Create a Google Cloud Platform connection to an Edge or Collibra Cloud site

Important 

Choose an option below to explore the documentation for the latest user interface (UI) or the classic UI.

To register and synchronize Google Cloud Storage via Edge, you need to prepare your Edge or Collibra Cloud site. After you install an Edge site or are granted a Collibra Cloud site, you can create a connection to the Google Cloud Platform (GCP).

Complete the prerequisites in your Google Cloud Platform and Collibra environments to create a connection between the two. Once you have created a connection, you can then proceed with metadata ingestion.

Available vaults

Tip 

You can use a vault to add your data source information to your Edge site connection.

Vaults are not available for Collibra Cloud site sites.
None
AWS Secrets Manager
Azure Key Vault
CyberArk Vault
Google Secret Manager
HashiCorp Vault
  

Prerequisites

In your Collibra environment

  • You have created and installed an Edge site.
    Note 

    If you have defined an outbound (forward) proxy on your Edge site, the integration considers that configuration when connecting to the data source. The following proxies are supported for GCS:

    • Pass through (No authentication)
    • Pass through (Basic authentication)
    • MITM (No authentication)
    • MITM (Basic authentication)
    • No proxy for noProxy hosts defined by Edge
  • You have a global role that has the Manage connections and capabilities global permission, for example, Edge integration engineer.

In your GCP environment

For more information on Google Cloud Platform and service accounts, go to the Google documentation. For more information on Dataplex roles, go to the Google documentation on Dataplex roles.

  • You need a Google Cloud Platform service account that can read the Google Cloud Storage (GCS) file system that you want to integrate. This means that the service account must have the following permissions:
    • storage.buckets.list to list buckets
    • storage.objects.list to list objects in a bucket
  • If you use Dataplex, the service account must be able to detect file schemas in GCS resources from Dataplex. This means that the service account must have the following permissions, for example, via the Dataplex Viewer role:
    • dataplex.*.get
    • dataplex.*.list

Steps

  1. Open a site.
    1. On the main toolbar, click Products iconCogwheel icon Settings.
      The Settings page opens.
    2. In the tab pane, click Edge.
      The Sites tab opens and shows a table with an overview of your sites.
    3. In the table, click the name of the site whose status is Healthy.
      The site page opens.
  2. In the Connections section, click Create connection.
    The Create connection page appears.
  3. Enter the required information.
    FieldDescriptionRequired

    Connection settings

    This section contains the general settings of your connection.

    Name

    The name of the Edge or Collibra Cloud site connection for Google Cloud Platform.

    		 Yes
    Description

    The description of the connection.

    		 No
    Connection provider

    The connection provider, which determines the available connection parameters.

    Select the GCP connection to connect to Google Cloud Platform.

    		Yes

    Connection parameters

    		This section contains the settings to connect to your data source.
    GCP Service Account

    The account to connect to GCP.
    Add the full content of the service account key JSON file.

    Copy
    Example
    {
      "type": "service_account",
      "project_id": "PROJECT_ID",
      "private_key_id": "KEY_ID",
      "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
      "client_email": "SERVICE_ACCOUNT_EMAIL",
      "client_id": "CLIENT_ID",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://accounts.google.com/o/oauth2/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
    }

    Ensure the service account has the required permissions.
    For more information about service account keys, go to the Google documentation.

    		 Yes
    Encryption options

    Select the type of encryption used to store the Secret Access Key.

    Default: To be encrypted by Edge management server.

    		 Yes

    Additional parameters

    Your connection to GCP does not require any additional parameters.

    Delete the existing blank property.

    		 No
  4. Click Create.
    The connection is added to the Edge or Collibra Cloud site.

What's next

You can now add the GCS synchronization capability to an Edge or Collibra Cloud site.

Prerequisites

In your Collibra environment

  • You either created and installed an Edge site or were granted a Collibra Cloud site.
    Note 

    If you have defined an outbound (forward) proxy on your Edge site, the integration considers that configuration when connecting to the data source. The following proxies are supported for GCS:

    • Pass through (No authentication)
    • Pass through (Basic authentication)
    • MITM (No authentication)
    • MITM (Basic authentication)
    • No proxy for noProxy hosts defined by Edge
  • You have added a vault to your Edge site.
    Note  Vaults are not supported on Collibra Cloud sites.
  • If your data source connection requires a file from your vault, the file must be encoded into Base64 and stored as a regular secret in your vault.
  • You have a global role that has the Manage connections and capabilities global permission, for example, Edge integration engineer.

