Integration Provider - GCP

TrueFoundry supports integrations with multiple GCP services, such as GCS, GKE, GCR, GSM and GCP Models.

To integrate any of these services, add your GCP account as a provider account and then add the individual integrations under it, as shown below:

Share access with users, teams or everyone in your TrueFoundry account

As shown in the previous slides, you can share access to each integration with specific users, teams, or everyone in your TrueFoundry account. Sharing lets them view and use the integration; only tenant admins can edit integrations.

Google Cloud Storage (GCS) Integration

Follow the steps below to connect GCS storage to TrueFoundry:

  1. Create a GCS bucket.
    • Add a lifecycle rule to the bucket that deletes incomplete multipart uploads after 7 days, so abandoned upload parts do not accumulate storage cost.
    • In the console, open the bucket -> Lifecycle -> Add a rule.
    • Select Delete multi-part upload and set the age to 7 days.
  2. Add a CORS policy to the bucket. Setting CORS is not possible through the console, so use gsutil:
    1. Create a file called cors.json with the following command:
    cat > cors.json <<EOF
    [
        {
          "origin": ["*"],
          "method": ["GET", "POST", "PUT"],
          "maxAgeSeconds": 3600
        }
    ]
    EOF
    
    2. Apply the CORS policy to the bucket (not to the service account) with gsutil:
    gsutil cors set cors.json gs://BUCKET_NAME
    
    An origin of "*" lets pages on any site make cross-origin GET, POST and PUT requests to this bucket (each request is still subject to normal GCS authorization). If you know the origin your TrueFoundry dashboard is served from, list that origin instead of the wildcard.
    
  3. Create an IAM service account named tfy-<short-region-name>-<name>-platform-role, if one does not already exist. Service account IDs are limited to 6-30 characters of lowercase letters, digits and hyphens, so shorten <name> if the pattern exceeds that.
  4. Create a custom IAM role with the following permissions:
    [
        "storage.objects.create",
        "storage.objects.delete",
        "storage.objects.get",
        "storage.objects.list",
        "storage.objects.update",
        "storage.buckets.create",
        "storage.buckets.get",
        "storage.buckets.list",
        "storage.buckets.update",
        "storage.multipartUploads.create",
        "storage.multipartUploads.list",
        "storage.multipartUploads.listParts",
        "storage.multipartUploads.abort",
        "resourcemanager.projects.get"
      ]
    
    1. Navigate to IAM & Admin -> Roles.
    2. Click + CREATE ROLE.
    3. Enter a name and a description, and set the stage to General Availability.
    4. Click ADD PERMISSIONS and add the permissions listed above.
    5. Click CREATE.
  5. Attach the custom IAM role to the service account, scoped to the bucket with an IAM condition:
    1. In the IAM section, locate the service account created earlier.
    2. Click the Edit icon next to the service account.
    3. Click ADD ROLE and select the custom role you created.
    4. Next to the Role, click ADD IAM CONDITION.
    5. Type a title and, under the CONDITION EDITOR tab, enter this condition (replace <bucket name> with your bucket; projects/_/buckets/ is how Cloud Storage names buckets in IAM conditions):
      resource.name.startsWith('projects/_/buckets/<bucket name>')
    6. Click SAVE.
    The condition applies to every permission in the binding, so after saving verify with the service account's credentials that it can list the intended bucket (for example, gsutil ls gs://<bucket name>) and is denied on other buckets in the project.
  6. Once the service account exists, create a key for it in JSON format. The key file is a long-lived credential: upload it to the integration and do not keep copies elsewhere.
  7. Navigate to the Integrations tab and follow the steps shown in the previous demo to integrate your storage.

Google Container Registry (GCR) Integration

  1. Create an IAM service account named tfy-<short-region>-<name>-platform-role, if one does not already exist, and grant it the following predefined roles:
    1. Artifact Registry Administrator
    2. Service Account Token Creator
    Granted at the project level, Artifact Registry Administrator covers every repository in the project and Service Account Token Creator allows minting tokens for every service account in the project. If TrueFoundry only needs one repository, or only tokens for its own identity, grant these roles on that repository and on the service account itself instead.
  2. Once the service account exists, create a key for it in JSON format.
  3. Navigate to the Integrations tab and follow the steps shown in the previous demo to integrate your artifact registry.

Google Secrets Manager (GSM) Integration

Follow the steps below to connect your Google Secrets Manager to TrueFoundry:

  1. Create an IAM service account named tfy-<short-region-name>-<name>-platform-role, if one does not already exist.
    1. Create a custom IAM role with the following permissions:
      [
          "secretmanager.secrets.get",
          "secretmanager.secrets.list",
          "secretmanager.secrets.create",
          "secretmanager.secrets.delete",
          "secretmanager.secrets.update",
          "secretmanager.versions.access",
          "resourcemanager.projects.get"
        ]
      
      1. Navigate to IAM & Admin -> Roles.
      2. Click + CREATE ROLE.
      3. Enter a name and a description.
      4. Click ADD PERMISSIONS and add the permissions listed above
      5. Click CREATE.
    2. Attach the custom IAM role to the service account, scoped with an IAM condition to secrets whose names begin with tfy:
      1. In the IAM section, locate the service account created earlier.
      2. Click the Edit icon next to the service account.
      3. Click ADD ROLE and select the custom role you created.
      4. Next to the Role, click ADD IAM CONDITION.
      5. Type a title and, under the CONDITION EDITOR tab, enter this condition (Secret Manager resource names use the project number, not the project ID):
        resource.name.startsWith('projects/<GCP Project Number>/secrets/tfy')
      6. Click SAVE.
      With this condition the service account can only read or manage secrets whose names start with tfy, so any secret TrueFoundry is expected to use must be named with that prefix.
  2. Once the service account exists, create a key for it in JSON format.
  3. Navigate to the Integrations tab and follow the steps shown in the previous demo to integrate your secret manager.
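The following script carries out the GCS steps, the GCR role grants and the GSM steps above with gcloud and gsutil. It is an added example, not TrueFoundry's own tooling. The values of PROJECT_ID, PROJECT_NUMBER, BUCKET, SA_ID and CORS_ORIGIN are assumed placeholders to override in the environment; the DRY_RUN switch, the role IDs tfyGcsRole and tfyGsmRole and the condition titles are names chosen here, not names from the page. The lifecycle rule uses the AbortIncompleteMultipartUpload action and the role definitions use the YAML format accepted by gcloud iam roles create --file.

```shell
#!/usr/bin/env sh
# Added example (not TrueFoundry tooling): GCS, GCR and GSM setup from the steps above.
# All values below are assumed placeholders; override them in the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # Secret Manager conditions use the number
BUCKET="${BUCKET:-tfy-usc1-acme-artifacts}"
SA_ID="${SA_ID:-tfy-usc1-acme-platform-role}"     # tfy-<short-region>-<name>-platform-role
SA_EMAIL="${SA_ID}@${PROJECT_ID}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print commands only, 0 = execute

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Service account IDs must be 6-30 characters of lowercase letters, digits and hyphens;
# the naming pattern can exceed that with a long region or name, so fail early.
check_sa_id() {
  id="$1"
  [ "${#id}" -ge 6 ] && [ "${#id}" -le 30 ] || return 1
  case "$id" in *[!abcdefghijklmnopqrstuvwxyz0-9-]*) return 1 ;; esac
}

# Step 1: lifecycle rule that aborts incomplete multipart uploads after 7 days.
write_lifecycle_json() {
  printf '%s\n' '{"rule": [{"action": {"type": "AbortIncompleteMultipartUpload"}, "condition": {"age": 7}}]}' > "$1"
}

# Step 2: CORS policy. $2 is the allowed origin; "*" matches the page, a dashboard origin is tighter.
write_cors_json() {
  printf '[{"origin": ["%s"], "method": ["GET", "POST", "PUT"], "maxAgeSeconds": 3600}]\n' "$2" > "$1"
}

# Custom role definition for `gcloud iam roles create --file`; duplicate permissions are collapsed.
write_role_yaml() {
  out="$1"; title="$2"; shift 2
  { printf 'title: %s\nstage: GA\nincludedPermissions:\n' "$title"
    printf '%s\n' "$@" | sort -u | sed 's/^/- /'; } > "$out"
}

# Bind a custom role to the service account with an IAM condition limiting it to a resource prefix.
bind_with_condition() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" --role="projects/${PROJECT_ID}/roles/$1" \
    --condition="expression=$2,title=$3"
}
gcs_condition() { printf "resource.name.startsWith('projects/_/buckets/%s')" "$1"; }
gsm_condition() { printf "resource.name.startsWith('projects/%s/secrets/tfy')" "$1"; }

main() {
  check_sa_id "$SA_ID" || { echo "invalid service account id: $SA_ID" >&2; exit 1; }
  work="$(mktemp -d)"
  # GCS: bucket, lifecycle, CORS, service account, custom role, bucket-scoped binding
  write_lifecycle_json "$work/lifecycle.json"
  write_cors_json "$work/cors.json" "${CORS_ORIGIN:-*}"
  run gsutil mb -p "$PROJECT_ID" "gs://${BUCKET}"
  run gsutil lifecycle set "$work/lifecycle.json" "gs://${BUCKET}"
  run gsutil cors set "$work/cors.json" "gs://${BUCKET}"
  run gcloud iam service-accounts create "$SA_ID" --project="$PROJECT_ID"
  write_role_yaml "$work/gcs-role.yaml" "TrueFoundry GCS" \
    storage.objects.create storage.objects.delete storage.objects.get \
    storage.objects.list storage.objects.update storage.buckets.create \
    storage.buckets.get storage.buckets.list storage.buckets.update \
    storage.multipartUploads.create storage.multipartUploads.list \
    storage.multipartUploads.listParts storage.multipartUploads.abort \
    resourcemanager.projects.get
  run gcloud iam roles create tfyGcsRole --project="$PROJECT_ID" --file="$work/gcs-role.yaml"
  bind_with_condition tfyGcsRole "$(gcs_condition "$BUCKET")" tfy-bucket-only
  # GCR / Artifact Registry: the two predefined roles from the page, bound at project level
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" --role=roles/artifactregistry.admin
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" --role=roles/iam.serviceAccountTokenCreator
  # GSM: custom role bound only to secrets whose names start with "tfy"
  write_role_yaml "$work/gsm-role.yaml" "TrueFoundry Secret Manager" \
    secretmanager.secrets.get secretmanager.secrets.list secretmanager.secrets.create \
    secretmanager.secrets.delete secretmanager.secrets.update \
    secretmanager.versions.access resourcemanager.projects.get
  run gcloud iam roles create tfyGsmRole --project="$PROJECT_ID" --file="$work/gsm-role.yaml"
  bind_with_condition tfyGsmRole "$(gsm_condition "$PROJECT_NUMBER")" tfy-secrets-only
  # Final step: JSON key for the integration form. This file is a long-lived credential.
  run gcloud iam service-accounts keys create "$work/${SA_ID}.json" --iam-account="$SA_EMAIL"
  echo "generated files are in $work"
}

case "${1:-}" in apply) DRY_RUN=0; main ;; dry-run) main ;; esac
```

Run `sh gcp-integrations.sh dry-run` to review every command it would issue, then `sh gcp-integrations.sh apply` to execute them with your active gcloud credentials. The key file written by the last step is what you upload in the Integrations tab; delete the local copy once the integration is saved.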