Skip to main content

GCS as Private Data Storage

Follow this guide to configure your Alteryx Analytics Cloud (AAC) workspace to replace Alteryx Data Storage (ADS) with an instance of Google Cloud Storage (GCS) that you own.

Nota

In the future, organizations that want to apply their own authentication security policies to individual workspaces can enable Single-Sign On on a workspace-by-workspace basis. Currently, Google Service Accounts provisions Google Cloud Storage as Alteryx Private Data Storage in Workspace Mode. Workspace Mode enables all users to access the data assets they create, maintain, and use on the AACAAC workspace. Users can change the default upload and output paths for all data assets they work with in the Default Bucket. This enables all users on the workspace to access GCP storage and execute credential passthrough to other compatible connections.

Limitations

Connectivity

  • No connectivity to Amazon Redshift.

  • Workspaces provisioned with GCS as Private Date Storage don't support Snowflake Connections.

  • For Google Cloud Platform (GCP), AACAAC only allows 1 GCP project per workspace with pushdown to the same Big Query connection (with the same project and service account).

Engine Availability

  • Workspaces provisioned with GCS as Private Date Storage don't support EMR Spark as an engine or re-sampling capabilities.

  • Alteryx engines don't support job runtimes greater than 1 hour.

Platform

  • Once you set up GCS as Private Data Storage, you can't switch between Private Data Storage options (for example, GCS to S3).

  • Workspaces provisioned with GCS as Private Date Storage don't support Machine Learning.

Prerequisites

  • Be a user on a Professional or Enterprise AACAAC plan.

  • Have a Workspace Admin role assigned to you in AACAAC.

  • Have administrative access to the target GCP project.

  • Have a GCS bucket created in GCP.

Google Cloud Storage on AACAAC Setup Guide

To set up GCS as private data storage, first you must choose which GCS authentication method you want to use. Then, enable GCS as private data storage in your workspace.

Configure GCS Authentication

Establish a secure connection between AACAAC and your GCS location. You have 2 options to authenticate GCS for your private data storage...

  • Cloud Authorization: Use Cloud Authorization to leverage your Google IAM to fetch on-demand scoped user credentials for accessing Google Storage.

  • Service Account Key: Service Account Keys authenticate applications, scripts, or services with Google APIs. AACAAC uses the service account to fetch workspace-level credentials using a Google Service Account.

Cloud Authorization

Step 1: Set Up Single Sign-On (SSO)

Follow the Google Cloud Platform SSO Setup Guide (OIDC) to configure SSO for your workspace.

Step 2: Configure Internal GCP Application
  1. Go to APIs & Services in the GCP console.

  2. Go to the OAuth consent screen.

  3. Select Internal and then select Create.

  4. In the Name field, enter a name for your app. For example, the name of your AAC workspace.

  5. Under Authorized Domains, select Add Domain and then enter alteryxcloud.com.

  6. Select Save and Continue.

  7. Add these scopes:

    openid

    https://www.googleapis.com/auth/userinfo.email

    https://www.googleapis.com/auth/userinfo.profile

    https://www.googleapis.com/auth/devstorage.read_write

    https://www.googleapis.com/auth/bigquery

  8. Select Register.

  9. Select Credentials.

  10. Select Create Credentials and then choose OAuth client ID.

  11. Select Web Application from the Application type dropdown.

  12. In the Name field, enter a name for your app. For example, the name of your AAC workspace.

  13. Under Authorized Redirect URLs, select the Add URI button and then enter the production and test Callback URL. Follow this template…

    1. Production: https://{platformEnvironment}/workspace/${workspaceName}/sso/googleCallback

    2. Test: https://{platformEnvironment}/workspace/test/${workspaceName}/sso/googleCallback.

    3. For example...

      https://us1.alteryxcloud.com/workspace/YOUR-WORKSPACE-NAME/sso/googleCallback
      https://us1.alteryxcloud.com/workspace/test/YOUR-WORKSPACE-NAME/sso/googleCallback

    Nota

    These changes might take a few minutes to take effect.

  14. Select Save.

  15. Note and copy your Client ID and Client Secret. You will use these later in Step 3.

Step 3: Configure Cloud Authorization on AAC
  1. Return to your AACAAC workspace.

  2. Go to Profile menu > Workspace Admin > Private Data Handling > Cloud Authorization and then select Google Cloud Platform.

  3. Enter the GCP Client ID you copied in Step 2 after creating credentials in the GCP console.

  4. Enter the GCP Client Secret you copied in Step 2 after creating credentials in the GCP console.

  5. Select Save.

  6. AACAAC directs you to sign out and then sign back in before proceeding.

Service Account Key

  1. Go to the Google Cloud Console and then sign in with your Google account.

  2. If you have an existing project, select the project where you want to create the Service Account Key. If you don't have a project, create a project now.

  3. On the left pane, select IAM & Admin and then select Service Accounts.

  4. Select Create Service Account.

  5. Enter Service Account Details:

    1. Enter a name for your service account.

    2. [Optional] Enter a description. For example, the name of your AACAAC workspace.

    3. Choose a role for the service account. For example, Project > Editor or specific API roles depending on your needs. Note that AACAAC requires these permissions:

      storage.buckets.get

      storage.buckets.list

      storage.objects.create

      storage.objects.delete

      storage.objects.get

      storage.objects.list

    4. Select Continue.

  6. In the Keys section, select Create Key and then select the JSON key type.

  7. Select the JSON key type and then select Create. The private key automatically generates and downloads to your computer. You will use this key later in Step 2.

    Cuidado

    Keep the JSON key file secure as it provides access to your service account.

Set Up GCS as Private Data Storage

  1. Sign in to your AACAAC workspace.

  2. Go to Profile menu > Workspace Admin > Private Data Handling > Storage and then select Google Cloud Storage.

  3. If you created a Service Account Key, under Service Account Key, copy and paste the entire JSON key you created previously. Skip this step if you set up Cloud Authorization.

  4. Under Default Bucket, enter the GCS bucket name.

  5. [Optional] Enter a Project ID. Note that this overrides the project ID from the Service Account Key.

  6. Select Save to provision your AACAAC workspace with GCS as Private Data Storage.

Nota

AACAAC automatically creates a default path when a user signs in to a workspace for the first time after GCS has been set up as the base storage.

Change Upload and Output Directory Locations

Users can update their workspace preferences to a target Output and Upload location in the provisioned Default Bucket. To change location preferences, follow these steps:

  1. Sign in to your AACAAC workspace.

  2. Go to Profile menu > Preferences > Storage.

  3. Select Edit next to the Output or Upload directory. You can also create new directories within the Default Bucket.

    Nota

    By default, the upload directory is gs://${defaultBucket}/${workspaceId}/${personId}/uploads and the output directory is gs://${defaultBucket}/${workspaceId}/${personId}/queryResults.

Browse Datasets from Google Cloud Storage on AACAAC

After enabling GCS as a Private Data Storage, users can browse and import datasets from the Default Bucket provisioned by the Admin. To browse data, follow these steps:

  1. Sign in to your AACAAC workspace.

  2. Go to the Data page.

  3. Select Import Data. On the left pane, you should see Google Cloud Storage as an Import Data option.

  4. Select Google Cloud Storage to access your data.