How to access external Google Cloud resources

Lin Betancourt

Read on for step-by-step instructions on using Terra's back-end infrastructure to access external buckets, Google Cloud virtual machines (VMs), machine-learning tools, and more. Use human-friendly IDs (Terra-managed groups) instead of random strings of numbers and letters to represent users.

If you are looking for a conceptual explanation of best practices for accessing external resources, see Overview: Accessing external Google Cloud resources.

1. Set up a human-friendly group (four steps)

Groups for individual access

Always use Terra groups for accessing external resources, even for one user! A Terra group with a logical name is much easier to manage than a random string of numbers and letters.

Groups for team access

Managed groups are the best way to share resources (workspaces and billing as well as external resources) with, for example, everyone in a lab. Create a Terra user group with a human-friendly name that includes the team members and collaborators who need access to Google Cloud resources (e.g., external buckets).

Step-by-step instructions

1.1. Go to your Groups page (Main menu --> Groups from the top left of any page in Terra)

Screenshot of Terra landing page with an arrow and number 1 pointing to the main menu at the top left and Groups in the Profile section circled with a number 2 beside it.


1.2. In the Create a New Group card, click on the blue + icon.
Screenshot of the groups page with an arrow pointing to the plus icon in the Create Terra Group card at the top left.

1.3. Enter a name for your group of one and click the Create Group button.

Example: individual group name j_doe_at_someplace_org
Screenshot of the Create new group popup with the name j_doe_at_someplace_org in the Enter a unique name field

1.4. For team groups, add individuals (Terra user IDs) in the collaborator group as members by first clicking on the group name, then clicking on Add User.

Example team group: my_lab_at_someplace_org
Screenshot of group management page

2. Grant permissions to the Terra Group

Before you start: Only resource owners or admins can grant access. If what you see on the console does not look like the screenshots, it is most likely because you do not have the right permissions for the Google bucket or other resources.

What to do
Ask the resource owner or admin to use this step-by-step guide to grant permission to your Terra group.

Step-by-step instructions

2.1. From the Google Cloud console, select the resource to be shared (e.g., a particular bucket in https://console.cloud.google.com/storage/browser).
Screenshot of storage browser on GCP console with the bucket 'external-bucket' circled.

2.2. Go to Permissions.
Screenshot of permissions tab in the bucket details page for external-bucket on GCP console

2.3. View by Members and select the Add icon.
Screenshot of the View by members tab of the external-bucket permissions page on GCP console with an arrow pointing to the add people icon.

2.4. Add the full name of your individual or team group (e.g., j_doe_at_someplace_org@firecloud.org or my_lab_at_someplace_org@firecloud.org) as a New Member.

2.5. Select the resource type (left column) and the appropriate roles (right column) from the menu.

Screenshot of Select roles options in the Add members popup with Cloud storage circled in the first column and Storage object viewer and storage object creator circled in the right column

"Storage Object Viewer" allows you to read from the bucket

"Storage Object Creator" allows you to write to the bucket

What to expect

You will see your Terra group and role in the Members tab.
Screenshot of the permissions page for external-bucket on GCP console with member J_does_at_someplace_org circled
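
The grant from steps 2.4 and 2.5, expressed on the bucket's IAM policy as an added example (not part of the original article or Terra's own code): it adds a Terra group to the chosen roles, then checks the result for public members or Terra groups holding more than the two roles listed above. The sample policy, the group names and the helper function names are constructed, and the policy is assumed to be the JSON form (a list of role bindings) that `gcloud storage buckets get-iam-policy` returns.

```python
import copy

# Roles named in step 2.5, by their IAM identifiers.
READ_ROLE = "roles/storage.objectViewer"    # "Storage Object Viewer"
WRITE_ROLE = "roles/storage.objectCreator"  # "Storage Object Creator"

def group_member(group_name, domain="firecloud.org"):
    """IAM member string for a Terra group (step 2.4 uses <name>@firecloud.org)."""
    return f"group:{group_name}@{domain}"

def grant(policy, member, roles):
    """Return a copy of the policy with `member` bound to each role (idempotent)."""
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for role in roles:
        # Conditional bindings are separate entries; only extend unconditional ones.
        binding = next((b for b in bindings
                        if b["role"] == role and "condition" not in b), None)
        if binding is None:
            binding = {"role": role, "members": []}
            bindings.append(binding)
        if member not in binding["members"]:
            binding["members"].append(member)
    return new

def audit(policy, allowed_roles=(READ_ROLE, WRITE_ROLE)):
    """Flag public members and Terra groups holding roles beyond viewer/creator."""
    findings = []
    for b in policy.get("bindings", []):
        for m in b["members"]:
            if m in ("allUsers", "allAuthenticatedUsers"):
                findings.append((m, b["role"], "bucket is readable beyond the group"))
            elif m.endswith("@firecloud.org") and b["role"] not in allowed_roles:
                findings.append((m, b["role"], "broader than viewer/creator"))
    return findings

# Constructed sample policy for a bucket like 'external-bucket'.
SAMPLE = {
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["user:owner@someplace.org",
                     "group:old_lab_at_someplace_org@firecloud.org"]},
        {"role": READ_ROLE, "members": ["allUsers"]},
    ],
    "etag": "CAE=",
}

if __name__ == "__main__":
    updated = grant(SAMPLE, group_member("my_lab_at_someplace_org"), [READ_ROLE])
    for finding in audit(updated):
        print(finding)
```
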

 
