In order to function properly, SFTP Gateway needs permission to access Google Storage. This is accomplished through a Service Account:
- Grant permissions to a Service Account
- Export the Service Account credentials to a JSON key
- Import the JSON key into an SFTP Gateway Cloud Connection
Through the use of the JSON key, SFTP Gateway has the same level of access to Google Storage as the Service Account.
Create a Service Account
First, create a Service Account.
Go to IAM & Admin > Service Accounts > +Create Service Account
There is no need to configure any Roles at this point (permissions will be configured at a later step). Keep accepting the defaults until the Service Account is created.
Configure permissions for your bucket
There are two approaches for assigning permissions to a Service Account.
- You can grant access directly to a Service Account. This approach works well for granting broad access, such as permission to all Google Storage buckets.
- From an individual bucket, you can add the Service Account as a principal. This approach works if you want to limit permissions to a single bucket.
In this section, we will use the latter approach.
First, go to the Cloud Storage bucket.
Click on the Permissions tab.
Click +Add. You will see the following pane open on the right.
Under New Principals, enter the name of a Service Account.
Under Role, select Storage Admin. This grants Storage Admin access to that specific bucket.
Download the credentials (JSON key file)
In this section, you will download credentials in the form of a JSON key.
Navigate to your Service Account by going to: IAM & Admin > Service Accounts > your Service Account.
Go to the Keys tab, and click Add Key > Create New Key.
When prompted, choose JSON as the Key type, and click Create.
Import the JSON key file into SFTP Gateway
Log into the web admin portal of SFTP Gateway.
On the Settings page, you will see a section for Cloud Connections.
Create a Cloud Connection, which defines a connection to a Cloud Storage bucket. Enter the name of your Cloud Storage bucket.
Toward the bottom, you can upload a credential file. This is where you upload the JSON key you created earlier.
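Because the JSON key carries the same access as the Service Account, it is worth confirming before the upload that the account is bound only on the bucket and not at the project level. The following is an added example, not part of SFTP Gateway or the original page; the account name, project and policy contents are constructed, and the policy shape is the JSON printed by `gcloud storage buckets get-iam-policy` and `gcloud projects get-iam-policy` with `--format=json`. It checks direct bindings only, not access inherited through groups.

```python
import json

# Constructed sample data (assumption: not from a real project).
SA = "sftpgw@example-project.iam.gserviceaccount.com"
KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000constructed",
    "private_key": "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n",
    "client_email": SA,
})
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.admin", "members": ["serviceAccount:" + SA]}]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]}]}

REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id",
                       "private_key", "client_email")


def roles_for(policy, member):
    """Return the sorted roles a member holds directly in one IAM policy."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def audit(key_text, bucket_policy, project_policy):
    """Return a list of findings; an empty list means bucket-only access."""
    findings = []
    key = json.loads(key_text)
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        findings.append("key file missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("key file is not a service account key")
    member = "serviceAccount:" + key.get("client_email", "")
    if "roles/storage.admin" not in roles_for(bucket_policy, member):
        findings.append("no Storage Admin binding on the bucket")
    # A project-level storage or basic role reaches every bucket in the project.
    broad = [r for r in roles_for(project_policy, member)
             if r.startswith("roles/storage.") or r in ("roles/owner", "roles/editor")]
    if broad:
        findings.append("project-level roles widen access: " + ", ".join(broad))
    return findings


if __name__ == "__main__":
    print(audit(KEY_JSON, BUCKET_POLICY, PROJECT_POLICY) or "OK: access limited to the bucket")
```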