With the Google® Cloud Storage connector, you can use commands in a chain to manage files and folders in Google Cloud Storage buckets.
Note: This connector is built by Workiva and connects to a third-party system. While our Support team can help configure this connector within your workspace, we are unable to troubleshoot or otherwise assist with any issues that originate outside of the Workiva platform.
Prerequisites
To enable the connection, the connector uses the Google Cloud Storage JSON API. To set up the connector, you'll need:
- A dedicated Google Cloud application for the connector
- The default Google Cloud Storage bucket to interact with
To secure the connection, the application can use OAuth consent or Application Default Credentials (ADC) for authentication. Depending on the authentication method, you'll also need:
- If OAuth consent, the application's client ID and secret
- If ADC with a CloudRunner, a dedicated service account for the application and its
application_default_credentials.json
credentials fileNote: If ADC with a GroundRunner on Google Compute Engine, Google Kubernetes Engine (GKE), App Engine, Cloud Run, or Cloud Functions, the connector can authenticate via the app's default service account.
Note: To make the connector available for use in your organization's chains, an org security administrator first enables it from Configuration.
Create a Google Cloud application
To set up the connector, first create a dedicated Google Cloud application for the connector. To connect to its application, the connector uses Google Cloud ADC or OAuth consent.
Step 1. Select or create a project
In the Google Cloud Platform (GCP) console, select or create a project to use with the connector. To create a project:
- In the toolbar, click Select a project or the current project's name, and then click New Project.
- In Project name, enter a unique name to help identify the integration.
- In Location, select your organization so others can use the project.
- Click Create.
Step 2. Enable service access
- From APIs & Services, select Library.
- Search for and select Cloud Storage, and click Enable.
Step 3. Create or retrieve the app's authentication credentials
To authenticate the application, create and retrieve its credentials for Google Cloud ADC or OAuth consent.
Google Cloud application default credentials (ADC)
If the application runs on a Google Cloud environment such as Compute Engine, Kubernetes Engine, App Engine, Cloud Run, or Cloud Functions, you can use its default service account for authentication. Otherwise, create a service account and download its credentials file for authentication:
- In the Google Cloud Platform (GCP) console, open Create service account key.
- In Service account, select New service account.
- Enter a unique name to help identify the service account.
- In Role, select Cloud Storage, Storage Object Admin.
- Under Key type, select JSON.
- Click Create. The service account's
application_default_credentials.json
file downloads. When you set up the connector, you'll upload this file as a resource.
OAuth consent
To authenticate the application using OAuth consent:
- From APIs & Services, select OAuth consent screen.
- On the OAuth consent screen tab, select Internal, and click Create.
- Under App information, enter the application's name and user support email address to help identify the app when authenticating the connector.
- Under App domain, add an authorized domain of
wdesk.com
.
- Under Developer contact information, enter the email address Google should send any updates regarding the project, and click Save and Continue.
- Under Scopes and Optional info, click Save and Continue without adding any scopes or optional information.
Note: No scopes or optional information are required for an application with internal users.
- Under Summary, review and edit the OAuth consent screen details as necessary, and click Back to Dashboard.
- On the Credentials tab, click Create credentials, and select OAuth client ID.
- Under Application type, select Web application.
- Enter a unique name to help identify the OAuth credentials.
- Under Authorized JavaScript origins:
- In North America, add
https://h.app.wdesk.com
. - In the European Union, add
https://h.eu.wdesk.com
.
- In North America, add
- Under Authorized redirect URIs:
- In North America, add
https://h.app.wdesk.com/s/wdata/oc/app/oauth/callback
. - In the European Union, add
https://h.eu.wdesk.com/s/wdata/oc/app/oauth/callback
.
- In North America, add
- Click Create, and note the client ID and secret.
Set up the Google Cloud Storage connector with application default credentials
- From Chain Builder, click Connections , and then Create at the top right.
- Under BizApp Connection, select Google Cloud Storage and the runner to use with the connector.
- Under Basic Info, enter a unique name and description to help identify the connector.
- In Authentication Type, select Standard.
- To authenticate with the application's credentials file:
- Under Resources, upload the credentials file for the connector's Google web application.
- Under Authentication, enter the name of the credentials file, such as
application_default_credentials.json
.
Note: To authenticate using a default service account, leave Resources and Authentication blank.
- Under Properties, enter the default Cloud Storage bucket to use with the connector if not specified by a command.
- Select the environments to use with the connection, and click Save.
- To test the connection, create and run a chain with the connector's List Objects command, and verify it returns a valid output.
Set up the Google Cloud Storage connector with OAuth consent
- From Chain Builder, click Connections , and then Create at the top right.
- Under BizApp Connection, select Google Cloud Storage and the default CloudRunner.
- Under Basic Info, enter a unique name and description to help identify the connector.
- In Authentication Type, select OAuth 2.0.
- Under OAuth, enter the client ID and secret for the connector's Google web application.
Note: All sensitive credentials are automatically encrypted and stored at Advanced Encryption Standard (AES)-256 encryption.
- Click Connect, and authorize the connector's access to your Google account.
Note: To ensure Google can authorize the connector's access, enable browser pop-ups.
- Under Properties, enter the default Cloud Storage bucket to use with the connector if not specified by a command.
- Select the environments to use with the connection, and click Save.
- To test the connection, create and run a chain with the connector's List Objects command, and verify it returns a valid output.
Troubleshooting
If the connection to Google Cloud Storage fails:
- Verify the Google web application's credentials file or OAuth credentials.
- Verify the application's authorized Javascript origin:
- In North America, add
https://h.app.wdesk.com
. - In the European Union, add
https://h.eu.wdesk.com
.
- In North America, add
- Ensure the application's redirect URI:
-
- In North America, add
https://h.app.wdesk.com/s/wdata/oc/app/oauth/callback
. - In the European Union, add
https://h.eu.wdesk.com/s/wdata/oc/app/oauth/callback
.
- In North America, add
-
- Verify the web application has access to the Google Cloud Storage API enabled.