Configuring Object Stores (optional)

Configuration to visualize your data (images) hosted on your own Object Store.

Google Cloud Storage

To view images in the UI (metadata.uri), GCS requires a service account (to create signed urls): https://cloud.google.com/iam/docs/service-accounts-create

Create a Service Account key

To grant the storage.buckets.get permission to a service account for a bucket in GCS, you can follow these steps:

1. Go to the Cloud Storage Buckets page in the Google Cloud console.

2. In the list of buckets, click the name of the bucket for which you want to grant the permission.

3. Select the Permissions tab near the top of the page.

4. Click the + Grant access button.

5. The Add principals dialog box appears.

6. In the New principals field, enter the service account email address.

7. Select the role (or roles) from the Select a role drop-down menu.

8. Click the Grant button.

Finally, download the service account key to a .json file from the console and export the location of the file with the standard env variable (this is the same file that can be pasted in the Dioptra integrations to view images from a restricted bucket).

export GOOGLE_APPLICATION_CREDENTIALS=/Users/xyz/.config/gcloud/service_account_credentials.json

Troubleshoot Permissions

If you encounter permission issues even after creating a Service Account Key (and adding it to the Integrations settings for viewing images in the UI), you can follow these steps:

1. Enable the Troubleshooting API: https://cloud.google.com/policy-intelligence/docs/troubleshoot-access
2. Runt he troubleshooter: https://console.cloud.google.com/iam-admin/troubleshooter