Using GCP DLP with DataFusion, unable to find template
I have created a DLP Identification template named DLPTest in Project X.
My Datafusion resources are hosted in Project Y.
Issue is when I use the Redact plugin in Datafusion, and provide the template ID or path in the form -
projects/X/locations/{LOCATION}/inspectTemplates/DLPTest or
projects/X/inspectTemplates/DLPTest
All permissions have been provided to datafusion SA, compute engine SA, DLP Service Account. Datafusion fails to find the template, as it keeps searching for template in Project Y.
> Error logs - > Caused by:com.google.api.gax.rpc.InvalidArgumentException: io.grpc.StatusRuntimeException: INVALID_ARGUMENT: Invalid path:
Datafusion is expecting template in location projects/Y/inspectTemplates/projects/DLPTest
How do I enable DF to look for template in the correct location in separate project? Thanks.
My Datafusion resources are hosted in Project Y.
Issue is when I use the Redact plugin in Datafusion, and provide the template ID or path in the form -
projects/X/locations/{LOCATION}/inspectTemplates/DLPTest or
projects/X/inspectTemplates/DLPTest
All permissions have been provided to datafusion SA, compute engine SA, DLP Service Account. Datafusion fails to find the template, as it keeps searching for template in Project Y.
> Error logs - > Caused by:com.google.api.gax.rpc.InvalidArgumentException: io.grpc.StatusRuntimeException: INVALID_ARGUMENT: Invalid path:
Datafusion is expecting template in location projects/Y/inspectTemplates/projects/DLPTest
How do I enable DF to look for template in the correct location in separate project? Thanks.
Solution
When you want Project Y (where your data fusion is in) to use resources from Project X (where the DLP is in) is to add the data fusion and compute engine service accounts of Project Y to Project X.
Notes:
- Data Fusion service account: service-xxxxxxx@gcp-sa-datafusion.iam.gserviceaccount.com
- Default compute engine service account: xxxxx-compute@developer.gserviceaccount.com
Project Y:
- Go to IAM & Admin -> IAM
- Click View by: "Members"
- Tick checkbox "Include Google-provided role grants"
- Look for service-(project number of Project Y)@gcp-sa-datafusion.iam.gserviceaccount.com and (project number of Project Y)-compute@developer.gserviceaccount.com
- Add role "DLP Administrator" for service-(project number of Project Y)@gcp-sa-datafusion.iam.gserviceaccount.com
Project X:
- Go to IAM & Admin -> IAM
- Click Add
- Under New Members, put service-(project number of Project Y)@gcp-sa-datafusion.iam.gserviceaccount.com
- Grant role of "DLP Admininistrator"
- Repeat step 2 to step 4 but this time put in (project number of Project Y)-compute@developer.gserviceaccount.com
Now that you are able to set the permissions, Go back to Project Y and update your Redact to point to Project X.
- Go to Data Fusion -> Studio
- Click Redact-> Properties
- Put the template ID you created in Project X, in my sample it is "test_template"
- Under Project ID, put the Project ID of Project X
- Run your Data Fusion pipeline
- How to remove a value from an array within a batched write in Firestore?
- Can't Access GCP Docker container
- Google Firebase: How do I "work around" an invalid "issuer" value in my client's OIDC discovery document?
- Firebase Phone authentication test num working but real phone num showing [BILLING_NOT_ENABLED]
- How do I list the roles associated with a gcp service account?
- Cannot connect to kafka hosted in cloud from spring boot application
- Downloading google calendar event attachment
- How to include DeltaLake Files from GCS to BigQuery
- Google Cloud translate JSON file
- Why does GCP Pub/Sub publish a message twice?
- Is it possible to create daily budget alerts in GCP?
- Firebase Cloud Functions cannot read nitro generated index.mjs file
- Beam Dataflow Reshuffle Failing
- How to Access GKE Private Master from VPN in Hub VPC with Peering
- Google Cloud API Gateway static URL
- What are different between GCP service and GCP resources?
- What is the best way to determine the maximum concurrent requests per instance for your App Engine or Cloud Run app?
- Cloud Run Jobs events to trigger Cloud Function with EventArc
- Getting 403 from Google Cloud Monitoring API using a service account and JWT auth
- Do Google Cloud Task requests count towards concurrent requests in Google App Engine?
- Created scheduled backups using Spanner's new built-in feature don't trigger the actual backup
- GCP pub sub ordering with concurrency in the subscriber
- Error: 10: Developer console is not set up correctly (Not Using Firebase) (One Tap sign-up)
- How to drop multiple tables in Big query using Wildcards TABLE_DATE_RANGE()?
- How to list all projects in GCP that belongs to a specific organization
- Constantly getting DEVELOPER_ERROR in Android Simulator using Firebase Authentication
- Google OAuth 2.0 authentication not working in React app: what am I doing wrong?
- How to SSH to docker container in kubernetes cluster?
- How to use google cloud load balance with cloudflare DNS proxy
- How to write data from apache beam using gcp dataflow to bigquery table?