Configure Google Cloud Storage

1. Create a Google Cloud project if you haven’t already. For details, see Creating and managing projects.
2. Open the Google Cloud console and create a service account for the Chrome OS Readiness Tool to use.
   1. On the top left of the Cloud Console, go to IAM & AdminService Accounts.
      Note: There are service accounts already listed here, but you should not use these for the trial machines as they have much higher privileges than necessary.
   2. At the top, click Create Service Account.
   3. Add the following roles in Grant this service account access to project:
      • Service Account Admin
      • Service Account Key Admin
      • Storage Admin
      If you have already created a service account, follow the steps for granting access to change roles in NavigationIAM. See Granting, changing, and revoking access to resources.
3. Go to Navigation APIs & ServicesLibrary and make sure you have enabled the IAM (Identity and Access Management) API.

You can also delete or deactivate a service account if necessary.

Now that your service account is configured, you must download the service account key for use with the setup wizard.

1. On the top left of the Google Cloud console, go to IAM & AdminService Accounts.
2. Select your service account.
3. Under Keys, select Add key and create a new JSON key.

Note: This downloads the key to your machine. It is not possible to get this key again, so if you lose the key, you must create a new one. You can delete a key to revoke it.

For full instructions, see Deploy the Chrome OS Readiness Tool, noting the Google Cloud Storage-specific steps in Deployment configuration.

In Step 1: Setup storage, you provide the setup wizard with your service account key .json file. Configure the settings as normally.

In Step 3: Generate a configuration script, you need to use the generated decryption key parameter in your deployment tooling.

For additional details see Target configuration overview to understand what infrastructure is created by the wizard.

First, create a service account that will have specific access to buckets

1. Create a Google Cloud project if you haven’t already. For details, see Creating and managing projects.
2. Open the Google Cloud console and create a service account to be used by the Chrome OS Readiness Tool.
   1. On the top left of the Cloud Console, go to IAM & AdminService Accounts.
      Note: There are service accounts already listed here, but you should not use these for the trial machines as they have much higher privileges than necessary.
   2. At the top, click Create Service Account.
3. Go to NavigationAPIs & ServicesLibrary and make sure you have enabled the following APIs:
   • Cloud Storage
   • Cloud Storage API
   • Google Cloud Storage JSON API

You can also delete or deactivate a service account if necessary.

Once you have created your service account, you must create the buckets used by the tool and grant the service account the appropriate level of access.

1. Create buckets assigned to the project:
   1. From the top-left menu in the Google Cloud console, select StorageBrowser.
      A list of all the buckets assigned to your project is displayed. It is empty if the project was newly created.
   2. Click Create Bucket again to create a reports bucket.
   3. (Optional) To use an edit set, click Create Bucket to create a configuration bucket. Confirm that the access is uniform.
2. If you want to use an edit set, add your edit set to the top level bucket of the configuration bucket. For more information about what this file is and how to create it, see What are the base library and edit set.
   1. In your bucket, click Upload Files. This uploads your edit set.
      Note: The edit set must be named edit_set.json. You can use the empty_edit_set_example.json from the bundle as an example. For details, see Download the tool software bundle.
   2. Alternatively, you can drag and drop the edit set into the bucket.
3. Assign appropriate rights to the buckets. The service account must only read from the configuration bucket and write to the reports bucket.
   1. On the Service account page from the first column in the list, copy the service account email.
   2. On the top-left from the list, select StorageBrowser and then select the reports or configuration bucket.
   3. Click PermissionsAdd.
   4. Under New Members, paste your service account’s email.
   5. In the Select a role field, do the following:
      1. For your reports bucket select Cloud StorageStorage Object Creator.
      2. For your configuration bucket, select Cloud StorageStorage Object Viewer.
4. Click Save.

Now that your service account is configured with appropriate bucket access, you must download the service account key.

1. On the top left of the Google Cloud console, go to IAM & AdminService Accounts.
2. Select your service account.
3. Under Keys, select Add key and create a new JSON key.

Note: This downloads the key to your machine. It is not possible to get this key again, so if you lose the key, you must create a new one. You can delete a key to revoke it.

The registry settings for the Chrome OS Readiness Tool needs to be updated with your bucket and service account key information.

For full instructions, see Configure Google Cloud Storage.

When using the helper tool to analyze results and generate reports, you need to provide a service account key path in the command line that can access results (read) and configuration buckets (read/write). See Generate reports.

If you have a Google account with those permissions, you can use that account to transfer files via the Google cloud CLI or Cloud Console to the admin machine, and run the helper tool on local data.

If you do not, create another service account with additional privileges:

1. Open the Google Cloud console and create a service account to be used by the Chrome OS Readiness Helper Tool.
   1. On the top left, go to IAM & AdminService Accounts.
   2. At the top, click Create Service Account.
2. Grant this service account bucket access to your reports and configuration buckets . For details, see Create and configure buckets.
3. Download the service account key for this service account. For details, see Download the service account key.
4. Provide the helper tool with the path to the service account key JSON file using the --gcs_service_account_key_path flag.

After you complete a trial, you can use tooling to remove the registry settings used for GCS configuration. After uninstalling the software using the uninstall mode of the service installer, run the configuration script with -mode remove for each client. For details, see also Reconfigure or uninstall an assessment.

You can also deactivate or delete the service accounts used, which revokes any service account keys, and deletes the buckets created if you do not intend to run a further assessment.

If you want to download reports without a service account key and then run analysis on the downloaded data locally, you can use the free gsutil tool. This is recommended if you are working with more than several thousand reports, as the helper tool downloads them slowly beyond that. First, download and install the Google Cloud SDK and initialize the SDK by running gcloud init.

You need an IAM account that has read/write permissions to the configuration bucket and at least read permissions to the results bucket. Run gsutil config and authenticate with this Google account. Then, run:

gsutil -m cp -r gs://my-bucket-name/reports_directory .

This downloads the contents of the entire reports directory from Google Cloud to a new directory in the current directory, indicated by the period at the end of the command. Alternatively, you can specify an existing directory as the download location. If your reports are located in the root directory of a bucket, you can just omit the directory name in the command.

The -m parameter specifies that multiple downloads should be done in parallel, which greatly increases the download speed.

After downloading, you can run the generate_report command as you would normally for a shared directory, specifying the local download location as the --shared_folder_path argument. For a full description of available commands and options, see Generate reports.