google-cloud-platformgoogle-cloud-data-fusiongoogle-cloud-dlp
Using GCP DLP with DataFusion, unable to find template
I have created a DLP Identification template named DLPTest in Project X.
My Datafusion resources are hosted in Project Y.
Issue is when I use the Redact plugin in Datafusion, and provide the template ID or path in the form -
projects/X/locations/{LOCATION}/inspectTemplates/DLPTest or
projects/X/inspectTemplates/DLPTest
All permissions have been provided to datafusion SA, compute engine SA, DLP Service Account. Datafusion fails to find the template, as it keeps searching for template in Project Y.
> Error logs - > Caused by:com.google.api.gax.rpc.InvalidArgumentException: io.grpc.StatusRuntimeException: INVALID_ARGUMENT: Invalid path:
Datafusion is expecting template in location projects/Y/inspectTemplates/projects/DLPTest
How do I enable DF to look for template in the correct location in separate project? Thanks.
My Datafusion resources are hosted in Project Y.
Issue is when I use the Redact plugin in Datafusion, and provide the template ID or path in the form -
projects/X/locations/{LOCATION}/inspectTemplates/DLPTest or
projects/X/inspectTemplates/DLPTest
All permissions have been provided to datafusion SA, compute engine SA, DLP Service Account. Datafusion fails to find the template, as it keeps searching for template in Project Y.
> Error logs - > Caused by:com.google.api.gax.rpc.InvalidArgumentException: io.grpc.StatusRuntimeException: INVALID_ARGUMENT: Invalid path:
Datafusion is expecting template in location projects/Y/inspectTemplates/projects/DLPTest
How do I enable DF to look for template in the correct location in separate project? Thanks.
Solution
When you want Project Y (where your data fusion is in) to use resources from Project X (where the DLP is in) is to add the data fusion and compute engine service accounts of Project Y to Project X.
Notes:
- Data Fusion service account: [email protected]
- Default compute engine service account: [email protected]
Project Y:
- Go to IAM & Admin -> IAM
- Click View by: "Members"
- Tick checkbox "Include Google-provided role grants"
- Look for service-(project number of Project Y)@gcp-sa-datafusion.iam.gserviceaccount.com and (project number of Project Y)[email protected]
- Add role "DLP Administrator" for service-(project number of Project Y)@gcp-sa-datafusion.iam.gserviceaccount.com
Project X:
- Go to IAM & Admin -> IAM
- Click Add
- Under New Members, put service-(project number of Project Y)@gcp-sa-datafusion.iam.gserviceaccount.com
- Grant role of "DLP Admininistrator"
- Repeat step 2 to step 4 but this time put in (project number of Project Y)[email protected]
Now that you are able to set the permissions, Go back to Project Y and update your Redact to point to Project X.
- Go to Data Fusion -> Studio
- Click Redact-> Properties
- Put the template ID you created in Project X, in my sample it is "test_template"
- Under Project ID, put the Project ID of Project X
- Run your Data Fusion pipeline
- Cloud Run: mounting volume timed out: The NFS server may not be reachable or may not exist
- Migration from Container Registry to Artifact Registry for App Engine Standard Deployments
- Google Cloud: Access to image has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource
- Im creating a VM using terraform code in GCP. I would like to inject a script that runs when the vm is created upon startup
- QUOTA_EXCEEDED : Exceeded daily quota for email sign-in in spite of using my SMTP settings
- How do I add share drive access to a google service account
- google.cloud namespace import error in __init__.py
- difference between docker BRIDGE and HOST driver?
- How can I connect an externally hosted MySQL database to BigQuery?
- Issue when trying to register an app for consent screen in google oauth
- Google Cloud Platform Trace from Cloud Function Invocation to Cloud Run HttpRequest
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Firebase Firestore timestamp not allowed inside array
- Why am I not able to get the env var values from google secret manager?
- changing image repository from Container Registry to Artifact Registry
- ALS (Alternating Least Square) algorithm in multiple rankings for a user
- Unable to connect to Gemini / Vertex AI
- How can I get Firebase Authentication ID tokens to work with Google Cloud Identity Platform so they get validated?
- How to identify the storage space left in a persistent volume claim?
- Cloud Run container stops processing when running parallel FastAPI background tasks
- GCP Cloud Storage - Golang aws sdk2 - Upload file with s3 INTEROPERABILITY Creds
- Creating folders using GCP PHP Client Libraries
- GKE Fluent bit partial logs
- Data loading and transformation from gcs to bigquery
- How to forcefully stop an operation on GKE cluster and thereby delete GKE cluster?
- Apache Beam with Dataflow: flag 'ignore_unknown_columns' for WriteToBigQuery not working
- Google Speech to Text - Not Getting the transcription | SOLVED
- Deploying firebase cloud fails because of some build errors
- Why does Cloud Deploy not support multiple target types in one pipeline?
- CloudBuild pull status from latest run, from a specific build trigger using via CloudBuild API?