Google Cloud Storage Destination

Updated on Feb 24, 2026

Note: This article covers the Google Cloud Storage Destination setup process. It doesn’t cover the DataPrep setup for GCS.

You can learn how to extract data from Google Cloud Storage data source here.

Description

Google Cloud Storage is a highly available and durable object storage service offered by Google Cloud Platform, designed to store and access large, unstructured data sets with high reliability, scalability, and performance.

Setup guide

Follow our setup guide to connect Google Cloud Storage to Improvado.

Generate a Service Account Key JSON file

To use Service Account Key authentication, first generate a JSON key file in Google Cloud Console, following the official documentation or the interactive step-by-step guide provided by Google.

Alternatively, you can follow the instructions below:

  1. In Google Cloud Console, go to IAM & Admin > Service Accounts.
  2. Click on the Actions button for your Service account and select Manage keys.
  3. In the KEYS tab section, click ADD KEY > Create new key. Choose JSON as a key type and click Create.
  4. In the downloaded JSON file, copy your Project ID.

How to connect

Grant the Improvado Google Service account improvado-gcs-loader@green-post-223109.iam.gserviceaccount.com access to your Google Cloud Storage bucket by assigning it the Storage Object Admin role on the bucket.

Learn more here.

Complete configuration

On the Google Cloud Storage connection page, fill in the following fields:

  1. Enter a name for your Destination connection in the Title.
  2. Enter the Bucket Name.
  3. Enter the Filename.
  4. Select the necessary File Format option from the dropdown.
  5. Select the necessary Separator option from the dropdown.
  6. Select the necessary GCS Region option from the dropdown.
  7. Select the necessary Partition by option from the dropdown.
  8. Select the necessary Encryption option from the dropdown.
  9. (Optional) Enter the Root Name.

Note

This field supports letters and numbers only, max 64 characters (no special characters or dynamic values).

  10. Select the necessary Use static IP option from the dropdown.
  11. Select Workload Identity Federation as the Authentication type (recommended).
  12. Upload your Service account key JSON file to the Service account key field.
  13. Enter the Project ID.
  14. (Workload Identity Federation only) Enter the GCP Project Number.
  15. (Workload Identity Federation only) Enter the Workload Pool ID.
  16. (Workload Identity Federation only) Enter the AWS Provider ID.
  17. (Workload Identity Federation only) Enter the Service Account Email.
  18. Select the necessary Use load by accounts option from the dropdown.
  19. Select the necessary Use binary strings option from the dropdown.

Secondary Authentication Option (Workload Identity Federation)

Note: We recommend using the Service Account Key as an authentication method.

With identity federation, you can use Identity and Access Management (IAM) to grant external identities IAM roles, including the ability to impersonate service accounts. This approach eliminates the maintenance and security burden associated with service account keys.

Learn more about Identity Federation here: Workload identity federation | IAM Documentation | Google Cloud.

  1. Set up a Workload pool and Provider for your Google Cloud project.
  2. Specify the Improvado AWS account ID, which you can find in the Improvado UI.
  3. Paste the Improvado AWS Account ID and configure Attribute mapping:
    1. Set the attribute.aws_role attribute value to assertion.arn.extract('assumed-role/{role}/').
  4. Add a condition that allows only one AWS IAM role, named workload_identity_fed_file_sender:
    1. Set the Condition CEL to attribute.aws_role == "workload_identity_fed_file_sender".
  5. On the Workpool details page, click the Grant access button.
  6. Select principals (identities that can access the service account):
    1. Set the aws_role attribute value to workload_identity_fed_file_sender.
  7. Make sure that your service account has at least the Service Account Admin role.
  8. Assign the Storage Object Admin role to the service account for bucket access.
  9. In Complete configuration, enter your Workload Pool ID and AWS Provider ID in the corresponding fields in the Improvado UI.
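
To check what the attribute mapping and condition above admit, the following added example (not Improvado's or Google's code) models them in Python and runs them over constructed AWS ARNs. The `cel_extract` helper is a simplified stand-in for CEL's `extract()`, and the account ID 111122223333 and session names are placeholders.

```python
# Added example: simplified model of the provider's attribute mapping and condition.
ALLOWED_ROLE = "workload_identity_fed_file_sender"   # role name from the guide
TEMPLATE = "assumed-role/{role}/"                    # extract() template from the guide


def cel_extract(value: str, template: str) -> str:
    """Simplified model of CEL extract(): return the text between the
    template's prefix and suffix, or "" when the template does not match."""
    prefix, _, rest = template.partition("{")
    _, _, suffix = rest.partition("}")
    start = value.find(prefix)          # first occurrence of the prefix
    if start < 0:
        return ""
    start += len(prefix)
    if not suffix:                      # no suffix: take everything after the prefix
        return value[start:]
    end = value.find(suffix, start)
    return value[start:end] if end >= 0 else ""


def map_attributes(assertion_arn: str) -> dict:
    """Attribute mapping step: attribute.aws_role <- assertion.arn.extract(...)."""
    return {"aws_role": cel_extract(assertion_arn, TEMPLATE)}


def condition_allows(assertion_arn: str) -> bool:
    """Attribute condition: attribute.aws_role == "workload_identity_fed_file_sender"."""
    return map_attributes(assertion_arn)["aws_role"] == ALLOWED_ROLE


# Constructed sample ARNs; the account ID and session names are placeholders.
SAMPLES = {
    "expected role": "arn:aws:sts::111122223333:assumed-role/workload_identity_fed_file_sender/session-1",
    "other role": "arn:aws:sts::111122223333:assumed-role/some_other_role/session-1",
    "prefix lookalike": "arn:aws:sts::111122223333:assumed-role/workload_identity_fed_file_sender_dev/s",
    "IAM user": "arn:aws:iam::111122223333:user/alice",
}

if __name__ == "__main__":
    for label, arn in SAMPLES.items():
        role = map_attributes(arn)["aws_role"]
        print(f"{label:17} aws_role={role!r:40} allowed={condition_allows(arn)}")
```

Only the first ARN passes: the condition is an exact string comparison, so a similarly named role is rejected, and an identity that is not an assumed role maps to an empty aws_role.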
