Before attempting these steps, ensure that you have purchased and configured Cloud Storage to meet your storage requirements, following the instructions provided by Google (including creating a Storage Bucket).
Also see Google's Cloud Storage pricing page for more information on pricing.
You should also make sure you have followed all of our Archive Prerequisites for Google.
PowerShell Method
This method uses a PowerShell script to automate most of the process.
It is quicker than the full manual process and less prone to error.
Before you start, you will need:
- An account in GCP with permission to create a project (the resourcemanager.projects.create permission) or the Owner role on an existing project,
- The ability to run a PowerShell script as Administrator,
- A browser window open and authenticated to the GCP tenant. This must be the most recently used browser tab.
To run the PowerShell script:
- Install the Google Cloud SDK using the instructions provided by Google,
- Ensure that the Google Cloud SDK is initialized by running the "gcloud init" command and following the instructions.
- Once the Google Cloud SDK has finished initializing, download the GCP_Storage_Configuration.ps1 file to your desktop.
- Alternatively, copy the script into Notepad++ and save it as GCP_Storage_Configuration with the Windows PowerShell file type (.ps1).
- Click the Desktop Search icon (next to the Start icon) and search for Windows PowerShell.
- Select Run as Administrator.
- Hold Shift and right-click the GCP_Storage_Configuration.ps1 file, then select Copy as Path.
- In the Windows PowerShell window, type cd followed by a space, paste the copied path, and remove the quotes and the trailing \GCP_Storage_Configuration.ps1 so that only the folder path remains, then press Enter. It will look similar to:
- cd C:\Users\(your name)\Desktop
- On the next line, enter & '.\GCP_Storage_Configuration.ps1' and press Enter.
- On the Project ID line, enter a unique Project ID name.
- ProjectId must be a unique string of 6 to 30 lowercase letters, digits, or hyphens. It must start with a lower case letter, followed by one or more lower case alphanumerical characters that can be separated by hyphens. It cannot have a trailing hyphen.
- On the Service Account ID line, enter a unique Service Account name. You can use the same name as the Project ID, or use the same naming conventions.
- On the Region line, enter either us-central1 or europe-west1, depending on the region that you want to store your data in.
- On the BucketName line, enter a name for your storage bucket, adhering to the naming conventions outlined in this article from Google. You will need to remember the Bucket Name later to configure the Archive features within CloudM Manage.
- The Powershell script will now create the Service Account and Bucket. This may take a few minutes.
- When the script next prompts you, you can enter a KeyName. This step is optional, but if you do enter a Key Name it must be between 6 and 30 letters, digits, hyphens or underscores. It must start with a lower case letter, followed by one or more alphanumerical characters that can be separated by hyphens or underscores. It cannot have a trailing hyphen or underscore.
- Optionally, set the StorageClass for the Bucket Storage. It must be one of 'STANDARD', 'NEARLINE', 'COLDLINE' or 'ARCHIVE'.
- Optionally, set the ServiceAccountKeyType. It must be either 'json' or 'p12'.
- Now, on the Output Path line, specify where the key file and log will be exported to on your computer (e.g. C:\CloudM GCPConfig). The path defaults to a GCPConfig folder in your user profile directory.
- The script will then run and output the following details, which you should note down (treat the key file path and the key file itself as confidential, since the key grants the service account's access to the archive bucket):
- Service Account Email Address
- Path to Service Account JSON key
- Bucket URL
- KMS Key Path
Manual Process
Obtaining the Service Account Key File
- Go to https://console.cloud.google.com/
- Ensure your project is set at the top of the screen.
- To create the Service Account Key File, go to IAM & Admin > Service Accounts from the left menu,
- Select an existing service account or create a new one. A dedicated service account for the archive is preferable, because the key you are about to create grants whatever access that account holds.
- Select the Keys tab.
- Select Add Key > Create New Key > JSON. The key file is downloaded to your computer; Google does not keep a copy.
- You will need to upload the Service Account JSON key file later when configuring the Archive feature in CloudM Manage. Keep the file confidential and restrict who can read it: anyone holding it can use the service account's full access to your archive.
Creating a Key Ring and Key (optional)
- Search for KMS in the search field, or select Security > Key Management
- Select Create Key Ring. The name can be set to the same as the bucket name.
- Ensure the keyring location matches the bucket location (europe-west1 or us-central1), and remember which location you set as you will need it when configuring Archive in CloudM Manage
- Click Next,
- On the Create Key screen, use the same Key name as the Key ring name (optional),
- Leave all the other settings at their defaults except Rotation Period,
- Set Rotation Period to Never (manual rotation) and select Create.
- Copy the Resource name of the KMS key that you have just created (select the 3 dot ellipsis under Actions and click Copy resource name). It has the form projects/PROJECT/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY.
- You will be asked for the Resource name later to configure the Archive feature within CloudM Manage (if you create a Key Ring and Key).
The key ring and key are used to encrypt the objects in the storage bucket and must not be disabled, removed or deleted at any point. If the key (or the key version that encrypted them) is destroyed, the objects in the storage bucket become permanently inaccessible.
Creating a Bucket
- From the Navigation menu (accessed by selecting the "Hamburger" menu icon in the top left of the screen), go to Cloud Storage > Bucket and select Create Bucket. Set the location to a specific region (europe-west1 or us-central1), matching the location you chose for the Key Ring above (if you created one).
- Make sure to use the “archive” prefix for the bucket name (e.g. archive-test) so that you can quickly identify the bucket.
- You will need the bucket name later to configure the Archive feature within CloudM Manage,
- Leave all settings at their defaults except for Advanced Settings,
- Under Advanced Settings, select Google-managed key in the Encryption section (the KMS key, if you created one, is supplied later when configuring Archive in CloudM Manage),
- Click Save to create the Bucket.
Adding permissions to the Service Account
Only a project Owner (or someone otherwise permitted to modify IAM policies) can add members; if you do not have the relevant permissions you will need someone who does to do this for you.
- Go to IAM & Admin > Service Accounts and select the service account on which you created the Service Account JSON key file,
- Copy the Email address in the Service Account Details section,
- Go to Cloud Storage > Bucket and then select the bucket you created earlier,
- Click on the Permissions tab and select Add a permission,
- Paste the email you copied into the members field,
- Add the Storage Admin and Storage Object Admin roles and Save. These roles are granted on the bucket only, not on the project, so the service account cannot reach other buckets,
- For CloudM Backup, you will need to add an extra role (Monitoring Viewer) to the Service Account.
- Go to IAM & Admin > IAM,
- Select the edit icon next to the required Service Account,
- Add the Monitoring Viewer role, if it does not already exist.
- Select Save to confirm.
Adding permissions to the Storage Bucket and KMS CryptoKey (optional)
Only a project Owner (or someone otherwise permitted to modify IAM policies) can add members; if you do not have the relevant permissions you will need someone who does to do this for you.
- Go to Cloud Storage > Settings,
- Copy the Service Account email under the Cloud Storage Service Account section. This is the project's Cloud Storage service agent (not the service account you created), and it needs the same bucket roles as in the previous step, so add them to this email as well,
- Go to Security > Key Management and click on the KMS key ring you created. On the next page, where only the specified KMS Key should be listed, click on the key.
- Click on Permissions > Add Member, in the panel on the right side of the screen.
- Click on the Show Info Panel option if you cannot see the panel.
- The Storage Service Account email will also need to be added here as a member,
- Add the role Cloud KMS CryptoKey Encrypter/Decrypter and select Save.
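The whole Manual Process above, from obtaining the service account key through the bucket, KMS and service-agent permissions, can also be done from the Google Cloud SDK in a PowerShell window. The script below is an added example written for this page; it is not the CloudM GCP_Storage_Configuration.ps1 script and not Google's documentation. The project ID, service account ID, bucket name, key names and output folder are assumptions, so replace them with your own values; it assumes you have already run "gcloud init" and hold the Owner role on the project.

```powershell
# Added example (not CloudM's script): the Manual Process as gcloud commands.
# Every name below is an assumption for illustration; change them before running.
$ProjectId  = 'my-archive-project'          # existing project on which you are Owner
$SaId       = 'cloudm-archive'              # dedicated service account for the archive
$Location   = 'europe-west1'                # must be the same for the bucket and the key ring
$BucketName = 'archive-test'                # "archive" prefix, as the article recommends
$KeyRing    = $BucketName                   # article: key ring name = bucket name
$KeyName    = $BucketName                   # article: key name = key ring name
$OutDir     = "$env:USERPROFILE\GCPConfig"  # where the JSON key is written

gcloud config set project $ProjectId
gcloud services enable storage.googleapis.com cloudkms.googleapis.com monitoring.googleapis.com

# 1. Dedicated service account and its JSON key ("Obtaining the Service Account Key File")
$SaEmail = "$SaId@$ProjectId.iam.gserviceaccount.com"
gcloud iam service-accounts create $SaId --display-name='CloudM Archive'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$KeyFile = Join-Path $OutDir "$SaId.json"
gcloud iam service-accounts keys create $KeyFile --iam-account=$SaEmail --key-file-type=json

# Keep the key confidential: drop inherited NTFS permissions and leave read access to you only.
icacls $KeyFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null

# 2. Key ring and key ("Creating a Key Ring and Key"). Leaving out --rotation-period and
#    --next-rotation-time is the CLI equivalent of Rotation Period = Never (manual rotation).
gcloud kms keyrings create $KeyRing --location=$Location
gcloud kms keys create $KeyName --keyring=$KeyRing --location=$Location --purpose=encryption
$KmsKeyPath = gcloud kms keys describe $KeyName --keyring=$KeyRing --location=$Location --format='value(name)'

# 3. Bucket in the same location; default (Google-managed) encryption is left untouched, as in the article.
gcloud storage buckets create "gs://$BucketName" --location=$Location `
    --default-storage-class=STANDARD --uniform-bucket-level-access --public-access-prevention

# 4. Roles for the archive service account: bucket-scoped storage roles plus Monitoring Viewer
#    on the project ("Adding permissions to the Service Account").
foreach ($Role in 'roles/storage.admin', 'roles/storage.objectAdmin') {
    gcloud storage buckets add-iam-policy-binding "gs://$BucketName" --member="serviceAccount:$SaEmail" --role=$Role
}
gcloud projects add-iam-policy-binding $ProjectId --member="serviceAccount:$SaEmail" --role='roles/monitoring.viewer'

# 5. The Cloud Storage service agent (the email shown under Cloud Storage > Settings) gets the
#    same bucket roles and Encrypter/Decrypter on the key ("Adding permissions to the Storage Bucket and KMS CryptoKey").
$StorageAgent = gcloud storage service-agent --project=$ProjectId
foreach ($Role in 'roles/storage.admin', 'roles/storage.objectAdmin') {
    gcloud storage buckets add-iam-policy-binding "gs://$BucketName" --member="serviceAccount:$StorageAgent" --role=$Role
}
gcloud kms keys add-iam-policy-binding $KeyName --keyring=$KeyRing --location=$Location `
    --member="serviceAccount:$StorageAgent" --role='roles/cloudkms.cryptoKeyEncrypterDecrypter'

# The values you will be asked for when configuring Archive in CloudM Manage
[pscustomobject]@{
    ServiceAccountEmail = $SaEmail
    ServiceAccountKey   = $KeyFile
    BucketUrl           = "gs://$BucketName"
    KmsKeyPath          = $KmsKeyPath
}
```

Two points worth checking after it runs: gcloud is a native command, so a failed step does not stop the script on its own; look at $LASTEXITCODE after any step you are unsure of, or run "gcloud storage buckets get-iam-policy gs://<bucket>" and "gcloud kms keys get-iam-policy" to confirm the bindings. The bucket roles are bound on the bucket rather than on the project, which keeps the service account (and therefore anyone who obtains its key file) from reaching other buckets in the project.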