Create a Google Cloud Platform connection to an Edge site

Before you can synchronize Google Dataplex via Edge, you need to prepare your Edge or Collibra Cloud site. After you created and installed an Edge site, you can create a connection to Google Cloud Platform (GCP).

Do you use a vault?

You can use a vault to add your data source information to your Edge site connection.

Check the connection property table below to see which information is available for your vault.

Vaults are not available for Collibra Cloud site sites.

No vault

AWS Secrets Manager

Azure Key Vault

CyberArk Vault

Google Secret Manager

HashiCorp Vault

I don't use a vault
AWS Secrets Manager
Azure Key Vault
CyberArk Vault
Google Secret Manager
HashiCorp Vault

How to use your vault...

To use your vault, do the following:

In the Value Type field, select Vault Key.
Enter the query value to identify the secret in your vault.
Example
Note The Query must be a string containing the properties required to identify the secret. Each property must be separated by a semicolon (;). For example: Safe=<SafeName>;Folder=<FolderName>;Object=<ObjectName>
If a property is a folder with sub-folders, use a backslash (\) to define the folder path. For example: Folder=Root\Top Secrets\More Secrets
For more information about query formats and supported properties, go to the CyberArk Credential Provider documentation.

To use your vault, do the following:

In the Value Type field, select Vault Key.
Enter the required information:
Secret Engine Type
Select one of the following:
- Key Value
- Database
Engine Path
The engine path to your vault where the value is stored.
Secret Path
The secret path to your vault where the value is stored.
Field
If your Secret Engine Type is Key Value, enter the name of the field to your vault where the value is stored.
Role
If your Secret Engine Type is Database, enter the role specified in the Database engine.
Example

To use your vault, do the following:

In the Value Type field, select Vault Key.
Enter the required information:
Vault Name
The name of your Azure Key Vault in your Azure Key Vault service where the value is stored.
Secret Name
The name of the secret in your vault where the value is stored.
Example

To use your vault, do the following:

In the Value Type field, select Vault Key.
Enter the required information:
Secret Name
The name of the secret in your vault where the value is stored.
Field
If the secret stored in your AWS Secrets Manager is a JSON value, for example {"pass1": "my-password", "pass2": "my-password2"}, then you need to specify the Field to point to the exact JSON value that should be used. For example, Secret Name: edge-db-customer; Field: pass.
Note If the secret stored in your AWS Secrets Manager is a plain string value, for example my-password, then you do not need to specify the Field.
Example

To use your vault, do the following:

In the Value Type field, select Vault Key.
Enter the name of the secret in your vault where the value is stored.
Example

Prerequisites

In your Collibra environment

You have created and installed an Edge site.
Note
If you have defined an outbound (forward) proxy on your Edge site, the integration considers that configuration when connecting to the data source. The following proxies are supported for GCS:
- Pass through (No authentication)
- Pass through (Basic authentication)
- MITM (No authentication)
- MITM (Basic authentication)
- No proxy for noProxy hosts defined by Edge
You have added a vault to your Edge site.
You have a global role that has the Manage connections and capabilities global permission, for example, Edge integration engineer.

In your GCP environment

You need a Google Cloud Platform Service Account that can read the Google Cloud Storage (GCS) file system that you want to integrate. This means that the Service Account must have the permissions to list buckets (storage.buckets.list) and objects in a bucket (storage.objects.list). For information on GCP, go to the Google documentation.
If you use Dataplex, the Service Account must be able to detect file schemas in GCS resources from Dataplex. This means that the Service Account must have the following permissions dataplex.*.get and dataplex.*.list, for example, via the Dataplex Viewer role. For information on GCP service account, go to the Google documentation, and for information on Dataplex roles, go to the Google documentation.
If you want to have Project IDs available for selection when you add Project IDs on the Synchronize Metadata page, ensure that the service account has the resourcemanager.projects.get permission to GCP Projects where Dataplex is enabled. If the service account does not have this permission, you can enter the Project IDs manually on the Synchronize Metadata page.

Steps

Open a site.
1. On the main toolbar, click → Settings.
  The Settings page opens.
2. In the tab pane, click Edge.
  The Sites tab opens and shows a table with an overview of your sites.
3. In the table, click the name of the site whose status is Healthy.
  The site page opens.
In the Connections section, click Create connection.
The Create connection page appears.
Select the GCP connection to connect to Google Cloud Platform.

Enter the required information.

Field	Description	Required	Available for vaults?
Name	The name of the Edge or Collibra Cloud site connection for Google Cloud Platform.	Yes	No
Description	The description of the connection.	No	No
Vault	The vault where you store your data source values.	No	No
Connection type	Important Currently, only the Service Account authentication method is supported for this integration. The authentication method for your GCP connection. Select Service Account to use a Google service account for authentication.	Yes	No
Service Account / Workload Identity Federation (WIF)	Important Currently, only the Service Account authentication method is supported for this integration. The account to connect to GCP. Add the full content of the service account key JSON file. Copy Example { "type": "service_account", "project_id": "PROJECT_ID", "private_key_id": "KEY_ID", "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n", "client_email": "SERVICE_ACCOUNT_EMAIL", "client_id": "CLIENT_ID", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://accounts.google.com/o/oauth2/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL" } Ensure the service account has the required permissions, as defined in the prerequisites. For more information about service account keys, go to the Google documentation.	Yes	Yes
Property	If your connection to GCP requires any additional parameters, click Add Property.	No	No

Click Create.
The connection is added to the Edge or Collibra Cloud site.

What's next

You can now add the Google Dataplex Catalog synchronization capability to an Edge or Collibra Cloud site.