
Create Cloud Storage Bucket and Service Account

This page describes the procedure for creating and configuring the root storage for your Bring-Your-Own-Cloud (BYOC) project with proper permissions.

📘Notes

Zilliz BYOC is currently in General Availability. For access and implementation details, please contact Zilliz Cloud sales.

Best practices for the Cloud Storage bucket

The bucket you specify during the project deployment will be used as the root storage for the clusters created in the project. Before you create a Cloud Storage bucket, review the following best practices:

  • The bucket must be in the same Google Cloud Platform (GCP) region as the project deployment.

  • All clusters in a project share the Cloud Storage bucket created during the project deployment. Zilliz Cloud recommends using a Cloud Storage bucket dedicated to the project and not sharing it with other services and resources.

Procedure

You can use the GCP dashboard to create the bucket and service account. Alternatively, you can use the Terraform script Zilliz Cloud provides to bootstrap the infrastructure for your Zilliz Cloud project on GCP. For details, refer to Terraform Provider.

Step 1: Create a Cloud Storage bucket

In this step, you will create a Cloud Storage bucket on GCP for the BYOC project deployment. If you prefer to use an existing bucket, ensure that the bucket is in the same region as the BYOC project. Once it is created, enter the bucket name in Storage settings on the Zilliz Cloud console.

The steps to create a bucket are as follows:

  1. On the GCP console, find and click Cloud Storage.

  2. Click Create bucket.

  3. Set a descriptive name for the bucket to create.

    In this demo, you can set it to zilliz-byoc-your-org-bucket, or follow your naming conventions.

  4. Select Region in Location type to ensure the lowest latency within the single region, and select the region of your BYOC project in the drop-down list that appears.

    In this demo, you can set it to us-west (Oregon). Ensure that this value is the same as the region of your BYOC project.

  5. Click Continue.

  6. In Access control, select Fine-grained to enable fine-grained public access prevention.

  7. Click Continue.

  8. Keep the default settings, and click Create.

  9. Click Confirm in the dialog box that appears to confirm that public access to the new bucket is prevented.

Step 2: Create a service account to access the bucket

In this step, you will create a service account, associate several roles with the service account, and provide the service account to Zilliz Cloud so that Zilliz Cloud can access the bucket created above.

The steps to create the storage service account are as follows:

  1. On the GCP console, find and click IAM & Admin.

  2. Choose Service Accounts in the left navigation pane.

  3. Click Create service account.

  4. Set a name for the service account to create.

    In this demo, you can set it to your-org-storage-sa. The service account ID should be the first 18 characters of the service account name. You can manually set it to a proper value.

  5. Click Create and continue.

  6. In Permissions, add two roles with conditions.

    1. Select Storage Object Admin from the drop-down list.

    2. Click Add IAM condition, set the condition title, and put the following condition in the Condition builder.

      | Condition type | Operator    | Value                               |
      |----------------|-------------|-------------------------------------|
      | Name           | Starts with | projects/_/buckets/YOUR_BUCKET_NAME |

      📘Notes

      You should replace YOUR_BUCKET_NAME with the name of the bucket created in the previous step.

    3. Click Save.

    4. Click Add another role.

    5. Select Storage Bucket Viewer from the drop-down list.

    6. Click Add IAM condition, set the condition title, and put the following condition in the Condition editor.

      resource.name.startsWith("projects/_/buckets/YOUR_BUCKET_NAME")

      📘Notes

      Condition builder and Condition editor are equivalent ways to set conditions. In either case, you should replace YOUR_BUCKET_NAME with the name of the bucket created in the previous step.

    7. Click Save.

  7. Click Done.
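
The following check is an added example, not part of the Zilliz Cloud documentation or tooling. It audits a project IAM policy for the storage service account and reports roles saved without a condition, as well as startsWith prefixes that also match other bucket names in the project. The policy, the PROJECT_ID placeholder, the two extra bucket names, and the function names are constructed for illustration; the role IDs are assumed to be the ones behind the Storage Object Admin and Storage Bucket Viewer display names.

```python
import re

# Constructed sample in the shape `gcloud projects get-iam-policy --format=json` prints.
# PROJECT_ID is a placeholder; the "-logs" and "billing-exports" buckets are made up.
BUCKET = "zilliz-byoc-your-org-bucket"
MEMBER = "serviceAccount:your-org-storage-sa@PROJECT_ID.iam.gserviceaccount.com"
OTHER_BUCKETS = ["zilliz-byoc-your-org-bucket-logs", "billing-exports"]
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin", "members": [MEMBER],
     "condition": {"title": "byoc-bucket-only",
                   "expression": f'resource.name.startsWith("projects/_/buckets/{BUCKET}")'}},
    # Constructed mistake: the second role was saved without its condition.
    {"role": "roles/storage.bucketViewer", "members": [MEMBER]},
]}

STARTS_WITH = re.compile(r'resource\.name\.startsWith\("([^"]+)"\)')

def matches(expression, resource_name):
    """Evaluate only the single startsWith() form used on this page."""
    m = STARTS_WITH.fullmatch(expression.strip())
    if m is None:
        raise ValueError(f"unsupported condition: {expression!r}")
    return resource_name.startswith(m.group(1))

def audit(policy, member, bucket, other_buckets):
    """Return (role, finding) pairs for the member's bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role, cond = binding["role"], binding.get("condition")
        if cond is None:
            findings.append((role, "no condition: role applies project-wide"))
            continue
        expr = cond["expression"]
        if not matches(expr, f"projects/_/buckets/{bucket}"):
            findings.append((role, "condition does not cover the project bucket"))
        for other in other_buckets:
            if matches(expr, f"projects/_/buckets/{other}"):
                findings.append((role, f"prefix also matches bucket {other}"))
    return findings

if __name__ == "__main__":
    for role, finding in audit(SAMPLE_POLICY, MEMBER, BUCKET, OTHER_BUCKETS):
        print(f"{role}: {finding}")
```

Because the condition is a plain string prefix, a bucket whose name merely begins with the project bucket's name is matched as well, which is one more reason to keep the bucket dedicated and distinctly named.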