Attach your Google storage
You can attach existing Google Cloud Storage (GCS) to your AoC organization using the Aspera transfer service available in Aspera on Cloud.
Once you attach the storage, you can create access keys to enable Aspera transfers to and from your Google storage. The storage is then available to support your organization workspace(s). You can make content in the storage available to your AoC users in the form of administratively shared folders (see Share a node folder with a workspace).
This procedure also creates access keys to the cloud storage that you can share with other users so that they can run Aspera transfers with the cloud storage from any Aspera client application. You can create multiple access keys to the same cloud storage to allow access to different areas of the storage. To do so, repeat the procedure in this topic, creating a transfer service node for each individual access key. The transfer service attaches the cloud storage to your organization and performs the transfers your users request.
Use this procedure when you have existing cloud storage but no Aspera transfer node associated with it, and want to use the transfer service to connect with it. If you already have an existing Aspera transfer node (which can be on-prem or in the cloud, and managed by you or by Aspera) with its Node URL and password, see Tether Your Aspera Transfer Server to Aspera on Cloud.
Prerequisites
- You must be a transfer service administrator (ATS admin) in Aspera on Cloud.
- Your cloud storage must be in a region that is supported by the transfer service. To view the supported regions, to see IP addresses for whitelisting in your firewall configuration, and to retrieve your transfer service server URL, see https://ats.aspera.io/pub/v1/servers/Google.
- Have the cloud storage credentials available.
Procedure
- In the Admin Management console, click Nodes and storage > Nodes > Create new.
- Click Attach my cloud storage.
If you do not see this option at the top of the page, you do not have transfer service admin privileges and cannot perform this procedure.
- Enter a Node name for the transfer service node.
If you are creating multiple access keys to the same storage for different users or groups of users, make the name descriptive enough to tell them apart.
- To apply a pre-configured network policy to this node, click the Network policy field and select the intended policy. For details, see Creating Network Policies.
- To apply a pre-configured node configuration policy to this node, click the Configuration policy field and select the intended policy. For details, see Creating Node Configuration Policies.
- Select the Google Cloud storage type.
- Select the region where the storage to attach exists.
- Provide a private key or OAuth token for authentication. Both require that you create a service account:
- Log in to Google Cloud Platform (GCP).
- Select the project that contains the storage that you want to add to AoC.
- Go to IAM & admin > Service accounts and click Create service account.
- Enter a Service account name, such as "ats-google-bucket_name-access". If desired, edit the Service account ID.
- Select the Project role. The minimum role required for Aspera to access the storage is Storage Object Admin.
- To use Private key authentication, select Furnish a new private key and leave JSON selected for the key type.
- Click Save. If you created a private key, store it according to local site practice.
- The private key ID is now listed in the table.
To use Private key authentication:
- In the GCP console, copy the project ID (for example, "test-project-1234") and paste it into the Project ID field in the AoC UI.
- In the GCP console, copy the private key ID that is listed in the Service account keys table (for example, "4g444gd311ff277d34722gcgc5fbd51795b56fg4") and paste it into the Private key ID field in the AoC UI.
- Open the private key that you saved to your computer and copy the value for "private_key". For example:
-----BEGIN PRIVATE KEY----- MB91dowSoh\nyUtv...Ttzr9u3s8cYyjE4bf4g= -----END PRIVATE KEY-----
Paste it into the Private key field in the AoC UI.
Important: Replace the "\n" characters in the content you pasted with actual line breaks.
- In the GCP console, copy the email address of the service account (for example, "ats-google-bucket_name-access@test-project-1234.iam.gserviceaccount.com") and paste it into the Client ID field in the AoC UI.
- In the AoC UI, enter the Path that Aspera can access with the format "bucket_name/path". To allow access to the entire bucket, enter the bucket name.
- Click Save.
If you see the error message, "Unable to create ATS access key and secret", see Trouble creating a new access key for a troubleshooting procedure.
- Download or copy and save the Aspera on Cloud access key and secret according to local site practice. These credentials allow you to access this node for content management and configuration activities. If you download, Aspera generates a text file with the default name KeySecret.txt. Aspera recommends that you rename this file to make it easier to track and manage.
Important: Aspera on Cloud does not store the secret. Once you complete this step, you can no longer retrieve the secret. You must track these credentials according to your own local site security practices.
- To protect content on this node with Aspera encryption at rest, do one of the following:
- To use Aspera-managed keys, see Use Aspera-managed keys for server-side encryption at rest.
- To use your own key, see Bring your own key for server-side encryption at rest.
- Click Save to complete creation of the new transfer service node.
- To share a folder in the storage with members of an existing workspace, see Share a node folder with a workspace.
- To create a new workspace hosted on this storage, see Create a new workspace.
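The private key authentication steps above can be checked before pasting anything into the AoC UI. The following is an added example, not part of the Aspera documentation: it maps a service account key file to the four AoC fields and rejects a key that still contains literal "\n" sequences. It assumes the usual field names of a GCP JSON key file (project_id, private_key_id, private_key, client_email); check_pem and aoc_fields are hypothetical helper names, and the sample key is constructed filler, not a real key.

```python
import base64
import json
import re

# Constructed sample key file: the PEM body is base64 of filler bytes, not a real key.
_BODY = base64.encodebytes(b"constructed-not-a-real-key " * 8).decode().strip()
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "test-project-1234",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",  # constructed
    "private_key": f"-----BEGIN PRIVATE KEY-----\n{_BODY}\n-----END PRIVATE KEY-----\n",
    "client_email": "ats-google-bucket_name-access@test-project-1234.iam.gserviceaccount.com",
})

PEM_RE = re.compile(
    r"-----BEGIN PRIVATE KEY-----\n([A-Za-z0-9+/=\n]+)\n-----END PRIVATE KEY-----\n?")


def check_pem(pem):
    """Return a list of problems with a pasted private key (empty list means OK)."""
    problems = []
    if "\\n" in pem:
        # Happens when the value is copied from the raw JSON text in an editor.
        problems.append('literal "\\n" sequences present; replace with line breaks')
    match = PEM_RE.fullmatch(pem)
    if not match:
        problems.append("not a PEM block with BEGIN/END PRIVATE KEY lines")
    else:
        try:
            base64.b64decode(match.group(1).replace("\n", ""), validate=True)
        except ValueError:
            problems.append("PEM body is not valid base64")
    return problems


def aoc_fields(key_json):
    """Map a service account key file to the AoC form fields named in this topic."""
    key = json.loads(key_json)  # JSON decoding turns "\n" escapes into real newlines
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    problems = check_pem(key["private_key"])
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Project ID": key["project_id"],
        "Private key ID": key["private_key_id"],
        "Private key": key["private_key"],
        "Client ID": key["client_email"],  # this topic puts the account email here
    }
```

Reading the key with a JSON parser avoids the manual "\n" replacement entirely; run check_pem on any value copied by hand from the raw file.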