Google Cloud Platform Exposure Logs Destination

Set Up GCP Components on Client side

Use Workload Identity Federation to grant Yahoo permission to read and write log files directly in a Google Cloud Storage (GCS) bucket, securely and without storing static credentials.

Step 1: Create Workload Identity Pool and Provider

  1. In the Google Cloud Console, go to IAM & Admin > Workload Identity Federation.

  2. Select + Create Pool.

  3. Enter the Pool Details:

    • Name: <NAME>

    • Location: global

  4. Create a Provider by entering the following details.

    • Type: AWS

    • Provider ID: aws-provider

    • AWS Account ID: <Yahoo AWS Account ID>

Step 2: Create a Service Account

Create a service account. For example, aws-accessor-sa@PROJECT_ID.iam.gserviceaccount.com.

Step 3: Allow Yahoo AWS Role to Impersonate the Service Account

  1. Add the following principal in the service account's permissions. The value below is an example of the expected format.

    • principalSet://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL-NAME>/attribute.aws_role/<IAMRoleARN>

  2. Assign the role: Service Account Token Creator (roles/iam.serviceAccountTokenCreator)

  3. Add the IAM condition (recommended).

    attribute.aws_role == <IAMRoleARN>

  4. Add the Yahoo AWS Account Details.

    "arn:aws:iam::120569632695:role/dcs.tgt-anltcs-prd.cleanroom-api-service"
    
    "arn:aws:iam::394273476801:role/aolp.ds-prd.cleanroom-api-service"
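One way to check the Step 3 binding after setup, as an added example that is not part of Yahoo's documentation: the Python below audits the JSON printed by `gcloud iam service-accounts get-iam-policy <service account email> --format=json` and reports federated members that hold Service Account Token Creator without being scoped to one of the role ARNs listed above. The project number `123456789012`, the pool name `yahoo-pool`, and the names `audit_policy` and `pool_prefix` are assumptions for illustration, and the sample policy is constructed.

```python
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Role ARNs listed in Step 3 of this page.
ALLOWED_ROLES = {
    "arn:aws:iam::120569632695:role/dcs.tgt-anltcs-prd.cleanroom-api-service",
    "arn:aws:iam::394273476801:role/aolp.ds-prd.cleanroom-api-service",
}
ATTR = "attribute.aws_role/"


def pool_prefix(project_number, pool):
    """Build the principalSet prefix for one workload identity pool."""
    return (f"principalSet://iam.googleapis.com/projects/{project_number}"
            f"/locations/global/workloadIdentityPools/{pool}/")


def audit_policy(policy, project_number, pool):
    """Return (member, reason) for federated members that are too broadly scoped."""
    prefix = pool_prefix(project_number, pool)
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue
        for member in binding.get("members", []):
            if not member.startswith(("principal://", "principalSet://")):
                continue  # users, groups and service accounts are out of scope here
            selector = member[len(prefix):] if member.startswith(prefix) else None
            if selector is None:
                findings.append((member, "not a principalSet of the expected pool"))
            elif selector == "*":
                findings.append((member, "whole pool may impersonate the service account"))
            elif not selector.startswith(ATTR):
                findings.append((member, "not scoped by attribute.aws_role"))
            elif selector[len(ATTR):] not in ALLOWED_ROLES:
                findings.append((member, "role ARN is not one listed in Step 3"))
    return findings


# Constructed sample policy; project number and pool name are placeholders.
_P = pool_prefix("123456789012", "yahoo-pool")
SAMPLE_POLICY = {"bindings": [
    {"role": TOKEN_CREATOR, "members": [
        _P + ATTR + "arn:aws:iam::120569632695:role/dcs.tgt-anltcs-prd.cleanroom-api-service",
        _P + "*",
    ]},
    {"role": "roles/viewer", "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    for member, reason in audit_policy(SAMPLE_POLICY, "123456789012", "yahoo-pool"):
        print(f"FINDING: {reason}: {member}")
```

An empty result means every federated member with this role is pinned to one of the two listed role ARNs.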

Step 4: Grant Storage Permissions to the Service Account

  1. Go to Cloud Storage, select the specific bucket to share, then select Permissions and add aws-accessor-sa@PROJECT_ID.iam.gserviceaccount.com.

  2. Assign Storage Object Admin or another suitable role.

Step 5: Send Details to Yahoo

Once configuration is complete, provide the following details to your Yahoo representative so the Yahoo team can validate that they are able to access and write to the GCS bucket.

  • GCS Bucket Name

  • GCS Bucket Path

  • GCP Project ID

  • GCP Workload Identity Audience

  • GCP Service Account Email