Everyone registered on Terra has a unique proxy group, displayed on the user profile page, that allows Terra's backend to act on their behalf at the API level. This proxy group contains a user's login identity and any service accounts Terra may make on their behalf. For example, you can use your proxy group to run a notebook (in the UI) on data in an external bucket (external to Terra): you work in the UI and Terra accesses the bucket behind the scenes.
This article walks through how to set up your Terra proxy group to allow Terra to access shared resources external to the Terra platform.
How to find your Terra proxy group
To manage access permissions for external resources, such as project data stored in a shared, non-public external bucket (i.e. not a workspace bucket), you may use a proxy group, a list that holds service accounts for one or more users. To find your proxy group address, go to the profile section under your name in the Terra UI:
You'll see your proxy group listed near the bottom:
An important use for the proxy group ID is to set up access to an external Google bucket using Access Control Lists (ACLs). An ACL allows you to be very specific when managing access to buckets (and to individual objects within buckets). Note that this method can work in tandem with Cloud Identity and Access Management (Cloud IAM).
How to set up an Access Control List (ACL)
- Go to the Google storage browser and find the bucket to which you're granting access.
- Select the object to share by clicking the three dots to the right of that object, then click "Edit permissions".
- Click "add" to create a new field, put in your proxy group ID, and select the appropriate entity and access level.
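
After the steps above, it is worth confirming that the object's ACL grants the proxy group exactly the access level you intended and nothing broader. The following is an added example, not part of the original article or of Terra's own tooling: it audits ACL entries in the entity/role JSON shape that `gsutil acl get` prints. The sample ACL, the proxy group address and the function name are constructed placeholders, and it assumes the proxy group was added with the "group" entity type.

```python
import json

# Constructed sample in the entity/role shape that `gsutil acl get gs://BUCKET/OBJECT`
# prints. The proxy group address and project number are placeholders.
SAMPLE_ACL = json.loads("""
[
  {"entity": "project-owners-000000000000", "role": "OWNER"},
  {"entity": "group-PROXY_000000000000@example.org",
   "email": "PROXY_000000000000@example.org", "role": "OWNER"},
  {"entity": "allUsers", "role": "READER"}
]
""")

PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}
ROLE_RANK = {"READER": 1, "WRITER": 2, "OWNER": 3}


def audit_acl(acl, proxy_group, wanted_role="READER"):
    """Return findings for one ACL: public grants, and a proxy-group grant
    that is missing or does not match the role you meant to give."""
    findings = []
    # Assumption: the proxy group was added with the "group" entity type.
    proxy_entity = f"group-{proxy_group}".lower()
    granted = None
    for entry in acl:
        entity, role = entry["entity"], entry["role"]
        if entity in PUBLIC_ENTITIES:
            findings.append(f"public grant: {entity} has {role}")
        elif entity.lower() == proxy_entity:
            granted = role
    if granted is None:
        findings.append(f"proxy group {proxy_group} has no grant")
    elif ROLE_RANK[granted] > ROLE_RANK[wanted_role]:
        findings.append(f"proxy group has {granted}, more than {wanted_role}")
    elif ROLE_RANK[granted] < ROLE_RANK[wanted_role]:
        findings.append(f"proxy group has {granted}, less than {wanted_role}")
    return findings


if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL, "PROXY_000000000000@example.org"):
        print(finding)
```

An empty result means the proxy group holds the intended role and the ACL has no public entries.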