GCS as Private Data Storage
Follow this guide to configure your Alteryx Analytics Cloud (AAC) workspace to replace Alteryx Data Storage (ADS) with an instance of Google Cloud Storage (GCS) that you own.
Nota
In the future, organizations that want to apply their own authentication security policies to individual workspaces can enable Single-Sign On on a workspace-by-workspace basis. Currently, Google Service Accounts provisions Google Cloud Storage as Alteryx Private Data Storage in Workspace Mode. Workspace Mode enables all users to access the data assets they create, maintain, and use on the AACAAC workspace. Users can change the default upload and output paths for all data assets they work with in the Default Bucket. This enables all users on the workspace to access GCP storage and execute credential passthrough to other compatible connections.
Limitations
Connectivity
No connectivity to Amazon Redshift.
Workspaces provisioned with GCS as Private Date Storage don't support Snowflake Connections.
For Google Cloud Platform (GCP), AACAAC only allows 1 GCP project per workspace with pushdown to the same Big Query connection (with the same project and service account).
Engine Availability
Workspaces provisioned with GCS as Private Date Storage don't support EMR Spark as an engine or re-sampling capabilities.
Alteryx engines don't support job runtimes greater than 1 hour.
Platform
Once you set up GCS as Private Data Storage, you can't switch between Private Data Storage options (for example, GCS to S3).
Workspaces provisioned with GCS as Private Date Storage don't support Machine Learning.
Prerequisites
Be a user on a Professional or Enterprise AACAAC plan.
Have a Workspace Admin role assigned to you in AACAAC.
Have administrative access to the target GCP project.
Have a GCS bucket created in GCP.
Google Cloud Storage on AACAAC Setup Guide
To set up GCS as private data storage, first you must choose which GCS authentication method you want to use. Then, enable GCS as private data storage in your workspace.
Configure GCS Authentication
Establish a secure connection between AACAAC and your GCS location. You have 2 options to authenticate GCS for your private data storage...
Cloud Authorization: Use Cloud Authorization to leverage your Google IAM to fetch on-demand scoped user credentials for accessing Google Storage.
Service Account Key: Service Account Keys authenticate applications, scripts, or services with Google APIs. AACAAC uses the service account to fetch workspace-level credentials using a Google Service Account.
Cloud Authorization
Step 1: Set Up Single Sign-On (SSO)
Follow the Google Cloud Platform SSO Setup Guide (OIDC) to configure SSO for your workspace.
Step 2: Configure Internal GCP Application
Go to APIs & Services in the GCP console.
Go to the OAuth consent screen.
Select Internal and then select Create.
In the Name field, enter a name for your app. For example, the name of your AAC workspace.
Under Authorized Domains, select Add Domain and then enter
alteryxcloud.com
.Select Save and Continue.
Add these scopes:
openid
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/bigquery
Select Register.
Select Credentials.
Select Create Credentials and then choose OAuth client ID.
Select Web Application from the Application type dropdown.
In the Name field, enter a name for your app. For example, the name of your AAC workspace.
Under Authorized Redirect URLs, select the Add URI button and then enter the production and test Callback URL. Follow this template…
Production:
https://{platformEnvironment}/workspace/${workspaceName}/sso/googleCallback
Test:
https://{platformEnvironment}/workspace/test/${workspaceName}/sso/googleCallback
.For example...
https://us1.alteryxcloud.com/workspace/YOUR-WORKSPACE-NAME/sso/googleCallback https://us1.alteryxcloud.com/workspace/test/YOUR-WORKSPACE-NAME/sso/googleCallback
Nota
These changes might take a few minutes to take effect.
Select Save.
Note and copy your Client ID and Client Secret. You will use these later in Step 3.
Step 3: Configure Cloud Authorization on AAC
Return to your AACAAC workspace.
Go to Profile menu > Workspace Admin > Private Data Handling > Cloud Authorization and then select Google Cloud Platform.
Enter the GCP Client ID you copied in Step 2 after creating credentials in the GCP console.
Enter the GCP Client Secret you copied in Step 2 after creating credentials in the GCP console.
Select Save.
AACAAC directs you to sign out and then sign back in before proceeding.
Service Account Key
Go to the Google Cloud Console and then sign in with your Google account.
If you have an existing project, select the project where you want to create the Service Account Key. If you don't have a project, create a project now.
On the left pane, select IAM & Admin and then select Service Accounts.
Select Create Service Account.
Enter Service Account Details:
Enter a name for your service account.
[Optional] Enter a description. For example, the name of your AACAAC workspace.
Choose a role for the service account. For example, Project > Editor or specific API roles depending on your needs. Note that AACAAC requires these permissions:
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Select Continue.
In the Keys section, select Create Key and then select the JSON key type.
Select the JSON key type and then select Create. The private key automatically generates and downloads to your computer. You will use this key later in Step 2.
Cuidado
Keep the JSON key file secure as it provides access to your service account.
Set Up GCS as Private Data Storage
Sign in to your AACAAC workspace.
Go to Profile menu > Workspace Admin > Private Data Handling > Storage and then select Google Cloud Storage.
If you created a Service Account Key, under Service Account Key, copy and paste the entire JSON key you created previously. Skip this step if you set up Cloud Authorization.
Under Default Bucket, enter the GCS bucket name.
[Optional] Enter a Project ID. Note that this overrides the project ID from the Service Account Key.
Select Save to provision your AACAAC workspace with GCS as Private Data Storage.
Nota
AACAAC automatically creates a default path when a user signs in to a workspace for the first time after GCS has been set up as the base storage.
Change Upload and Output Directory Locations
Users can update their workspace preferences to a target Output and Upload location in the provisioned Default Bucket. To change location preferences, follow these steps:
Sign in to your AACAAC workspace.
Go to Profile menu > Preferences > Storage.
Select Edit next to the Output or Upload directory. You can also create new directories within the Default Bucket.
Nota
By default, the upload directory is
gs://${defaultBucket}/${workspaceId}/${personId}/uploads
and the output directory isgs://${defaultBucket}/${workspaceId}/${personId}/queryResults
.
Browse Datasets from Google Cloud Storage on AACAAC
After enabling GCS as a Private Data Storage, users can browse and import datasets from the Default Bucket provisioned by the Admin. To browse data, follow these steps:
Sign in to your AACAAC workspace.
Go to the Data page.
Select Import Data. On the left pane, you should see Google Cloud Storage as an Import Data option.
Select Google Cloud Storage to access your data.