Dataplex: Create a Google Cloud Platform connection to Edge or Collibra Cloud site

For Collibra Data Lineage to connect to and retrieve metadata from Google Dataplex, create a GCP connection.

Do you use a vault?

You can use a vault to add your data source information to your Edge site connection.

Check the connection property table below to see which information is available for your vault.

Vaults are not available for Collibra Cloud site sites.
No vault
AWS Secrets Manager
Azure Key Vault
CyberArk Vault
Google Secret Manager
HashiCorp Vault
  
To use your vault, do the following:
  1. In the Value Type field, select Vault Key.
  2. Enter the query value to identify the secret in your vault.
    Example 
    Note The Query must be a string containing the properties required to identify the secret. Each property must be separated by a semicolon (;). For example: Safe=<SafeName>;Folder=<FolderName>;Object=<ObjectName>

    If a property is a folder with sub-folders, use a backslash (\) to define the folder path. For example: Folder=Root\Top Secrets\More Secrets

    For more information about query formats and supported properties, go to the CyberArk Credential Provider documentation.

To use your vault, do the following:
  1. In the Value Type field, select Vault Key.
  2. Enter the required information:
    Secret Engine Type
    Select one of the following:
    • Key Value
    • Database
    Engine Path
    The engine path to your vault where the value is stored.
    Secret Path
    The secret path to your vault where the value is stored.
    Field
    If your Secret Engine Type is Key Value, enter the name of the field to your vault where the value is stored.
    Role
    If your Secret Engine Type is Database, enter the role specified in the Database engine.
    Example 

To use your vault, do the following:
  1. In the Value Type field, select Vault Key.
  2. Enter the required information:
    Vault Name
    The name of your Azure Key Vault in your Azure Key Vault service where the value is stored.
    Secret Name
    The name of the secret in your vault where the value is stored.
    Example 

To use your vault, do the following:
  1. In the Value Type field, select Vault Key.
  2. Enter the required information:
    Secret Name
    The name of the secret in your vault where the value is stored.
    Field
    If the secret stored in your AWS Secrets Manager is a JSON value, for example {"pass1": "my-password", "pass2": "my-password2"}, then you need to specify the Field to point to the exact JSON value that should be used. For example, Secret Name: edge-db-customer; Field: pass.
    Note If the secret stored in your AWS Secrets Manager is a plain string value, for example my-password, then you do not need to specify the Field.
    Example 

To use your vault, do the following:
  1. In the Value Type field, select Vault Key.
  2. Enter the name of the secret in your vault where the value is stored.
    Example 

Prerequisites

Steps

  1. Open a site.
    1. On the main toolbar, click Products iconCogwheel icon Settings.
      The Settings page opens.
    2. In the tab pane, click Edge.
      The Sites tab opens and shows a table with an overview of your sites.
    3. In the table, click the name of the site whose status is Healthy.
      The site page opens.
  2. In the Connections section, click Create connection.
    The Create connection page appears.
  3. Select the GCP connection to connect to Google Cloud Platform.
  4. Enter the required information.
    FieldDescriptionRequired
    Name

    The name of the Edge or Collibra Cloud site connection for Google Cloud Platform.

    		 Yes
    Description

    The description of the connection.

    		 No
    Vault The vault where you store your data source values. No
    Connection typeThe authentication method for your GCP connection. Select one of the following options:
    Service account
    Use a Google service account for authentication.
    Workload Identity Federation (WIF)
    Use Workload Identity Federation to authenticate without a service account key.
    Workload Identity Federation (WIF) using GKE
    Use Workload Identity Federation in Google Kubernetes Engine (GKE) to authenticate.
    Important 
    • When using a cloud provider for WIF, such as AWS or GCP, your Edge site must be deployed on the same cloud provider. For example, if the Edge site is installed on GCP, you cannot use AWS as the WIF provider.
    • Automatic token generation for WIF is supported if your Edge site is installed on AWS using K3s or GCP using GKE. If your Edge site is installed using K3s on any cloud provider other than AWS, automatic token generation is not supported.
    •  If you select Workload Identity Federation (WIF) using GKE, the following rules apply:
      • Only select this connection type if you have created a separate edge site on a GKE cluster in Google Cloud.
      • The Project IDs field is required when configuring synchronization.
      • Proxies are not supported.
      • Column-level lineage is not supported.
    		 Yes
    Service Account / Workload Identity Federation (WIF)Enter one of the following values:
    • For the Service Account authentication method, add the full content of the service account key JSON file. 
      {
      "type": "service_account",
      "project_id": "PROJECT_ID",
      "private_key_id": "KEY_ID",
      "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
      "client_email": "SERVICE_ACCOUNT_EMAIL",
      "client_id": "CLIENT_ID",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://accounts.google.com/o/oauth2/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"}

      Ensure the service account has the required permissions, as defined in the prerequisites.
      For more information about service account keys, go to the Google documentation.

    • For the Workload Identity Federation (WIF) authentication method, enter the token URL or the token if you're using WIF with a file-based credential source.
    • For the Workload Identity Federation (WIF) using GKE authentication method, you can ignore this field.
    		 Yes if you selected the Service Account or Workload Identity Federation (WIF) authentication method
    Property

    If your connection to GCP requires any additional parameters, click Add Property.

    		No
  5. Click Create.
    The connection is added to the Edge or Collibra Cloud site.

What's next

Add the Technical Lineage for Google Dataplex capability to your Edge or Collibra Cloud site.