Adding a Google Cloud project as a source

As part of adding a Google Cloud project as a source to R‑Cloud, you enable the HYCU Managed Service Account (HMSA), a special type of account that is designed specifically for R‑Cloud to run data protection operations. The HMSA provides business continuity of your data protection environment by enforcing a single service account that cannot be deleted accidentally. It also delivers enhanced security by uniquely identifying the service and by using key rotation to limit the risks associated with potential service account key leaks.

Prerequisites

  • To add the HMSA to the Google Cloud project, your Google Cloud account must be granted the following permissions:

    • resourcemanager.projects.getIamPolicy

    • resourcemanager.projects.setIamPolicy

    Instead of granting the individual permissions, you can also assign your Google Cloud account one of the following roles: Project Owner, Project Editor, or IAM Admin.

  • In Google Cloud, the Compute Engine default service account must be present in the project that you plan to add. If this service account is not available, you must set up a different service account. The name of the service account must be in the following format:
    hycu-<ProjectNumber>@<ProjectID>.iam.gserviceaccount.com

  • The Cloud Pub/Sub API must be enabled in the project that you plan to add. For details, see Google Cloud documentation.

  • Only if you plan to add the Google Cloud project to a protection set other than the default one. The protection set must be created. For instructions, see Creating a protection set.

Consideration

Only if you plan to use a data mover configuration for the source. If you later assign a different data mover configuration to an entity that belongs to the source, that configuration will be used instead of the one that was used for the source.

Recommendation

Using a data mover configuration with the source is recommended if you plan to assign its entities a policy that uses a target that is accessible exclusively from a private network.

Procedure

  1. In the Sources panel, click Add.

  2. Select Google Cloud, and then click Next.

  3. Only if you are adding the Google Cloud project in the Subscription context. From the Protection Set drop-down menu, select the protection set to which you want to add the Google Cloud project.

  4. Enter the Google Cloud project ID, and then click Add. The HMSA email is displayed.

  5. Click Copy to Clipboard to copy the HMSA email to the clipboard. You need the email address to assign permissions to the HMSA.

  6. Click Grant Consent to open the HYCU Managed Service Account configuration wizard.

    The HYCU Managed Service Account configuration wizard guides you through all the required steps of enabling the HMSA for the Google Cloud project.

  7. Return to the R‑Cloud web user interface.

  8. Only if you want a data mover configuration to be automatically assigned to all the entities that belong to this source. Enable the Use data mover configuration switch, and then, from the Data Movers drop-down menu, select an existing data mover configuration.

    By clicking Add New, you are automatically redirected to the dialog box that enables you to add a new data mover configuration. For details, see Creating a data mover configuration.

  9. Click Save.

The Google Cloud project is added to the list of sources.

Note  If you do not complete the steps in the HYCU Managed Service Account configuration wizard or if you enter an incorrect Google Cloud project ID, adding a Google Cloud project as a source to R‑Cloud is suspended and the status of the source is Preparing. If this happens, remove the source, and then add it to R‑Cloud again.

You can later remove the Google Cloud projects that you do not need anymore (click Remove). Keep in mind that removing the Google Cloud project from R‑Cloud does not delete any IAM permissions that were created in the Google Cloud project.
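
Because IAM permissions remain in the project after the source is removed, it is worth reviewing the project's IAM policy for bindings that still name the HMSA email. The following is an added example, not part of the R‑Cloud product or its documentation: it reads a policy in the JSON shape returned by `gcloud projects get-iam-policy <ProjectID> --format=json`, lists the roles still bound to the HMSA, and checks the role-based prerequisite for the operator account. The role IDs chosen for Project Owner, Project Editor and IAM Admin, the emails and the sample policy are assumptions made for illustration.

```python
import json

# Role IDs assumed to match the roles named in the prerequisites
# (Project Owner, Project Editor, IAM Admin).
PREREQ_ROLES = {"roles/owner", "roles/editor",
                "roles/resourcemanager.projectIamAdmin"}

def _names(member, email):
    """True if an IAM member string refers to email, including the
    'deleted:serviceAccount:<email>?uid=<id>' form left by deleted accounts."""
    if member.startswith("deleted:"):
        member = member[len("deleted:"):]
    kind, _, ident = member.partition(":")
    ident = ident.split("?uid=", 1)[0]
    return kind in ("user", "serviceAccount") and ident.lower() == email.lower()

def roles_for(policy, email):
    """Map each role bound to email to the list of its condition titles
    (None means the binding is unconditional)."""
    found = {}
    for binding in policy.get("bindings", []):
        if any(_names(m, email) for m in binding.get("members", [])):
            title = binding.get("condition", {}).get("title")
            found.setdefault(binding["role"], []).append(title)
    return found

def meets_prerequisite(policy, operator_email):
    """Operator holds a prerequisite role without a condition.
    Conditional bindings are conservatively treated as not sufficient."""
    return any(role in PREREQ_ROLES and None in titles
               for role, titles in roles_for(policy, operator_email).items())

def leftover_roles(policy, hmsa_email):
    """Roles still bound to the HMSA, for example after the source was removed."""
    return sorted(roles_for(policy, hmsa_email))

# Constructed sample policy. Emails and role choices are made up;
# they are not a statement of what the configuration wizard grants.
HMSA = "hmsa-placeholder@example-project.iam.gserviceaccount.com"
SAMPLE = json.loads("""{"bindings": [
 {"role": "roles/editor", "members": ["user:alice@example.com"]},
 {"role": "roles/owner", "members": ["user:bob@example.com"],
  "condition": {"title": "expires-soon", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
 {"role": "roles/pubsub.editor", "members": ["serviceAccount:%s"]},
 {"role": "roles/compute.viewer", "members": ["deleted:serviceAccount:%s?uid=1234"]}
]}""" % (HMSA, HMSA))

if __name__ == "__main__":
    print("alice can add source:", meets_prerequisite(SAMPLE, "alice@example.com"))
    print("HMSA still holds:", leftover_roles(SAMPLE, HMSA))
```

The policy returned for a project contains only bindings set on the project itself, so roles inherited from a folder or organization, and the two individual permissions granted through a custom role, are not detected by this check.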