Connectors samples

This page provides sample workflows that demonstrate using connectors within a workflow to access resources in other Google Cloud products.

Authentication

When using a connector to access resources in another Google Cloud product, your workflow must be associated with a service account that has sufficient privileges to access those resources. To learn more about granting roles to service accounts, see granting, changing, and revoking access to resources. To learn how to change the service account associated with a workflow, see updating a workflow. For more information about authentication, see making authenticated requests from within a workflow.

Each sample on this page provides guidance on a suitable role that will grant sufficient privileges to accomplish the tasks performed by that sample.

Using these samples

To use these samples, replace the values for the variables in the initVariables step with your own values as needed. ${sys.get_env("GOOGLE_CLOUD_PROJECT_ID")} pulls in your Google Cloud project ID and does not need to be replaced.

Compute Engine samples

The following samples demonstrate using a workflow to connect to a Compute Engine instance.

The service account associated with the workflow must be granted the Compute Instance Admin (v1) IAM role.

Stopping an instance

YAML

- initVariables:
    assign:
      - project: ${sys.get_env("GOOGLE_CLOUD_PROJECT_ID")}
      - instance: "myinstance1"
      - zone: "us-central1-a"
- stopVM:
    try:
      call: googleapis.compute.v1.instances.stop
      args:
        project: ${project}
        instance: ${instance}
        zone: ${zone}
      result: stopVMResult
    except:
      as: e
      steps:
        - handleComputeEngineError:
            switch:
              - condition: ${e.code == 404}
                raise: "Compute Engine instance not found"
              - condition: ${e.code == 403}
                raise: "Error authenticating to Compute Engine"
        - unhandledException:
            raise: ${e}
- last:
    return: ${stopVMResult}

JSON

[
  {
    "initVariables": {
      "assign": [
        {
          "project": "${sys.get_env(\"GOOGLE_CLOUD_PROJECT_ID\")}"
        },
        {
          "instance": "myinstance1"
        },
        {
          "zone": "us-central1-a"
        }
      ]
    }
  },
  {
    "stopVM": {
      "try": {
        "call": "googleapis.compute.v1.instances.stop",
        "args": {
          "project": "${project}",
          "instance": "${instance}",
          "zone": "${zone}"
        },
        "result": "stopVMResult"
      },
      "except": {
        "as": "e",
        "steps": [
          {
            "handleComputeEngineError": {
              "switch": [
                {
                  "condition": "${e.code == 404}",
                  "raise": "Compute Engine instance not found"
                },
                {
                  "condition": "${e.code == 403}",
                  "raise": "Error authenticating to Compute Engine"
                }
              ]
            }
          },
          {
            "unhandledException": {
              "raise": "${e}"
            }
          }
        ]
      }
    }
  },
  {
    "last": {
      "return": "${stopVMResult}"
    }
  }
]

Starting an instance

YAML

- initVariables:
    assign:
      - project: ${sys.get_env("GOOGLE_CLOUD_PROJECT_ID")}
      - instance: "myinstance1"
      - zone: "us-central1-a"
- startVM:
    try:
      call: googleapis.compute.v1.instances.start
      args:
        project: ${project}
        instance: ${instance}
        zone: ${zone}
      result: startVMResult
    except:
      as: e
      steps:
        - handleComputeEngineError:
            switch:
              - condition: ${e.code == 404}
                raise: "Compute Engine instance not found"
              - condition: ${e.code == 403}
                raise: "Error authenticating to Compute Engine"
        - unhandledException:
            raise: ${e}
- last:
    return: ${startVMResult}

JSON

[
  {
    "initVariables": {
      "assign": [
        {
          "project": "${sys.get_env(\"GOOGLE_CLOUD_PROJECT_ID\")}"
        },
        {
          "instance": "myinstance1"
        },
        {
          "zone": "us-central1-a"
        }
      ]
    }
  },
  {
    "startVM": {
      "try": {
        "call": "googleapis.compute.v1.instances.start",
        "args": {
          "project": "${project}",
          "instance": "${instance}",
          "zone": "${zone}"
        },
        "result": "startVMResult"
      },
      "except": {
        "as": "e",
        "steps": [
          {
            "handleComputeEngineError": {
              "switch": [
                {
                  "condition": "${e.code == 404}",
                  "raise": "Compute Engine instance not found"
                },
                {
                  "condition": "${e.code == 403}",
                  "raise": "Error authenticating to Compute Engine"
                }
              ]
            }
          },
          {
            "unhandledException": {
              "raise": "${e}"
            }
          }
        ]
      }
    }
  },
  {
    "last": {
      "return": "${startVMResult}"
    }
  }
]

