Create a Google Cloud Platform connection to an Edge or Collibra Cloud site

Available vaults

Tip 

You can use a vault to add your data source information to your Edge site connection. Vaults are not available for Collibra Cloud site sites.	None AWS Secrets Manager Azure Key Vault CyberArk Vault Google Secret Manager HashiCorp Vault
	Select another vault I don't use a vault AWS Secrets Manager Azure Key Vault CyberArk Vault Google Secret Manager HashiCorp Vault

Prerequisites

• You either created and installed an Edge site or were granted a Collibra Cloud site.
  Note 

  If you have defined an outbound (forward) proxy on your Edge site, the integration will take that configuration into account when connecting to the data source. The following proxies are supported:

  • Pass through (No authentication)
  • Pass through (Basic authentication)
  • MITM (No authentication)
  • MITM (Basic authentication)
  • No proxy for noProxy hosts defined by Edge
• You have added a vault to your Edge site.
• Make sure you are on the latest UI, because the Dataplex Catalog ingestion is available only in the latest UI.
  
• You have a global role that has the Manage connections and capabilities global permission, for example, Edge integration engineer.
• You need a Google Cloud Platform Service Account that can read the Google Cloud Storage (GCS) file system that you want to integrate. This means the Service Account must have the permissions to list buckets (storage.buckets.list) and objects in a bucket (storage.objects.list). For information on GCP, go to the Google documentation.
• If you use Dataplex, the Service Account must be able to detect file schemas in GCS resources from Dataplex. This means the Service Account must have the following permissions dataplex.*.get and dataplex.*.list, for example, via the Dataplex Viewer role. For information on GCP service account, go to the Google documentation. For information on Dataplex roles, go to the Google documentation.
• If you want to have Project IDs available for selection when you add Project IDs on the Synchronize Metadata page, ensure that the service account has the resourcemanager.projects.get permission to GCP Projects where Dataplex is enabled. If the service account does not have this permission, you can enter the Project IDs manually on the Synchronize Metadata page.

Steps

1. Open a site.
   1. On the main toolbar, click → Settings.
      The Settings page opens.
   2. In the tab pane, click Edge.
      The Sites tab opens and shows a table with an overview of your sites.
   3. In the table, click the name of the site whose status is Healthy.
      The site page opens.
2. In the Connections section, click Create connection.
   The Create connection page appears.
3. Select the GCP connection to connect to Google Cloud Platform.
4. Enter the required information.

   Field	Description	Required
   Name	The name of the Edge or Collibra Cloud site connection for Google Cloud Platform.	Yes
   Description	The description of the connection.	No
   Vault	The vault where you store your data source values.	No
   Connection type	The authentication method for your GCP connection. Select one of the following options: Service account Use a Google service account for authentication. Workload Identity Federation (WIF) Use Workload Identity Federation to authenticate without a service account key. Workload Identity Federation (WIF) using GKE Use Workload Identity Federation in Google Kubernetes Engine (GKE) to authenticate.	Yes
   Service Account / Workload Identity Federation (WIF)	Enter one of the following values: For the Service Account authentication method, add the full content of the service account key JSON file. Example { "type": "service_account", "project_id": "PROJECT_ID", "private_key_id": "KEY_ID", "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n", "client_email": "SERVICE_ACCOUNT_EMAIL", "client_id": "CLIENT_ID", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://accounts.google.com/o/oauth2/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"} Ensure the service account has the required permissions. For more information about service account keys, go to the Google documentation. For the Workload Identity Federation (WIF) authentication method, enter the token URL or the token if you're using WIF with a file-based credential source. For the Workload Identity Federation (WIF) using GKE authentication method, you can ignore this field. How to use your vault... To use your vault, do the following: In the Value Type field, select Vault Key. Enter the query value to identify the secret in your vault. Example  To use your vault, do the following: In the Value Type field, select Vault Key. Enter the required information: Name Description Secret Engine Type Select one of the following: Key Value Database Engine Path The engine path to your vault where the value is stored. Secret Path The secret path to your vault where the value is stored. Field The name of the field to your vault where the value is stored. Note Only available if you selected Key Value in the Secret Engine Type field. Role The role specified in the Database engine. Note Only available if you selected Database in the Secret Engine Type field. Example  To use your vault, do the following: In the Value Type field, select Vault Key. Enter the required information: Name Description Vault Name The name of your Azure Key Vault in your Azure Key Vault service where the value is stored. Secret Name The name of the secret in your vault where the value is stored. Example  To use your vault, do the following: In the Value Type field, select Vault Key. Enter the required information: Name Description Secret Name The name of the secret in your vault where the value is stored. Field If the secret stored in your AWS Secrets Manager is a JSON value, for example {"pass1": "my-password", "pass2": "my-password2"}, then you need to specify the Field to point to the exact JSON value that should be used. For example, Secret Name: edge-db-customer; Field: pass. Note If the secret stored in your AWS Secrets Manager is a plain string value, for example my-password, then you do not need to specify the Field. Example  To use your vault, do the following: In the Value Type field, select Vault Key. Enter the name of the secret in your vault where the value is stored. Example	Yes if you selected the Service Account or Workload Identity Federation (WIF) authentication method
   Property	If your connection to GCP requires any additional parameters, click Add Property.	No

5. Click Create.
   The connection is added to the Edge or Collibra Cloud site.