Using GCP DLP with DataFusion, unable to find template
I have created a DLP Identification template named DLPTest in Project X.
My Datafusion resources are hosted in Project Y.
Issue is when I use the Redact plugin in Datafusion, and provide the template ID or path in the form -
projects/X/locations/{LOCATION}/inspectTemplates/DLPTest or
projects/X/inspectTemplates/DLPTest
All permissions have been provided to datafusion SA, compute engine SA, DLP Service Account. Datafusion fails to find the template, as it keeps searching for template in Project Y.
> Error logs - > Caused by:com.google.api.gax.rpc.InvalidArgumentException: io.grpc.StatusRuntimeException: INVALID_ARGUMENT: Invalid path:
Datafusion is expecting template in location projects/Y/inspectTemplates/projects/DLPTest
How do I enable DF to look for template in the correct location in separate project? Thanks.
My Datafusion resources are hosted in Project Y.
Issue is when I use the Redact plugin in Datafusion, and provide the template ID or path in the form -
projects/X/locations/{LOCATION}/inspectTemplates/DLPTest or
projects/X/inspectTemplates/DLPTest
All permissions have been provided to datafusion SA, compute engine SA, DLP Service Account. Datafusion fails to find the template, as it keeps searching for template in Project Y.
> Error logs - > Caused by:com.google.api.gax.rpc.InvalidArgumentException: io.grpc.StatusRuntimeException: INVALID_ARGUMENT: Invalid path:
Datafusion is expecting template in location projects/Y/inspectTemplates/projects/DLPTest
How do I enable DF to look for template in the correct location in separate project? Thanks.
Solution
When you want Project Y (where your data fusion is in) to use resources from Project X (where the DLP is in) is to add the data fusion and compute engine service accounts of Project Y to Project X.
Notes:
- Data Fusion service account: service-xxxxxxx@gcp-sa-datafusion.iam.gserviceaccount.com
- Default compute engine service account: xxxxx-compute@developer.gserviceaccount.com
Project Y:
- Go to IAM & Admin -> IAM
- Click View by: "Members"
- Tick checkbox "Include Google-provided role grants"
- Look for service-(project number of Project Y)@gcp-sa-datafusion.iam.gserviceaccount.com and (project number of Project Y)-compute@developer.gserviceaccount.com
- Add role "DLP Administrator" for service-(project number of Project Y)@gcp-sa-datafusion.iam.gserviceaccount.com
Project X:
- Go to IAM & Admin -> IAM
- Click Add
- Under New Members, put service-(project number of Project Y)@gcp-sa-datafusion.iam.gserviceaccount.com
- Grant role of "DLP Admininistrator"
- Repeat step 2 to step 4 but this time put in (project number of Project Y)-compute@developer.gserviceaccount.com
Now that you are able to set the permissions, Go back to Project Y and update your Redact to point to Project X.
- Go to Data Fusion -> Studio
- Click Redact-> Properties
- Put the template ID you created in Project X, in my sample it is "test_template"
- Under Project ID, put the Project ID of Project X
- Run your Data Fusion pipeline
- How to authenticate Google APIs (Google Drive API) from Google Compute Engine and locally without downloading Service Account credentials?
- Exporting from Cloud SQL to CSV with column headers
- python 3: Using pisa for creating pdf with multiple image urls in html content, rendering images incorrectly
- schedule autoscaler in terraform for GCP?
- Multiple STRING_AGG in one query
- Why aren't nacked messages ending up in my dead letter topic?
- Handle 503 error when making jobs.insert call
- Use http Google Cloud Functions "Require Authentication" with Firebase
- Google App Engine slow cold boot time (Flask app)
- gcloud SSH in same terminal window
- Cannot enable API on GCP (User role=Owner && Billing account is linked)
- Select All Columns Except Some in Google BigQuery?
- Why does my flex env google app engine instance have a minimum of 2 instances running, even when there is no traffic?
- How Does GCP Global Application Load Balancer Select the Closest Backend?
- How to use Google Search Grounding with Dynamic Retrieval Configuration
- Google Stackdriver Logging add comments to advanced filter
- BigQuery Date-Partitioned Views
- Check TPU workload/utilization
- Google Forms API raises google.auth.exceptions.RefreshError: 'No access token in response.'
- How can I see request count (not rate) for a Google Cloud Run application?
- I can write to my Firebase Firestore database, but am unable to read from it (Android Studio using Java)
- How to get task count in GCP cloud task
- Programmatically get current Service Account on GCP
- How to Access GKE Private Master from VPN in Hub VPC with Peering
- My gcp service account with "artifact registry admin" account was not able to push the docker image to repo
- GCP API Gateway: Cannot use path params
- Flask api on gcloud's URL keeps on loading
- GCP CloudBuild substitution fails in pipeline
- Is it secure to use an .env file to store API keys in Firebase Cloud Functions instead of Google Secret Manager?
- How do I keep a long-running background task from stopping on Google Cloud Run?