Pub/Sub sample

The following sample demonstrates using a workflow to publish a message to a topic with Pub/Sub.

The service account associated with the workflow must be granted the Pub/Sub Publisher IAM role.

YAML

- initVariables:
    assign:
      - project: ${sys.get_env("GOOGLE_CLOUD_PROJECT_ID")}
      - topic: "mytopic1"
      - message: "Hello world!"
- publish:
    try:
      call: googleapis.pubsub.v1.projects.topics.publish
      args:
        topic: ${"projects/" + project + "/topics/" + topic}
        body:
          messages:
            - data: ${base64.encode(text.encode(message))}
      result: publishResult
    except:
      as: e
      steps:
        - handlePubSubError:
            switch:
              - condition: ${e.code == 404}
                raise: "PubSub Topic not found"
              - condition: ${e.code == 403}
                raise: "Error authenticating to PubSub"
        - unhandledException:
            raise: ${e}
- last:
    return: ${publishResult}

JSON

[
  {
    "initVariables": {
      "assign": [
        {
          "project": "${sys.get_env(\"GOOGLE_CLOUD_PROJECT_ID\")}"
        },
        {
          "topic": "mytopic1"
        },
        {
          "message": "Hello world!"
        }
      ]
    }
  },
  {
    "publish": {
      "try": {
        "call": "googleapis.pubsub.v1.projects.topics.publish",
        "args": {
          "topic": "${\"projects/\" + project + \"/topics/\" + topic}",
          "body": {
            "messages": [
              {
                "data": "${base64.encode(text.encode(message))}"
              }
            ]
          }
        },
        "result": "publishResult"
      },
      "except": {
        "as": "e",
        "steps": [
          {
            "handlePubSubError": {
              "switch": [
                {
                  "condition": "${e.code == 404}",
                  "raise": "PubSub Topic not found"
                },
                {
                  "condition": "${e.code == 403}",
                  "raise": "Error authenticating to PubSub"
                }
              ]
            }
          },
          {
            "unhandledException": {
              "raise": "${e}"
            }
          }
        ]
      }
    }
  },
  {
    "last": {
      "return": "${publishResult}"
    }
  }
]

Secret Manager sample

The following sample demonstrates using a workflow to access a secret in Secret Manager.

The service account associated with the workflow must be granted the Secret Manager Secret Accessor role.

YAML

- initVariables:
    assign:
      - project: ${sys.get_env("GOOGLE_CLOUD_PROJECT_NUMBER")}
      - secret: "mysecret"
      - version: 1
- getSecret:
    try:
      call: googleapis.secretmanager.v1.projects.secrets.versions.access
      args:
        name: ${"projects/" + project + "/secrets/" + secret + "/versions/" + string(version)}
      result: secretResult
    except:
      as: e
      steps:
        - handleSecretManagerError:
            switch:
              - condition: ${e.code == 404}
                raise: "Secret not found"
              - condition: ${e.code == 403}
                raise: "Error authenticating to Secret Manager"
        - unhandledException:
            raise: ${e}
- storeSecret:
    assign:
      - secretValue: ${text.decode(base64.decode(secretResult.payload.data))}

