Prerequisites

Learn how to collect the information you need to deploy the Google Drive to S3/ADLS ReadyFlow, and meet other prerequisites.

For your data ingest source

You have a Google Cloud account.If you do not have one, you can sign up for a free account here.
You have enabled Google Drive API in Google Cloud. For instructions, see Enable Google Workspace APIs.
You have granted access to the Google Drive folder.
1. In the Google Cloud Console, navigate to IAM & Admin > Service Accounts.
2. Copy the email address of the service account you are going to use.
3. Navigate to the folder to be listed in Google Drive.
4. Right-click the folder and select Share.
5. Enter the service account email.
You have your Google Drive folder ID.
Navigate to the folder to be listed in Google Drive and enter it. The URL in your browser includes the ID at the end of the URL. For example, if the URL is https://drive.google.com/drive/folders/1trTraPVCnX5_TNwO8d9P_bz278xWOmGm, the folder ID is 1trTraPVCnX5_TNwO8d9P_bz278xWOmGm.
You have data stored in the Google Drive folder that you want to move to an object store.

For DataFlow

You have enabled DataFlow for an environment.

For information on how to enable DataFlow for an environment, see Enabling DataFlow for an Environment.
You have created a Machine User to use as the CDP Workload User.
You have given the CDP Workload User the EnvironmentUser role.
1. From the Management Console, go to the environment for which DataFlow is enabled.
2. From the Actions drop down, click Manage Access.
3. Identify the user you want to use as a Workload User.
  note
  
  The CDP Workload User can be a machine user or your own user name. It is best practice to create a dedicated Machine user for this.
4. Give that user EnvironmentUser role.
You have synchronized your user to the CDP Public Cloud environment that you enabled for DataFlow.

For information on how to synchronize your user to FreeIPA, see Performing User Sync.
You have granted your CDP user the DFCatalogAdmin and DFFlowAdmin roles to enable your user to add the ReadyFlow to the Catalog and deploy the flow definition.
1. Give a user permission to add the ReadyFlow to the Catalog.
  1. From the Management Console, click User Management.
  2. Enter the name of the user or group you wish to authorize in the Search field.
  3. Select the user or group from the list that displays.
  4. Click Roles > Update Roles.
  5. From Update Roles, select DFCatalogAdmin and click Update.
    note
    If the ReadyFlow is already in the Catalog, then you can give your user just the DFCatalogViewer role.
2. Give your user or group permission to deploy flow definitions.
  1. From the Management Console, click Environments to display the Environment List page.
  2. Select the environment to which you want your user or group to deploy flow definitions.
  3. Click Actions > Manage Access to display the Environment Access page.
  4. Enter the name of your user or group you wish to authorize in the Search field.
  5. Select your user or group and click Update Roles.
  6. Select DFFlowAdmin from the list of roles.
  7. Click Update Roles.
3. Give your user or group access to the Project where the ReadyFlow will be deployed.
  1. Go to DataFlow > Projects.
  2. Select the project where you want to manage access rights and click More > Manage Access.
4. Start typing the name of the user or group you want to add and select them from the list.
5. Select the Resource Roles you want to grant.
6. Click Update Roles.
7. Click Synchronize Users.

For your S3 data ingest target

You have your source S3 path and bucket.

Perform one of the following to configure access to S3 buckets:
- You have configured access to S3 buckets with a RAZ enabled environment.
  It is a best practice to enable RAZ to control access to your object store buckets. This allows you to use your CDP credentials to access S3 buckets, increases auditability, and makes object store data ingest workflows portable across cloud providers.
  1. Ensure that Fine-grained access control is enabled for your DataFlow environment.
  2. From the Ranger UI, navigate to the S3 repository.
  3. Create a policy to govern access to the S3 bucket and path used in your ingest workflow.
    tip
    
    The Path field must begin with a forward slash ( / ).
  4. Add the machine user that you have created for your ingest workflow to the policy you just created.
  For more information, see Creating Ranger policy to use in RAZ-enabled AWS environment.
- You have configured access to S3 buckets using ID Broker mapping.
  If your environment is not RAZ-enabled, you can configure access to S3 buckets using ID Broker mapping.
  1. Access IDBroker mappings.
    1. To access IDBroker mappings in your environment, click Actions > Manage Access.
    2. Choose the IDBroker Mappings tab where you can provide mappings for users or groups and click Edit.
  2. Add your CDP Workload User and the corresponding AWS role that provides write access to your folder in your S3 bucket to the Current Mappings section by clicking the blue + sign.
    note
    You can get the AWS IAM role ARN from the Roles Summary page in AWS and can copy it into the IDBroker role field. The selected AWS IAM role must have a trust policy allowing IDBroker to assume this role.
  3. Click Save and Sync.

For your ADLS data ingest target

You have your ADLS container and path into which you want to ingest data.

You have performed one of the following to configure access to your ADLS folder:
- You have configured access to the ADLS folders with a RAZ enabled environment.
  It is a best practice to enable RAZ to control access to your object store folders. This allows you to use your CDP credentials to access ADLS folders, increases auditability, and makes object store data ingest workflows portable across cloud providers.
  1. Ensure that Fine-grained access control is enabled for your DataFlow environment.
  2. From the Ranger UI, navigate to the ADLS repository.
  3. Create a policy to govern access to the ADLS container and path used in your ingest workflow. For example: adls-to-adls-avro-ingest
    tip
    The Path field must begin with a forward slash ( / ).
  4. Add the machine user that you have created for your ingest workflow to ingest the policy you just created.
  For more information, see Ranger policies for RAZ-enabled Azure environment.
- You have configured access to ADLS folders using ID Broker mapping.
  If your environment is not RAZ-enabled, you can configure access to ADLS folders using ID Broker mapping.
  1. Access IDBroker mappings.
    1. To access IDBroker mappings in your environment, click Actions > Manage Access.
    2. Choose the IDBroker Mappings tab where you can provide mappings for users or groups and click Edit.
  2. Add your CDP Workload User and the corresponding Azure role that provides write access to your folder in ADLS to the Current Mappings section by clicking the blue + sign.
    note
    You can get the Azure Managed Identity Resource ID from the Azure Portal by navigating to Managed Identities > Your Managed Identity > Properties > Resource ID. The selected Azure MSI role must have a trust policy allowing IDBroker to assume this role.
  3. Click Save and Sync.