Skip to content
Docs
Deployment
Google Cloud

Deploying Netsy on Google Cloud (GCP)

Authentication

Prefer Application Default Credentials (ADC):

  • On GCE or GKE, use the attached service account or workload identity.
  • Outside GCP, set GOOGLE_APPLICATION_CREDENTIALS to a service-account JSON file.

Example:

export GOOGLE_APPLICATION_CREDENTIALS=/etc/netsy/gcp-service-account.json

Example Config 

{
  "cluster_id": "my-cluster",
  "storage": {
    "provider": "gcs",
    "bucket_name": "my-netsy-bucket",
    "key_prefix": "",
    "class": "STANDARD",
    "encryption": "customer-managed",
    "kms_key_id": "projects/my-project/locations/global/keyRings/netsy/cryptoKeys/main"
  }
}

Storage Semantics

  • storage.class uses GCS storage classes such as STANDARD, NEARLINE, COLDLINE, and ARCHIVE.
  • storage.encryption = "provider-managed" uses Google’s default server-side encryption.
  • storage.encryption = "customer-managed" requires storage.kms_key_id to be a full Cloud KMS key resource.
  • Conditional updates such as members.json and Node registration files should use GCS generation or metageneration preconditions rather than S3 If-Match headers.

Required Permissions

The Netsy service account should have permission to:

  • Read objects
  • Write objects
  • Delete objects
  • List objects in the bucket
  • Read object metadata
  • Use the configured Cloud KMS key when customer-managed encryption is enabled

Typical roles are a combination of bucket-scoped storage permissions plus roles/cloudkms.cryptoKeyEncrypterDecrypter for the KMS key.

AWSNstance