Google Object storage setup

Overview

Google Cloud Storage can be used as the storage backend for Web Catalogs and Version Control.

Setup

Connecter is given access through Workload Identity Federation, so no service account key is created or shared with Connecter. The steps for granting Connecter access to a bucket are:

  1. Create a service account for Connecter.
  2. Create a Workload Identity pool, with all the necessary APIs enabled in the project.
  3. Add https://teamwork.connecterapp.com/openid/v1 to the pool as an OIDC provider (this is the issuer). In the console, click the ADD PROVIDER button and create a provider with the following setup:

  4. Grant the Connecter service account access from the Workload Identity pool.
  5. Create a bucket (if one does not exist yet). For Web Catalogs, set the bucket's Public access to "Subject to object ACLs". This setting can be changed later.
  6. Grant the Connecter service account access to the bucket. Connecter needs the following permissions on objects inside the bucket for everything to work correctly:
     - storage.objects.create
     - storage.objects.delete
     - storage.objects.get
     - storage.objects.getIamPolicy
     - storage.objects.list
     - storage.objects.setIamPolicy
     - storage.objects.update
     - storage.multipartUploads.create
     - storage.multipartUploads.abort
     - storage.multipartUploads.listParts
     - storage.multipartUploads.list
  7. Set up a storage provider for Google Object Storage in https://teamwork.connecterapp.com with the necessary credentials:
     - Bucket Name - the name of your bucket.
     - Service account id - the id of the service account. You can find it on the service account info page.
     - Service account email - the email of the service account. You can find it on the service account info page.
     - Audience - constructed as follows: //iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID