Adding a Google Cloud project as a source
As part of adding a Google Cloud project as a source to R‑Cloud, you enable the HYCU Managed Service Account (HMSA), a special type of account designed specifically for R‑Cloud to run data protection operations. The HMSA provides business continuity for your data protection environment by enforcing a single service account that cannot be deleted accidentally. It also delivers enhanced security by uniquely identifying the service and by using key rotation to limit the risks associated with potential service account key leaks.
Prerequisites
- To add the HMSA to the Google Cloud project, your Google Cloud account must be granted the following permissions:
  - resourcemanager.projects.getIamPolicy
  - resourcemanager.projects.setIamPolicy
  Instead of granting the individual permissions, you can also assign your Google Cloud account one of the following roles: Project Owner, Project Editor, or IAM Admin.
- In Google Cloud, the Compute Engine default service account must be present in the project that you plan to add. If this service account is not available, you must set up a different service account. The name of the service account must be in the following format:
  hycu-<ProjectNumber>@<ProjectID>.iam.gserviceaccount.com
- The Cloud Pub/Sub API must be enabled in the project that you plan to add. For details, see Google Cloud documentation.
- Only if you plan to add the Google Cloud project to a protection set other than the default one. The protection set must be created. For instructions, see Creating a protection set.
Considerations
- To define the location for creating data movers during the data protection operations, you can create a data mover configuration as part of adding a source to R‑Cloud or select the one that you already added. For details, see Creating a data mover configuration.
- Only if you plan to use a data mover configuration for the source. If you later assign a different data mover configuration to an entity that belongs to the source by specifying the configuration properties, that data mover configuration will be used instead of the one that was used for the source.
Recommendation
If you plan to store protected data on a target that is accessible exclusively from a private network, it is recommended that you enable the Use data mover configuration option. By doing so, you ensure that the data movers will have access to the target.
Procedure
- In the Sources panel, click Add.
- Select Google Cloud, and then click Next.
- Only if you are adding the Google Cloud project in the Subscription context. From the Protection Set drop-down menu, select the protection set to which you want to add the Google Cloud project.
- Enter the Google Cloud project ID, and then click Add. The HMSA email is displayed.
- Click Copy to Clipboard to copy the HMSA email to the clipboard. You need the email address to assign permissions to the HMSA.
- Click Grant Consent to open the HYCU Managed Service Account configuration wizard.
  The HYCU Managed Service Account configuration wizard guides you through all the required steps of enabling the HMSA for the Google Cloud project.
- Return to the R‑Cloud web user interface.
- Only if you want a data mover configuration to be assigned to all the entities that belong to this source. Enable the Use data mover configuration switch, and then, from the Data Movers drop-down menu, select the preferred data mover configuration.
  By clicking Add New, you are automatically redirected to the dialog box that enables you to add a data mover configuration, if not already added. For details, see Creating a data mover configuration.
- Click Save.
The Google Cloud project is added to the list of sources.
Note: If you do not complete the steps in the HYCU Managed Service Account configuration wizard or if you enter an incorrect Google Cloud project ID, adding a Google Cloud project as a source to R‑Cloud is suspended and the status of the source is Preparing. If this happens, remove the source, and then add it to R‑Cloud again.
You can later remove the Google Cloud projects that you do not need anymore (click Remove). Keep in mind that removing the Google Cloud project from R‑Cloud does not delete any IAM permissions that were created in the Google Cloud project.
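Because the IAM permissions stay in place after a project is removed, it is worth checking which role bindings still name the HMSA. The following is an added example, not HYCU code: it reads a project IAM policy in the shape printed by `gcloud projects get-iam-policy <ProjectID> --format=json`, lists the leftover bindings, and builds a cleaned policy. The HMSA address, roles, and policy contents are constructed placeholders, and the function names are hypothetical.

```python
import copy

# Constructed placeholder; use the HMSA email copied from the R-Cloud dialog.
HMSA_EMAIL = "hmsa-placeholder@example-project.iam.gserviceaccount.com"
SA = "serviceAccount:" + HMSA_EMAIL

# Constructed sample policy; the roles are illustrative, not the ones the wizard grants.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "constructed-etag",
    "bindings": [
        {"role": "roles/pubsub.editor", "members": [SA, "user:admin@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["deleted:" + SA + "?uid=1234567890"],
         "condition": {"title": "constructed-condition", "expression": "true"}},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ],
}


def _is_member(member, email):
    """True if an IAM member string refers to the service account `email`."""
    # A deleted principal is listed as "deleted:serviceAccount:<email>?uid=<id>".
    if member.startswith("deleted:"):
        member = member[len("deleted:"):].split("?", 1)[0]
    kind, _, addr = member.partition(":")
    return kind == "serviceAccount" and addr.lower() == email.lower()


def leftover_bindings(policy, email):
    """Return (role, condition title or None) for every binding that names `email`."""
    return [(b["role"], b.get("condition", {}).get("title"))
            for b in policy.get("bindings", [])
            if any(_is_member(m, email) for m in b.get("members", []))]


def without_account(policy, email):
    """Return a copy of the policy with `email` removed and emptied bindings dropped."""
    cleaned = copy.deepcopy(policy)  # etag is kept so a write-back detects concurrent edits
    kept = []
    for b in cleaned.get("bindings", []):
        b["members"] = [m for m in b.get("members", []) if not _is_member(m, email)]
        if b["members"]:
            kept.append(b)
    cleaned["bindings"] = kept
    return cleaned


if __name__ == "__main__":
    print(leftover_bindings(SAMPLE_POLICY, HMSA_EMAIL))
```

After review, the cleaned policy can be saved to a file and applied with `gcloud projects set-iam-policy <ProjectID> <file>`.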