Getting started

The plugin uses the Google Cloud Storage JSON API (v1) to connect to the Storage service. If you are using Google Cloud Storage for the first time, you must first connect to the Google Cloud Platform Console and create a new project. Once your project is created, you must enable the Cloud Storage Service for your project.

Creating a Bucket

The Google Cloud Storage service uses buckets as containers for all data. Buckets are usually created using the Google Cloud Platform Console. The plugin will not automatically create buckets.

To create a new bucket:

  1. Connect to the Google Cloud Platform Console
  2. Select your project
  3. Go to the Storage Browser
  4. Click the "Create Bucket" button
  5. Enter the name of the new bucket
  6. Select a storage class
  7. Select a location
  8. Click the "Create" button

The bucket should now be created.

Service Authentication

The plugin supports two authentication modes:

Using Compute Engine

When running on Compute Engine, the plugin uses Google’s built-in authentication mechanism to authenticate to the Storage service. Compute Engine virtual machines are usually associated with a default service account. This service account can be found in the VM instance details in the Compute Engine console.

This is the default authentication mode and requires no configuration.

The Compute Engine VM must be allowed to use the Storage service. This can be done only at VM creation time, when "Storage" access can be set to "Read/Write" permission. Check the "Cloud API access scopes" section of your instance details.

Using a Service Account

If your Elasticsearch node is not running on Compute Engine, or if you don’t want to use Google’s built-in authentication mechanism, you can authenticate to the Storage service using a Service Account file.

To create a service account file:

  1. Connect to the Google Cloud Platform Console
  2. Select your project
  3. Go to the Permission tab
  4. Select the Service Accounts tab
  5. Click on "Create service account"
  6. Once created, select the new service account and download a JSON key file

A service account file looks like this:

{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "...",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com",
  "client_id": "...",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "..."
}

This file must be stored in the Elasticsearch keystore, under a setting name of the form gcs.client.NAME.credentials_file, where NAME is the name of the client configuration. The default client name is default, but a different client name can be specified in the repository settings using the client setting.

For example, if specifying the credentials file in the keystore under gcs.client.my_alternate_client.credentials_file, you can configure a repository to use these credentials like this:

PUT _snapshot/my_gcs_repository
{
  "type": "gcs",
  "settings": {
    "bucket": "my_bucket",
    "client": "my_alternate_client"
  }
}
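
Before a downloaded key file is added to the keystore, it is worth checking that it really is a service account key and that it has not been left readable by other local users. The script below is an added example, not part of the plugin or its documentation; the function names, the list of required fields and the permission rule (no group or other access, POSIX only) are assumptions made for this illustration.

```python
import json
import tempfile
from pathlib import Path

# Fields this check expects; all of them appear in the sample file above.
REQUIRED = ("project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")

def check_key_file(path):
    """Return a list of problems found in a service account key file."""
    path, problems = Path(path), []
    if path.stat().st_mode & 0o077:  # any group/other permission bit set
        problems.append("file is accessible to group or other users")
    try:
        key = json.loads(path.read_text(encoding="utf-8"))
    except ValueError as exc:
        return problems + ["not valid JSON: %s" % exc]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    for field in REQUIRED:
        if not key.get(field):
            problems.append("missing or empty field: " + field)
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    pem = key.get("private_key") or ""
    if pem and not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems

def demo():
    """Check two constructed key files (placeholder values, not real keys)."""
    good = {"type": "service_account", "project_id": "your-project-id",
            "private_key_id": "constructed", "client_id": "constructed",
            "private_key": "-----BEGIN PRIVATE KEY-----\nconstructed\n",
            "client_email": "repo@your-project-id.iam.gserviceaccount.com",
            "token_uri": "https://accounts.google.com/o/oauth2/token"}
    bad = dict(good, type="authorized_user", private_key="")
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "key.json"
        for doc, mode in ((good, 0o600), (bad, 0o644)):
            path.write_text(json.dumps(doc), encoding="utf-8")
            path.chmod(mode)
            results.append(check_key_file(path))
    return results

if __name__ == "__main__":
    for found in demo():
        print(found or "no problems found")
```

A file that passes can then be added with bin/elasticsearch-keystore add-file gcs.client.NAME.credentials_file followed by the path to the key file.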

Set Bucket Permission

The service account used to access the bucket must have "Writer" access to the bucket:

  1. Connect to the Google Cloud Platform Console
  2. Select your project
  3. Go to the Storage Browser
  4. Select the bucket and "Edit bucket permission"
  5. The service account must be configured as a "User" with "Writer" access