Set up Google Cloud Dataplex

Configure Google Cloud Dataplex authentication by creating a service account with the required permissions. Atlan uses this service account to extract metadata from Dataplex through read-only access.

Prerequisites

Before you begin, make sure you have:

• Google Cloud administrator access to create roles and service accounts
• Access to the Google Cloud project where Dataplex is configured
• Either Google Cloud console access or Google Cloud CLI installed and initialized

Create service account

Create a service account with the required Dataplex permissions. You can use either the Google Cloud console or Google Cloud CLI.

Create custom role

Create a custom role and grant the following permissions to enable Atlan to extract metadata from Dataplex.

Google Cloud console

1. Open the Google Cloud console.
2. From the left menu under IAM and admin, click Roles.
3. Using the dropdown list at the top of the page, select the project where you want to create the role.
4. From the upper left of the Roles page, click Create Role.
5. In the Create role page, enter the following details:
   1. For Title, enter a meaningful name for the custom role - for example, Atlan Dataplex Role.
   2. (Optional) For Description, enter a description for the custom role.
   3. For ID, the Google Cloud console generates a custom role ID based on the custom role name. Edit the ID if necessary - the ID can't be changed later.
   4. (Optional) For Role launch stage, assign a stage for the custom role - for example, Alpha or General Availability.
   5. Click Add permissions to select the permissions you want to include in the custom role. In the Add permissions dialog, click the Enter property name or value filter and add the following permissions:
      • dataplex.entryTypes.list - Enables Atlan to list entry types
      • dataplex.entryTypes.get - Enables Atlan to retrieve entry type metadata
      • dataplex.entryGroups.list - Enables Atlan to list entry groups
      • dataplex.entryGroups.get - Enables Atlan to retrieve entry group metadata
      • dataplex.entries.list - Enables Atlan to list entries
      • dataplex.entries.get - Enables Atlan to retrieve entry metadata
      • dataplex.aspectTypes.list - Enables Atlan to list aspect types
      • dataplex.aspectTypes.get - Enables Atlan to retrieve aspect type metadata
   6. Click Create to finish custom role setup.

Google Cloud CLI

1. Run the following command to create a custom role with the required permissions:

   gcloud iam roles create atlanDataplexRole --project=<project_id> \
       --title="Atlan Dataplex Role" --description="Atlan Dataplex Role to extract metadata" \
       --permissions="dataplex.entryTypes.list,dataplex.entryTypes.get,dataplex.entryGroups.list,dataplex.entryGroups.get,dataplex.entries.list,dataplex.entries.get,dataplex.aspectTypes.list,dataplex.aspectTypes.get" \
       --stage=ALPHA

   Replace <project_id> with the project ID of your Google Cloud project.

   The permissions granted are:

   • dataplex.entryTypes.list and dataplex.entryTypes.get - Enable Atlan to list and retrieve entry type metadata
   • dataplex.entryGroups.list and dataplex.entryGroups.get - Enable Atlan to list and retrieve entry group metadata
   • dataplex.entries.list and dataplex.entries.get - Enable Atlan to list and retrieve entry metadata
   • dataplex.aspectTypes.list and dataplex.aspectTypes.get - Enable Atlan to list and retrieve aspect type metadata

Create service account

Google Cloud console

1. Open the Google Cloud console.
2. From the left menu under IAM and admin, click Service accounts.
3. Select a Google Cloud project.
4. From the upper left of the Service accounts page, click Create Service Account.
5. For Service account details, enter the following details:
   1. For Service account name, enter a service account name to display in the Google Cloud console.
   2. For Service account ID, the Google Cloud console generates a service account ID based on this name. Edit the ID if necessary - the ID can't be changed later.
   3. (Optional) For Service account description, enter a description for the service account.
   4. Click Create and continue to proceed to the next step.
6. For Grant this service account access to the project, enter the following details:
   1. Click the Select a role dropdown and then select the custom role you created in the previous step - for example, Atlan Dataplex Role.
   2. Click Continue to proceed to the next step.
7. Click Done to finish the service account setup.

Google Cloud CLI

1. Run the following command to create a service account:

   gcloud iam service-accounts create atlanDataplex \
       --description="Atlan Service Account to extract metadata" \
       --display-name="Atlan Dataplex User"

2. Run the following command to grant the custom role to your service account:

   gcloud projects add-iam-policy-binding <project_id> \
       --member="serviceAccount:atlanDataplex@<project_id>.iam.gserviceaccount.com" \
       --role="atlanDataplexRole"

   Replace <project_id> with the project ID of your Google Cloud project.

Create service account key

Google Cloud console

1. Open the Google Cloud console.
2. From the left menu under IAM and admin, click Service accounts.
3. Select the Google Cloud project for which you created the service account.
4. On the Service accounts page, click the email address of the service account that you want to create a key for.
5. From the upper left of your service account page, click the Keys tab.
6. On the Keys page, click the Add Key dropdown and then click Create new key.
7. In the Create private key dialog, for Key type, click JSON and then click Create. This creates a service account key file. Download the key file and store it in a secure location - you won't be able to download it again.

Google Cloud CLI

1. Run the following command to create a service account key:

   gcloud iam service-accounts keys create <key_file_path> \
       --iam-account=atlanDataplex@<project_id>.iam.gserviceaccount.com

   • Replace <key_file_path> with path to a new output file for the private key - for example, ~/atlanDataplex-private-key.json.
   • Replace <project_id> with the project ID of your Google Cloud project.

Next steps

• Crawl Dataplex assets: Configure and run the crawler to extract metadata from Dataplex