# Data Delivery Using GCS

## How to Set Up GCS Delivery

The following step-by-step instructions describe how to configure IAM access permissions for Forager in your Google Cloud console so that you can use a Cloud Storage bucket to unload Forager data:

### 1. Creating a custom IAM role

Create a custom role that has the permissions required to access the bucket and get objects.

1. Sign in to the Google Cloud console as a project editor.
2. From the home dashboard, select **IAM & Admin** » **Roles**.
3. Select **Create Role**.
4. Enter a **Title** and optional **Description** for the custom role.
5. Select **Add Permissions**.
6. Filter the list of permissions, and add the following from the list:


**Required permissions**

- `storage.buckets.get`
- `storage.objects.create`
- `storage.objects.delete`
- `storage.objects.list`
- `storage.multipartUploads.abort`
- `storage.multipartUploads.create`
- `storage.multipartUploads.list`
- `storage.multipartUploads.listParts`


1. Select **Add**.
2. Select **Create**.


### 2. Assigning the Custom Role to Forager Cloud Storage Service Account

1. Sign in to the Google Cloud console as a project editor.
2. From the home dashboard, select **Cloud Storage** » **Buckets**.
3. Filter the list of buckets, and select the bucket that you specified when you created your storage integration.
4. Select **Permissions** » **View by principals**, then select **Grant access**.
5. Under **Add principals**, paste the name of the the below service account, `k9kb00000@awseucentral2-1-0c24.iam.gserviceaccount.com`
6. Under Assign roles, select the custom IAM role that you created previously, then select **Save**.


> **Important**
If your Google Cloud organization was created on or after May 3, 2024, Google Cloud enforces a [domain restriction constraint](https://docs.cloud.google.com/resource-manager/docs/organization-policy/restricting-domains) in project organization policies. The default constraint lists your domain as the only allowed value. You will need to modify your Organization Policy to allow for external services to access your bucket.


### 3. (Optional) Granting the Cloud Storage service account permissions on the Cloud Key Management Service cryptographic keys

> **Note**
This step is required only if your GCS bucket is encrypted using a key stored in the Google Cloud Key Management Service (Cloud KMS).


1. Sign in to the Google Cloud console as a project editor.
2. From the home dashboard, search for and select **Security** » **Key Management**.
3. Select the key ring that is assigned to your GCS bucket.
4. Click **SHOW INFO PANEL** in the upper-right corner. The information panel for the key ring slides out.
5. Click the **ADD PRINCIPAL** button.
6. In the New principals field, search for the Forager service account name `k9kb00000@awseucentral2-1-0c24.iam.gserviceaccount.com`.
7. From the Select a role dropdown, select the `Cloud KMS CrytoKey Encryptor/Decryptor` role.
8. Click the **Save** button. The service account name is added to the **Cloud KMS CrytoKey Encryptor/Decryptor** role dropdown in the information panel.


### 4. Provide your bucket name to Forager

Once the bucket is set up, send the following details to Forager.ai:

- `gcs://<your-bucket-name>/<desired-path>`


Our team will configure the data delivery to send data directly to your GCS bucket.

## File output paths and file names

Read more about file paths [here](/data-license/v2/output-data-file-details).

## Need Help?

📩 For Support: Contact us at support@forager.ai.