Configure Cloud Settings
Manufacturing Connect can be configured to store updates, backups, and other data in an external storage location.
Create a Google service account within a Google Cloud project. Then generate and download the GCP service account key (.json) file.
For Manufacturing Connect version 2.17.0 and later, you have two options for setting Cloud Credentials: GCP SA Key Authentication and GCP Workload identity federation (OIDC).
Review the following descriptions of service account keys and workload identity federation to determine which option is the best for your specific requirements.
Each Google service account is associated with a public/private RSA key pair. The Service Account Credentials API uses this internal key pair to create short-lived service account credentials, and to sign blobs and JSON Web Tokens (JWTs). This key pair is known as the Google-managed key pair.
In addition, you can create multiple public/private RSA key pairs, known as user-managed key pairs, and use the private key to authenticate with Google APIs. This private key is known as a service account key.
See Service account keys to learn more.
Workload Identity Federation allows you to grant on-premises or multi-cloud workloads access to Google Cloud resources without using a service account key. You may choose this option because service account keys are powerful, long-lived credentials and can present a security risk if they are not managed correctly.
With identity federation, you can use Identity and Access Management (IAM) to grant external identities IAM roles, including the ability to impersonate service accounts. This approach eliminates the maintenance and security burden associated with service account keys.
A workload identity pool is an entity that lets you manage external identities. You will review and have the option to customize this parameter when setting up these credentials.
A workload identity pool provider is the entity that describes the relationship between Google Cloud and your identity provider (IdP).
Workload identity federation follows the OAuth 2.0 token exchange specification. You provide a credential from your IdP to the Security Token Service, which verifies the identity on the credential, and then returns a federated token in exchange.
See the following to learn more:
Complete the following steps to configure GCP SA Key Authentication.
To set cloud credentials with GCP SA Key Authentication:
- Click the Generate key button. A bash script with commands will be displayed. Click Copy to clipboard to copy the bash script.
- Set the following variables in the bash script to match your setup:
  - GCP_PROJECT_ID
  - MC_SA_NAME
  - SA_KEY_FILE_NAME
- Run the bash script in the Google Cloud console. A file called mc_sa_key.json (or whatever value SA_KEY_FILE_NAME was set to) is generated. This is the GCP service account key file for the next step.
- Click the Upload Key button and navigate to the GCP service account key (.json) file on your device. Alternatively, paste the contents of the file into the GCP service account key in JSON format text box.
- (Optional) Click the Validate button to verify the service account key file contents.
- Click Save. Saving automatically performs a Validate. If the save is successful, the Google Cloud Storage (GCS) radio button becomes available under Storage Settings, and a green checkmark is displayed with a message confirming that the file contents have been saved.
Configure the remaining parameters for GCP SA Key Authentication.
Note: This is available for Manufacturing Connect version 2.17.0 and later.
Review the Pub/Sub topic that will be used for provisioning Manufacturing Connect Edge devices. You have the option to customize the topic name to your specific requirements.
Note: This is available for Manufacturing Connect version 2.14.0 and later.
Configure the rotation interval, in days, after which the GCP Service Account key is automatically rotated. Enter 0 to disable key rotation.
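The script below is an added example, not the script that the Generate key button produces. It shows what such a script does (create the service account, create a user-managed key, protect the key file) and adds a check that mirrors the rotation setting described above, where 0 disables rotation. It uses the page's variable names (GCP_PROJECT_ID, MC_SA_NAME, SA_KEY_FILE_NAME); the default values, the DRY_RUN switch and the helper names (run, key_rotation_due, rotate_old_keys) are assumptions. With the default DRY_RUN=1 it prints the gcloud commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not the script Manufacturing Connect generates): creates the
# Manufacturing Connect service account and a user-managed key, using the same
# variable names the page's script exposes. DRY_RUN=1 (default) prints the gcloud
# commands instead of executing them; run with DRY_RUN=0 ./mc_sa_key.sh run
set -eu

GCP_PROJECT_ID="${GCP_PROJECT_ID:-my-gcp-project}"       # assumption: your project ID
MC_SA_NAME="${MC_SA_NAME:-mc-service-account}"           # assumption: service account short name
SA_KEY_FILE_NAME="${SA_KEY_FILE_NAME:-mc_sa_key.json}"   # default file name from the page
DRY_RUN="${DRY_RUN:-1}"
SA_EMAIL="${MC_SA_NAME}@${GCP_PROJECT_ID}.iam.gserviceaccount.com"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_service_account() {
  run gcloud iam service-accounts create "$MC_SA_NAME" \
    --project="$GCP_PROJECT_ID" --display-name="Manufacturing Connect"
}

create_key() {
  # The private key in this file is the whole credential: keep it owner-readable only.
  run gcloud iam service-accounts keys create "$SA_KEY_FILE_NAME" \
    --iam-account="$SA_EMAIL" --project="$GCP_PROJECT_ID"
  if [ "$DRY_RUN" != 1 ]; then chmod 600 "$SA_KEY_FILE_NAME"; fi
}

# key_rotation_due CREATED_EPOCH NOW_EPOCH INTERVAL_DAYS
# Returns 0 (true) when the key is at least INTERVAL_DAYS old. INTERVAL_DAYS=0
# disables rotation, as the page's setting does, and always returns 1 (false).
key_rotation_due() {
  created=$1; now=$2; interval_days=$3
  [ "$interval_days" -gt 0 ] || return 1
  age=$(( now - created ))
  [ "$age" -ge $(( interval_days * 86400 )) ]
}

# rotate_old_keys INTERVAL_DAYS: deletes user-managed keys older than the interval.
# Create and upload the replacement key first, so Manufacturing Connect is never left
# without a valid key. Uses GNU date (-d), as available in Cloud Shell.
rotate_old_keys() {
  interval_days=$1
  now=$(date +%s)
  gcloud iam service-accounts keys list --iam-account="$SA_EMAIL" \
      --project="$GCP_PROJECT_ID" --managed-by=user \
      --format='value(name.basename(),validAfterTime)' |
  while read -r key_id valid_after; do
    created=$(date -d "$valid_after" +%s)
    if key_rotation_due "$created" "$now" "$interval_days"; then
      run gcloud iam service-accounts keys delete "$key_id" \
        --iam-account="$SA_EMAIL" --project="$GCP_PROJECT_ID" --quiet
    fi
  done
}

main() { create_service_account; create_key; }
if [ "${1:-}" = run ]; then main; fi
```

The rotation helper is deliberately a pure function of three numbers so the 0-disables rule can be checked without touching gcloud; rotate_old_keys only deletes in non-dry-run mode, and only after you have created and uploaded a new key.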
You can configure the storage settings by using local storage or Google Cloud Storage (GCS).
- Local is the default selection. Manufacturing Connect uses its own local data space to store data on a Google Compute Engine (GCE) persistent disk. If there are issues with Manufacturing Connect, backups and templates for Manufacturing Connect and Manufacturing Connect Edge may be lost.
- Google Cloud Storage (GCS) stores data in a bucket that you will need to create. The bucket is the name of a folder in the Google Cloud Storage file system. This option stores data more reliably.
- Refer to the following Google Cloud documentation to learn more:
To set Google Cloud Storage:
- Select Google Cloud Storage (GCS).
- Click the Create bucket button. A bash script with commands will be displayed. Click Copy to clipboard to copy the bash script.
- Set the following variables in the bash script to match your setup:
  - GCP_PROJECT_ID
  - SA_NAME
  - BUCKET_NAME
- Run the bash script in the Google Cloud console. It creates a GCS bucket and displays the value of BUCKET_NAME. The default value for BUCKET_NAME is litmus-development-mc-data.
- Below the Bucket Name field, enter the Bucket Name from the step above.
- (Optional) Click the Validate button to verify the Bucket Name.
- Click Save. The connection will be validated.
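The script below is an added example, not the script that the Create bucket button produces. It creates the bucket and grants the service account access scoped to that bucket rather than to the whole project, and it checks the bucket name against the GCS naming rules before calling gcloud. The variable names GCP_PROJECT_ID, SA_NAME and BUCKET_NAME and the default litmus-development-mc-data come from the page; the other defaults, BUCKET_LOCATION, the DRY_RUN switch and the helper names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the script Manufacturing Connect generates): creates the GCS
# bucket for Manufacturing Connect data and binds the service account at bucket
# scope. DRY_RUN=1 (default) prints the gcloud commands; DRY_RUN=0 ./mc_bucket.sh run
set -eu

GCP_PROJECT_ID="${GCP_PROJECT_ID:-my-gcp-project}"        # assumption: your project ID
SA_NAME="${SA_NAME:-mc-service-account}"                  # assumption: service account short name
BUCKET_NAME="${BUCKET_NAME:-litmus-development-mc-data}"  # default from the page
BUCKET_LOCATION="${BUCKET_LOCATION:-us-central1}"         # assumption: bucket location
DRY_RUN="${DRY_RUN:-1}"
SA_EMAIL="${SA_NAME}@${GCP_PROJECT_ID}.iam.gserviceaccount.com"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# valid_bucket_name NAME: returns 0 when NAME satisfies the GCS naming rules that
# matter here: 3-63 characters, only lowercase letters, digits, dashes, underscores
# and dots, starting and ending with a letter or digit.
valid_bucket_name() {
  name=$1
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 63 ] || return 1
  case $name in
    *[!a-z0-9._-]*) return 1 ;;
  esac
  case $name in
    [a-z0-9]*[a-z0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

create_bucket() {
  valid_bucket_name "$BUCKET_NAME" || { echo "invalid bucket name: $BUCKET_NAME" >&2; return 1; }
  # Uniform bucket-level access disables per-object ACLs, so IAM is the only access path.
  run gcloud storage buckets create "gs://${BUCKET_NAME}" \
    --project="$GCP_PROJECT_ID" --location="$BUCKET_LOCATION" --uniform-bucket-level-access
}

grant_bucket_access() {
  # Bind on the bucket, not the project: the service account gets object access to
  # this one bucket and nothing else in the project.
  run gcloud storage buckets add-iam-policy-binding "gs://${BUCKET_NAME}" \
    --member="serviceAccount:${SA_EMAIL}" --role=roles/storage.objectAdmin
}

main() {
  create_bucket
  grant_bucket_access
  printf 'BUCKET_NAME=%s\n' "$BUCKET_NAME"   # the value to enter in the Bucket Name field
}
if [ "${1:-}" = run ]; then main; fi
```

roles/storage.objectAdmin at bucket scope is enough for Manufacturing Connect to write and read its backups and templates; it does not let the service account create, delete or reconfigure buckets.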
Note: The ability to configure GCP Workload identity federation (OIDC) is available for Manufacturing Connect 2.17.0 and later.
Complete the following steps to configure GCP Workload identity federation (OIDC).
Learn more about Workload Identity Federation.
To set cloud credentials with GCP Workload identity federation:
- In the Cloud Credentials section, click GCP Workload identity federation (OIDC).
- Configure and review the following parameters:
  - GCP Project ID: Refer to your GCP Project ID. See Locate the Project ID and Creating and managing projects to learn more.
  - GCP Project Number: Refer to your GCP Project Number. See Locate the Project ID and Creating and managing projects to learn more.
  - Workload Identity Pool Name: A default value is provided that you can customize.
  - Provider Name: A default value is provided that you can customize.
  - Service Account Name: A default value is provided that you can customize.
  - Edge Device: This value can't be customized. You will need to manually grant IAM roles on the Google Pub/Sub topic connected to this device.
  - Manufacturing Connect instance: This value can't be customized.
- Click Download JWK file.
- Click Generate script.
- Copy and execute the script.
- Manually grant the following roles on the relevant Google Pub/Sub topic connected to the principal Edge device (Edge Device parameter). See Access Control with IAM to learn more.
  - PubSub Publisher
  - PubSub Subscriber
  - PubSub Viewer
- Click Validate.
- If the validation is successful, save the configuration. If the validation fails, review the error details.
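The script below is an added example, not the script that the Generate script button produces. It shows the pieces such a setup consists of: a workload identity pool, an OIDC provider whose trust is pinned to the downloaded JWK file, an impersonation binding limited to the Manufacturing Connect instance identity, and the three Pub/Sub roles listed above granted on the topic to the Edge device identity. Everything beyond the page's parameter names is an assumption: the default values, the issuer URI, the two subject values, the topic name, the DRY_RUN switch and the helper names (run, wif_principal); in particular, the example assumes both the instance and the Edge device are subjects in the same pool.

```shell
#!/usr/bin/env bash
# Added example (not the script Manufacturing Connect generates): workload identity
# pool, OIDC provider trusting the exported JWK set, impersonation binding for the
# MC instance, and Pub/Sub roles for the Edge device. DRY_RUN=1 (default) prints
# the gcloud commands; DRY_RUN=0 ./mc_wif.sh run executes them.
set -eu

GCP_PROJECT_ID="${GCP_PROJECT_ID:-my-gcp-project}"              # assumption
GCP_PROJECT_NUMBER="${GCP_PROJECT_NUMBER:-123456789012}"         # assumption (placeholder number)
POOL_NAME="${POOL_NAME:-mc-pool}"                                # assumption: Workload Identity Pool Name
PROVIDER_NAME="${PROVIDER_NAME:-mc-provider}"                    # assumption: Provider Name
SA_NAME="${SA_NAME:-mc-service-account}"                         # assumption: Service Account Name
ISSUER_URI="${ISSUER_URI:-https://mc.example.com}"               # assumption: issuer of MC's tokens
JWK_FILE="${JWK_FILE:-mc-jwks.json}"                             # the file from "Download JWK file"
MC_INSTANCE_SUBJECT="${MC_INSTANCE_SUBJECT:-mc-instance}"        # assumption: Manufacturing Connect instance value
EDGE_DEVICE_SUBJECT="${EDGE_DEVICE_SUBJECT:-mc-edge-device}"     # assumption: Edge Device value
PUBSUB_TOPIC="${PUBSUB_TOPIC:-mc-edge-provisioning}"             # assumption: provisioning topic
DRY_RUN="${DRY_RUN:-1}"
SA_EMAIL="${SA_NAME}@${GCP_PROJECT_ID}.iam.gserviceaccount.com"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# wif_principal SUBJECT: IAM principal identifier for one external identity in the
# pool. Note that the project number, not the project ID, goes in this path.
wif_principal() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/%s\n' \
    "$GCP_PROJECT_NUMBER" "$POOL_NAME" "$1"
}

create_pool_and_provider() {
  run gcloud iam workload-identity-pools create "$POOL_NAME" \
    --project="$GCP_PROJECT_ID" --location=global --display-name="Manufacturing Connect"
  # The provider verifies token signatures against the JWK set exported from MC,
  # so no key other than MC's can mint accepted tokens; 'sub' becomes the IAM subject.
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_NAME" \
    --project="$GCP_PROJECT_ID" --location=global --workload-identity-pool="$POOL_NAME" \
    --issuer-uri="$ISSUER_URI" --jwk-json-path="$JWK_FILE" \
    --attribute-mapping="google.subject=assertion.sub"
}

# Only the MC instance subject may impersonate the service account. The Edge
# device subject gets Pub/Sub roles directly on the topic and no impersonation right.
allow_impersonation() {
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$GCP_PROJECT_ID" --role=roles/iam.workloadIdentityUser \
    --member="$(wif_principal "$MC_INSTANCE_SUBJECT")"
}

grant_pubsub_roles() {
  member=$(wif_principal "$EDGE_DEVICE_SUBJECT")
  for role in roles/pubsub.publisher roles/pubsub.subscriber roles/pubsub.viewer; do
    run gcloud pubsub topics add-iam-policy-binding "$PUBSUB_TOPIC" \
      --project="$GCP_PROJECT_ID" --member="$member" --role="$role"
  done
}

main() { create_pool_and_provider; allow_impersonation; grant_pubsub_roles; }
if [ "${1:-}" = run ]; then main; fi
```

Granting the Pub/Sub roles on the topic rather than on the project keeps the Edge device identity confined to the one topic it provisions through, which is the least-privilege shape the manual step above asks for.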
Customize and review the remaining parameters for GCP Workload identity federation (OIDC).
Review the Pub/Sub topic that will be used for provisioning Manufacturing Connect Edge devices. You have the option to customize the topic name to your specific requirements.
For storage settings, the only option is Local. Manufacturing Connect will use its own local data space to store data. Google Cloud Storage is not supported while using GCP Workload identity federation credentials.