Prepare Your Google Cloud Storage Connection
Before you can connect your Google Cloud Storage (GCS) to Data 360, gather the required information and complete the necessary actions in Google Cloud Storage.
- Identify or create the GCS bucket that stores your data.
- Identify the folder within the GCS bucket that contains the data to connect. The root directory can’t serve as the parent directory.
These steps involve third-party products, so we can’t guarantee the accuracy of the steps involving Google Cloud Console.
Interoperability access and secret keys are credentials Salesforce uses to identify and access your GCS bucket. Add a service account as a principal in your GCS bucket, set the bucket permissions, and create interoperability keys for the service account. If your GCS instance restricts access by IP address, add the Data Cloud IP addresses to your allowlist.
Interoperability keys, also called HMAC (Hash-based Message Authentication Code) keys, are credentials that you associate with a Google Cloud service or user account. We recommend using a Google Cloud service account with HMAC keys for production workloads.
To create an HMAC key for a service account:
- In Google Cloud Storage Platform, click Cloud Storage.
- Under Cloud Storage, click Settings.
- On the Interoperability tab, click Service account HMAC.
- Click Create a Key.
Add a service account as a principal to your Google Cloud Storage bucket.
- In Google Cloud Storage Platform, click Cloud Storage.
- Under Cloud Storage, click Browser.
- Click your bucket name, and click the Permissions tab.
- Under Permissions, for View by, select PRINCIPALS.
For a source connection, add the service account with these roles as principals:
- Storage Legacy Bucket Reader
- Storage Legacy Object Reader
For a target connection, assign these roles to the service account:
- Storage Bucket Viewer
- Storage Object Viewer
Then grant the service account these roles on the bucket:
- Storage Legacy Bucket Owner
- Storage Legacy Object Owner
If you use a Customer Managed Key (CMK), also add these permissions to the service account:
- cloudkms.cryptoKeyVersions.useToEncrypt
- cloudkms.cryptoKeyVersions.useToDecrypt
If you use VPC Service Controls, allowlist the permissions that these roles grant.
Set up permissions on your Google Cloud Storage bucket.
- In Google Cloud Storage Platform, click Cloud Storage.
- Under Cloud Storage, click Browser.
- Click your bucket name, and click the Permissions tab.
- Configure the permissions for the bucket and save.
We support these permission configurations for a bucket.
- Public Access - Subject to object ACLs
- Access Control - Fine Grained/Uniform
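To confirm the bucket grants before connecting, the following added example (not Salesforce or Google code) audits a bucket IAM policy, in the JSON shape that `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` prints, against the roles listed above. The mapping from role titles to role IDs, the service account name, and the sample policy are assumptions constructed for this example.

```python
import json

# Role IDs for the role titles listed on this page. The title-to-ID mapping is
# an assumption of this example; confirm it against your project's IAM roles.
SOURCE_ROLES = {
    "roles/storage.legacyBucketReader",  # Storage Legacy Bucket Reader
    "roles/storage.legacyObjectReader",  # Storage Legacy Object Reader
}
TARGET_ROLES = {
    "roles/storage.bucketViewer",        # Storage Bucket Viewer
    "roles/storage.objectViewer",        # Storage Object Viewer
    "roles/storage.legacyBucketOwner",   # Storage Legacy Bucket Owner
    "roles/storage.legacyObjectOwner",   # Storage Legacy Object Owner
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_bucket_policy(policy, service_account, connection="source"):
    """Compare a bucket IAM policy with the roles this page lists.

    Returns (missing, extra, public): listed roles the service account lacks,
    roles it holds beyond the listed set, and roles bound to public members.
    """
    required = SOURCE_ROLES if connection == "source" else TARGET_ROLES
    member = f"serviceAccount:{service_account}"
    held, public = set(), set()
    for binding in policy.get("bindings", []):
        members = set(binding.get("members", []))
        if member in members:
            held.add(binding["role"])
        if members & PUBLIC_MEMBERS:
            public.add(binding["role"])
    return sorted(required - held), sorted(held - required), sorted(public)


# Constructed service account and policy (hypothetical names, not real data).
SAMPLE_SA = "d360-reader@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.legacyBucketReader",
   "members": ["serviceAccount:d360-reader@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:d360-reader@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
]}
""")

if __name__ == "__main__":
    print(audit_bucket_policy(SAMPLE_POLICY, SAMPLE_SA, "source"))
```

A non-empty `extra` or `public` list is worth reviewing, because the HMAC key created for the service account carries every role that account holds on the bucket.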
After gathering this information and completing these actions in Google, you can connect your GCS instance to Salesforce.
Set Up a Google Cloud Storage Connection
Create a Google Cloud Storage Data Stream