Google Cloud Storage Connector
The C3 Agentic AI Platform has a built-in connector for integrating with Google Cloud Storage. To integrate with a Google Cloud Storage bucket, you must:
- If a Google Cloud Storage bucket does not already exist, create one with the appropriate bucket access policies.
- Create a mount path for the Google Cloud Storage bucket in the C3 Agentic AI Platform, if it does not already exist.
- Set the required credentials to access the contents of the Google Cloud Storage bucket.
- Validate the connection.
Create a Google Cloud Storage bucket
Before connecting to Google Cloud Storage, create or use an existing bucket in Google Cloud Storage configured for uniform access control. For more information on creating a Google Cloud Storage bucket, see Create storage buckets in the Google Cloud documentation.
To access the bucket from the C3 Agentic AI Platform, you must also create a credential with the appropriate IAM roles so that the platform can read from and write to the Google Cloud Storage bucket. For more information on creating and editing IAM roles for Google Cloud Storage, see the Overview of access control and IAM permissions for Cloud Storage topics in the Google Cloud documentation.
Minimum permissions needed for read-only access
To provide read-only access, assign the Storage Object Viewer role in the IAM policy. This role grants the user the minimum permissions needed to view and access objects stored in a Google Cloud Storage (GCS) bucket.
For more details on granting permissions, refer to the GCS Identity and Access Management (IAM) documentation.
Platform configurations
After you create a bucket and apply the appropriate IAM policies, apply the following configurations on the C3 Agentic AI Platform.
Enable the file system
Enable the Google Cloud Storage bucket by running the following:
FileSystem.gcs().enable();
For more information on enabling remote file systems on the C3 Agentic AI Platform, see Work With File Systems.
Create the file system mount
Use the following to add a new file system mount path for the Google Cloud Storage bucket:
var mountName = "<mount_name>";
var bucketName = "<gcs_bucket_name>";
FileSystem.gcs().setMount(mountName, "gcs://" + bucketName, ConfigOverride.APP);
Set credentials to access the Google Cloud Storage bucket
When setting the credentials to access the contents of your Google Cloud Storage bucket, the C3 AI Platform requires that you first generate a key on behalf of some principal that has the right level of access to the bucket, such as a Google Cloud Service Account. For more information about creating a key on behalf of a Service Account, see the Create and manage service account keys topic from the Google Cloud documentation.
After you have a .json file containing the key information, run the following commands to set the credential to authorize requests to the Google Cloud Storage bucket on behalf of the Service Account principal:
The following code is included for explanatory purposes only. In a production scenario, store keys in an enterprise vault system designed for managing secrets.
// Parsed contents of the service account key .json file
var key = <contents_of_json>;
var accessKey = key.private_key_id;
var secretKey = key.private_key;
// Build the credential from the key fields
var credentials = Gcp.inst()
  .defaultCredentials()
  .withAccessKey(accessKey)
  .withSecretKey(secretKey)
  .withAccountId(key.client_id)
  .withAccountEmail(key.client_email);
// Attach the credential to the bucket (bucketName as defined for the mount)
GcpBucket.setCredentialsForResourceName(
  bucketName,
  credentials,
  ConfigOverride.APP
);
You can copy existing credentials from an existing Google Cloud Storage bucket to a new bucket using the following code:
var otherBucketName = "<name_of_the_existing_bucket>";
var bucketName = "<gcs_bucket_name>";
var credentials = GcpCredentials.make(
  GcpBucket.forResourceName(otherBucketName).credentials
);
GcpBucket.setCredentialsForResourceName(
  bucketName,
  credentials,
  ConfigOverride.APP
);
To minimize security risk vectors, use a least-privileges approach when establishing IAM roles and setting credentials, especially in production environments.
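One way to check the least-privilege guidance for the read-only case before handing a key to the platform. This is an added example, not C3 platform code: the function name, the sample policy, and the service account name are hypothetical, and the input is assumed to be the bucket IAM policy JSON exported from Google Cloud.

```javascript
// Added example (not C3 platform code): audit a bucket-level IAM policy for least privilege.
// Input is the JSON printed by: gcloud storage buckets get-iam-policy gs://<bucket> --format=json
// Roles inherited from the project or organization do not appear in that output.
const READ_ONLY_ROLE = "roles/storage.objectViewer";
const PUBLIC_MEMBERS = new Set(["allUsers", "allAuthenticatedUsers"]);

function auditBucketPolicy(policy, serviceAccountEmail) {
  const member = "serviceAccount:" + serviceAccountEmail;
  const roles = [];
  const findings = [];
  for (const binding of policy.bindings || []) {
    const members = binding.members || [];
    if (members.includes(member)) {
      roles.push(binding.role);
      // Anything beyond Storage Object Viewer exceeds the read-only minimum.
      if (binding.role !== READ_ONLY_ROLE) {
        findings.push("excess role for read-only use: " + binding.role);
      }
    }
    for (const m of members) {
      // Public principals expose the bucket regardless of the connector's key.
      if (PUBLIC_MEMBERS.has(m)) {
        findings.push("public access: " + m + " holds " + binding.role);
      }
    }
  }
  if (!roles.includes(READ_ONLY_ROLE)) {
    findings.push("no bucket-level " + READ_ONLY_ROLE + " binding for " + member);
  }
  return { roles, findings, ok: findings.length === 0 };
}

// Constructed sample policy and service account (hypothetical names).
const SAMPLE_ACCOUNT = "c3-reader@example-project.iam.gserviceaccount.com";
const samplePolicy = {
  bindings: [
    { role: "roles/storage.objectViewer", members: ["serviceAccount:" + SAMPLE_ACCOUNT] },
    { role: "roles/storage.admin", members: ["serviceAccount:" + SAMPLE_ACCOUNT, "user:admin@example.com"] },
    { role: "roles/storage.legacyObjectReader", members: ["allUsers"] },
  ],
};

const report = auditBucketPolicy(samplePolicy, SAMPLE_ACCOUNT);
console.log(JSON.stringify(report, null, 2));
```

Pass the `client_email` value from the key file as the second argument. A missing bucket-level binding is reported as a finding because the role may instead be granted at the project level, which is broader than a single bucket.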
Validate the connection
After you apply the required configurations, validate that the Google Cloud Storage bucket has been correctly integrated by listing the files in the bucket:
var mountName = "<mount_name>";
FileSystem.gcs().listFiles(FileSystem.gcs().urlFromMount(mountName));
This request succeeds if the configuration has been correctly applied, even if there are no files in the bucket.
Clear credentials
To clear credentials for a Google Cloud Storage bucket and delete the associated mount path, you can run the following:
var bucketName = "<gcs_bucket_name>";
var mountName = "<mount_name>";
GcpBucket.forResourceName(bucketName).clearConfigAndSecretAllOverrides();
FileSystem.gcs().removeMount(mountName, ConfigOverride.APP);