Like Jitsu? Give us a star on ⭐ GitHub!

πŸ“œ Configuration

Configuration UI

πŸ‘©β€πŸ”¬ Extending Jitsu

Overview
Destination Extensions
Source Extensions
API Specs

Jitsu Internals

Google Authorization

This page about Google Authorization configuration. Jitsu works with a number of services provided by Google. They all have the same authorization mechanics.

  • Service Account is a special account with id that look like NAME@PROJECT.iam.gserviceaccount.com. The account can have a key (or several keys) which is represented by JSON. Please note, to use Service Account as an authorization mechanism, the resource (google doc, analytics account, add account etc) should be shared with that account

Service account configuration

The easiest way to create Service Account is through Google Cloud Console: go to Navigation ("burger" at top right corner) β†’ IAM & Admin β†’ Service account. Create service account and download key JSON.

There a few other ways (including console utils), please see documentation

Service Account key can be referred in a few ways in Jitsu configuration:

As a JSON object
As a JSON string
As a path to file
auth:
  service_account_key: {
    "type": "service_account",
    "project_id": "<PROJECT_ID>",
    "private_key_id": "<PK_ID>",
    "private_key": "<PRIVATE_KEY>",
    "client_email": "<EMAIL>",
    "client_id": "CID",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "<CERT_URL>"
  }

GKE Workload Identity Configuration

Supported since jitsu v1.35.5

For Improved security and operability, Google developed a mechanism called Workload Identity that eliminates the need to pass around Service account JSON keys.

To configure Jitsu to use workload identity, provide the following magic string instead of the Service account JSON : workload_identity No quotes.

Like this:

image
image

It will cause google SDK to use the default k8s service account associated with the pod running Jitsu. This service account should be mapped to a Google Service Account that was assigned the required IAM roles. And workload identity should be enabled in the cluster.