Google Service Accounts


Google Service Accounts are primarily used when a Google account exceeds the 50-token limit set by Google. For example, someone may have Google Drive as a remote destination for 50 sites. When they try to add a new site that uses the Google Drive destination, it will throw an error regarding the token limit. Using a Google Service Account requires some knowledge of IAM and Google Drive's API. If you're running 50+ sites and want to use the Google Drive remote destination, then using a Service Account is something to consider.

Setting up Google Drive's Service Account

To begin using the Service Account for Google, navigate to BackupBuddy's remote destination page (BackupBuddy -> Remote Destinations). Click the "+ Add New" button, then select the Google Drive destination. Under Step 1, there will be an option to either "Open Google API Console in a new window" or use the Service Account. Since we're using the Service Account, click the "click here" link in parentheses.


Note: You must already have a project in which to create the Service Account, as the Service Account is considered a separate entity and is not represented by its own project. After the project is created (you can call it something like "BackupBuddy"), come back to this page and you will see the setup for a Service Account.

Under Step 1, click the button "Click here to launch the Create Service Account page". It will bring you to a page where you must select the project to use for the Service Account (the one we just made).


After the project is selected, a page will list the Service Accounts already made under the "BackupBuddy" project. Since we have none, no accounts will be displayed. Click the blue link that says "+ Create Service Account".

This will bring up three steps (the last two are optional, but we want to configure the service account access).

1. Step 1 (Service account details): There are three fields for this step. For the Service account name, you can enter something like "BackupBuddy Service Account". The Service Account ID will be generated automatically from the name of your service account. The Service account description can be something like "This service account works for BackupBuddy". Note: Save this Service account ID, as BackupBuddy needs it to properly connect to the service account.


2. Step 2 (Grant this service account access to project): For this step, we will want to grant the service account access as a Storage Admin so it can properly use storage for Google Drive. Open the "Select a role" dropdown, scroll down to the bottom and click "Storage". Under the Storage option, select the role of "Storage Admin". Continue on to the next step.


3. Step 3 (Grant users access to this service account): For this step, we can grant different users and/or groups access to the service account to perform different tasks. Granting users access is optional, but we will want to create a private key in P12 format.

Under the Create key section, click "+ Create Key", change the Key type to "P12", then click "Create".


After the key is created, Google will download the .p12 file to your computer. Note: Please save a backup of the .p12 key file on your local machine, because you will need this key if the site goes down. Google will also display a screen with the private key's password (so it's good to remember the password). Make sure to close out that tab and click "Done".

Service Account is Created, What's Next?

After the Service Account is made, all we need to do is let BackupBuddy know two things: the Service account ID and the file path to the P12 file. Since the P12 file was saved on your local machine, you will need to log into your web server through either your hosting provider's cPanel or an FTP client. I'd recommend storing this P12 file in the root directory of your WordPress installation (in most cases, it's the public_html directory).

Once the file is in the root directory, I'd recommend renaming the file so it doesn't contain the random integers in the filename. Try changing it to something like "backupbuddy" (with the .p12 extension).

After it's uploaded to the root directory and renamed, go back to the Service Account settings for BackupBuddy and enter your Service Account ID (it looks like an email address) and the file path to the .p12 file. BackupBuddy will show where the root directory for the site is, so you can follow this to the path of your file. Make sure to include the file name as well (so add backupbuddy.p12 after the forward slash).
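
Files under public_html are served by the web server, so a key stored there as described above should be unreadable to other local accounts and blocked from HTTP download. The script below is an added example, not part of the original article or of BackupBuddy, that checks both conditions. It assumes Apache honouring .htaccess files; the function name audit_p12 is hypothetical, and the .htaccess test is a heuristic that only looks for a <Files> or <FilesMatch> section naming p12.

```shell
#!/bin/sh
# Added example (not BackupBuddy code): audit a web root for .p12 key files.
# Usage: sh this_script.sh /path/to/public_html
# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
audit_p12() {
    root=$1
    findings=0
    old_ifs=$IFS
    # Split the find output on newlines only, so paths with spaces survive.
    IFS='
'
    for key in $(find "$root" -type f -name '*.p12'); do
        dir=$(dirname "$key")

        # Check 1: group- or world-readable key. On shared hosting any other
        # local account could copy it. Only mode bits are inspected.
        if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
            echo "FINDING: $key is readable by group/other (use chmod 600)"
            findings=$((findings + 1))
        fi

        # Check 2 (assumption: Apache with .htaccess enabled): look for a
        # <Files ...> or <FilesMatch ...> section that names p12 next to the
        # key. This does not parse the deny directive inside the section.
        if ! grep -Eqi '<Files(Match)?[^>]*p12' "$dir/.htaccess" 2>/dev/null; then
            echo "FINDING: no .htaccess rule covering *.p12 in $dir"
            findings=$((findings + 1))
        fi
    done
    IFS=$old_ifs
    [ "$findings" -eq 0 ]
}

# Run the audit when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_p12 "$1" || true
fi
```
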


It will now create the Service Account, and provide you with 15GB of space!

Understanding the Service Account

The Service Account approach is a bit different from just using the Google Drive destination, as the account has no UI (User Interface). The Service Account just handles the storage and what it should do with the backups once received, which can make accessing the backups different from just accessing them from your Google Drive space. So, if your site goes down and you need to access the backups, you can either access the backups on another site or use IAM permissions or file sharing between two accounts.

If you don't have much knowledge of IAM, then accessing the backups on another site would be the more reasonable approach. All you'll need to do is spin up another site and use the Service Account remote destination option through BackupBuddy on the other site, enter your Service Account ID and re-upload the .p12 key file to your new server's public_html (root) directory. From there, you can hook into your service account again and retrieve the backup.

If you wish to use file sharing, then you will need to use your personal Google Drive account and share it with the Service Account's email address (Service Account ID). The Service Account will then be able to upload to any project you choose from your personal Google Drive account. Just make sure to set the permissions on the file after it's uploaded so you can grant your personal account access to the file (backup). When the file/backup is uploaded, it will be owned by the Service Account.
