Prerequisites for BigQuery Connector - Access Management¶
GCP BigQuery connector with Privacera requires the following prerequisites:
Mandatory Prerequisites¶
Prerequisites | Detail |
---|---|
IAM Role Permissions for managing BigQuery Refer | This is used to create Permissions for GCP IAM Role. |
Create PrivaceraPolicySyncRole IAM Role for Project Refer | This is used create GCP IAM role at project-level for service account. |
Create PrivaceraPolicySyncRole IAM Role for organization Refer | This is used to create GCP IAM role at organization-level for service account. |
Attach IAM Role to Service Account Refer | This is used to connect policysync with GCP bigquery. |
Configure Logs for Auditing Refer | This is used to store audits logs of GCP BigQuery to load by policysync. |
Optional Prerequisites¶
Prerequisites | Detail |
---|---|
Basic Authentication for PolicySync Refer (optional) | This is used optionally enable basic authenticate for PolicySync to Google BigQuery. |
Note
If you have multiple projects within your GCP organization and wish to manage them with a single BigQuery connector, please repeat the steps below for each project. Assign the role to the same service account that will be utilized across multiple projects.
IAM Role Permissions for managing BigQuery
Create Project-level Access IAM Role for Service Account
Create Organization-level IAM Role for Service Account
Attach IAM Role to Service Account
Appendix¶
IAM Role Permissions for managing BigQuery¶
You need to give Privacera PolicySync basic access to GCP. To grant that access, create PrivaceraPolicySyncRole IAM role in your GCP project or GCP organization using the following commands on Google Cloud's shell (gcloud). The shell can be installed and accessed locally or through Google Console.
Run the following command to create the file containing the permissions required for the PrivaceraPolicySyncRole role:
Create Project-level Access IAM Role for Service Account¶
To create the PrivaceraPolicySyncRole in your GCP project, execute the following command. Replace <GCP_PROJECT_ID>
with your actual GCP project ID:
PROJECT_ID="<GCP_PROJECT_ID>"
To create PrivaceraPolicySyncRole role in your GCP project, run the following command.
Text Only | |
---|---|
Create Organization-level IAM Role for Service Account¶
To create the PrivaceraPolicySyncRole role in your GCP organization, run the following command. Replace <GCP_ORGANIZATION_ID>
with your GCP organization ID:
ORGANIZATION_ID="<GCP_ORGANIZATION_ID>"
To create PrivaceraPolicySyncRole role in your GCP organization, run the following command.
Text Only | |
---|---|
Attach IAM Role to Service Account¶
To attach the PrivaceraPolicySyncRole IAM role created above, please follow the below steps:
-
Log in to your GCP console.
-
Navigate to IAM & admin > Service accounts, and click + CREATE SERVICE ACCOUNT.
-
Enter the required values in the fields and click CREATE.
-
In the Grant this service account access to project section, select the role
PrivaceraPolicySyncRole
. -
On the Service Account Page, locate the newly created service account and copy its email address for use in a later step.
-
If you are using a Google VM instance to configure Google BigQuery for PolicySync, you may attach the service account created above to your VM instance and skip the following steps.
-
On the Service Account Page, navigate to the Keys tab, click Add Key, and then select Create New Key.
-
Select the JSON key type and click CREATE. A JSON key file will be downloaded to your system. Please store the file in an accessible location, as it will be used to configure PolicySync in Privacera Manager.
For more detailed information on creating a service account, see the Google documentation.
Configure Logs for Auditing¶
A sink is required to collect all logs from Google BigQuery. To create a sink, please follow the below steps:
-
In the search bar, type Logging, then click on Logs Router and select Create Sink.
-
Enter the sink name as
PolicySyncBigQueryAuditSink
, and then click Next. -
Enter the sink destination.
-
In the Select sink service section, choose BigQuery.
-
In the Select BigQuery dataset section, click Create new BigQuery dataset.
-
Enter the Dataset ID as
bigquery_audits
and click Create Dataset. -
Click Next.
-
Add the BigQuery logs in the sink:
- In the Build an inclusion filter, add the following line:
Text Only
- In the Build an inclusion filter, add the following line:
-
Click Create Sink.
For more detailed information on creating a sink, see the Google documentation.
Basic Authentication for PolicySync (Optional)¶
To optionally enable basic authentication for PolicySync with Google BigQuery, you may create a JSON file in the subdirectory of your connector instance. The name of the file must be XXX.json.
An example of the contents of XXX.json.
- Prev topic: Push Mode Overview
- Next topic: Setup