Configure Cloud Settings

manufacturing connect can be configured to store updates, backups, and other data in an external storage location before you begin create a google service account with a google cloud project then, generate and retrieve a gcp service account key ( json ) file for manufacturing connect version 2 17 0 and later, you have two options for setting cloud credentials gcp sa key authentication and gcp workload identity federation (oidc) service account keys and workload identity federation explained review the following descriptions of service account keys and workload identity federation to determine which option is the best for your specific requirements service account keys each google service account is associated with a public/private rsa key pair the service account credentials api uses this internal key pair to create short lived service account credentials, and to sign blobs and json web tokens (jwts) this key pair is known as the google managed key pair in addition, you can create multiple public/private rsa key pairs, known as user managed key pairs , and use the private key to authenticate with google apis this private key is known as a service account key see https //cloud google com/iam/docs/service account creds#key types to learn more workload identity federation workload identity federation allows you to can grant on premises or multi cloud workloads access to google cloud resources without using a service account key you may select to use this option because service account keys are powerful credentials, so they can present a security risk if they are not managed correctly with identity federation, you can use identity and access management (iam) to grant external identities iam roles, including the ability to impersonate service accounts this approach eliminates the maintenance and security burden associated with service account keys workload identity pools a workload identity pool is an entity that lets you manage external identities you will review and have the option to customize this parameter when setting up these credentials workload identity pool providers a workload identity pool provider is the entity that describes the relationship between google cloud and your identity provider (idp) workload identity federation follows the https //tools ietf org/html/rfc8693 specification you provide a credential from your idp to the https //cloud google com/iam/docs/reference/sts/rest , which verifies the identity on the credential, and then returns a federated token in exchange see the following to learn more https //cloud google com/iam/docs/workload identity federation https //cloud google com/iam/docs/overview#roles option 1 configure gcp sa key authentication complete the following steps to configure gcp sa key authentication step a set gcp sa key cloud credentials to set cloud credentials with gcp sa key authentication click the generate key button a bash script with commands will be displayed click copy to clipboard to copy the bash script modify the following bash script's variables value as per your setup gcp project id mc sa name sa key file name run the bash script on google cloud console a file called mc sa key json (or whatever sa key file name 's value was) should be generated this is the gcp service account key file for the next step click the upload key button and navigate to the gcp service account key ( json ) file on your device likewise, you can also copy the file contents of the file into the gcp service account key in json format text box (optional) click the validate button to verify service account key file contents click save attempting to save will automatically perform a validate if the save is successful, the google cloud storage (gcs) radio button will be available for storage settings a green checkmark will display with a message confirming the file contents have been saved step b configure gcp sa key authentication parameters configure the remaining parameters for gcp sa key authentication pub/sub topic note this is available for manufacturing connect version 2 17 0 and later review the pub/sub topic that will be used for provisioning manufacturing connect edge devices you have the option to customize the topic name to your specific requirements gcp sa key rotation policy note this is available for manufacturing connect version 2 14 0 and later configure the rotiation interval, in days, that the gcp service account key is automatically rotated if 0 is entered, key rotation is disabled storage settings you can configure the storage settings by using local storage or google cloud storage (gcs) local is the default selection manufacturing connect will use its own local data space to store data on a google compute engine (gce) persistent disk if there are issues with manufacturing connect, backups and templates for manufacturing connect and manufacturing connect edge may be lost google cloud storage (gcs) stores data in a bucket that you will need to create the bucket is the name of a folder in the google cloud storage file system this selection is more reliable at storing data refer to the following google cloud documentation to learn more https //cloud google com/storage/docs https //cloud google com/vpc service controls/docs/supported products#table storage to set google cloud storage select google cloud storage (gcs) click the create bucket button a bash script with commands will be displayed click copy to clipboard to copy the bash script modify the following bash script's variables value as per your setup gcp project id sa name bucket name run the bash script on the google cloud console it will generate a gcs bucket and display the value of bucket name the default value for bucket name is litmus development mc data below the bucket name field, enter the bucket name from the step above (optional) click the validate button to verify the bucket name click save the connection will be validated option 2 gcp workload identity federation (oidc) note the ability to configure gcp workload identity federation (oidc) is available for manufacturing connect 2 17 0 and later complete the following steps to configure gcp workload identity federation (oidc) learn more about https //cloud google com/iam/docs/workload identity federation step a set workload identity federation cloud credentials to set cloud credentials with gcp workload identity federation in the cloud credentials section, click gcp workload identity federation (oidc) configure and review the following parameters gcp project id refer to your gcp project id see https //support google com/googleapi/answer/7014113?hl=en and https //cloud google com/resource manager/docs/creating managing projects to learn more gcp project number refer to your gcp project number see https //support google com/googleapi/answer/7014113?hl=en and https //cloud google com/resource manager/docs/creating managing projects to learn more workload identity pool name a default value is provided that you can customize provider name a default value is provided that you can customize service account name a default value is provided that you can customize edge device this value can't be customized you will need to manually grant iam roles on the google pub/sub topic connected to this device manufacturing connect instance this value can't be customized click download jwk file click generate script copy and execute the script manually grant the following roles on the relevant google pub/sub topic that is connected to the principle edge device (edge device parameter) see https //cloud google com/pubsub/docs/access control to learn more pubsub publisher pubsub subscriber pubsub viewer click validate if the validation is successful, save the configuration if the validation fails, review the error details step b customize and review workload identity federation parameters customize and review the remaining parameters for gcp workload identity federation (oidc) pub/sub topic review the pub/sub topic that will be used for provisioning manufacturing connect edge devices you have the option to customize the topic name to your specific requirements storage settings for storage settings, the only option is local manufacturing connect will use its own local data space to store data google cloud storage is not supported while using gcp workload identity federation credentials