This article provides step-by-step instructions on how to create a new GCP service account to be used with Cirrus Data Cloud's GCP integration. To learn more about how Cirrus Data Cloud integrates with Google Cloud Platform (GCP), see Google Cloud Platform GCE Storage Integration.

Prerequisites

Enabling APIs
The following steps enable APIs required by the GCP Integration. Unless this is a brand new GCP account, some or all of these APIs may have already been enabled.

In the top search bar type 'Resource Manager'.
Select Marketplace | Cloud Resource Manager API.

Click Enable if it is not already enabled.
Next, in the top search bar, type IAM.
Select Marketplace | Identity and Access Management (IAM) API.

Click Enable if it is not already enabled.

Creating Custom Role For Cirrus Data Cloud
The following steps will create a custom IAM role with all necessary permissions used by Cirrus Data Cloud's GCP integration. This role will be assigned to the service account created in later steps.

From the search bar, enter IAM and go to the IAM & Admin page.


Go to Roles, and click Create Role.


Enter a descriptive Name and ID for the role.

Click the + Add Permissions button, and add the following permissions from the dialog:
iam.roles.get
resourcemanager.projects.getIamPolicy
iam.serviceAccounts.getIamPolicy
compute.diskTypes.get
compute.diskTypes.list
compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.disks.use
compute.globalOperations.get
compute.instances.attachDisk
compute.instances.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.list
compute.snapshots.useReadOnly
compute.zoneOperations.get

Tip: Use the properties filter bar in the table, not the "Filter permissions by role" dropdown, to filter.


Click Create to save the IAM Role.

Creating Service Account for Cirrus Data Cloud to Run As
The following steps will create a service account to be used by Cirrus Data Cloud's GCP Integration.

From the search bar, enter IAM and go to the IAM & Admin page.
Go to the Service Accounts tab.
Click Create Service Account.
Specify a Name, ID, and Description for this service account.

Tip: Record the value of the generated email address for later use.

Click Create and Continue.
Grant the service account access to the project with the custom role created above.


Click Done. A custom service account is now created.
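To confirm the result of the two procedures above, the following added example (not part of the original article or of Cirrus Data Cloud) compares the custom role against the permission list in this article and reports which roles the service account holds on the project. It assumes the inputs are the JSON printed by `gcloud iam roles describe ... --format=json` and `gcloud projects get-iam-policy ... --format=json`; the project, role ID and account names in the sample are constructed.

```python
import json

# Permissions the article lists for the custom role.
REQUIRED = frozenset("""
iam.roles.get resourcemanager.projects.getIamPolicy iam.serviceAccounts.getIamPolicy
compute.diskTypes.get compute.diskTypes.list compute.disks.create
compute.disks.createSnapshot compute.disks.get compute.disks.use
compute.globalOperations.get compute.instances.attachDisk compute.instances.get
compute.snapshots.create compute.snapshots.delete compute.snapshots.get
compute.snapshots.list compute.snapshots.useReadOnly compute.zoneOperations.get
""".split())

def audit(role_json, policy_json, sa_email):
    """Return findings for the custom role and the account's project bindings."""
    role = json.loads(role_json)
    policy = json.loads(policy_json)
    granted = set(role.get("includedPermissions", []))
    member = "serviceAccount:" + sa_email
    bound = sorted(b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", []))
    return {
        "missing": sorted(REQUIRED - granted),  # listed in the article, not in the role
        "extra": sorted(granted - REQUIRED),    # in the role, not listed in the article
        "role_bound": role["name"] in bound,    # account holds the custom role
        "other_roles": [r for r in bound if r != role["name"]],
    }

# Constructed sample input (hypothetical project, role ID and account).
SAMPLE_SA = "cdc-integration@example-project.iam.gserviceaccount.com"
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/cirrusDataCloud",
    "includedPermissions": sorted((REQUIRED - {"compute.snapshots.delete"})
                                  | {"compute.instances.delete"}),
})
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "projects/example-project/roles/cirrusDataCloud",
     "members": ["serviceAccount:" + SAMPLE_SA]},
    {"role": "roles/editor",
     "members": ["serviceAccount:" + SAMPLE_SA, "user:admin@example.com"]},
]})

if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROLE, SAMPLE_POLICY, SAMPLE_SA).items():
        print(f"{key}: {value}")
```

An empty `missing`, `extra` and `other_roles` with `role_bound` true means the account holds exactly the permissions this article lists at project level.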

Granting Permissions to use VMs' Service Accounts
A user cannot modify an instance that is running as a specific service account. Therefore, it is necessary to add the newly created service account as a user of the service accounts your virtual machines are running as.

From the search bar, enter IAM and go to the IAM & Admin page.
Go to the Service Accounts tab.
Find the service account your VMs are running as.
Tip: By default, a service account named Compute Engine default service account is created for you when the project is created and is selected by default when creating a VM.
Click the actions button and select Manage Permissions from the dropdown menu.
Under the Principals with access to this service account tab, click Grant Access.

A side menu should pop up. Enter the service account email address saved from the earlier step under New principals.
Select Service Account User under the Role field.



Click Save.

Create Service Account Key
Finally, the following steps will create an API key pair that you can download and use with the GCP Integration.

From the search bar, enter IAM and go to the IAM & Admin page.
Go to the Service Accounts tab.
Find the newly created service account.
Click on the action button and select Manage Keys.


Under Keys, click on Add Key and select Create New Key.

Under Key Type, select JSON and click Create.

A key file will be created and downloaded to your computer. This is the key file you will use to enable the GCP integration inside of Cirrus Data Cloud.