Google Cloud Storage (GCS) Permissions


Last updated 3 months ago


Configuring Google Cloud Storage (GCS) permissions establishes secure access between Publisher and your cloud storage resources. These permissions define how Publisher can interact with your buckets and objects, using a service account and a custom role so that access stays limited to what the connector needs.

This guide outlines the minimum permissions needed to connect Publisher to specific GCS resources, including credential creation and bucket-level access configuration.

Concepts

  • Service Account (SA): This is an identity generated in Google Cloud that can be used to interact with GCP services. Each SA has a unique email (identity) and one or more JSON keys.

  • Data Project: A project that houses the target dataset.

  • Quota project: The project to which BigQuery usage is billed and whose quota is consumed.

  • Permission: Granular actions that a user can perform on a given resource.

  • Role: A collection of permissions typically needed for specific interactions against one or more resources: “Data Viewer,” “Storage Reader,” etc.

Minimal Configuration

This setup represents the minimal permissions needed to interact with one specific BigQuery DataSource without creating custom roles. It conceptually separates the Quota Project and the Data Project, but they can be the same project.

Creating Credentials

Create a new Service Account (SA) in any project.

For more information on creating a new service account, please refer to Google's IAM Guide.

# The backslash must be the last character on the line for the continuation to work
gcloud iam service-accounts create publisher-connectors \
  --display-name="Publisher Data Connections"

Generate a new JSON key and download it.

gcloud iam service-accounts keys create \
  publisher-connectors-key.json \
  --iam-account=publisher-connectors@${PROJECT}.iam.gserviceaccount.com

Creating a Custom Role in Data Project

Create a role that has permission to list buckets:

gcloud iam roles create "StorageBucketLister" \
  --project=${PROJECT} \
  --title="Storage Bucket Lister" \
  --description="Required for Publisher to list buckets" \
  --permissions="storage.buckets.list,storage.buckets.get" \
  --stage=GA

Assign that role to the SA you created in "Creating Credentials":

# Binds the custom role to the service account at project level
gcloud projects add-iam-policy-binding ${PROJECT} \
  --member="serviceAccount:publisher-connectors@${PROJECT}.iam.gserviceaccount.com" \
  --role="projects/${PROJECT}/roles/StorageBucketLister"

Data Project

For each bucket that you want to connect to Publisher, assign the Storage Object Viewer role (roles/storage.objectViewer) to the service account:

gcloud storage buckets add-iam-policy-binding gs://${BUCKET} \
  --member="serviceAccount:publisher-connectors@${PROJECT}.iam.gserviceaccount.com" \
  --role=roles/storage.objectViewer \
  --project=${PROJECT}
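After running the commands above, it is worth confirming that the service account ended up with exactly the access this page describes and nothing broader. The script below is an added example, not DNAstack's code: it audits the JSON that `gcloud ... --format=json` prints for the downloaded key file, the custom role (`gcloud iam roles describe`), the project IAM policy (`gcloud projects get-iam-policy`) and a bucket IAM policy (`gcloud storage buckets get-iam-policy`). All inputs are constructed samples embedded inline so it runs offline; the project id, bucket names and private-key text are placeholders, and the list of "broad" roles is the author's own choice of write-capable roles to flag.

```python
"""Offline audit of the Publisher GCS service-account setup (added example)."""
import json

PROJECT = "example-data-project"      # placeholder for ${PROJECT}
BUCKET = "example-genomics-bucket"    # placeholder for ${BUCKET}
SA_EMAIL = f"publisher-connectors@{PROJECT}.iam.gserviceaccount.com"
SA_MEMBER = f"serviceAccount:{SA_EMAIL}"
CUSTOM_ROLE = f"projects/{PROJECT}/roles/StorageBucketLister"

# Exactly the permissions the page's custom role grants, nothing more.
EXPECTED_ROLE_PERMISSIONS = {"storage.buckets.list", "storage.buckets.get"}

# Roles that would let a read-only connector write or delete (assumed list).
BROAD_ROLES = {
    "roles/owner", "roles/editor", "roles/storage.admin",
    "roles/storage.objectAdmin", "roles/storage.objectCreator",
    "roles/storage.legacyBucketOwner", "roles/storage.legacyBucketWriter",
}


def check_key_file(key_text):
    """Confirm the downloaded JSON key belongs to the expected service account."""
    key = json.loads(key_text)
    problems = []
    if key.get("type") != "service_account":
        problems.append(f"key type is {key.get('type')!r}, expected 'service_account'")
    if key.get("client_email") != SA_EMAIL:
        problems.append(f"key belongs to {key.get('client_email')}, expected {SA_EMAIL}")
    return problems


def check_custom_role(role_text):
    """Compare the role's includedPermissions with the two the page grants."""
    granted = set(json.loads(role_text).get("includedPermissions", []))
    problems = [f"custom role grants extra permission {p}"
                for p in sorted(granted - EXPECTED_ROLE_PERMISSIONS)]
    problems += [f"custom role is missing permission {p}"
                 for p in sorted(EXPECTED_ROLE_PERMISSIONS - granted)]
    return problems


def roles_for_member(policy, member):
    """All roles bound to `member` in a get-iam-policy JSON document."""
    return sorted({b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", [])})


def check_project_policy(policy_text):
    """The SA needs the custom role at project level and no broad role."""
    roles = roles_for_member(json.loads(policy_text), SA_MEMBER)
    problems = [] if CUSTOM_ROLE in roles else [f"project binding for {CUSTOM_ROLE} is missing"]
    problems += [f"project grants broad role {r}" for r in roles if r in BROAD_ROLES]
    return problems


def check_bucket_policy(bucket, policy_text):
    """Each connected bucket needs objectViewer for the SA and nothing write-capable."""
    roles = roles_for_member(json.loads(policy_text), SA_MEMBER)
    problems = []
    if "roles/storage.objectViewer" not in roles:
        problems.append(f"gs://{bucket}: roles/storage.objectViewer is not bound to {SA_EMAIL}")
    problems += [f"gs://{bucket}: broad role {r} bound" for r in roles if r in BROAD_ROLES]
    return problems


# ---- constructed sample inputs (shapes follow gcloud --format=json output) ----
KEY_FILE = json.dumps({
    "type": "service_account", "project_id": PROJECT,
    "private_key_id": "0123456789abcdef",                       # constructed
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": SA_EMAIL, "client_id": "000000000000000000000",
})
CUSTOM_ROLE_DESCRIBE = json.dumps({
    "name": CUSTOM_ROLE, "title": "Storage Bucket Lister", "stage": "GA",
    "includedPermissions": ["storage.buckets.get", "storage.buckets.list"],
})
PROJECT_POLICY = json.dumps({"version": 1, "bindings": [
    {"role": CUSTOM_ROLE, "members": [SA_MEMBER]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]})
GOOD_BUCKET_POLICY = json.dumps({"version": 1, "bindings": [
    {"role": "roles/storage.objectViewer", "members": [SA_MEMBER]},
]})
# Same connector, but someone also granted objectAdmin: the audit must flag it.
BAD_BUCKET_POLICY = json.dumps({"version": 1, "bindings": [
    {"role": "roles/storage.objectViewer", "members": [SA_MEMBER]},
    {"role": "roles/storage.objectAdmin", "members": [SA_MEMBER, "user:admin@example.com"]},
]})


def audit_all():
    """Run every check; an empty list means that piece matches the page's setup."""
    return {
        "key": check_key_file(KEY_FILE),
        "custom_role": check_custom_role(CUSTOM_ROLE_DESCRIBE),
        "project": check_project_policy(PROJECT_POLICY),
        "good_bucket": check_bucket_policy(BUCKET, GOOD_BUCKET_POLICY),
        "bad_bucket": check_bucket_policy("second-bucket", BAD_BUCKET_POLICY),
    }


if __name__ == "__main__":
    for name, problems in audit_all().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

To use it against a real deployment, replace the constructed strings with the output of the corresponding `gcloud ... --format=json` commands; the checks themselves do not change. The bucket check is the one to rerun whenever a new bucket is connected, since that binding is per bucket and is the easiest place for a broader role to creep in.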
