Google Cloud Platform (GCP) | Cloud Integration Setup

The process for authorizing Reboot Motion to deliver data directly to your organization's Google Cloud Storage is very straightforward: simply create a Service Account and ensure it has the appropriate permissions to read from and write to the Cloud Storage bucket where you would like your data delivered.

Step 1: Create Service Account

To create a Service Account that Reboot Motion can use to deliver data to your Google Cloud Storage bucket, follow the steps outlined in Google Cloud's IAM > Documentation > Guides > Create service accounts article.

To share the credentials for this Service Account with Reboot Motion, click the three vertical dots next to the Service Account name (under the Actions column), and then select Manage keys from the menu that appears. Click Add Key > Create new key, and select JSON as the key type before clicking the CREATE button. A JSON file will be downloaded, which should be securely shared with us after completing Step 2. Additionally, take note of the email address GCP generates for this service account, as you'll need it in the next step.

Step 2: Create Custom Role

The permissions required for Reboot Motion to deliver data to your Google Cloud Storage bucket are not provided by any of GCP's predefined roles, so we need to create a custom one. Navigate to IAM & Admin > Roles and click the + CREATE ROLE button. Give it a title (e.g., Reboot Motion Data Delivery) and an ID. Optionally set a description and role launch stage. Next, click + ADD PERMISSIONS, and assign the following permissions.

storage.buckets.get
storage.managedFolders.create
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

These permissions effectively replicate the Storage Object User role provided by Google, with the addition of the storage.buckets.get permission. It is important that all of the above permissions are in place, including storage.objects.delete. We will never delete files from your bucket, but this permission is required by GCP when overwriting existing files (which may happen when updating reports or reprocessing data).

Complete instructions for managing custom roles can be found in Google Cloud's IAM > Documentation > Guides > Create and manage custom roles article.

Step 3: Authorize Service Account to Access Bucket

Now that you've created a Service Account and a Custom Role, the Custom Role must be assigned to the Service Account to authorize access to your Google Cloud Storage bucket.

In your Google Cloud console, navigate to Cloud Storage > Buckets and ensure the correct project is selected. Click the bucket for which you intend to grant access, and then click the Permissions tab (alternatively, if you select the checkbox next to the bucket name, a Permissions button should appear towards the top of the screen).

Under the View By Principals tab, click the + GRANT ACCESS button. Under the Add principals header, enter the full email of the Service Account you just created in the New principals text box. Under the Assign roles header, use the Select a role dropdown to select the custom role you created above (Reboot Motion Data Delivery), and click SAVE.
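To confirm that Steps 2 and 3 produced exactly the access described above before sharing the key, the following added example (not Reboot Motion's or Google's code) audits the custom role and the bucket's IAM policy. It assumes both are supplied as parsed JSON in the shape printed by `gcloud iam roles describe --format=json` and `gcloud storage buckets get-iam-policy --format=json`; the project, role ID and service account email are constructed placeholders.

```python
# The 13 permissions listed in Step 2 of this page.
REQUIRED = {
    "storage.buckets.get",
    "storage.managedFolders.create", "storage.managedFolders.get",
    "storage.managedFolders.list",
    "storage.multipartUploads.abort", "storage.multipartUploads.create",
    "storage.multipartUploads.list", "storage.multipartUploads.listParts",
    "storage.objects.create", "storage.objects.delete", "storage.objects.get",
    "storage.objects.list", "storage.objects.update",
}

def audit(role, policy, sa_email):
    """Return a list of findings; an empty list means the setup matches Steps 2 and 3."""
    findings = []
    granted = set(role.get("includedPermissions", []))
    for perm in sorted(REQUIRED - granted):
        findings.append(f"role is missing {perm}")  # delivery would fail
    for perm in sorted(granted - REQUIRED):
        findings.append(f"role grants extra permission {perm}")  # over-privileged
    member = f"serviceAccount:{sa_email}"
    bound = False
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        if binding["role"] == role["name"]:
            bound = bound or member in members
            for other in sorted(set(members) - {member}):
                findings.append(f"custom role also granted to {other}")
        elif member in members:
            findings.append(f"service account also holds {binding['role']}")
    if not bound:
        findings.append("custom role is not bound to the service account on this bucket")
    return findings

# Constructed sample data: a role with one permission missing and one extra,
# and a bucket policy that gives the service account a second, broader role.
SA = "delivery@example-project.iam.gserviceaccount.com"  # placeholder
ROLE = {"name": "projects/example-project/roles/rebootMotionDataDelivery",
        "includedPermissions": sorted(REQUIRED - {"storage.objects.delete"})
                               + ["storage.buckets.setIamPolicy"]}
POLICY = {"bindings": [
    {"role": ROLE["name"], "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/storage.admin", "members": [f"serviceAccount:{SA}"]}]}

if __name__ == "__main__":
    for line in audit(ROLE, POLICY, SA):
        print(line)
```

The bucket policy shows only bucket-level grants; roles granted to the service account at the project level are inherited by the bucket and need a separate look at the project's IAM policy.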

Step 4: Prepare for testing

At this point, everything should be set up and ready for us to test! Once you provide the name of your Google Cloud Storage bucket and the Service Account credentials you created above, we will test the connection from our environment to yours. Once this has been validated, we will work with you to customize the paths to which data will be delivered in your bucket.