How to set up Cloud Sync for GCP Storage
1. In the Rewind Backups app (https://app.rewind.com), select the account for which you want to configure Cloud Sync, click on the cog icon in the top right and then click on Manage Cloud Sync.
2. In the Cloud Sync dialog, click on Google Cloud Platform.
3. In the configuration page for Cloud Sync for GCP, take note of the Rewind AWS Account ID; it is used in the next few steps when configuring Workload Identity Federation.
4. In Google Cloud Platform, create a new project dedicated to Rewind Cloud Sync and make note of the generated Project ID (not to be confused with the Project Name). This project is used for all further configuration below.
5. Under the IAM & Admin tab, create a role (e.g. rewind-cloud-sync-role) and assign it the following permissions:
   - storage.buckets.get
   - storage.multipartUploads.abort
   - storage.multipartUploads.create
   - storage.multipartUploads.list
   - storage.multipartUploads.listParts
   - storage.objects.create
   - storage.objects.delete
   - storage.objects.get

   Please note that the storage.objects.delete permission is required to upload new versions of existing items as per the GCP Storage permission model. If you do not provide this permission, the sync of your data will not work as expected.

   Also note that the storage.objects.get permission is required to delete the test files that Rewind will periodically add to your GCP Storage bucket in order to test connectivity to your bucket. This permission is not absolutely required, but omitting it will cause test files to be left behind and not get cleaned up. Rewind will never delete any other files apart from the test files created for the connection tests.
6. Under the IAM & Admin tab, create a new Service Account, assign it the role created in step 5 (rewind-cloud-sync-role) and also grant it the Workload Identity User role.
7. Under the Cloud Storage tab, create a new bucket by following this guide.
8. Under the APIs & Services tab, enable the following 4 APIs, which are required for Workload Identity Federation:
   - IAM Service Account Credentials API
   - Security Token Service API
   - Cloud Resource Manager API
   - Identity and Access Management (IAM) API
9. Under the IAM & Admin → Workload Identity Federation tab, create a new Pool and specify:
   - Set the provider to AWS.
   - Set the provider name to Rewind Cloud Sync.
   - Set the AWS account ID to the ID shown in the Cloud Sync configuration modal in the Rewind Backups app.
   - In Step 3 (Configure provider attributes), change the existing mappings to:
     - attribute.account → assertion.account
     - google.subject → assertion.arn
10. Once the Workload Identity Pool has been created, click on the pool, click Grant Access and link the Service Account created in step 6. For Principals, select Account, enter Rewind’s AWS account number in the text field and then download the Identity Federation configuration file.
11. Upload the Workload Identity Pool configuration file from step 10 in the Cloud Sync configuration modal in the Rewind Backups app and enter your Project ID as well as your bucket name from step 7.
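The same GCP-side configuration (steps 4 to 10) can be driven from the gcloud CLI instead of the console. The script below is an added example, not Rewind's own tooling; the project, bucket, pool and service-account names are placeholder assumptions, and the Rewind AWS account ID must be the one shown in the Cloud Sync configuration modal.

```shell
#!/usr/bin/env bash
# Added example: gcloud equivalent of the console steps above. PROJECT_ID,
# BUCKET and REWIND_AWS_ACCOUNT_ID are placeholder assumptions; the real
# Rewind AWS account ID is the one shown in the Cloud Sync configuration modal.
set -eu
PROJECT_ID="${PROJECT_ID:-rewind-cloud-sync-project}"   # Project ID, not Project Name
BUCKET="${BUCKET:-rewind-cloud-sync-bucket}"
REWIND_AWS_ACCOUNT_ID="${REWIND_AWS_ACCOUNT_ID:-000000000000}"
POOL="rewind-cloud-sync-pool"; PROVIDER="rewind-cloud-sync"
SA="rewind-cloud-sync"; ROLE="rewind-cloud-sync-role"

# The eight permissions from step 5 (objects.delete is needed for re-uploads).
role_permissions() {
  echo "storage.buckets.get,storage.multipartUploads.abort,storage.multipartUploads.create,storage.multipartUploads.list,storage.multipartUploads.listParts,storage.objects.create,storage.objects.delete,storage.objects.get"
}
# Attribute mapping from step 9: subject = caller ARN, account = AWS account ID.
attribute_mapping() { echo "google.subject=assertion.arn,attribute.account=assertion.account"; }
# Principal for the Grant Access step (step 10): only identities in this pool whose
# mapped account attribute equals Rewind's AWS account may impersonate the SA.
pool_principal() {  # $1 = numeric project number
  echo "principalSet://iam.googleapis.com/projects/$1/locations/global/workloadIdentityPools/${POOL}/attribute.account/${REWIND_AWS_ACCOUNT_ID}"
}

apply() {
  local sa_email="${SA}@${PROJECT_ID}.iam.gserviceaccount.com" number
  gcloud services enable iamcredentials.googleapis.com sts.googleapis.com \
    cloudresourcemanager.googleapis.com iam.googleapis.com --project="$PROJECT_ID"
  gcloud iam roles create "$ROLE" --project="$PROJECT_ID" \
    --title="Rewind Cloud Sync" --permissions="$(role_permissions)"
  gcloud iam service-accounts create "$SA" --project="$PROJECT_ID" --display-name="Rewind Cloud Sync"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${sa_email}" --role="projects/${PROJECT_ID}/roles/${ROLE}"
  gcloud storage buckets create "gs://${BUCKET}" --project="$PROJECT_ID"
  gcloud iam workload-identity-pools create "$POOL" --project="$PROJECT_ID" \
    --location=global --display-name="Rewind Cloud Sync"
  gcloud iam workload-identity-pools providers create-aws "$PROVIDER" --project="$PROJECT_ID" \
    --location=global --workload-identity-pool="$POOL" \
    --account-id="$REWIND_AWS_ACCOUNT_ID" --attribute-mapping="$(attribute_mapping)"
  number="$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')"
  gcloud iam service-accounts add-iam-policy-binding "$sa_email" --project="$PROJECT_ID" \
    --role=roles/iam.workloadIdentityUser --member="$(pool_principal "$number")"
  # Produces the JSON file that is uploaded in the Cloud Sync modal (step 11).
  gcloud iam workload-identity-pools create-cred-config \
    "projects/${number}/locations/global/workloadIdentityPools/${POOL}/providers/${PROVIDER}" \
    --service-account="$sa_email" --aws --output-file=rewind-cloud-sync-config.json
}
if [ "${1:-}" = "apply" ]; then apply; fi
```

Run the script with the single argument `apply` from an authenticated gcloud session; without it, only the helper functions are defined, which makes the generated principal and mapping strings easy to inspect before anything is created.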