Cloud Storage Buckets

A Cloud Storage Bucket connection lets Mycorr read files — CSV, TSV, or Parquet — directly from a cloud storage bucket and import them into a Model as Tables.

Supported providers: Google Cloud Storage (GCS). Amazon S3 and Azure Blob Storage are on the roadmap.

How it works

Once a connection is set up, you can browse your bucket from the Import panel inside a Model. Folders and files appear as a tree — click a file and Mycorr imports it as a new Table in the current Model.

  • Per-file import. Each file you click becomes its own Table.
  • Fully owned. After import, the Table is yours — edit it, share it, version it. There is no live link back to the bucket.
  • Re-import by clicking the file again to bring in a fresh copy as a new Table.

Connecting a bucket

Connections are created from Settings → Connections → New Connection → Cloud Storage Bucket, or from the Import panel inside a Model.

When creating a GCS connection, you provide:

  1. Access scope — a single bucket (recommended) or your entire GCP project (browse all buckets you have access to).
  2. Sign in with Google to link your Google account to the connection. (Mycorr requests only non-sensitive openid email profile scopes — never access to your Cloud data via OAuth.)
  3. The WIF audience your admin gives you (see below). Mycorr uses Workload Identity Federation: your Google sign-in is exchanged for a short-lived token whose bucket access comes from IAM, not the OAuth grant.

⚠️ Cloud setup is required first. Before the connection will work, someone with admin access to your GCP project needs to grant Mycorr's access. See the GCP Setup page for the commands your admin runs once, then hands you the WIF audience to paste into Mycorr.

Security model

  • No long-lived secret in Mycorr. Mycorr never asks for a service account JSON key. Access is brokered by your Google sign-in, exchanged on the fly for a short-lived (1 hour) token to read the bucket.
  • No sensitive OAuth scope. Sign-in requests only openid email profile; the bucket grant lives in your GCP IAM, not the OAuth scope.
  • Read-only. The roles granted (storage.objectViewer, optionally storage.bucketViewer) only allow reading. Mycorr cannot write, modify, or delete anything in your bucket.
  • Revocable in GCP. Removing the federated principal from the IAM binding (or deleting the WIF provider) cuts off access at the next token refresh — independent of Mycorr.
  • Audit trail. Every bucket read shows up in Cloud Audit Logs with the human user's identity (principalSubject) attached.

Revoking

Two ways to disconnect:

  • In Mycorr: Settings → Connections → click the row → Delete.
  • In GCP: remove the principalSet binding, or delete the WIF provider. Full commands in GCP Setup → Revoking access.

Either is sufficient. Both is fine.

Next

  • GCP Setup (admin) — the one-time GCP configuration your admin runs to grant Mycorr access.