Configure Google Cloud Storage

You can configure Cloud Storage to use as a data store when deploying your Chrome OS Readiness Tool.

Automatic or manual setup

There are two ways to set up Cloud Storage for a Chrome OS Readiness trial:

  • Automatic—Use the Chrome OS Readiness setup wizard to set up cloud buckets automatically. The only prerequisite is to create and download a service account key with sufficient privileges for use with the wizard. The wizard does everything else. For details, see Automatic setup.
  • Manual—Set up cloud buckets manually using the Google Cloud console or CLI. For details, see Manual setup.

Automatic setup

Create a privileged service account key for use with the wizard

  1. Create a Google Cloud project if you haven’t already. For details, see Creating and managing projects.
  2. Open the Google Cloud console and create a service account for the Chrome OS Readiness Tool to use.
    1. On the top left of the Cloud Console, go to IAM & Admin > Service Accounts.
      Note: There are service accounts already listed here, but you should not use these for the trial machines as they have much higher privileges than necessary.
    2. At the top, click Create Service Account.
    3. Add the following roles in Grant this service account access to project:
      • Service Account Admin
      • Service Account Key Admin
      • Storage Admin
      If you have already created a service account, follow the steps for granting access to change roles in Navigation > IAM. See Granting, changing, and revoking access to resources.
  3. Go to Navigation > APIs & Services > Library and make sure you have enabled the IAM (Identity and Access Management) API.

You can also delete or deactivate a service account if necessary.

Download the service account key

Now that your service account is configured, you must download the service account key for use with the setup wizard.

  1. On the top left of the Google Cloud console, go to IAM & Admin > Service Accounts.
  2. Select your service account.
  3. Under Keys, select Add key and create a new JSON key.

Note: This downloads the key to your machine. It is not possible to get this key again, so if you lose the key, you must create a new one. You can delete a key to revoke it.

Use the setup wizard to finish the configuration

For full instructions, see Deploy the Chrome OS Readiness Tool, noting the Google Cloud Storage-specific steps in Deployment configuration.

In Step 1: Setup storage, you provide the setup wizard with your service account key .json file. Configure the settings as you normally would.

In Step 3: Generate a configuration script, you need to use the generated decryption key parameter in your deployment tooling.

Further information

For additional details see Target configuration overview to understand what infrastructure is created by the wizard.

Manual setup

The aim of this section is to manually arrive at the following target configuration.

Create a restricted service account key

First, create a service account that will have specific access to buckets.

  1. Create a Google Cloud project if you haven’t already. For details, see Creating and managing projects.
  2. Open the Google Cloud console and create a service account to be used by the Chrome OS Readiness Tool.
    1. On the top left of the Cloud Console, go to IAM & Admin > Service Accounts.
      Note: There are service accounts already listed here, but you should not use these for the trial machines as they have much higher privileges than necessary.
    2. At the top, click Create Service Account.
  3. Go to Navigation > APIs & Services > Library and make sure you have enabled the following APIs:
    • Cloud Storage
    • Cloud Storage API
    • Google Cloud Storage JSON API

You can also delete or deactivate a service account if necessary.

Create and configure buckets

Once you have created your service account, you must create the buckets used by the tool and grant the service account the appropriate level of access.

  1. Create buckets assigned to the project:
    1. From the top-left menu in the Google Cloud console, select Storage > Browser.
      A list of all the buckets assigned to your project is displayed. It is empty if the project was newly created.
    2. Click Create Bucket again to create a reports bucket.
    3. (Optional) To use an edit set, click Create Bucket to create a configuration bucket. Confirm that the access is uniform.
  2. If you want to use an edit set, add your edit set to the top level of the configuration bucket. For more information about what this file is and how to create it, see What are the base library and edit set.
    1. In your bucket, click Upload Files. This uploads your edit set.
      Note: The edit set must be named edit_set.json. You can use the empty_edit_set_example.json from the bundle as an example. For details, see Download the tool software bundle.
    2. Alternatively, you can drag and drop the edit set into the bucket.
  3. Assign appropriate rights to the buckets. The service account must only read from the configuration bucket and write to the reports bucket.
    1. On the Service account page from the first column in the list, copy the service account email.
    2. On the top-left from the list, select Storage > Browser and then select the reports or configuration bucket.
    3. Click Permissions > Add.
    4. Under New Members, paste your service account’s email.
    5. In the Select a role field, do the following:
      1. For your reports bucket, select Cloud Storage > Storage Object Creator.
      2. For your configuration bucket, select Cloud Storage > Storage Object Viewer.
  4. Click Save.

Download the service account key

Now that your service account is configured with appropriate bucket access, you must download the service account key.

  1. On the top left of the Google Cloud console, go to IAM & Admin > Service Accounts.
  2. Select your service account.
  3. Under Keys, select Add key and create a new JSON key.

Note: This downloads the key to your machine. It is not possible to get this key again, so if you lose the key, you must create a new one. You can delete a key to revoke it.

Set registry values for service account

The registry settings for the Chrome OS Readiness Tool need to be updated with your bucket and service account key information.

For full instructions, see Configure Google Cloud Storage.

(Optional) Create a privileged service account key for use with the helper tool

When using the helper tool to analyze results and generate reports, you need to provide a service account key path in the command line that can access results (read) and configuration buckets (read/write). See Generate reports.

If you have a Google account with those permissions, you can use that account to transfer files via the Google Cloud CLI or Cloud Console to the admin machine, and run the helper tool on local data.

If you do not, create another service account with additional privileges:

  1. Open the Google Cloud console and create a service account to be used by the Chrome OS Readiness Helper Tool.
    1. On the top left, go to IAM & Admin > Service Accounts.
    2. At the top, click Create Service Account.
  2. Grant this service account bucket access to your reports and configuration buckets. For details, see Create and configure buckets.
  3. Download the service account key for this service account. For details, see Download the service account key.
  4. Provide the helper tool with the path to the service account key JSON file using the --gcs_service_account_key_path flag.

Target configuration overview

No matter how you set up, the following infrastructure needs to be in place in order for the Chrome OS Readiness Tool to function correctly:

  • There is an admin machine on which you install the bundle and manage the trial.
  • There are one or more client machines to analyze with the Chrome OS Readiness Tool.
  • There is an optional configuration bucket in Google Cloud used to customize the application library and a mandatory results bucket in Google Cloud used for client machine results.
  • The admin machine must have read/write access to the configuration bucket and read access to the results bucket.
  • The admin machine deploys a restricted service account key to client machines that grants them read access to the configuration bucket and write access to the results bucket. This account key can be created manually, though it is automatically created if configuring via the setup wizard. For details, see Create a restricted service account key.
  • If configuring via the setup wizard, there must be a privileged service account key on the admin machine. This service account key needs to have permissions to perform account setup for you. For details on what is required and how to create this account, see Create a privileged service account key for use with the wizard.
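
The following added example (not part of the original page or of the Chrome OS Readiness Tool) checks a bucket IAM policy, in the JSON form printed by gsutil iam get gs://BUCKET, against the restricted client key described above: Storage Object Creator on the reports bucket and Storage Object Viewer on the configuration bucket. The account email, project name and policies are constructed placeholders.

```python
import json

# Role each bucket should grant the restricted client service account (from the page).
EXPECTED_ROLE = {
    "reports": "roles/storage.objectCreator",       # Storage Object Creator
    "configuration": "roles/storage.objectViewer",  # Storage Object Viewer
}
PUBLIC = ("allUsers", "allAuthenticatedUsers")

def audit_bucket_policy(policy_json, bucket_kind, sa_email):
    """Return findings for one bucket IAM policy; an empty list means it matches."""
    member = "serviceAccount:" + sa_email
    expected = EXPECTED_ROLE[bucket_kind]
    findings, granted = [], set()
    for binding in json.loads(policy_json).get("bindings", []):
        role, members = binding["role"], binding.get("members", [])
        # Public principals would expose reports or the edit set to anyone.
        for principal in PUBLIC:
            if principal in members:
                findings.append(f"{role} is granted to {principal}")
        if member in members:
            granted.add(role)
    if expected not in granted:
        findings.append(f"missing {expected}")
    # Any other role held by the client key exceeds the target configuration.
    findings += [f"unexpected {role}" for role in sorted(granted - {expected})]
    return findings

# Constructed sample data: placeholder account, project and policies.
SA = "readiness-client@example-project.iam.gserviceaccount.com"
OWNERS = {"role": "roles/storage.legacyBucketOwner",
          "members": ["projectOwner:example-project"]}
REPORTS_OK = json.dumps({"bindings": [OWNERS, {
    "role": "roles/storage.objectCreator", "members": ["serviceAccount:" + SA]}]})
CONFIG_TOO_BROAD = json.dumps({"bindings": [OWNERS, {
    "role": "roles/storage.objectAdmin", "members": ["serviceAccount:" + SA]}]})
REPORTS_PUBLIC = json.dumps({"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectCreator", "members": ["serviceAccount:" + SA]}]})

if __name__ == "__main__":
    for label, kind, policy in [("reports (ok)", "reports", REPORTS_OK),
                                ("configuration (too broad)", "configuration", CONFIG_TOO_BROAD),
                                ("reports (public)", "reports", REPORTS_PUBLIC)]:
        print(label, audit_bucket_policy(policy, kind, SA) or "OK")
```

A bucket policy does not list roles inherited from the project, so an account that holds a project-level role such as Storage Admin passes this check while still having broader access; review project-level IAM for the client account as well.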

Additional topics

Post-trial cleanup

After you complete a trial, you can use tooling to remove the registry settings used for GCS configuration. After uninstalling the software using the uninstall mode of the service installer, run the configuration script with -mode remove for each client. For details, see also Reconfigure or uninstall an assessment.

You can also deactivate or delete the service accounts used, which revokes any service account keys, and delete the buckets created if you do not intend to run a further assessment.

Downloading reports with gsutil

If you want to download reports without a service account key and then run analysis on the downloaded data locally, you can use the free gsutil tool. This is recommended if you are working with more than several thousand reports, as the helper tool downloads them slowly beyond that. First, download and install the Google Cloud SDK and initialize the SDK by running gcloud init.

You need an IAM account that has read/write permissions to the configuration bucket and at least read permissions to the results bucket. Run gsutil config and authenticate with this Google account. Then, run:

gsutil -m cp -r gs://my-bucket-name/reports_directory .

This downloads the contents of the entire reports directory from Google Cloud to a new directory in the current directory, indicated by the period at the end of the command. Alternatively, you can specify an existing directory as the download location. If your reports are located in the root directory of a bucket, you can just omit the directory name in the command.

The -m parameter specifies that multiple downloads should be done in parallel, which greatly increases the download speed.

After downloading, you can run the generate_report command as you would normally for a shared directory, specifying the local download location as the --shared_folder_path argument. For a full description of available commands and options, see Generate reports.
