This article explains a bit of the "under the hood" workings that enable you to interact with GCP Storage and GCP Compute without directly interfacing with the Google Cloud Platform console. Most users don't need this level of detail for working in Terra, but if you need to grant access to data that is on Google Cloud but outside of a Terra workspace, read on...
- Overview: How Terra interfaces with GCP
- "Service (aka "pet") accounts
- Proxy Groups
- Best Practices - Use a human-friendly Terra group in lieu of proxies
- Create an easy to manage Terra group in four steps
- Pro-tip: Granting permission to groups of Terra users
- Additional Resources
Overview: How Terra interfaces with GCP
In order to maintain the high security required for working with controlled-access data in the cloud, Terra creates and uses additional Google accounts (specific to you). Terra also puts all of these "pet service accounts" into a convenience Google Group (specific to you) called a "Proxy Group.
Service accounts (aka "pet" service accounts)
In addition to the user account you have registered with Terra, you also have one or more service accounts that Terra creates for you. A service account is a special type of Google account that lets Terra act directly with GCP on your behalf - so your workflows and notebooks can access your data in Google Cloud.
Your pet service account has the format:
To manage these accounts and simplify access control, everyone registered in Terra has a unique group, called a "proxy group" that contains your registered user account and your service accounts. Your proxy group includes everything needed to grant access to cloud resources outside of Terra (such as a GCS bucket or BigQuery dataset) inside GCP console.
Your Proxy group has the format:
Find your Proxy group
You'll see your proxy group listed near the bottom:
Best Practices: Use a Terra group
While it's necessary for accessing resources that exist outside of Terra, the pre-defined
If you're looking at a list of users with access to an external GCS bucket, seeing that
Instead, you can create a Terra group (with a sensible name) as a proxy for your proxy.
Note that this approach extends to when you actually do want to make grants to groups of
Create your personal Terra group in four steps
- Go to your Groups page ("Main menu" --> "Groups" from the top left of any page in Terra)
- In the "Create a New Group" card, click on the blue "+" icon
- Enter your human-friendly user-ID (can be the same as your Terra login) and click the "Create Group" button
Terra creates a mirrored Google group that includes your Proxy (which already includes your user ID). When you (or the owner/admin) grant access on a GCP resource to the <terra-group>@firecloud.org group, both your end-user credentials and your pet service accounts have access to the GCP resource.
- To access external resources, owners can now grant permission to your Terra group (i.e. email@example.com) in GCP console
Using "firstname.lastname@example.org," makes it easier to see who has access permissions!
You can extend this to groups of Terra users, by first setting up a group for each person's
Then create a managed group (i.e.
To give permission to everyone in the group, you would grant access to
Want to learn more about how to access advanced GCP features (things not yet available
See this article.