JSON

[
  {
    "initVariables": {
      "assign": [
        {
          "project": "${sys.get_env(\"GOOGLE_CLOUD_PROJECT_NUMBER\")}"
        },
        {
          "secret": "mysecret"
        },
        {
          "version": 1
        }
      ]
    }
  },
  {
    "getSecret": {
      "try": {
        "call": "googleapis.secretmanager.v1.projects.secrets.versions.access",
        "args": {
          "name": "${\"projects/\" + project + \"/secrets/\" + secret + \"/versions/\" + string(version)}"
        },
        "result": "secretResult"
      },
      "except": {
        "as": "e",
        "steps": [
          {
            "handleSecretManagerError": {
              "switch": [
                {
                  "condition": "${e.code == 404}",
                  "raise": "Secret not found"
                },
                {
                  "condition": "${e.code == 403}",
                  "raise": "Error authenticating to Secret Manager"
                }
              ]
            }
          },
          {
            "unhandledException": {
              "raise": "${e}"
            }
          }
        ]
      }
    }
  },
  {
    "storeSecret": {
      "assign": [
        {
          "secretValue": "${text.decode(base64.decode(secretResult.payload.data))}"
        }
      ]
    }
  }
]

Firestore samples

The following samples demonstrate using a workflow to connect to a Firestore instance.

The service account associated with the workflow must be granted the Cloud Datastore User role.

Reading a document from Firestore

YAML

- initVariables:
    assign:
      - project: ${sys.get_env("GOOGLE_CLOUD_PROJECT_ID")}
      - collection: "peopleDatabase"
      - document: "smith.j"
- readFromFirestore:
    try:
      call: googleapis.firestore.v1.projects.databases.documents.get
      args:
        name: ${"projects/"+project+"/databases/(default)/documents/"+collection+"/"+document}
      result: readResult
    except:
      as: e
      steps:
        - handleFirestoreReadError:
            switch:
              - condition: ${e.code == 404}
                raise: "Firestore database or document not found"
              - condition: ${e.code == 403}
                raise: "Error authenticating to Firestore"
        - unhandledException:
            raise: ${e}
- last:
    return: ${readResult.fields}

JSON

[
  {
    "initVariables": {
      "assign": [
        {
          "project": "${sys.get_env(\"GOOGLE_CLOUD_PROJECT_ID\")}"
        },
        {
          "collection": "peopleDatabase"
        },
        {
          "document": "smith.j"
        }
      ]
    }
  },
  {
    "readFromFirestore": {
      "try": {
        "call": "googleapis.firestore.v1.projects.databases.documents.get",
        "args": {
          "name": "${\"projects/\"+project+\"/databases/(default)/documents/\"+collection+\"/\"+document}"
        },
        "result": "readResult"
      },
      "except": {
        "as": "e",
        "steps": [
          {
            "handleFirestoreReadError": {
              "switch": [
                {
                  "condition": "${e.code == 404}",
                  "raise": "Firestore database or document not found"
                },
                {
                  "condition": "${e.code == 403}",
                  "raise": "Error authenticating to Firestore"
                }
              ]
            }
          },
          {
            "unhandledException": {
              "raise": "${e}"
            }
          }
        ]
      }
    }
  },
  {
    "last": {
      "return": "${readResult.fields}"
    }
  }
]

Creating or updating a document in Firestore

YAML

- initVariables:
    assign:
      - project: ${sys.get_env("GOOGLE_CLOUD_PROJECT_ID")}
      - collection: "peopleDatabase"
      - document: "smith.j"
      - valuesToWrite:
          FirstName:
            stringValue: "John"
          LastName:
            stringValue: "Smith"
          Age:
            integerValue: 32
- writeToFirestore:
    try:
      call: googleapis.firestore.v1.projects.databases.documents.patch
      args:
        name: ${"projects/"+project+"/databases/(default)/documents/"+collection+"/"+document}
        body:
          fields: ${valuesToWrite}
      result: writeResult
    except:
      as: e
      steps:
        - handleFirestoreWriteError:
            switch:
              - condition: ${e.code == 404}
                raise: "Firestore database or document not found"
              - condition: ${e.code == 403}
                raise: "Error authenticating to Firestore"
        - unhandledException:
            raise: ${e}
- last:
    return: ${writeResult.name}

