Introduction
ClickHouse Cloud connects to GCS using HMAC (Hash-based Message Authentication Code) keys associated with a Google Cloud service account. This approach provides secure access to your GCS buckets without embedding credentials directly in your queries. How it works:- You create a Google Cloud service account with appropriate GCS permissions
- You generate HMAC keys for that service account
- You provide these HMAC credentials to ClickHouse Cloud
- ClickHouse Cloud uses these credentials to access your GCS buckets
Prerequisites
For following this guide you will need:- An active ClickHouse Cloud service
- A Google Cloud project with Cloud Storage enabled
- Permissions to create service accounts and generate HMAC keys in your GCP project
Setup
Create a Google Cloud service account
- In the Google Cloud Console, navigate to IAM & Admin → Service Accounts
- Click
Service accountsfrom the left-hand menu, then clickCreate service account:
Create and continueGrant the service account the Storage Object User role:This role provides read and write access to GCS objectsClick Continue, then DoneMake note of the service account email address:Grant bucket access to the service account
You can grant access at either the project level or individual bucket level.Option 1: Grant access to specific buckets (recommended)
- Navigate to
Cloud Storage→Buckets - Click on the bucket you want to grant access to
- Go to the
Permissionstab - Under “Permissions” click
Grant accessfor the principal created in the previous steps - In the “New principals” field, enter your service account email
- Select the appropriate role:
- Storage Object User for read/write access
- Storage Object Viewer for read-only access
- Click
Save - Repeat for any additional buckets
Option 2: Grant project-level access
- Navigate to
IAM & Admin→IAM - Click
Grant access - Enter your service account email in the
New principalsfield - Select Storage Object User (or Storage Object Viewer for read-only)
- Click SAVE
Generate HMAC keys for the service account
Navigate toCloud Storage → Settings → Interoperability:If you don’t see an “Access keys” section, click Enable interoperability accessUnder “Access keys for service accounts”, click Create a key for a service account:Select the service account you created earlier (e.g clickhouse-gcs-access@your-project.iam.gserviceaccount.com)Click Create key:The HMAC key will be displayed.
Save both the Access Key and Secret immediately - you won’t be able to view the secret again.Example keys are shown below:ImportantStore these credentials securely.
The secret can’t be retrieved again after this screen is closed.
You will need to generate new keys if you lose the secret.
Use HMAC keys with ClickHouse Cloud
Now you can use the HMAC credentials to access GCS from ClickHouse Cloud. For this, use the GCS table function:HMAC authentication in ClickPipes for GCS
ClickPipes uses HMAC (Hash-based Message Authentication Code) keys to authenticate with Google Cloud Storage.When setting up a GCS ClickPipe:- Select
CredentialsunderAuthentication methodduring ClickPipe setup - Provide HMAC credentials obtained in the previous steps
Service account authentication isn’t currently supported - you must use HMAC keys
The GCS bucket URL must use the format:
https://storage.googleapis.com/<bucket>/<path> (not gs://)roles/storage.objectViewer role, which includes:storage.objects.list: to list objects in the bucketstorage.objects.get: to fetch/read objects
Best practices
Use separate service accounts for different environments
Create separate service accounts for development, staging, and production environments. For example:clickhouse-gcs-dev@project.iam.gserviceaccount.comclickhouse-gcs-staging@project.iam.gserviceaccount.comclickhouse-gcs-prod@project.iam.gserviceaccount.com
Apply least-privilege access
Grant only the minimum required permissions:- Use Storage Object Viewer for read-only access
- Grant access to specific buckets rather than project-wide
- Consider using bucket-level conditions to restrict access to specific paths
Rotate HMAC keys regularly
Implement a key rotation schedule:- Generate new HMAC keys
- Update ClickHouse configurations with new keys
- Verify functionality with new keys
- Delete old HMAC keys
Monitor access with Cloud Audit Logs
Enable and monitor Cloud Audit Logs for Cloud Storage:- Navigate to IAM & Admin → Audit Logs
- Find Cloud Storage in the list
- Enable
Admin Read,Data Read, andData Write logs - Use these logs to monitor access patterns and detect anomalies