Installing GCP Service Account Key

Overview

To support integration with the GCP Pub/Sub service, first create a service account in the API Console and then import the created key into the ATSD keystore.

Create Service Account

Create a service account with the 'Pub/Sub Publisher' role as described in this document.

  1. Open the Service accounts page. If prompted, select a project.
  2. Click Create service account.
  3. In the Create service account window, enter a name for the service account, select the Pub/Sub Publisher role, and select Furnish a new private key with the P12 key type. Then click Create.

For example, create a service account named publisher.

When a service account is created, the account's private key is saved on your computer.

Import Account's Private Key

Import the saved private key into the ATSD keystore.

keytool -v -importkeystore -srckeystore {P12_FILE_NAME} -srcstoretype PKCS12 -alias privatekey -srcstorepass notasecret -destkeystore /opt/atsd/atsd/conf/server.keystore -deststoretype JKS -destalias {GCP_KEY_ALIAS} -destkeypass {KEY_PASSWORD}

Replace {P12_FILE_NAME} with the name of the saved file.
Replace {GCP_KEY_ALIAS} with your alias. The alias must start with the gcp prefix.
Replace {KEY_PASSWORD} with your key manager password. This is the value of the https.keyManagerPassword property in the /opt/atsd/atsd/conf/server.properties file; deobfuscate the value before using it.

Check the contents of the keystore:

keytool -list -keystore /opt/atsd/atsd/conf/server.keystore

The output must contain at least two entries, one for the atsd alias and one for the alias starting with gcp.

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

atsd, Dec 5, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): ...
gcp_publisher, Dec 28, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): ...
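
The check above can be scripted. The following is an added example, not part of ATSD or of the original page: the function name check_keystore_listing is hypothetical and the sample listing is constructed to match the output shown above. It fails when the key was imported under an alias without the gcp prefix or when the gcp entry holds no private key.

```shell
#!/bin/sh
# Added example (not ATSD code): validate `keytool -list` output read on stdin.
# Succeeds only if the listing has an "atsd" PrivateKeyEntry and at least one
# PrivateKeyEntry whose alias starts with "gcp"; otherwise prints what is wrong.
check_keystore_listing() {
    awk -F', *' '
        {
            # Entry lines: "<alias>, <date...>, <EntryType>,"; the entry type
            # is the last non-empty field, whatever the date format is.
            n = NF
            while (n > 1 && $n ~ /^ *$/) n--
            if (n < 2 || $n !~ /Entry$/) next
            alias = $1; type = $n
            if (alias == "atsd" && type == "PrivateKeyEntry") atsd = 1
            if (alias ~ /^gcp/) {
                if (type == "PrivateKeyEntry") gcp = 1
                else wrong = wrong " " alias "(" type ")"
            }
        }
        END {
            if (!atsd) print "missing: atsd PrivateKeyEntry"
            if (!gcp) print "missing: PrivateKeyEntry with alias starting with gcp"
            if (wrong != "") print "gcp alias without private key:" wrong
            exit !(atsd && gcp)
        }'
}

# Constructed sample with the same shape as the listing on this page.
SAMPLE_LISTING='Your keystore contains 2 entries

atsd, Dec 5, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): ...
gcp_publisher, Dec 28, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): ...'

printf '%s\n' "$SAMPLE_LISTING" | check_keystore_listing && echo "keystore entries OK"

# Against the real keystore:
#   keytool -list -keystore /opt/atsd/atsd/conf/server.keystore | check_keystore_listing
```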

Restart ATSD

/opt/atsd/atsd/bin/stop-atsd.sh
/opt/atsd/atsd/bin/start-atsd.sh