Setup guide
  • 11 Jul 2024

This article describes the steps for a Provider to configure Bobsled access to a Google Cloud Storage bucket to be used as a source in Bobsled.


Prerequisites 

  • To configure Bobsled access to the bucket, your account must have sufficient permissions to create policies and assign roles in Google Cloud Storage.

  • If your GCP organization restricts which domains can access resources, you must allow the Bobsled domain.

    • To add the Bobsled domain to your organization policy, you will need the Directory Customer ID. In the Bobsled App, visit the Environment page and scroll to Google Cloud Storage setting details.

    • Visit Add domain to organization in GCP and follow the steps to allow the Bobsled domain.


Setup instructions

Step 1: Create a Custom Role

  1. Log in to the Google Cloud Platform Console as a project editor

  2. From the Home dashboard, select IAM and admin > Roles

  3. Click Create Role

  4. Enter a role name and a description for the custom role (e.g. Bobsled GCS Access Role, Custom role for Bobsled to access the required data in GCS buckets)

  5. Click the Add permissions button, and add the following permissions:

    • storage.buckets.get

    • storage.objects.get

    • storage.objects.list

  6. Click Create

 


Step 2: Assign Custom Role to Bobsled Service Account in the Bucket

Before you start this step, you’ll need the Bobsled Service Account Email. You can find it in either of these places:

  • From the sidebar, click on Environment and scroll down to Google Cloud Storage setting details, or

  • From the sidebar, click Sources > Add Source button, then follow the wizard by selecting Google Cloud Storage and your preferred region, and click Continue.

    • If you’ve already created a source, simply click edit on the menu (ellipsis) from the same page.

  1. Log in to the Google Cloud Platform Console as a project editor

  2. From the Home dashboard, select Cloud Storage > Buckets

  3. Find the bucket you want to grant Bobsled access to and click on the ellipsis to the right of the bucket's row. Select Edit Access.

  4. Click the Add Principal button.

  5. In the New principals field, paste in the Bobsled Service Account Email address and select it from the returned options.

  6. Select the Role dropdown. Under the Custom tab, choose the Bobsled custom role you created in the previous section (e.g. Bobsled GCS Access Role).

  7. Click Save. You should see the role added under the Storage Object Viewer role dropdown.
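To confirm that Steps 1 and 2 left Bobsled with read-only access and nothing more, the following added example (not part of the original guide or Bobsled's own tooling) audits the custom role and the bucket IAM policy. It assumes the JSON shapes returned by `gcloud iam roles describe --format=json` and `gcloud storage buckets get-iam-policy --format=json`; the project, role ID and service account email are constructed placeholders.

```python
# Permissions listed in Step 1 of the guide.
REQUIRED = {"storage.buckets.get", "storage.objects.get", "storage.objects.list"}

def audit_bobsled_grant(role, policy, sa_email):
    """Return findings; an empty list means the grant matches the guide."""
    member = f"serviceAccount:{sa_email}"
    granted = set(role.get("includedPermissions", []))
    findings = [f"role missing permission: {p}" for p in sorted(REQUIRED - granted)]
    findings += [f"role has extra permission: {p}" for p in sorted(granted - REQUIRED)]
    bindings = policy.get("bindings", [])
    # Every role the Bobsled service account holds on this bucket.
    held = sorted(b["role"] for b in bindings if member in b.get("members", []))
    if role["name"] not in held:
        findings.append("custom role is not bound to the service account")
    findings += [f"service account also holds: {r}" for r in held if r != role["name"]]
    # The custom role should be granted to the Bobsled service account only.
    for b in bindings:
        if b["role"] == role["name"]:
            findings += [f"custom role also granted to: {m}"
                         for m in sorted(b.get("members", [])) if m != member]
    return findings

# Constructed sample data (placeholder project, role ID and service account).
SA = "bobsled-placeholder@example-project.iam.gserviceaccount.com"
ROLE_NAME = "projects/example-project/roles/bobsledGcsAccessRole"
GOOD_ROLE = {"name": ROLE_NAME, "includedPermissions": sorted(REQUIRED)}
GOOD_POLICY = {"bindings": [
    {"role": ROLE_NAME, "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/storage.admin", "members": ["user:owner@example.com"]}]}
# Drifted grant: an added delete permission, a broad predefined role, public access.
BAD_ROLE = {"name": ROLE_NAME,
            "includedPermissions": sorted(REQUIRED | {"storage.objects.delete"})}
BAD_POLICY = {"bindings": [
    {"role": ROLE_NAME, "members": [f"serviceAccount:{SA}", "allUsers"]},
    {"role": "roles/storage.objectAdmin", "members": [f"serviceAccount:{SA}"]}]}

if __name__ == "__main__":
    for label, r, p in (("good", GOOD_ROLE, GOOD_POLICY),
                        ("drifted", BAD_ROLE, BAD_POLICY)):
        print(label, audit_bobsled_grant(r, p, SA) or "OK")
```
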


Step 3: For KMS encrypted buckets only: Grant Bobsled Service Account permission on Cryptographic Keys

  1. Log in to the Google Cloud Platform Console as a project editor

  2. From the Home dashboard, select Security > Key Management

  3. Select the key ring that is assigned to your GCS bucket.

  4. Click Show Info Panel in the upper-right corner and click the Add principal button.

  5. In the New principals field, search for the Bobsled service account.

  6. From the Select a role dropdown, select the Cloud KMS CryptoKey Encrypter/Decrypter role.

  7. Click the Save button.


Step 4: Finish source configuration in Bobsled

  1. On the Source page, add a new Google Cloud Storage source by clicking the Add source button:

    • Enter a human readable name to describe the source.

    • Select Google Cloud Storage and the region of your source bucket. Click Continue to move to the next step.

      • If your source bucket is multi-region, you may select any region for your source location.

  2. Enter the name of the bucket you’ve just granted access to. Optionally, you may also include the path to the root of your source.

  3. Click Save


Once you’ve successfully configured your Source, you can add it to a Share, choose a Destination, and create a transfer to start sharing your data.

