Litmus Edge Manager Admin Cons...
Cloud
Litmus Edge Manager can be configured to store updates, backups, and other data in an external storage location.

Before you begin

Create a Google service account with a Google Cloud project. Then, generate and retrieve a GCP service account key (JSON) file.

For Litmus Edge version 2.17.0 and later, you have two options for setting cloud credentials: GCP SA Key Authentication and GCP Workload Identity Federation (OIDC).

Service account keys and workload identity federation explained

Review the following descriptions of service account keys and workload identity federation to determine which option is the best for your specific requirements.

Service account keys

Each Google service account is associated with a public/private RSA key pair. The Service Account Credentials API uses this internal key pair to create short-lived service account credentials, and to sign blobs and JSON Web Tokens (JWTs). This key pair is known as the Google-managed key pair. In addition, you can create multiple public/private RSA key pairs, known as user-managed key pairs, and use the private key to authenticate with Google APIs. This private key is known as a service account key. See Service account keys to learn more.

Workload identity federation

Workload identity federation allows you to grant on-premises or multi-cloud workloads access to Google Cloud resources without using a service account key. You may select this option because service account keys are powerful credentials, so they can present a security risk if they are not managed correctly. With identity federation, you can use Identity and Access Management (IAM) to grant external identities IAM roles, including the ability to impersonate service accounts. This approach eliminates the maintenance and security burden associated with service account keys.

Workload identity pools: A workload identity pool is an entity that lets you manage external identities. You will review and have the option to customize this parameter when setting up these credentials.

Workload identity pool providers: A workload identity pool provider is the entity that describes the relationship between Google Cloud and your identity provider (IdP).

Workload identity federation follows the OAuth 2.0 token exchange specification (https://tools.ietf.org/html/rfc8693). You provide a credential from your IdP to the Security Token Service (https://cloud.google.com/iam/docs/reference/sts/rest), which verifies the identity on the credential, and then returns a federated token in exchange.

See the following to learn more: Workload identity federation; IAM roles.

Option 1: Configure GCP SA Key Authentication

Complete the following steps to configure GCP SA Key Authentication.

Step A: Set cloud credentials

To set cloud credentials with GCP SA Key Authentication:
1. In the Cloud Credentials section, click GCP SA Key Authentication.
2. Click the Generate Key button. A bash script with commands will be displayed.
3. Click Copy to Clipboard to copy the bash script.
4. Modify the values of the following bash script variables as per your setup: GCP project ID, SA name, SA key file name.
5. Run the bash script on the Google Cloud console. A file called sa-key.json (or whatever the SA key file name's value was) should be generated. This is the GCP service account key file for the next step.
6. Click the Upload Key button and navigate to the GCP service account key (JSON) file on your device. Likewise, you can also copy the contents of the file into the "GCP service account key in JSON format" text box.
7. (Optional) Click the Validate button to verify the service account key file contents.
8. Click Save. Attempting to save will automatically perform a validate. If the save is successful, the Google Cloud Storage (GCS) radio button will be available for Storage Settings. A green checkmark will display with a message confirming the file contents have been saved.

Step B: Set GCP SA key rotation policy

Note: This is available for Litmus Edge Manager version 2.14.0 and later.

Configure the rotation interval, in days, at which the GCP service account key is automatically rotated. If 0 is entered, key rotation is disabled.

Step C: Set storage settings

You can configure the storage settings by using Local storage or Google Cloud Storage (GCS).
- If you select Local, Litmus Edge Manager will use its own local data space to store data. A bucket name is not required.
- If you select Google Cloud Storage (GCS), a bucket name is required, which is the name of a folder in the Google Cloud Storage file system.

To set Google Cloud Storage:
1. Select Google Cloud Storage (GCS).
2. Click the Create Bucket button. A bash script with commands will be displayed.
3. Click Copy to Clipboard to copy the bash script.
4. Modify the values of the following bash script variables as per your setup: GCP project ID, SA name, bucket name.
5. Run the bash script on the Google Cloud console. It will generate a GCS bucket and display the value of the bucket name. The default value for the bucket name is litmus-development-data.
6. Below the Bucket Name field, enter the bucket name from the step above.
7. (Optional) Click the Validate button to verify the bucket name.
8. Click Save. The connection will be validated.

Option 2: GCP Workload Identity Federation (OIDC)

Note: The ability to configure GCP Workload Identity Federation (OIDC) is available for Litmus Edge Manager 2.17.0 and later.

Complete the following steps to configure GCP Workload Identity Federation (OIDC). Learn more about workload identity federation.

To set cloud credentials with GCP Workload Identity Federation:
1. In the Cloud Credentials section, click GCP Workload Identity Federation (OIDC).
2. Configure and review the following parameters:
   - GCP Project ID: refer to your GCP project ID. See Locate the project ID and Creating and managing projects to learn more.
   - GCP Project Number: refer to your GCP project number. See Locate the project ID and Creating and managing projects to learn more.
   - Workload Identity Pool Name: a default value is provided that you can customize.
   - Provider Name: a default value is provided that you can customize.
   - Service Account Name: a default value is provided that you can customize.
   - Edge Device: this value can't be customized. You will need to manually grant IAM roles on the Google Pub/Sub topic connected to this device.
   - Litmus Edge Manager Instance: this value can't be customized.
3. Click Download JWK File.
4. Click Generate Script.
5. Copy and execute the script.
6. Manually grant the following roles on the relevant Google Pub/Sub topic that is connected to the principal edge device (Edge Device parameter). See Access control with IAM to learn more.
   - Pub/Sub Publisher
   - Pub/Sub Subscriber
   - Pub/Sub Viewer
7. Click Validate. If the validation is successful, save the configuration. If the validation fails, review the error details.

For Storage Settings, the only option is Local. Litmus Edge Manager will use its own local data space to store data. Google Cloud Storage is not supported while using GCP Workload Identity Federation credentials.
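Two of the checks described under Option 1, the Validate button's verification of the key file contents (Step A) and the key rotation interval in days (Step B), as an added Python example that is not part of Litmus Edge Manager's own code: it validates the structure of a GCP service account key JSON file and, from the output of `gcloud iam service-accounts keys list --format=json` (the field names keyType, validAfterTime and name are assumed from the IAM ServiceAccountKey resource), lists the user-managed keys that are older than the rotation interval. The sample key file, keys-list output and reference time are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

def validate_sa_key(raw_json: str, expected_project: str) -> list:
    """Return the problems found in a service-account key file; an empty list means it passed."""
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if key.get("project_id") and key["project_id"] != expected_project:
        problems.append(f"project_id {key['project_id']!r} does not match {expected_project!r}")
    if key.get("private_key") and not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded private key block")
    return problems

def keys_due_for_rotation(keys_list_json: str, rotation_days: int, now: datetime) -> list:
    """Given the JSON output of `gcloud iam service-accounts keys list --format=json`, return the
    ids of USER_MANAGED keys older than the rotation interval; 0 means rotation is disabled."""
    if rotation_days == 0:
        return []
    stale = []
    for entry in json.loads(keys_list_json):
        if entry.get("keyType") != "USER_MANAGED":
            continue  # Google-managed keys are rotated by Google, not by this policy
        created = datetime.fromisoformat(entry["validAfterTime"].replace("Z", "+00:00"))
        if now - created > timedelta(days=rotation_days):
            stale.append(entry["name"].rsplit("/", 1)[-1])  # the key id is the last path element
    return stale

# Constructed sample key file: placeholder key material, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "lem-sa@example-project.iam.gserviceaccount.com",
})

# Constructed sample of the keys-list output: one user-managed key and one Google-managed key.
SA_RESOURCE = "projects/example-project/serviceAccounts/lem-sa@example-project.iam.gserviceaccount.com"
SAMPLE_KEYS_LIST = json.dumps([
    {"name": SA_RESOURCE + "/keys/0123abcd", "keyType": "USER_MANAGED", "validAfterTime": "2024-01-15T10:00:00Z"},
    {"name": SA_RESOURCE + "/keys/ffff9999", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-01-01T00:00:00Z"},
])
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time for the sample check
```

With a 90-day interval the sample user-managed key (created mid-January) is reported as due for rotation, while the Google-managed key is ignored because the rotation policy applies only to user-managed keys.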