# Configuring GCS' external access

## Instructions

Using [this article](https://cloud.google.com/iam/docs/manage-access-service-accounts) as a general guide, the steps below set up external delegated access for the Flashback service account:

{% stepper %}
{% step %}

### Create a service account

In the Google Cloud Console, select the project that contains your bucket resources, and create a service account under "IAM & Admin - Service Accounts - Create service account".

Enter an easily recognizable name and description. For our example purposes we created one called "Flashback Storage TEST".
{% endstep %}

{% step %}

### Grant the service account access to the bucket resources

If, for example, you want the service account to have full access in the project or in a specific bucket, you can grant it the "Storage Admin" and "Storage Object Admin" roles.

If you want more specific/granular access, you will have to create specific access roles and apply them to the service account at the required scope.
{% endstep %}

{% step %}

### Grant impersonation roles to the Flashback service account

Go to the newly created service account, open the "Permissions" tab, and press the "+ Grant Access" button shown below.

<figure><img src="/files/UaRVPMYLS33y1PHmNl4H" alt=""><figcaption></figcaption></figure>

A panel then opens on the right, where we enter the following:

* In "Principals", we enter "**<flashback-network@flashback-network.iam.gserviceaccount.com>**"
* In "Roles", we add "**Service Account Token Creator**" and "**Service Account User**"

<figure><img src="/files/nOAjF5AwH3syv4eLo5dD" alt=""><figcaption></figcaption></figure>

Then we Save.
{% endstep %}
{% endstepper %}

Now, when configuring the GCS bucket, we enter our service account principal as the client email and leave the "Private Key" field empty. This signals to Flashback nodes that access to the bucket is delegated to Flashback's service account.


