By default, GCS authentication uses role-based access. You create a service account in your own GCP project that holds the read permissions described below. Our service account is then granted permission to impersonate yours using short-lived tokens. No private key is shared, and you can revoke access at any time through your IAM settings.

Step 1: create a service account

1. Open the Service Accounts menu

In the GCP console, in the same project as your bucket, navigate to the IAM & Admin menu, open the Service Accounts tab, and click Create service account.

2. Name the service account

Give the service account a descriptive name and click Create and Continue. Click Continue and Done through the remaining optional steps without assigning any roles.

3. Note the email

Open the service account in the list and make a note of its email, which looks like service-account-name@project-id.iam.gserviceaccount.com. You will provide this email in Step 5.

Step 2: grant read access to the bucket

1. Open the bucket permissions

Navigate to the Cloud Storage page, click the bucket you want to read from, select the Permissions tab, and click Grant access.

2. Grant the read roles

Add the service account you created in Step 1 as a principal and assign both the Storage Legacy Bucket Reader and Storage Legacy Object Reader roles, then click Save. Together these grant the storage.buckets.get, storage.objects.list, and storage.objects.get permissions used to read your data.
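
To confirm that the grant from Step 2 is exactly what you intended, you can audit the bucket's IAM policy offline. The following is an added example, not part of the original instructions: it assumes the policy was exported as JSON (for example with `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`), uses the role IDs behind the two role names above, and runs against a constructed sample policy with a hypothetical service account email.

```python
import json

# Role IDs of the two roles named in Step 2.
EXPECTED_ROLES = {
    "roles/storage.legacyBucketReader",
    "roles/storage.legacyObjectReader",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_bucket_policy(policy: dict, sa_email: str) -> list[str]:
    """Return findings for a bucket IAM policy; an empty list means it matches Step 2."""
    member = f"serviceAccount:{sa_email}"
    granted, findings = set(), []
    for binding in policy.get("bindings", []):
        role, members = binding["role"], set(binding.get("members", []))
        # Public principals on the bucket are reported regardless of role.
        for public in sorted(members & PUBLIC_MEMBERS):
            findings.append(f"public principal {public} holds {role}")
        if member in members:
            granted.add(role)
    for role in sorted(EXPECTED_ROLES - granted):
        findings.append(f"missing {role}")
    for role in sorted(granted - EXPECTED_ROLES):
        findings.append(f"extra role {role} is not required by Step 2")
    return findings


# Constructed sample: the reader account (hypothetical email) was given
# Storage Object Admin, and the second read role was never added.
SAMPLE_SA = "reader@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.legacyBucketReader",
     "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "CAE="
}
""")

if __name__ == "__main__":
    for finding in audit_bucket_policy(SAMPLE_POLICY, SAMPLE_SA):
        print(finding)
```

An empty result means the service account holds both read roles on the bucket and nothing else, and no public principal appears in the policy.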

Step 3: authorize authentication

Choose the authentication method that fits your security policy.

Step 4: find your bucket region

Navigate to the Cloud Storage page, click the bucket you want to read from, and make a note of its Location, such as us or us-central1. You will provide this value as the region in Step 5.

Step 5: submit your connection details

Provide the following details to complete the source setup:
  1. A descriptive name for the source.
  2. The name of the bucket you want to read from.
  3. The region (the bucket location) from Step 4.
  4. The authentication credentials from Step 3:
    • If using impersonation: the service account email from Step 1.
    • If using HMAC keys: the access key and the secret.
    • If using a service account key: the service account email from Step 1 and the JSON key you downloaded.