In your GCP environment

For more information on Google Cloud Platform and service accounts, go to the Google documentation. For more information on Dataplex roles, go to the Google documentation on Dataplex roles.

  • You need a Google Cloud Platform service account that can read the Google Cloud Storage (GCS) file system that you want to integrate. This means that the service account must have the following permissions:
    • storage.buckets.list to list buckets
    • storage.objects.list to list objects in a bucket
  • If you use Dataplex, the service account must be able to detect file schemas in GCS resources from Dataplex. This means that the service account must have the following permissions, for example, via the Dataplex Viewer role:
    • dataplex.*.get
    • dataplex.*.list

Steps

  1. Open a site.
    1. On the main toolbar, click Products iconCogwheel icon Settings.
      The Settings page opens.
    2. In the tab pane, click Edge.
      The Sites tab opens and shows a table with an overview of your sites.
    3. In the table, click the name of the site whose status is Healthy.
      The site page opens.
  2. In the Connections section, click Create connection.
    The Create connection page appears.
  3. Select the GCP connection to connect to Google Cloud Platform.
  4. Enter the required information.
    FieldDescriptionRequired
    Name

    The name of the Edge or Collibra Cloud site connection for Google Cloud Platform.

    		 Yes
    Description

    The description of the connection.

    		 No
    Vault The vault where you store your data source values. No
    Connection type
    Important  Currently, only the Service Account authentication method is supported for this integration.

    The authentication method for your GCP connection. Select Service Account to use a Google service account for authentication.

    		 Yes
    GCP Service Account / Workload Identity Federation (WIF)
    Important  Currently, only the Service Account authentication method is supported for this integration.

    The account to connect to GCP.
    Add the full content of the service account key JSON file.

    Copy
    Example
    {
      "type": "service_account",
      "project_id": "PROJECT_ID",
      "private_key_id": "KEY_ID",
      "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
      "client_email": "SERVICE_ACCOUNT_EMAIL",
      "client_id": "CLIENT_ID",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://accounts.google.com/o/oauth2/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
    }

    Ensure the service account has the required permissions, as defined in the prerequisites.
    For more information about service account keys, go to the Google documentation.

    To use your vault, do the following:
    1. In the Value Type field, select Vault Key.
    2. Enter the query value to identify the secret in your vault.
      Example 
      Note The Query must be a string containing the properties required to identify the secret. Each property must be separated by a semicolon (;). For example: Safe=<SafeName>;Folder=<FolderName>;Object=<ObjectName>

      If a property is a folder with sub-folders, use a backslash (\) to define the folder path. For example: Folder=Root\Top Secrets\More Secrets

      For more information about query formats and supported properties, go to the CyberArk Credential Provider documentation.

    To use your vault, do the following:
    1. In the Value Type field, select Vault Key.
    2. Enter the required information:
      Secret Engine Type
      Select one of the following:
      • Key Value
      • Database
      Engine Path
      The engine path to your vault where the value is stored.
      Secret Path
      The secret path to your vault where the value is stored.
      Field
      If your Secret Engine Type is Key Value, enter the name of the field to your vault where the value is stored.
      Role
      If your Secret Engine Type is Database, enter the role specified in the Database engine.
      Example 

    To use your vault, do the following:
    1. In the Value Type field, select Vault Key.
    2. Enter the required information:
      Vault Name
      The name of your Azure Key Vault in your Azure Key Vault service where the value is stored.
      Secret Name
      The name of the secret in your vault where the value is stored.
      Example 

    To use your vault, do the following:
    1. In the Value Type field, select Vault Key.
    2. Enter the required information:
      Secret Name
      The name of the secret in your vault where the value is stored.
      Field
      If the secret stored in your AWS Secrets Manager is a JSON value, for example {"pass1": "my-password", "pass2": "my-password2"}, then you need to specify the Field to point to the exact JSON value that should be used. For example, Secret Name: edge-db-customer; Field: pass.
      Note If the secret stored in your AWS Secrets Manager is a plain string value, for example my-password, then you do not need to specify the Field.
      Example 

    To use your vault, do the following:
    1. In the Value Type field, select Vault Key.
    2. Enter the name of the secret in your vault where the value is stored.
      Example 
    		 Yes
    Property

    If your connection to GCP requires any additional parameters, click Add Property.

    		No
  5. Click Create.
    The connection is added to the Edge or Collibra Cloud site.

What's next

You can now add the GCS synchronization capability to an Edge or Collibra Cloud site.