GCS Notifier


The GCS (Google Cloud Storage) Notifier output connection will send submission data and state-change notifications to the GCS URI you specify.

If you would like to use the GCS Notifier connection in a SaaS instance and your service is not public, you should create a firewall pinhole for the connection. Contact your Hyperscience representative for more information.

Sample use cases

  • Send extracted information and submission metadata to a GCS bucket for downstream processing.

  • Configure monitoring of the output bucket and alert other systems to take action on submissions, if needed.

Block settings table

In addition to the settings outlined below, you can also configure the settings described in Universal Integration Block Settings.

| Name | Required? | Description |
|---|---|---|
| GCS URI | Yes | The URI of the location where the data should be stored (in the format of gs://<bucket_name>/<prefix>). |
| GCP Service Account JSON | Yes, if Use Workload Identity is deselected | The service account JSON credential that allows access to the GCS bucket. To edit the JSON, click Edit value, modify the JSON, and then click Done. |
| Use Workload Identity | Must be selected if no value for GCS Service Account JSON is provided | Credentials are obtained by using Workload Identity Federation, which applies to Hyperscience installations inside GKE clusters. See Set up Workload Identity Federation for more information. The notifier output bucket should have an IAM policy binding with the Workload Identity Pool principal of the block’s namespace. Selected by default. |

Set up Workload Identity Federation

For Workload Identity Federation-enabled Kubernetes clusters (both SaaS and on-premise deployments), the workloadIdentityPools principal should have an IAM binding on the desired block’s bucket.

The binding can be set up via the UI console or with the following CLI command:

gcloud storage buckets add-iam-policy-binding gs://BUCKET \
    --role=roles/storage.objectViewer \
    --member=principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/subject/ns/NAMESPACE/sa/KSA_NAME \
    --condition=None

For more information, see Google’s Authenticate to Google Cloud APIs from GKE workloads.

Setting up the GCS Notifier

To set up the GCS Notifier, enter the settings as described in the Block settings table above. 

Before deploying a flow with the GCS Notifier enabled, ensure that the credentials you’ve specified in the block settings have the storage.objects.create permission for the specified bucket.
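
A pre-deployment check for that permission, as an added example (not Hyperscience code): it reads a bucket IAM policy in the JSON form printed by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` and reports whether the Workload Identity principal holds a role that includes storage.objects.create. Note that roles/storage.objectViewer, the role in the binding command above, does not include that permission. The role list covers predefined Cloud Storage roles only (custom roles are not resolved), and the project, namespace and service account values are constructed placeholders.

```python
import json

# Predefined Cloud Storage roles that include storage.objects.create.
# Assumption: custom roles are not resolved, so they are reported as "missing".
ROLES_WITH_CREATE = {
    "roles/storage.objectCreator", "roles/storage.objectUser",
    "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/storage.legacyBucketWriter", "roles/storage.legacyBucketOwner",
}

def wi_principal(project_number, project_id, namespace, ksa_name):
    """Build the member string in the format used by the page's gcloud command."""
    return (f"principal://iam.googleapis.com/projects/{project_number}"
            f"/locations/global/workloadIdentityPools/{project_id}.svc.id.goog"
            f"/subject/ns/{namespace}/sa/{ksa_name}")

def check_create_access(policy_json, member):
    """Return (status, roles); status is 'ok', 'conditional' or 'missing'."""
    bindings = json.loads(policy_json).get("bindings", [])
    held = [b for b in bindings if member in b.get("members", [])]
    roles = sorted({b["role"] for b in held})
    granting = [b for b in held if b["role"] in ROLES_WITH_CREATE]
    if any("condition" not in b for b in granting):
        return "ok", roles
    if granting:
        # Create is allowed only when the binding's IAM condition evaluates true.
        return "conditional", roles
    return "missing", roles

# Constructed sample values (placeholders, not from a real project).
MEMBER = wi_principal("123456789012", "example-project", "hs-blocks", "notifier-ksa")
VIEWER_ONLY = json.dumps({"bindings": [
    {"role": "roles/storage.objectViewer", "members": [MEMBER]}]})
WITH_CREATOR = json.dumps({"bindings": [
    {"role": "roles/storage.objectViewer", "members": [MEMBER]},
    {"role": "roles/storage.objectCreator", "members": [MEMBER]}]})

if __name__ == "__main__":
    for name, policy in (("viewer only", VIEWER_ONLY), ("with creator", WITH_CREATOR)):
        print(name, check_create_access(policy, MEMBER))
```

A "conditional" result means the only granting binding carries an IAM condition, so the condition expression should be reviewed before the flow is deployed.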