

Creation of Groups for Project Access

Before requesting GCP projects, first request the access groups that will be used to grant access to the projects. Typically the Application owner should make the request for groups. This person will become the manager of each group and be able to assign or delegate access to those working on, and using, the project.

The permissions to be requested for the project will vary depending on the types of access on the project.

It is not necessary to provide an exhaustive list of groups when requesting a project, as further access can be requested and granted later, but at least one group should be provided at the beginning so that the data engineers and architects can begin working on the project. A generic group for technical users (data architects and engineers) can follow the format of gcp-sl-data-{product_name}-nonprod@solvay.com and gcp-sl-data-{product_name}-prod@solvay.com.


In keeping with the architecture of the Data Ocean, when requesting GCP projects, the following request should be made to the Cloud Operations Team in Service One.

When requesting a name for the Project ID in Google Cloud Platform, use the format prj-data-{product_name/usecase}.

The request should be for 4 GCP projects: dev, test, preprod and prod.


Product Project Configuration and Resources

All buckets can be in the location of europe-west1 with standard class (unless otherwise required for legal reasons)

Lifecycle and object versioning to be determined at a later date or enabled manually if possible

  • cs-ew1-{gcp_project_id}-dm
  • cs-ew1-{gcp_project_id}-staging
  • cs-ew1-{gcp_project_id}-wdl
  • cs-ew1-{gcp_project_id}-temp
  • cs-ew1-{gcp_project_id}-bigquery-state



  • API Activation
    • In addition to the standard APIs, the following APIs should be activated.
      • BigQuery 
        • BigQuery API
        • BigQuery Storage API
        • BigQuery Data Transfer API
        • BigQuery Connection API
        • BigQuery Data Policy API
      • Cloud Storage
        • Cloud Storage
        • Storage Transfer API
        • Cloud Storage JSON API
      • Google Sheets API
      • Google Drive API
      • Cloud Build
      • Data Catalog API
      • Data Lineage API

Product Project Permissions for Groups


Two groups are used: gcp-sl-data-{product}-prod@solvay.com and gcp-sl-data-{product}-nonprod@solvay.com. The distinction is that groups suffixed with prod are reserved for prod and preprod GCP projects, while groups suffixed with nonprod are reserved for dev and test GCP projects.

In the dev and test environments, both groups will require the following permissions:

  • BigQuery User & BigQuery Data Editor (only in the DEV environment; in other environments, BigQuery Admin will be reserved for service accounts)
  • Cloud Storage: permission granted at bucket level - not at project level, as follows:
    • Storage Object Admin (on all requested buckets)
    • GCS Developer (Solvay) - custom role
  • Permissions to view all project logs (Private Log Viewer)
  • Viewer - at project level
  • Error Reporting Access
  • Cloud Monitoring Viewer
  • Cloud Build (usage)
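
The group rules above can be checked against a project's IAM policy. The following is an added example, not part of the original page or of any Solvay tooling: it audits a project-level policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json`. The environment is passed in explicitly because the page does not say how it is encoded in the project ID; the product name `demo`, the sample policy, the rule names and the treatment of BigQuery Admin as a flagged role for groups outside dev are assumptions, and the custom GCS Developer role is not checked because its role ID is not given.

```python
import re

# Group naming from the page: gcp-sl-data-{product}-prod / -nonprod @solvay.com
GROUP_RE = re.compile(
    r"^group:gcp-sl-data-(?P<product>.+)-(?P<tier>nonprod|prod)@solvay\.com$")
# prod groups are reserved for prod/preprod projects, nonprod groups for dev/test.
ALLOWED_TIER = {"dev": "nonprod", "test": "nonprod",
                "preprod": "prod", "prod": "prod"}
# BigQuery roles a group may hold only in dev; Admin is reserved for service
# accounts outside dev (interpretation of the page, labelled as an assumption).
BQ_GROUP_DEV_ONLY = {"roles/bigquery.user", "roles/bigquery.dataEditor",
                     "roles/bigquery.admin"}

def audit_project_policy(policy, env):
    """Return sorted (rule, role, member) findings for one project-level policy."""
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if not member.startswith("group:"):
                continue  # service accounts follow separate rules on the page
            match = GROUP_RE.match(member)
            if match and match["tier"] != ALLOWED_TIER[env]:
                findings.add(("wrong-tier-group", role, member))
            # Storage access for groups belongs on buckets, not on the project.
            if role.startswith("roles/storage."):
                findings.add(("storage-at-project-level", role, member))
            if env != "dev" and role in BQ_GROUP_DEV_ONLY:
                findings.add(("bigquery-role-outside-dev", role, member))
    return sorted(findings)

# Constructed sample policy for a hypothetical "test" project of product "demo".
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/viewer",
     "members": ["group:gcp-sl-data-demo-nonprod@solvay.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["group:gcp-sl-data-demo-nonprod@solvay.com"]},
    {"role": "roles/bigquery.dataEditor",
     "members": ["group:gcp-sl-data-demo-prod@solvay.com"]},
    {"role": "roles/bigquery.admin",
     "members": ["serviceAccount:sa-cicd@prj-data-demo.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    for rule, role, member in audit_project_policy(SAMPLE_POLICY, "test"):
        print(f"{rule}: {member} holds {role}")
```

Bucket-level bindings are not visible in the project policy, so the per-bucket Storage Object Admin grants need a separate check against each bucket's own IAM policy.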


  • Product GCP Project Resources: 
    • Service Accounts & Key Files
      • talend (sa-talend)
        • Keys
          • JSON & P12
        • Project Permissions
          • BigQuery Admin
          • Cloud Storage Role to list all buckets and have full permissions inside buckets
      • cicd (sa-cicd)
        • Keys
          • JSON
        • Project Permissions
          • BigQuery Admin
          • Service Usage Consumer
          • Necessary permissions for access to build & state buckets
    • Google Cloud Storage Buckets