If you store data in Google Cloud Storage and submit tasks with attachments as
gs: protocol URIs, rather than
https:, we will use the Google Cloud Storage API to fetch your data. For example, instead of sending
https://storage.googleapis.com/bucket/key, you would send
We can either fetch your data using Service Account Impersonation (preferred, more secure) or Cross-project Access.
To access Cloud Storage data in your GCP project, Scale can impersonate a service account within that project, which has permission to access data in Cloud Storage.
To set up Service Account Impersonation:
Add Member, you may need to click "Show Info Panel" in the top right to see this option.
email@example.com the member, and
Service Account Token Creator as the role.
Storage Object Data Reader permissions for the requisite buckets to the newly created service account.
Note that if you enable the GCP integration for your account, we will not attempt to fetch attachments from the default service account (
firstname.lastname@example.org) directly; the policies described in GCP IAM Access will not work.
If Service Account Impersonation is not configured, we will directly fetch attachments from your GCS bucket, using the GCP service account
email@example.com. You can grant access to this service account on a per-object basis with ACLs, or on a per-bucket basis with Cloud IAM.
Please note that this authentication mechanism suffers from the confused deputy problem — a third party that can guess your Cloud Storage URLs will be able to submit tasks with your data.
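One way to check a bucket for this exposure, as an added example that is not Scale's code: it reads a bucket IAM policy in the JSON shape printed by `gsutil iam get gs://BUCKET` and reports bindings that let the shared service account read objects. The `SHARED_SA` value, the function name and the sample policy are constructed placeholders; per-object ACLs and custom roles are not inspected.

```python
import json

# Placeholder: substitute the shared service account address given on this page.
SHARED_SA = "serviceAccount:shared-fetcher@vendor-project.example"

# Predefined roles that include storage.objects.get (not exhaustive; custom
# roles and per-object ACLs are outside what this check inspects).
READ_ROLES = {
    "roles/storage.objectViewer", "roles/storage.legacyObjectReader",
    "roles/storage.legacyObjectOwner", "roles/storage.objectAdmin",
    "roles/storage.admin",
}

def shared_account_grants(policy_json, impersonation_enabled):
    """List bucket-level bindings that let the shared account read objects."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") not in READ_ROLES:
            continue
        if SHARED_SA not in binding.get("members", []):
            continue
        scope = "conditional" if "condition" in binding else "whole bucket"
        if impersonation_enabled:
            # Your own tasks now use the impersonated account, but tasks from
            # accounts without impersonation are still fetched as SHARED_SA.
            status = "stale grant, remove"
        else:
            status = "cross-project access in use"
        findings.append((binding["role"], scope, status))
    return findings

# Constructed sample policy in the JSON shape that `gsutil iam get` prints.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": [SHARED_SA, "serviceAccount:reader@customer-project.example"]},
    {"role": "roles/storage.legacyBucketReader", "members": [SHARED_SA]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:reader@customer-project.example"]},
]})

if __name__ == "__main__":
    for finding in shared_account_grants(SAMPLE_POLICY, impersonation_enabled=True):
        print(finding)
```

A finding reported while impersonation is enabled means the bucket still trusts the shared account, so the confused deputy exposure described above remains until that binding is removed.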