GCP Storage

Introduction

This plugin is used to extract metadata, obtain data samples, and grant and revoke access (in conjunction with the GCP IAM plugin) to assets in GCP Storage.

Integration model

Metadata extraction

The methods provided by the Google driver are used to access the various resources.

It extracts the following attributes, which must have the same names in the name field of the attribute_definition table in order to appear in the template.

  • schema, with the bucket as its value.

  • physicalName and name, both with the name of the corresponding blob.

  • path, with the bucket path plus the resource name if it is a file.

  • infrastructure, with the selected value.

  • technology, with the selected value.

  • zone, with the selected value.

It will also send attributes related to the fields of the requested resource, which always depend on the content and type of the resource. For more information, see https://wiki.anjanadata.com/es/integraciones/25.2/extraccion-de-metadata-de-ficheros.

At the end of the creation workflow, when an object is governed, all available metadata for that object is sent to Tot, that is, all existing attributes of the created object.


Data sampling

For data sampling, the corresponding blob is read and the data is obtained according to the content defined in the object to be sampled, limited to the number of records set by configuration. The content of the relevant column is obfuscated where necessary.


Active governance

Access management requires the “Tot plugin GCP IAM” plugin to generate the custom roles (functions) representing the DSAs.


Certain limits apply to the number of users related to each resource; they can be consulted at https://cloud.google.com/iam/quotas.


Object editing

For object editing it requires the “Tot plugin GCP IAM” plugin, responsible for identity and access management, to retrieve (and create if necessary) the groups. Once retrieved, this plugin will be responsible for granting the appropriate access to users on the requested resources.

Currently, activation/deactivation of entities and editing of DSAs are supported.
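The read-modify-write that granting or revoking a DSA on a bucket comes down to (the active governance and object editing steps above), as an added example that is not the plugin's own code: the policy document is a constructed sample of what storage.buckets.getIamPolicy returns, and the project, custom role id and group are placeholders.

```python
"""Grant/revoke a DSA custom role on a bucket via the IAM policy read-modify-write.
Added example, not the Tot plugin's code: the policy is a constructed sample of what
storage.buckets.getIamPolicy returns; project, role id and group are placeholders."""
import copy

# Constructed sample policy (version 3 format) with one pre-existing binding.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:extractor@example-project.iam.gserviceaccount.com"]},
    ],
}
# Placeholders: the custom role representing a DSA and the group the IAM plugin manages.
DSA_ROLE = "projects/example-project/roles/dsa_finance_reader"
DSA_GROUP = "group:dsa-finance@example.com"

def members_of(policy, role):
    """Members of the unconditional binding for `role`, or [] if there is none."""
    for b in policy["bindings"]:
        if b["role"] == role and "condition" not in b:
            return list(b["members"])
    return []

def grant(policy, role, member):
    """Copy of `policy` with `member` bound to `role`; idempotent, keeps other bindings."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def revoke(policy, role, member):
    """Copy of `policy` with `member` removed from `role`; emptied bindings are dropped."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role:
            b["members"] = [m for m in b["members"] if m != member]
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new

if __name__ == "__main__":
    # With google-cloud-storage: policy = bucket.get_iam_policy(requested_policy_version=3),
    # then bucket.set_iam_policy(new); the kept etag makes a stale write fail (HTTP 412).
    print(members_of(grant(SAMPLE_POLICY, DSA_ROLE, DSA_GROUP), DSA_ROLE))
```

Because the copies keep the original etag, a concurrent change to the bucket policy is rejected by setIamPolicy instead of silently overwriting another writer's bindings.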


Required credentials

The required credentials must be configured in the YAML file, in the “credentialsContent” section of each configured instance.

Create the service account

In GCP, a separate IAM service account must be created for each plugin, and each account is then assigned the permissions needed for that plugin's specific tasks.


[Screenshot: att_1_for_171933815.png]


To scope permissions more precisely, create custom roles that group the permissions which will later be associated with the service accounts.


[Screenshot: att_4_for_171933815.png]

Metadata extraction

The permissions used are the following:

  • storage.objects.get

  • storage.objects.list


Data sampling

The permissions used are the following:

  • storage.objects.get

  • storage.objects.list


Active governance

Access management requires the “Tot plugin GCP IAM” plugin to generate the custom roles (functions) representing the DSAs.

The permissions used are the following:

  • storage.buckets.getIamPolicy

  • storage.buckets.setIamPolicy

  • storage.objects.get

  • storage.objects.list

In summary, the permissions used for the custom role will be the following:

[Screenshot: att_2_for_171933815.png]

To assign permissions to the storage service account, we will need to:

[Screenshot: att_5_for_171933815.png]

Object editing

Object editing requires the “Tot plugin GCP IAM” plugin to generate the custom roles (functions) representing the DSAs.

The permissions used are the following:

  • storage.buckets.getIamPolicy

  • storage.buckets.setIamPolicy

  • storage.objects.get

  • storage.objects.list