GCP Authentication for Edge Delta
3 minute read
Overview
Edge Delta integrates with several Google Cloud services, including BigQuery, Cloud Storage, Cloud Logging, Google SecOps, and Pub/Sub. Each integration requires the agent to authenticate with the target service.
There are three ways to provide GCP authentication:
| Method | Environment | Key benefit |
|---|---|---|
| Service account JSON key | Any | Works everywhere |
| GKE Workload Identity | GKE | No key files to manage |
| Compute Engine default credentials | GCE VMs | Automatic, no configuration |
Required IAM Roles
Each destination requires specific IAM roles on the GCP service account. Grant only the roles your pipeline needs.
| Destination | Required IAM roles | Setup guide |
|---|---|---|
| BigQuery | roles/bigquery.dataEditor, roles/bigquery.jobUser | Send Data to BigQuery |
| Cloud Storage | Storage Admin + Storage HMAC Key Admin | Send Data to GCS |
| Cloud Logging | roles/logging.logWriter | Send Data to Cloud Logging |
| Google SecOps | Chronicle ingestion permissions | Google SecOps Destination |
Option 1: Service Account JSON Key
Use a JSON key file when the agent runs outside GKE, or when Workload Identity is not available.
The general workflow is:
- Create a GCP service account in the project that owns the target resource.
- Grant the service account the IAM roles listed in the table above for your destination.
- Generate and download a JSON key file for the service account.
- Make the key file accessible to the Edge Delta agent:
- Kubernetes — store the file as a Kubernetes secret and mount it into the agent pod.
- Linux / VM — place the file on disk with restricted permissions (
chmod 600).
- Set the
credentials_pathparameter in your destination node configuration to point to the key file.
nodes:
- name: my_destination
type: <destination_type>
credentials_path: /etc/credentials/my-gcp-creds.json
# ... other destination parameters
Each destination’s setup guide includes detailed steps for creating secrets and mounting credentials. See the links in the Required IAM Roles table.
Security: Rotate service account keys periodically and avoid storing them in version control. For Kubernetes deployments, use Kubernetes Secrets or an external secrets manager.
Option 2: GKE Workload Identity (Recommended)
If the agent runs in Google Kubernetes Engine (GKE), Workload Identity lets pods authenticate as a GCP service account without key files. The Kubernetes service account is bound to a GCP IAM service account, and credentials are provided automatically by the GKE metadata server.
The general workflow is:
- Enable Workload Identity on your GKE cluster.
- Create a GCP service account with the required IAM roles.
- Bind the Edge Delta Kubernetes service account to the GCP service account using an IAM policy binding.
- Annotate the Kubernetes service account with the GCP service account email.
- Omit the
credentials_pathparameter in the destination node configuration.
nodes:
- name: my_destination
type: <destination_type>
# credentials_path is omitted — Workload Identity provides credentials
# ... other destination parameters
See Google’s Workload Identity documentation for the detailed GKE setup steps. The Send Data to BigQuery and Send Data to Cloud Logging pages include Edge Delta-specific examples.
Option 3: Compute Engine Default Credentials
When the agent runs on a GCE VM, it can use the VM’s attached service account automatically. No credentials file or special configuration is required, as long as the VM’s service account has the IAM roles needed by your destination.
Omit credentials_path in the destination node configuration. The agent uses Application Default Credentials (ADC), which automatically discover the VM’s identity.