Prior to attempting these steps, please ensure that you have purchased and configured Cloud Storage, to meet your storage requirements, in accordance with instructions provided by Google here.
Obtaining the Service Account Key File
- Go to https://console.cloud.google.com/
- Ensure your project is set at the top of the screen.
- To create the Service Account Key File, go to IAM & Admin > Service Accounts from the left menu
- Go to any active service account (preferable) or create a new one.
- Select Add Key > Create New Key > JSON
- You will need to upload the Service Account JSON key file later when configuring the Archive feature in CloudM Manage. Keep the file confidential as it allows full access to your archive.
Creating a Key Ring and Key
- Search for KMS in the search field, or select Security > Cryptographic Keys
- Create a new Key Ring. The name can be set to the same as the bucket name.
- Ensure the key ring location matches the bucket location (europe-west1 or us-central1), and note which location you set, as you will need it when configuring Archive in CloudM Manage.
- Click Next.
- On the Create Key screen, use the same Key name as the Key ring name (optional).
- Leave all the other settings at their defaults except Rotation Period.
- Set Rotation Period to Never (manual rotation) and select Create.
- Copy the Resource name of the KMS key that you have just created (select the three-dot ellipsis under Actions and click Copy resource name).
- You will need the Resource name later to configure the Archive feature within CloudM Manage.
The key ring and key are used to encrypt the blob storage and should not be removed or deleted at any point. If they are removed or deleted, the blobs in the storage bucket will become inaccessible.
Creating a Bucket
- From the left menu, go to Storage > Browser and select Create Bucket > Set to specific region (europe-west1 or us-central1), as set in step 3 of the Creating a Key Ring section above.
- Make sure to use the “archive” prefix for the bucket name (e.g. archive-test) so that you can quickly identify the bucket.
- You will need the bucket name later to configure the Archive feature within CloudM Manage.
Adding permissions to the Bucket
Only the bucket owner can add members; if you do not have that permission, ask an owner to carry out these steps for you.
- Go to IAM & Admin > Service Accounts and select the service account for which you created the Service Account JSON key file.
- Copy the Email address shown in the Service account details section.
- Go to Storage > Browser and select the bucket you created earlier.
- Click on the Permissions tab and select Add a permission.
- Paste the service account email you copied above into the Members field.
- Add the Storage Admin and Storage Object Admin roles and click Save.
- Go to Storage > Settings.
- Copy the Service Account email (under the Cloud Storage Service Account section) and grant the same two roles from the previous step to this email as well.
- Click on the KMS key you created in Security > Cryptographic Keys. On the next page, where only the specified KMS Key should be listed, click on it again.
- Click on Permissions > Add Member, in the panel on the right side of the screen.
- Click on the Show Info Panel option if you cannot see the panel.
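The console steps above, from the service account key through the bucket and KMS permissions, can also be carried out with the gcloud CLI. The script below is an added example written for this page; it is not CloudM's or Google's own tooling. PROJECT_ID, SA_NAME, BUCKET and the output path of the key file are placeholders you must set, and by default it runs in dry-run mode (DRY_RUN=1), only printing the gcloud commands so they can be reviewed before anything is created. The page stops before naming the role to grant on the KMS key; the script assumes roles/cloudkms.cryptoKeyEncrypterDecrypter, which is the role the Cloud Storage service agent needs in order to use a customer-managed key.

```shell
#!/usr/bin/env bash
# Added example: the CloudM Archive prerequisites as gcloud commands.
# All values below are placeholders; override them via the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"      # placeholder project
SA_NAME="${SA_NAME:-cloudm-archive}"           # placeholder service account name
LOCATION="${LOCATION:-europe-west1}"           # europe-west1 or us-central1 (page)
BUCKET="${BUCKET:-archive-test}"               # must carry the "archive" prefix (page)
KEYRING="${KEYRING:-$BUCKET}"                  # page: key ring may be named after the bucket
KEY="${KEY:-$KEYRING}"                         # page: key may be named after the key ring
KEY_FILE="${KEY_FILE:-./cloudm-archive-sa.json}"
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands only

# Bucket names should start with "archive" so the bucket is easy to identify.
bucket_name_ok() { case "$1" in archive-*) return 0 ;; *) return 1 ;; esac; }

# The key ring must live in the same location as the bucket, one of the two the page allows.
location_ok() { [ "$1" = "europe-west1" ] || [ "$1" = "us-central1" ]; }

# Service account email as Google forms it: NAME@PROJECT.iam.gserviceaccount.com
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# KMS key resource name in the form the console's "Copy resource name" yields.
# Args: project location keyring key
kms_key_resource_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

main() {
  bucket_name_ok "$BUCKET" || { echo "bucket name must start with archive-" >&2; return 1; }
  location_ok "$LOCATION" || { echo "location must be europe-west1 or us-central1" >&2; return 1; }
  sa="$(sa_email "$SA_NAME" "$PROJECT_ID")"

  # 1. Service account and JSON key file. The key grants full access to the archive,
  #    so restrict the file to the current user as soon as it exists.
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID"
  run gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$sa" --project="$PROJECT_ID"
  run chmod 600 "$KEY_FILE"

  # 2. Key ring and key. No --rotation-period means no automatic rotation (manual only).
  run gcloud kms keyrings create "$KEYRING" --location="$LOCATION" --project="$PROJECT_ID"
  run gcloud kms keys create "$KEY" --keyring="$KEYRING" --location="$LOCATION" \
      --purpose=encryption --project="$PROJECT_ID"

  # 3. Bucket in the same location as the key ring.
  run gcloud storage buckets create "gs://$BUCKET" --location="$LOCATION" --project="$PROJECT_ID"

  # 4. Bucket roles for the service account and for the Cloud Storage service agent.
  if [ "$DRY_RUN" = "1" ]; then
    gcs_agent="service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com"  # placeholder
  else
    gcs_agent="$(gcloud storage service-agent --project="$PROJECT_ID")"
  fi
  for member in "serviceAccount:$sa" "serviceAccount:$gcs_agent"; do
    for role in roles/storage.admin roles/storage.objectAdmin; do
      run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" --member="$member" --role="$role"
    done
    # 5. Allow each member to encrypt/decrypt with the KMS key (role assumed, see lead-in).
    run gcloud kms keys add-iam-policy-binding "$KEY" --keyring="$KEYRING" --location="$LOCATION" \
        --project="$PROJECT_ID" --member="$member" --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
  done

  echo "Values to enter in CloudM Manage:"
  echo "  Bucket name:       $BUCKET"
  echo "  Location:          $LOCATION"
  echo "  KMS resource name: $(kms_key_resource_name "$PROJECT_ID" "$LOCATION" "$KEYRING" "$KEY")"
  echo "  Key file:          $KEY_FILE"
}

main
```

Run it once with the default DRY_RUN=1 to review the commands, then with DRY_RUN=0 against the intended project. The name and location checks mirror the page's two conventions (the "archive" prefix and the matching bucket/key ring location) so a typo is caught before any resource is created.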