JSON

[
  {
    "initVariables": {
      "assign": [
        {
          "project": "${sys.get_env(\"GOOGLE_CLOUD_PROJECT_ID\")}"
        },
        {
          "collection": "peopleDatabase"
        },
        {
          "document": "smith.j"
        },
        {
          "valuesToWrite": {
            "FirstName": {
              "stringValue": "John"
            },
            "LastName": {
              "stringValue": "Smith"
            },
            "Age": {
              "integerValue": 32
            }
          }
        }
      ]
    }
  },
  {
    "writeToFirestore": {
      "try": {
        "call": "googleapis.firestore.v1.projects.databases.documents.patch",
        "args": {
          "name": "${\"projects/\"+project+\"/databases/(default)/documents/\"+collection+\"/\"+document}",
          "body": {
            "fields": "${valuesToWrite}"
          }
        },
        "result": "writeResult"
      },
      "except": {
        "as": "e",
        "steps": [
          {
            "handleFirestoreWriteError": {
              "switch": [
                {
                  "condition": "${e.code == 404}",
                  "raise": "Firestore database or document not found"
                },
                {
                  "condition": "${e.code == 403}",
                  "raise": "Error authenticating to Firestore"
                }
              ]
            }
          },
          {
            "unhandledException": {
              "raise": "${e}"
            }
          }
        ]
      }
    }
  },
  {
    "last": {
      "return": "${writeResult.name}"
    }
  }
]

Tasks sample

The following sample demonstrates using a workflow to create tasks in Tasks.

The service account associated with the workflow must be granted the Cloud Tasks Enquerer role.

YAML

- initVariables:
    assign:
      - project: ${sys.get_env("GOOGLE_CLOUD_PROJECT_ID")}
      - location: ${sys.get_env("GOOGLE_CLOUD_LOCATION")}
      - queue: "testqueue"
      - taskURL: "https://somewhere.com/apiendpoint"
      - method: "POST"
      - body: "Hello world!"
- startTask:
    try:
      call: googleapis.cloudtasks.v2.projects.locations.queues.tasks.create
      args:
        parent: ${"projects/" + project + "/locations/" + location + "/queues/" + queue}
        body:
          task:
            httpRequest:
              body: ${base64.encode(text.encode(body))}
              httpMethod: ${method}
              url: ${taskURL}
            scheduleTime:
              seconds: int(sys.now() + 60*60*24)
      result: taskResult
    except:
      as: e
      steps:
        - handleTasksError:
            switch:
              - condition: ${e.code == 404}
                raise: "Tasks queue not found"
              - condition: ${e.code == 403}
                raise: "Error authenticating to Cloud Tasks"
        - unhandledException:
            raise: ${e}

- last:
    return: ${taskResult.body}

JSON

[
  {
    "initVariables": {
      "assign": [
        {
          "project": "${sys.get_env(\"GOOGLE_CLOUD_PROJECT_ID\")}"
        },
        {
          "location": "${sys.get_env(\"GOOGLE_CLOUD_LOCATION\")}"
        },
        {
          "queue": "testqueue"
        },
        {
          "taskURL": "https://somewhere.com/apiendpoint"
        },
        {
          "method": "POST"
        },
        {
          "body": "Hello world!"
        }
      ]
    }
  },
  {
    "startTask": {
      "try": {
        "call": "googleapis.cloudtasks.v2.projects.locations.queues.tasks.create",
        "args": {
          "parent": "${\"projects/\" + project + \"/locations/\" + location + \"/queues/\" + queue}",
          "body": {
            "task": {
              "httpRequest": {
                "body": "${base64.encode(text.encode(body))}",
                "httpMethod": "${method}",
                "url": "${taskURL}"
              },
              "scheduleTime": {
                "seconds": "int(sys.now() + 60*60*24)"
              }
            }
          }
        },
        "result": "taskResult"
      },
      "except": {
        "as": "e",
        "steps": [
          {
            "handleTasksError": {
              "switch": [
                {
                  "condition": "${e.code == 404}",
                  "raise": "Tasks queue not found"
                },
                {
                  "condition": "${e.code == 403}",
                  "raise": "Error authenticating to Cloud Tasks"
                }
              ]
            }
          },
          {
            "unhandledException": {
              "raise": "${e}"
            }
          }
        ]
      }
    }
  },
  {
    "last": {
      "return": "${taskResult.body}"
    }
  }
]