to have full access in the project or in a specific bucket, you can grant it the "Storage Admin" and "Storage Object Admin" roles.
If you want more granular access, you will have to create specific access roles and apply them to the service account at the required scope.
Go to the newly created service account and, in the "Permissions" tab, press the "+ Grant Access" button.

Then a modal opens to the right and we have to indicate the following:
In Principals, we enter "[email protected]"
In "Roles", we add "Service Account Token Creator" and "Service Account User"

Then we Save.
Now, when configuring the GCS bucket, we indicate our service account principal as the client email and leave the "Private Key" field empty. This signals to Flashgate nodes that access to the bucket is delegated to Flashgate's service account.
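A check that the grant made in the steps above is the only one on the service account, as an added example (not Flashgate's or Google's code): it reads the JSON printed by `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` and reports any principal other than the expected one that holds the two delegation roles. The member string and the sample policy are constructed placeholders, and the `serviceAccount:` prefix for the Flashgate principal is an assumption.

```python
import json

# Roles the page grants to the Flashgate principal on the service account.
DELEGATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_delegation(policy_json, expected_member):
    """Return findings for a service account IAM policy (JSON text).

    expected_member is the delegated principal as it appears in the
    policy, e.g. "serviceAccount:<email>" (prefix is an assumption).
    """
    policy = json.loads(policy_json)
    findings, granted = [], set()
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in DELEGATION_ROLES:
            continue  # only the impersonation-related roles matter here
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"PUBLIC: {member} holds {role}")
            elif member == expected_member:
                granted.add(role)
            else:
                findings.append(f"UNEXPECTED: {member} holds {role}")
    for role in sorted(DELEGATION_ROLES - granted):
        findings.append(f"MISSING: {expected_member} lacks {role}")
    return findings


# Constructed sample policy with placeholder addresses, not real principals.
EXPECTED = "serviceAccount:flashgate-placeholder@example.invalid"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": [EXPECTED, "user:former-admin@example.invalid"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["allAuthenticatedUsers"]},
    ],
    "version": 1,
})

if __name__ == "__main__":
    for line in audit_delegation(SAMPLE_POLICY, EXPECTED):
        print(line)
```

An empty result means only the expected principal can mint tokens for or act as the service account.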