Prior to attempting these steps, please ensure that you have a valid Google Cloud Billing account and the permissions necessary to create or manage a GCP project.
See here for more information on Cloud Storage pricing.
Scripted Method
This method uses a PowerShell script to automate most of the process required to configure a Google Cloud Storage bucket for use in CloudM Backup.
It is easier, quicker and less error prone than the full manual process (below).
Before you start, you will need:
- An account in Google Cloud with permission to create a project (the resourcemanager.projects.create permission) or the “Owner” role on an existing project,
- The ability to run a PowerShell script as Administrator,
- A browser window open and authenticated to the Google Cloud tenant. This must be the last browser tab you used.
To run the PowerShell script:
- Install the Google Cloud SDK using the instructions provided by Google here,
- Ensure that the Google Cloud SDK is initialized by running the “gcloud init” command and following the instructions.
- Once the Google Cloud SDK has finished initializing, download the GCP_Storage_Configuration.ps1 file to a folder of your choosing.
- You can also copy the script into a text editor, saving it as GCP_Storage_Configuration with the Windows PowerShell file type (.ps1).
- Click on your Desktop Search icon (next to the Start icon) and search for Windows PowerShell.
- Select Run as Administrator.
- Locate the GCP_Storage_Configuration.ps1 file you previously downloaded and copy the folder path to the file.
- In the Windows PowerShell window, enter “CD”, a space, and then paste the folder path from the previous step. It will look similar to:
- CD C:\Users\(your name)\Downloads
- Enter .\GCP_Storage_Configuration.ps1 and press Enter.
- On the Project ID line, enter a unique Project ID name.
- ProjectId must be a unique string of 6 to 30 lowercase letters, digits, or hyphens. It must start with a lowercase letter, followed by one or more lowercase alphanumeric characters that can be separated by hyphens. It cannot have a trailing hyphen.
- On the Service Account ID line, enter a unique Service Account name. You can use the same name as the Project ID, or follow the same naming conventions.
- On the Region line, enter a CloudM Backup supported region, depending on the region in which you want to store your data.
- On the BucketName line, enter a name for your storage bucket, adhering to the naming conventions outlined in this article from Google. You will need the Bucket Name later to configure the Backup features within CloudM.
- The PowerShell script will now create the Service Account and Bucket. This may take a few minutes.
- Once the script has stopped, you can add a KeyName. This step is optional, but if you do enter a Key Name it must be between 6 and 30 letters, digits, hyphens or underscores. It must start with a lowercase letter, followed by one or more alphanumeric characters that can be separated by hyphens or underscores. It cannot have a trailing hyphen or underscore.
- Optionally, set the StorageClass for the Bucket Storage. It must be one of ‘STANDARD’, ‘NEARLINE’, ‘COLDLINE’, ‘ARCHIVE’ or ‘AUTOCLASS’.
- Optionally, set the ServiceAccountKeyType. It must be ‘json’.
- Now, on the Output Path line, specify where the JSON key and log will be exported to on your computer (e.g. C:\CloudM GCPConfig). The path defaults to “$Home\GCPConfig”.
- The PowerShell script will run and provide the following details, which you should note down:
- Service Account Email Address
- Path to Service Account JSON key
- Bucket URL
- KMS Key Path
- Follow the additional steps given in the output of the PowerShell script.
Manual Method
Obtaining the Service Account Key File
- Go to https://console.cloud.google.com/
- Ensure your project is set at the top of the screen.
- To create the Service Account Key File, go to IAM & Admin > Service Accounts from the left menu.
- Go to any active service account (preferable) or create a new one.
- Select the Keys tab.
- Select Add Key > Create New Key > JSON.
- You will need to upload the Service Account JSON key file later when configuring the Backup feature in CloudM Automate. Keep the file confidential, as it allows full access to your backups.
Creating a Key Ring and Key (optional)
- Search for KMS in the search field, or select Security > Key Management
- Select Create Key Ring. The name can be set to the same as the bucket name.
- Ensure the keyring location matches the bucket location (europe-west1 or us-central1), and remember which location you set as you will need it when configuring Backup in CloudM Automate
- Click Next,
- On the Create Key screen, use the same Key name as the Key ring name (optional),
- Leave all the other settings as default except Rotation Period,
- Set Rotation Period to Never (manual rotation) and select Create.
- Copy the Resource name of the KMS key that you have just created (by selecting the three-dot ellipsis under Actions and clicking Copy resource name).
- You will be asked for the Resource name later when configuring the Backup feature within CloudM Automate (if you created a Key Ring and Key).
The key ring and key are used to encrypt the blob storage and should not be removed or deleted at any point. If they are removed or deleted, the blobs in the storage bucket will become inaccessible.
Creating a Bucket
- From the Navigation menu (accessed by selecting the “Hamburger” menu icon in the top left of the screen), go to Cloud Storage > Bucket and select Create Bucket > Set to specific region (europe-west1 or us-central1), as set in step 3 of the Creating a Key Ring section above (if completed).
- Make sure to use the “backup” prefix for the bucket name (e.g. backup-test) so that you can quickly identify the bucket.
- You will need the bucket name later to configure the Backup feature within CloudM Automate.
Adding permissions to the Service Account
The owner is the only one with permissions to add members, and you will need someone to do this for you if you do not have the relevant permissions.
- Go to IAM & Admin > Service Accounts and select the service account on which you created the Service Account JSON key file,
- Copy the Email address in the Service Account Details section,
- Go to Cloud Storage > Bucket and then select the bucket you created earlier,
- Click on the Permissions tab and select Add a permission,
- Paste the email you copied into the members field,
- Add the Storage Admin and Storage Object Admin roles and Save,
- You will also need to add an extra role (Monitoring Viewer) to the Service Account:
- Go to IAM & Admin > IAM,
- Select the edit icon next to the required Service Account,
- Add the Monitoring Viewer role, if it does not already exist.
- Select Save to confirm.
Adding permissions to the Storage Bucket and KMS CryptoKey (optional)
The owner is the only one with permissions to add members, and you will need someone to do this for you if you do not have the relevant permissions.
- Go to Cloud Storage > Settings,
- Copy the Service Account email (under the Cloud Storage Service Account section) and add the roles from the previous step to this email as well,
- Click on the KMS key you created in Security > Cryptographic Keys. On the next page, where only the specified KMS Key should be listed, click on it again.
- Click on Permissions > Add Member in the panel on the right side of the screen.
- Click on the Show Info Panel option if you cannot see the panel.
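The Manual Method steps above, driven from PowerShell with the gcloud CLI, as an added example that is not CloudM's GCP_Storage_Configuration.ps1. It assumes gcloud is installed and initialised (gcloud init) by an Owner of an existing project, and that the placeholder values at the top are replaced. Two choices go beyond the page: uniform bucket-level access and public-access prevention are hardening defaults set on the bucket, and the Cloud Storage service agent is granted the Cloud KMS CryptoKey Encrypter/Decrypter role on the key, which is what a bucket needs in order to use a customer-managed key (the page leaves the role unnamed).

```powershell
# Added example (not CloudM's script): Manual Method steps via gcloud.
# Placeholders below are constructed values; replace them before running.
$ProjectId   = 'my-backup-project'          # placeholder: existing project ID
$ServiceAcct = 'cloudm-backup-sa'           # placeholder: service account ID
$Region      = 'europe-west1'               # a CloudM Backup supported region
$BucketName  = 'backup-cloudm-01'           # "backup" prefix, as the page recommends
$KeyRing     = $BucketName                  # page: key ring name may equal the bucket name
$KeyName     = $BucketName
$OutputPath  = Join-Path $Home 'GCPConfig'  # the page's default output folder
$UseKms      = $true                        # the optional Key Ring and Key section

function Invoke-Gcloud {
    # Runs one gcloud command and stops the script on a non-zero exit code,
    # so a failed step (e.g. a missing permission) is never silently skipped.
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$GcloudArgs)
    $out = & gcloud @GcloudArgs
    if ($LASTEXITCODE -ne 0) { throw "gcloud $($GcloudArgs -join ' ') failed (exit $LASTEXITCODE)" }
    return $out
}

New-Item -ItemType Directory -Force -Path $OutputPath | Out-Null

# 1. Service account and JSON key ("Obtaining the Service Account Key File").
Invoke-Gcloud iam service-accounts create $ServiceAcct --project=$ProjectId --display-name='CloudM Backup'
$SaEmail = "$($ServiceAcct)@$($ProjectId).iam.gserviceaccount.com"
$KeyFile = Join-Path $OutputPath "$($ServiceAcct).json"
Invoke-Gcloud iam service-accounts keys create $KeyFile --iam-account=$SaEmail --key-file-type=json
# The key gives full access to the backups: drop inherited ACLs so only this user can read it.
icacls $KeyFile /inheritance:r /grant:r "${env:USERNAME}:(R)" | Out-Null

# 2. Bucket in the chosen region ("Creating a Bucket"). Uniform bucket-level access
#    and public-access prevention are hardening defaults added here, not page steps.
Invoke-Gcloud storage buckets create "gs://$BucketName" --project=$ProjectId --location=$Region `
    --default-storage-class=STANDARD --uniform-bucket-level-access --public-access-prevention

# 3. Roles ("Adding permissions to the Service Account"): the two storage roles
#    scoped to this bucket only, plus Monitoring Viewer at project level.
foreach ($role in 'roles/storage.admin', 'roles/storage.objectAdmin') {
    Invoke-Gcloud storage buckets add-iam-policy-binding "gs://$BucketName" --member="serviceAccount:$SaEmail" --role=$role
}
Invoke-Gcloud projects add-iam-policy-binding $ProjectId --member="serviceAccount:$SaEmail" --role=roles/monitoring.viewer

# 4. Optional CMEK ("Creating a Key Ring and Key"). Omitting --rotation-period gives
#    manual rotation only. The Cloud Storage service agent must be able to use the
#    key (assumed role: cryptoKeyEncrypterDecrypter) before the bucket can default to it.
$KmsKeyPath = ''
if ($UseKms) {
    Invoke-Gcloud kms keyrings create $KeyRing --project=$ProjectId --location=$Region
    Invoke-Gcloud kms keys create $KeyName --project=$ProjectId --keyring=$KeyRing --location=$Region --purpose=encryption
    $KmsKeyPath = "projects/$ProjectId/locations/$Region/keyRings/$KeyRing/cryptoKeys/$KeyName"
    $GcsAgent = (Invoke-Gcloud storage service-agent --project=$ProjectId | Select-Object -Last 1).Trim()
    Invoke-Gcloud kms keys add-iam-policy-binding $KeyName --project=$ProjectId --keyring=$KeyRing --location=$Region `
        --member="serviceAccount:$GcsAgent" --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
    Invoke-Gcloud storage buckets update "gs://$BucketName" --default-encryption-key=$KmsKeyPath
}

# 5. The details the page says to note down for the CloudM Backup configuration.
[pscustomobject]@{
    ServiceAccountEmail = $SaEmail
    ServiceAccountKey   = $KeyFile
    BucketUrl           = "gs://$BucketName"
    KmsKeyPath          = $KmsKeyPath
} | Format-List
```

Run it from an elevated PowerShell window in the same way as the scripted method. Because every gcloud call goes through Invoke-Gcloud, a permission failure on, say, the KMS binding stops the script at that point rather than leaving a bucket that silently falls back to Google-managed encryption; the key ring and key it creates should never be deleted afterwards, for the reason given in the Key Ring section above.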
CloudM Backup GCS storage bucket requirements
Your CloudM Backup storage bucket needs to be either US or Europe and it has to be in the same region as your Google Workspace Tenant. It cannot be the same bucket that you use for CloudM Archive.
Supported GCS regions
- US (multi-region)
- NAM4 (dual region)
- US-CENTRAL1
- US-WEST1
- US-WEST2
- US-WEST3
- US-WEST4
- US-EAST1
- US-EAST4
- US-EAST5
- US-SOUTH1
- NORTHAMERICA-NORTHEAST1
- NORTHAMERICA-NORTHEAST2
- EU (multi-region)
- EUR4 (dual region)
- EUROPE-WEST1
- EUROPE-WEST2
- EUROPE-WEST3
- EUROPE-WEST4
- EUROPE-WEST6
- EUROPE-WEST8
- EUROPE-WEST9
- EUROPE-WEST12
- EUROPE-SOUTHWEST1
- EUROPE-CENTRAL2
- EUROPE-NORTH1
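An added example, not part of CloudM's script, that checks the scripted-method inputs (ProjectId, ServiceAccountId, Region, BucketName, KeyName, StorageClass, ServiceAccountKeyType) against the rules stated on this page before any project, service account or bucket is created, so a bad value is caught before it costs an API call or leaves a half-built configuration. The region list is the one above; the bucket-name check is an assumed subset of Google's published rules (3 to 63 characters of lowercase letters, digits, hyphens, underscores and dots, alphanumeric at both ends), and the "backup" prefix is this page's recommendation, treated as a warning rather than an error.

```powershell
# Added example (not CloudM's script): validate scripted-method inputs up front.
$SupportedRegions = @(
    'US','NAM4','US-CENTRAL1','US-WEST1','US-WEST2','US-WEST3','US-WEST4',
    'US-EAST1','US-EAST4','US-EAST5','US-SOUTH1',
    'NORTHAMERICA-NORTHEAST1','NORTHAMERICA-NORTHEAST2',
    'EU','EUR4','EUROPE-WEST1','EUROPE-WEST2','EUROPE-WEST3','EUROPE-WEST4',
    'EUROPE-WEST6','EUROPE-WEST8','EUROPE-WEST9','EUROPE-WEST12',
    'EUROPE-SOUTHWEST1','EUROPE-CENTRAL2','EUROPE-NORTH1'
)
$StorageClasses = @('STANDARD','NEARLINE','COLDLINE','ARCHIVE','AUTOCLASS')

function Test-ProjectId([string]$Id) {
    # Page rule: 6-30 chars, lowercase letter first, lowercase letters/digits/hyphens,
    # no trailing hyphen. -cmatch makes the check case-sensitive.
    return $Id -cmatch '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

function Test-KeyName([string]$Name) {
    # Page rule: 6-30 chars, lowercase letter first, letters/digits/hyphens/underscores,
    # no trailing hyphen or underscore.
    return $Name -cmatch '^[a-z][A-Za-z0-9_-]{4,28}[A-Za-z0-9]$'
}

function Test-BucketName([string]$Name) {
    # Assumed subset of Google's bucket naming rules (not stated on this page).
    return $Name -cmatch '^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$'
}

function Test-BackupConfig {
    # Returns the list of problems found; an empty list means the inputs are acceptable.
    param([hashtable]$Config)
    $problems = @()
    if (-not (Test-ProjectId $Config.ProjectId)) {
        $problems += "ProjectId '$($Config.ProjectId)' breaks the 6-30 char / lowercase / no-trailing-hyphen rule"
    }
    if (-not (Test-ProjectId $Config.ServiceAccountId)) {
        $problems += "ServiceAccountId '$($Config.ServiceAccountId)' should follow the ProjectId naming convention"
    }
    if ($SupportedRegions -notcontains $Config.Region.ToUpperInvariant()) {
        $problems += "Region '$($Config.Region)' is not a CloudM Backup supported region"
    }
    if (-not (Test-BucketName $Config.BucketName)) {
        $problems += "BucketName '$($Config.BucketName)' violates bucket naming rules"
    } elseif ($Config.BucketName -notlike 'backup*') {
        Write-Warning "BucketName '$($Config.BucketName)' lacks the recommended 'backup' prefix"
    }
    if ($Config.KeyName -and -not (Test-KeyName $Config.KeyName)) {
        $problems += "KeyName '$($Config.KeyName)' breaks the key naming rule"
    }
    if ($Config.StorageClass -and $StorageClasses -notcontains $Config.StorageClass.ToUpperInvariant()) {
        $problems += "StorageClass must be one of $($StorageClasses -join ', ')"
    }
    if ($Config.ServiceAccountKeyType -and $Config.ServiceAccountKeyType -ne 'json') {
        $problems += "ServiceAccountKeyType must be 'json'"
    }
    return $problems
}

# Constructed sample inputs: $good satisfies every rule; $bad has an uppercase,
# trailing-hyphen ProjectId, an unsupported region and a KeyName ending in a hyphen.
$good = @{ ProjectId='cloudm-backup-01'; ServiceAccountId='cloudm-backup-01'; Region='europe-west1';
           BucketName='backup-cloudm-01'; KeyName='backup_key_01'; StorageClass='STANDARD'; ServiceAccountKeyType='json' }
$bad  = @{ ProjectId='Backup-'; ServiceAccountId='cloudm-backup-01'; Region='asia-east1';
           BucketName='backup-cloudm-01'; KeyName='k1-'; StorageClass='NEARLINE'; ServiceAccountKeyType='json' }

Test-BackupConfig $good   # prints nothing when all checks pass
Test-BackupConfig $bad    # prints one line per rule that was broken
```

Call Test-BackupConfig on the values you intend to type into the script's prompts and only proceed when it returns an empty list; the region comparison is case-insensitive because the page lists regions in upper case while the console and gcloud use lower case.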