Configure your Google Cloud project for data export from Cloud Storage to appliance using the setup application

This document describes configuring Google Cloud permissions and Cloud Storage using the Appliance Cloud Setup Application.

The Appliance Cloud Setup Application prompts you for information, such as your transfer session ID, Cloud Storage bucket and Cloud Key Management Service (Cloud KMS) preferences. Using the information you provide, the Appliance Cloud Setup Application configures your Google Cloud permissions, preferred Cloud Storage bucket, and Cloud KMS key for your transfer.

Before you begin

Ensure that you have the following:

  • The name of the project and the business location used for ordering the appliance.

  • The Appliance ID, session ID, bucket name, and encryption key specified when ordering the appliance. These can be found in the email titled Google Transfer Appliance Permissions.

  • The Storage Transfer Service service agent listed in the email titled Google Transfer Appliance Permissions. It looks similar to the following example:

    project-TENANT_IDENTIFIER@storage-transfer-service.iam.gserviceaccount.com

    In this example, TENANT_IDENTIFIER is a generated number specific to this particular project.

    We use Storage Transfer Service to transfer data between your Cloud Storage bucket and the appliance.

Assign IAM roles

You must have the correct IAM roles on the project and Cloud Storage bucket.

If you are the project owner, roles/owner is sufficient. Skip to the next section, Download the Appliance Cloud Setup Application.

If you don't have roles/owner, you must have the following roles:

  • roles/storagetransfer.admin: To create the Storage Transfer Service service account.
  • roles/transferappliance.viewer: To fetch Cloud Storage bucket and Cloud Key Management Service key details.
  • roles/storage.admin: Can be granted at the project level if you haven't created a Cloud Storage bucket, or can be granted at the bucket level if you're using an existing Cloud Storage bucket.
  • roles/cloudkms.admin: Can be granted at the project level if you haven't created a Cloud KMS key, or can be granted at the key level if you're using an existing Cloud KMS key.

Viewing roles

To view IAM roles that your principals have for a project and its resources, do the following:

  1. In the Google Cloud console, go to the IAM page.

  2. The page displays all the principals that have IAM roles on your project.
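
The same check can be scripted. The following is an added example, not part of the original page or the Appliance Cloud Setup Application: it reads a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports which of the roles listed above a principal holds. The sample policy and principals are constructed, and only direct, unconditional bindings are considered.

```python
import json

# Roles the page requires for a principal that does not hold roles/owner.
REQUIRED = (
    "roles/storagetransfer.admin",
    "roles/transferappliance.viewer",
    "roles/storage.admin",
    "roles/cloudkms.admin",
)
# Per the page, these two may be granted on an existing bucket or key instead
# of the project, so their absence here is inconclusive rather than a failure.
RESOURCE_LEVEL_OK = {"roles/storage.admin", "roles/cloudkms.admin"}


def roles_for(policy, member):
    """Roles bound directly and unconditionally to `member`.

    Group membership is not resolved and conditional bindings are skipped.
    """
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }


def preflight(policy, member):
    """Map each required role to 'ok', 'check_resource' or 'missing'."""
    held = roles_for(policy, member)
    if "roles/owner" in held:  # owner alone is sufficient, per the page
        return {role: "ok" for role in REQUIRED}
    return {
        role: "ok" if role in held
        else "check_resource" if role in RESOURCE_LEVEL_OK
        else "missing"
        for role in REQUIRED
    }


# Constructed sample in the shape of a project IAM policy document.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:owner@example.com"]},
  {"role": "roles/storagetransfer.admin", "members": ["user:operator@example.com"]},
  {"role": "roles/storage.admin", "members": ["user:operator@example.com"]}
]}
""")

if __name__ == "__main__":
    for who in ("user:owner@example.com", "user:operator@example.com"):
        print(who, preflight(SAMPLE_POLICY, who))
```

A `check_resource` result means the role must be confirmed on the existing bucket or key, because the project policy alone cannot show it.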

Download the Appliance Cloud Setup Application

To download the Appliance Cloud Setup Application:

  1. Open the Google Cloud console Welcome page.

  2. Verify that the name of the project used for the transfer is displayed in the project selector. The project selector tells you what project you are currently working in.

    If you don't see the name of the project you are using for the transfer, click the project selector, then select the correct project.

  3. Click Activate Cloud Shell.

  4. In Cloud Shell, use the wget command to download the Appliance Cloud Setup Application:

    wget https://storage.googleapis.com/transferappliance/cloudsetup/ta_cloudsetup_x86_64-linux -O ta_cloudsetup_x86_64-linux
    

Run the Appliance Cloud Setup Application

In Cloud Shell, run the following command to start the Appliance Cloud Setup Application:

chmod 0700 ta_cloudsetup_x86_64-linux && ./ta_cloudsetup_x86_64-linux

The app walks you through the steps required to configure your project.

Application output

The Appliance Cloud Setup Application completes the following actions:

  • Grants permissions to the Appliance service accounts used to export data from your Cloud Storage bucket.
  • Grants permission to the Appliance service accounts to access Cloud KMS key data. Only customer-managed encryption keys (CMEK) are supported for exporting data from your Cloud Storage bucket.
  • Displays the following information:

    • The Google Cloud cryptographic key resource name.
    • The Google Cloud Storage destination bucket name.

The information displayed is also stored in a file named SESSION_ID-output.txt in your Cloud Shell home directory, where SESSION_ID is the session ID for this particular transfer.

The names of the service accounts granted permission for this particular transfer are stored in a file named cloudsetup.log in your Cloud Shell home directory.
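
After the application finishes, the grants can be reviewed against the identifiers for this transfer. The following is an added example, not part of the original page or the application: it takes a bucket or key IAM policy as JSON (for a bucket, the output of `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`) and flags public members and appliance or Storage Transfer Service accounts that belong to a different session or tenant. The account name shapes come from this page; the session ID, tenant identifier and role in the sample are constructed and do not state which roles the application grants.

```python
import json
import re

# Account name shapes taken from the page; identifiers are captured as "id".
APPLIANCE_SA = re.compile(
    r"^serviceAccount:ta-(?P<id>[^@]+)@transfer-appliance-zimbru\.iam\.gserviceaccount\.com$")
STS_AGENT = re.compile(
    r"^serviceAccount:project-(?P<id>[^@]+)@storage-transfer-service\.iam\.gserviceaccount\.com$")
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def audit_grants(policy, session_id, tenant_id):
    """Return (expected, findings) for a bucket or key IAM policy document.

    expected: (role, member) pairs matching this transfer's identifiers.
    findings: (label, role, member) tuples that deserve a closer look.
    """
    checks = (
        (APPLIANCE_SA, session_id, "other_session"),
        (STS_AGENT, tenant_id, "other_tenant"),
    )
    expected, findings = [], []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC:
                findings.append(("public_member", role, member))
                continue
            for pattern, want, label in checks:
                m = pattern.match(member)
                if m and m["id"] == want:
                    expected.append((role, member))
                elif m:  # right account family, wrong session or tenant
                    findings.append((label, role, member))
    return expected, findings


# Constructed sample policy; "sess-0001" and "123456789012" are made-up identifiers.
SAMPLE_POLICY = json.loads("""
{"bindings": [{"role": "roles/storage.objectViewer", "members": [
  "serviceAccount:ta-sess-0001@transfer-appliance-zimbru.iam.gserviceaccount.com",
  "serviceAccount:ta-sess-0000@transfer-appliance-zimbru.iam.gserviceaccount.com",
  "serviceAccount:project-123456789012@storage-transfer-service.iam.gserviceaccount.com",
  "allUsers",
  "user:operator@example.com"]}]}
""")

if __name__ == "__main__":
    ok, issues = audit_grants(SAMPLE_POLICY, "sess-0001", "123456789012")
    print("expected:", ok)
    print("findings:", issues)
```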

Send CMEK information to Google

Send us the key information by completing the form linked from the email titled Google Transfer Appliance Permissions.

Troubleshooting

Error 400: Service account does not exist

Issue:

Appliance Cloud Setup Application displays the following message:

Service account ta-SESSION_ID@transfer-appliance-zimbru.iam.gserviceaccount.com
does not exist.

Where SESSION_ID is the session ID provided to Appliance Cloud Setup Application.

Solution:

Verify the session ID for your transfer. The session ID is unique to each transfer session and shared by the Transfer Appliance Team. If you haven't received a session ID, contact data-support@google.com.

Error: Listing KMS locations

Issue:

Appliance Cloud Setup Application displays the following message:

Error: listing kms locations

Solution:

Do the following within Cloud Shell:

  1. Re-authenticate by running gcloud auth login.

  2. Retry Appliance Cloud Setup Application.

If the error persists, contact the Transfer Appliance Team at data-support@google.com.

Error: Creating Cloud KMS key constraint error

Issue:

Appliance Cloud Setup Application displays a message similar to the following:

Error: creating cloud kms key violates constraint error: code = FailedPrecondition
desc= europe-west6 violates constraint 'constraints/gcp.resourceLocations' on
the resource 'projects/test/locations/europe-west6'

Solution:

Your Google Cloud project may have organization policies that disallow creating Cloud Key Management Service keys in certain locations. The following are possible solutions:

  • Choose a different location to create the Cloud Key Management Service key.
  • Update the organization policy to allow Cloud Key Management Service key creation in the location you desire.

For more information, see Restricting Resource Locations.