Configuring Google Cloud Platform
(Workload Identity Federation Setup)
You can configure your Google Cloud Platform account to import data into, or export data from, the InfoSum Platform using the Google Cloud Storage data connector.
This article describes, step by step, how to configure your Google Cloud Platform account for use with the InfoSum Platform's Google Cloud Storage data connector.
This page provides an overview of the identity federation setup for external workloads. Using identity federation, you can grant on-premises or multi-cloud workloads access to Google Cloud resources, without using a service account key.
You can use identity federation with Amazon Web Services (AWS), or with any identity provider (IdP) that supports OpenID Connect (OIDC), such as Microsoft Azure, or SAML 2.0.
Note: InfoSum does not support Google Cloud Storage (GCS) parallel composite uploads.
Note: If you decide to use a Service Account Key setup instead of Workload Identity Federation, see Configuring Google Cloud Platform (Service Account Key Setup) for further information.
First, you will need a Google Cloud Platform account. To set up an account, or access an existing account, go to the URL: console.cloud.google.com
Once you have created your Google Cloud Platform account, you will need to create the following to work with InfoSum Platform:
- Create a project
- Create a bucket for your project
- Create a service account for your project
- Create an identity pool
- Complete the InfoSum Google Cloud Storage data connector fields
The sections below describe the steps to do this.
Creating a project
Go to the console.cloud.google.com URL for your account.
Select Browser and click the New Project button in the Menu bar. Alternately, select a project and click the New Project button in the dialog box that opens.
The new project window opens, where you can change the new project name and browse and select the location of an associated Google organization.
Note: personal accounts cannot be associated with a Google organization.
Click the Create button to create the project.
Next, you will need to create a bucket for your project.
Creating a bucket for your project
Select Browser from the Cloud Storage menu for your newly-created project.
Select Create Bucket.
Enter a name for the bucket from the window that opens.
Click Continue to select the location to store your data depending on where you are.
Select the location type and location, for example, Multi-region and EU.
Note: You can see a breakdown of monthly cost estimates in the right-hand pane of the window.
Click Continue and select the default storage for your data. This can be left as Standard.
Click Continue and choose how to control access to objects, which can be left as is.
Click Continue to open advanced settings, which can be left as is.
Click Create and the bucket and its selected settings appear in the Browser list.
Click on the bucket to open the details window, where you can drag and drop files into the bucket.
Next, you will need to create a service account. This account is used to create the JSON file for the Google Cloud Platform connector file drop that you will see on the InfoSum Platform.
Creating a service account for your project
Select Service Accounts from the IAM & Admin menu in the Google Cloud Platform.
Select Create Service Account.
This opens the window shown below. Give the service account a name - this name is used to auto-complete the randomly generated Service account... field underneath.
Click Create and Continue to create the account and grant service account access to the project.
Select the Storage Object Viewer role, or a higher role, so that this account can be used. Storage Object Viewer is the lowest-privilege role that works with this service account.
IMPORTANT: For destination setup, be sure to grant permission to create and write files in the target folder and, if required, its subfolders.
Click Continue to grant specific users access to this account. There is no need to add any users here because when you create the account, the JSON file is downloaded to your computer and can be given to any users that need it.
Click Done and the account appears in the list of Service Accounts.
Next, you will need to create a ‘pool of identities’.
Creating a pool of identities
In the GCP console, navigate to “IAM & Admin” and select “Workload Identity Federation” from the menu on the left. Then select “Create Pool”.
To create the new identity pool, first give it a name and description, which can be anything of your choosing, and click “Continue”.
Under “Add a provider to pool” select “AWS” from the drop-down. Under provider details you can enter a name and ID to identify this provider within the account as being for InfoSum. Under AWS account ID enter “134928160093”. This is the AWS account ID that will be granted access to the service account and must be entered exactly.
Under “Configure provider attributes” you can leave the default values. These should be:
google.subject = assertion.arn
attribute.aws_role = assertion.arn.contains('assumed-role') ? assertion.arn.extract('{account_arn}assumed-role/') + 'assumed-role/' + assertion.arn.extract('assumed-role/{role_name}/') : assertion.ar
Once the pool is created you need to grant it permission to assume the service account.
Under “Workload Identity Federation” you should see the pool you have just created.
Copy the “IAM principal”, which will be in the following format:
principal://iam.googleapis.com/projects/[PROJECT_ID]/locations/global/workloadIdentityPools/[POOL_NAME]/subject/SUBJECT_ATTRIBUTE_VALUE
At the start of the line replace “principal” with “principalSet”
At the end of the line replace “/subject/SUBJECT_ATTRIBUTE_VALUE” with “/*”
That should result in an IAM principal in this format:
principalSet://iam.googleapis.com/projects/[PROJECT_ID]/locations/global/workloadIdentityPools/[POOL_NAME]/*
This is the IAM principal you need to set in the service account permissions.
Under “IAM & Admin” select “Service Accounts”, then the service account you created earlier. Select “Grant Access”.
Add the principal for the workload identity pool you copied earlier, select the role “Workload Identity User”, then save.
Finally, navigate back to “Workload Identity Federation” and click on the name of the workload pool. On the right, click “Connected Service Accounts”. Next to the name of your service account, click the small down arrow and you will see “Entire Pool”. The Client Library Configuration can now be downloaded. Click “Download” to download the client config JSON.
That should download a JSON document like this. You can then put this into the destination configuration in the InfoSum platform.
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/.............",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/..........",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}
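As an added check (example code written for this article, not InfoSum's or Google's), the script below validates a downloaded client configuration before it is pasted into the connector: it confirms the file is a keyless external_account configuration rather than a service account key, that it impersonates the service account you intend, and it derives from the audience the same principalSet:// member the steps above have you build by hand. The project number, pool, provider and service account names in the sample are constructed placeholders, and the impersonation URL is assumed to end with :generateAccessToken as downloaded configurations do.

```python
import json
import re

# Constructed sample of a downloaded client configuration; the project number,
# pool, provider and service account are placeholders, not a real deployment.
SAMPLE_CONFIG = """{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/infosum-pool/providers/infosum-aws",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/infosum-gcs@example-project.iam.gserviceaccount.com:generateAccessToken",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}"""

AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(?P<project>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/providers/(?P<provider>[^/]+)$")
SA_RE = re.compile(r"/serviceAccounts/(?P<email>[^/:]+):generateAccessToken$")


def pool_principal_set(audience: str) -> str:
    """Build the principalSet:// member for the whole pool (the manual
    principal -> principalSet, /subject/... -> /* edit) from the audience."""
    m = AUDIENCE_RE.match(audience)
    if not m:
        raise ValueError("audience does not name a workload identity pool provider")
    return (f"principalSet://iam.googleapis.com/projects/{m['project']}/locations/"
            f"global/workloadIdentityPools/{m['pool']}/*")


def check_config(raw: str, expected_sa: str) -> list[str]:
    """Return the problems found; an empty list means the file is a keyless
    AWS -> GCP federation config that impersonates the expected service account."""
    cfg = json.loads(raw)
    problems = []
    if cfg.get("type") != "external_account":
        problems.append("type is not external_account")
    if "private_key" in cfg:
        problems.append("file contains a private key; this is a service account key")
    if not AUDIENCE_RE.match(cfg.get("audience", "")):
        problems.append("audience does not name a pool provider")
    if cfg.get("subject_token_type") != "urn:ietf:params:aws:token-type:aws4_request":
        problems.append("subject_token_type is not the AWS request type")
    m = SA_RE.search(cfg.get("service_account_impersonation_url", ""))
    if not m or m["email"] != expected_sa:
        problems.append("impersonation URL does not target the expected service account")
    if cfg.get("credential_source", {}).get("environment_id") != "aws1":
        problems.append("credential_source is not the AWS environment")
    return problems
```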
Completing the InfoSum Google Cloud Storage data connector fields
You can complete the InfoSum Google Cloud Storage data connector fields using the downloaded client configuration JSON file and the bucket name from Google Cloud Platform.
Copy and paste your credentials (the JSON) into the Google Cloud Storage ICC Connector or GCS Destination.