Authenticate to Google Cloud Storage
Authenticate to Google Cloud Storage
Authentication methods
From v3.0 onwards, StarRocks supports using one of the following authentication methods to access Google Cloud Storage (GCS):
- VM-based authenticationUse the credential attached to Google Cloud Compute Engine to authenticate GCS.
- Service account-based authenticationUse a service account to authenticate GCS.
- Impersonation-based authenticationMake a service account or virtual machine (VM) instance impersonate another service account.
Scenarios
StarRocks can authenticate to GCS in the following scenarios:
- Batch load data from GCS.
- Back up data from and restore data to GCS.
- Query Parquet and ORC files in GCS.
- Query Hive, Iceberg, Hudi, and Delta Lake tables in GCS.
In this topic, Hive catalog, file external table, and Broker Load are used as examples to show how StarRocks integrates with GCS in different scenarios. For information about StorageCredentialParams
in the examples, see the "Parameters" section of this topic.
NOTE
StarRocks supports loading data or directly querying files from GCS only according to the gs protocol. Therefore, when you load data or query files from GCS, you must include
gs
as a prefix in the file path.
External catalog
Use the CREATE EXTERNAL CATALOG statement to create a Hive catalog named hive_catalog_gcs
as follows, in order to query files from GCS:
CREATE EXTERNAL CATALOG hive_catalog_gcs
PROPERTIES
(
"type" = "hive",
"hive.metastore.uris" = "thrift://34.132.15.127:9083",
StorageCredentialParams
);
File external table
Use the CREATE EXTERNAL TABLE statement to create a file external table named external_table_gcs
as follows, in order to query a data file named test_file_external_tbl
from GCS without any metastore:
CREATE EXTERNAL TABLE external_table_gcs
(
id varchar(65500),
attributes map<varchar(100), varchar(2000)>
)
ENGINE=FILE
PROPERTIES
(
"path" = "gs:////test-gcs/test_file_external_tbl",
"format" = "ORC",
StorageCredentialParams
);
Broker load
Use the LOAD LABEL statement to create a Broker Load job whose label is test_db.label000
, in order to batch load data from GCS into the StarRocks table target_table
:
LOAD LABEL test_db.label000
(
DATA INFILE("gs://bucket_gcs/test_brokerload_ingestion/*")
INTO TABLE target_table
FORMAT AS "parquet"
)
WITH BROKER
(
StorageCredentialParams
);
Parameters
StorageCredentialParams
represents a parameter set that describes how to authenticate to GCS with different authentication methods.
VM-based authentication
If your StarRocks cluster is deployed on a VM instance hosted on Google Cloud Platform (GCP) and you want to use that VM instance to authenticate GCS, configure StorageCredentialParams
as follows:
"gcp.gcs.use_compute_engine_service_account" = "true"
The following table describes the parameters you need to configure in StorageCredentialParams
.
Parameter | Default value | Value example | Description |
---|---|---|---|
gcp.gcs.use_compute_engine_service_account | false | true | Specifies whether to directly use the service account that is bound to your Compute Engine. |
Service account-based authentication
If you directly use a service account to authenticate GCS, configure StorageCredentialParams
as follows:
"gcp.gcs.service_account_email" = "<google_service_account_email>",
"gcp.gcs.service_account_private_key_id" = "<google_service_private_key_id>",
"gcp.gcs.service_account_private_key" = "<google_service_private_key>"
The following table describes the parameters you need to configure in StorageCredentialParams
.
Parameter | Default value | Value example | Description |
---|---|---|---|
gcp.gcs.service_account_email | "" | " | The email address in the JSON file generated at the creation of the service account. |
gcp.gcs.service_account_private_key_id | "" | "61d257bd8479547cb3e04f0b9b6b9ca07af3b7ea" | The private key ID in the JSON file generated at the creation of the service account. |
gcp.gcs.service_account_private_key | "" | "-----BEGIN PRIVATE KEY----xxxx-----END PRIVATE KEY-----\n" | The private key in the JSON file generated at the creation of the service account. |
Impersonation-based authentication
Make a VM instance impersonate a service account
If your StarRocks cluster is deployed on a VM instance hosted on GCP and you want to make that VM instance impersonate a service account, so as to make StarRocks inherit the privileges from the service account to access GCS, configure StorageCredentialParams
as follows:
"gcp.gcs.use_compute_engine_service_account" = "true",
"gcp.gcs.impersonation_service_account" = "<assumed_google_service_account_email>"
The following table describes the parameters you need to configure in StorageCredentialParams
.
Parameter | Default value | Value example | Description |
---|---|---|---|
gcp.gcs.use_compute_engine_service_account | false | true | Specifies whether to directly use the service account that is bound to your Compute Engine. |
gcp.gcs.impersonation_service_account | "" | "hello" | The service account that you want to impersonate. |
Make a service account impersonate another service account
If you want to make a service account (temporarily named as meta service account) impersonate another service account (temporarily named as data service account) and make StarRocks inherit the privileges from the data service account to access GCS, configure StorageCredentialParams
as follows:
"gcp.gcs.service_account_email" = "<google_service_account_email>",
"gcp.gcs.service_account_private_key_id" = "<meta_google_service_account_email>",
"gcp.gcs.service_account_private_key" = "<meta_google_service_account_email>",
"gcp.gcs.impersonation_service_account" = "<data_google_service_account_email>"
The following table describes the parameters you need to configure in StorageCredentialParams
.
Parameter | Default value | Value example | Description |
---|---|---|---|
gcp.gcs.service_account_email | "" | " | The email address in the JSON file generated at the creation of the meta service account. |
gcp.gcs.service_account_private_key_id | "" | "61d257bd8479547cb3e04f0b9b6b9ca07af3b7ea" | The private key ID in the JSON file generated at the creation of the meta service account. |
gcp.gcs.service_account_private_key | "" | "-----BEGIN PRIVATE KEY----xxxx-----END PRIVATE KEY-----\n" | The private key in the JSON file generated at the creation of the meta service account. |
gcp.gcs.impersonation_service_account | "" | "hello" | The data service account that you want to impersonate. |