Configure VPC-SC Perimeter
Note
This feature may not be available in all product editions. For more information on available features, see Compare Editions.
Dataprep by Trifacta can be configured to work within your Virtual Private Cloud Service Controls (VPC SC) perimeter.
A VPC SC perimeter provides a security boundary that limits the set of Google APIs that are permitted to be executed within it. For example, policies in the perimeter can be configured to prevent reading from Cloud Storage and writing to a publicly available BigQuery table. You can think of VPC SC as a firewall for Google APIs and, therefore, for the services behind them.
A VPC SC defines the services that a user is permitted to use within an application. Associated with each service is a set of Access levels.
Note
A VPC SC can be used to define a wide range of access controls over Google products and services. Depending on how your perimeter is defined, some aspects of Dataprep by Trifacta or the Google Console can appear to be broken.
For more information:
Prerequisites
Dataprep by Trifacta must be enabled in a project, and the product must be set up and working.
Enabling this integration requires a GCP account with the following roles:
Role: Access Context Manager
Role: Security Admin
Note
You must have these two roles in your account with View and Edit privileges. These roles are not typically assigned to a project owner. If you do not have these roles, parts of the Google Console may appear broken.
Check Permissions
You can use the following steps to verify if your account has the correct permissions.
Steps:
Select Left nav menu > Security > VPC Service Controls.
If it is not already selected, select the appropriate VPC SC from the drop-down.
You should see one or more perimeters in the list.
If you receive an error message, you may need to get the listed roles or permissions assigned to your account. You cannot proceed further until your account has these permissions. For more information, please contact your Google Cloud administrator.
Find Applicable Perimeter
Unfortunately, there is no easy way to see the projects that a perimeter protects.
Tip
Hopefully, the names of your organization's VPC SC perimeters indicate the project or projects that they protect.
Steps:
Select a project.
Check the entries under Projects to protect.
If your project is listed, then the selected perimeter is the one to review and modify.
If you cannot find your project under any perimeter, you may have to create a new one.
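An added example, not part of the original documentation: one way to answer "which perimeter protects my project" from Cloud Shell is to export the perimeters with `gcloud access-context-manager perimeters list --policy=<policyNumber> --format=json` and filter the result by project number. The sample JSON, the project numbers, and the function names below are constructed for illustration.

```python
import json

# Constructed sample of the JSON perimeter list (not real data).
SAMPLE = """
[
  {"name": "accessPolicies/111111/servicePerimeters/analytics_prod",
   "title": "analytics-prod",
   "status": {"resources": ["projects/1234567890", "projects/222"],
              "restrictedServices": ["storage.googleapis.com", "bigquery.googleapis.com"],
              "accessLevels": ["accessPolicies/111111/accessLevels/corp_net"]}},
  {"name": "accessPolicies/111111/servicePerimeters/sandbox",
   "title": "sandbox",
   "status": {"resources": ["projects/333"]},
   "spec": {"resources": ["projects/333", "projects/1234567890"]},
   "useExplicitDryRunSpec": true}
]
"""

def perimeters_for_project(perimeters, project_number):
    """Return (title, mode, access_levels) for each perimeter listing the project.

    Perimeters reference projects by number ("projects/<number>"), not by ID.
    "enforced" means the project is in `status`; "dry-run" means it is in `spec`.
    """
    target = f"projects/{project_number}"
    hits = []
    for p in perimeters:
        for mode, key in (("enforced", "status"), ("dry-run", "spec")):
            cfg = p.get(key) or {}
            if target in cfg.get("resources", []):
                levels = [lvl.rsplit("/", 1)[-1] for lvl in cfg.get("accessLevels", [])]
                hits.append((p.get("title", p["name"]), mode, levels))
    return hits

def has_access_level(perimeters, project_number, level_name):
    """True if an enforced perimeter protecting the project already has the level."""
    return any(mode == "enforced" and level_name in levels
               for _, mode, levels in perimeters_for_project(perimeters, project_number))

if __name__ == "__main__":
    for title, mode, levels in perimeters_for_project(json.loads(SAMPLE), "1234567890"):
        print(f"{title}: {mode}, access levels: {levels or 'none'}")
```

A project that appears only in dry-run mode is logged against the perimeter but not yet blocked by it, so it is reported separately from enforced membership.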
Review Perimeter
If you are creating or editing a perimeter, select Details. Review the following settings to verify that the perimeter is properly configured.
Setting | Description |
---|---|
Perimeter Name | Name of perimeter. Ideally, this name matches the project that it is securing. |
Projects | Select the project or projects to protect. Note: In a shared VPC environment, both the host project and the service project must be within the perimeter. |
Restricted Services | The list of Google services that are protected in this perimeter. |
VPC access services | The services accessible using Private Google Access, which allows VMs to connect to the set of external IP addresses. |
Access Levels | Select one or more access levels that can request resources protected by the perimeter. |
Ingress Policy | Define one or more policies for requests coming into the perimeter. These are applied to access levels. |
Egress Policy | Define one or more policies for requests coming out of the perimeter. These are applied to access levels. |
Configure Perimeter for Dataprep by Trifacta
Please complete the following steps to configure the perimeter to work with the product.
Steps:
In the Google Cloud toolbar, verify that the correct project is selected.
Note
You must be the project owner of the selected project to complete these configuration steps.
Select Left nav menu > IAM & Admin > IAM.
Select the Include Google-provided role grants checkbox.
Locate the service account created by Dataprep by Trifacta.
This service account contains the Dataprep Service Agent role in the Roles column.
Copy the name of this account.
From the Google Cloud toolbar at the top, open the Cloud Shell.
Note
Open the Cloud Shell in a new tab, and verify that you have specifically chosen the project in question. If you are not in the right project, the error messages may be confusing.
From Google Cloud Shell:
Create a new YAML file:
vi <project-name>.yaml
Create a new Access context in this YAML file. This context must include:
The service account that you copied
The userId of the project owner
Format:
- members:
    - serviceAccount:<dataprepServiceAccount>
    - user:<projectOwner>
Example:
- members:
    - serviceAccount:serviceAccount-service:1234567890@trifacta-gcloud-prod.iam.gserviceaccount.com
    - user:myLogin@example.com
Save this file.
Execute the following command to create a new Access Level:
gcloud access-context-manager levels create <accessLevelName> --basic-level-spec=<project-name>.yaml --title=<accessLevelName>
Note
If this command fails, you may need to enable the Access Context Manager API in your VPC SC.
Note
If you need the policy number, select Left nav menu > Security > Access Context Manager. The policy number is the value following accessPolicies/.
After the command has been successfully executed, verify the access level:
Select Left nav menu > Security > Access Context Manager.
You should see an Access Level entry with the access level name that you just created.
To attach the new Access Level to the perimeter that protects your project:
Select Left nav menu > Security > VPC Service Controls.
Edit the relevant perimeter, and add the access level to the perimeter. Save.
You can verify by running a job from Cloud Storage and/or BigQuery and writing results back.
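An added example, not part of the original documentation: a small check to run before the `levels create` step, which renders the access level YAML from the two principals and refuses anything that would not belong in the `members` list. It assumes that members must be `user:` or `serviceAccount:` email identities and that level names start with a letter and contain only letters, digits, and underscores. The account names, level name, and policy number are constructed, and the function names are hypothetical.

```python
import re
import shlex

# Assumption: access level conditions accept only these principal types.
ALLOWED_PREFIXES = ("user:", "serviceAccount:")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
LEVEL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

def validate_members(members):
    """Return the de-duplicated member list, or raise ValueError on an entry
    that is malformed or would widen the access level (groups, allUsers)."""
    seen, out = set(), []
    for m in members:
        m = m.strip()
        prefix = next((p for p in ALLOWED_PREFIXES if m.startswith(p)), None)
        if prefix is None:
            raise ValueError(f"unsupported principal type: {m!r}")
        if not EMAIL_RE.match(m[len(prefix):]):
            raise ValueError(f"not an email identity: {m!r}")
        if m not in seen:
            seen.add(m)
            out.append(m)
    for prefix in ALLOWED_PREFIXES:  # the page requires one of each
        if not any(m.startswith(prefix) for m in out):
            raise ValueError(f"missing a {prefix} member")
    return out

def render_spec(members):
    """Render the basic level spec: one condition holding the members list."""
    lines = ["- members:"] + [f"    - {m}" for m in validate_members(members)]
    return "\n".join(lines) + "\n"

def create_command(level, spec_path, policy=None):
    """Build the page's gcloud command; --policy is appended only when given."""
    if not LEVEL_RE.match(level):
        raise ValueError(f"invalid access level name: {level!r}")
    argv = ["gcloud", "access-context-manager", "levels", "create", level,
            f"--basic-level-spec={spec_path}", f"--title={level}"]
    if policy:
        argv.append(f"--policy={policy}")
    return shlex.join(argv)

if __name__ == "__main__":
    # Constructed principals, not real accounts.
    print(render_spec(["serviceAccount:dataprep-agent@example-project.iam.gserviceaccount.com",
                       "user:owner@example.com"]), end="")
    print(create_command("dataprep_level", "my-project.yaml", "111111"))
```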