1. Relyance AI Help Center
  2. Admin Center
  3. Integrations

Google Cloud Spanner

Updated
Kaushik B D
google spanner.png

Google Cloud Spanner is a fully managed, scalable, relational database service for regional and global application data.

Relyance AI integrates with Google Cloud Spanner to discover and classify personal and sensitive data across your Spanner databases. Through this integration, Relyance AI can scan your database schemas, tables, and data to provide visibility into what sensitive information exists and where it flows within your organization.

What You’ll Need

To integrate Google Cloud Spanner with Relyance AI, you will need:

  • GCP Console access with permissions to:
    • Create service accounts
    • Grant IAM roles and permissions
    • View Spanner instances and databases
  • A Google Cloud project with active Spanner instances
  • Admin or Owner role on your GCP project (or equivalent permissions)
     

In Google Cloud Platform

This section covers the steps you'll complete in the Google Cloud Console to grant Relyance AI secure access to your Spanner instances.

Step 1: Create a Service Account

  1. Navigate to IAM & AdminService Accounts in the Google Cloud Console.
  2. Click + CREATE SERVICE ACCOUNT.
  3. Enter the service account details:
    • Service account name: Follow the naming convention rely-<tenant_name>-int-<suffix>
      • Example: rely-dataeng-int or rely-aisec-int-surendra
    • Service account ID: Will auto-populate based on the name
    • Service account description: Service account for Relyance AI Spanner integration
  4. Click CREATE AND CONTINUE.
  5. Skip the optional permissions step (you'll configure this in the next step).
  6. Click DONE.
Copy the full service account email (e.g.,rely-dataeng-int@your-project-id.iam.gserviceaccount.com). You'll need this in later steps.

Reference Documentation:

Step 2: Assign Required Permissions

Grant the service account the permissions needed to scan your Spanner databases and discover assets.

  1. In the Google Cloud Console, navigate to SpannerInstances.
  2. Select the Spanner instance you want Relyance AI to access.
  3. Click the PERMISSIONS tab.
  4. Click GRANT ACCESS.
  5. In the "New principals" field, enter the service account email you created in Step 1: 
    rely-<tenant_name>-int-<suffix>@<your-project-id>.iam.gserviceaccount.com
  6. In the "Select a role" dropdown, choose Cloud Spanner Database Reader (roles/spanner.databaseReader).
  7. Click SAVE.
The Cloud Spanner Database Reader role includes the following permissions required for Relyance AI:
  • spanner.databases.get
  • spanner.databases.list
  • spanner.databases.read
  • spanner.databases.select
  • spanner.sessions.create
  • spanner.sessions.delete
  • spanner.sessions.get
  • spanner.instances.get

Reference Documentation:

Step 3: Configure Service Account Impersonation

Allow Relyance AI's platform service account to impersonate your service account.

  1. Navigate to IAM & AdminService Accounts.
  2. Find and click on the service account you created in Step 1.
  3. Click the PERMISSIONS tab.
  4. Click GRANT ACCESS under "View by Principals".
  5. In the "Add principals" drawer:
  6. Click SAVE.
This grants Relyance AI's service account permission to impersonate your service account, enabling secure, credential-free access to your Spanner databases without sharing private keys.

Reference Documentation:

 

In the Relyance AI Application

  1. Login to your Relyance account.
  2. Navigate to the Settings menu in the bottom left-hand side.
  3. Select Integrations.
  4. Find the Google Cloud Spanner integration card and click Configure.
  5. In the Connection Settings section, under Create Connection, click on the drop-down menu.
  6. Under Connection → Authentication Step, select Direct Connection as your authentication method.
  7. Enter your connection details:
    • Service Account Email: Enter the service account email you created in Step 1:
      rely-<tenant_name>-int-<suffix>@<your-project-id>.iam.gserviceaccount.com
    • Project ID: Enter your Google Cloud project ID (e.g., acme-production-12345).
  8. Config Options (Optional): If you want to filter which instances, databases, or tables Relyance AI scans, enter configuration options in JSON format: 
    9. json
  [
     {
       "instance_id": "your-instance-name",
       "allow_list_databases": [],
       "deny_list_databases": ["test-database"],
       "allow_list_tables": []
     }
   ]
    • instance_id: The Spanner instance ID to scan. Required.
    • allow_list_databases: List of specific databases to scan (empty array = scan all). Leave blank to scan all.
    • deny_list_databases: List of databases to exclude from scanning. Leave blank to scan all.
    • allow_list_tables: List of specific tables to scan in format. Leave blank to scan all. <database>.DEFAULT.<table>
    For the default schema, use DEFAULT in the table format: database.DEFAULT.table
  9. Click Authenticate.
  10. You should see a success indicator on the integrations page showing the connection is active.
Was this article helpful?
0 out of 0 found this helpful