To export data from Worklytics to Amazon Web Services (AWS) S3 buckets, you can set up a Data Export Connection in the Worklytics Web App, selecting Amazon S3 as the Data Destination.
Your organization, as a tenant of the Worklytics platform, is assigned a Google Cloud Platform (GCP) service account (SA) that will be used to export the data to your AWS S3 bucket via Workload Identity Federation.
Your tenant SA must be granted the necessary permissions to access the AWS S3 bucket where the data will be exported.
Take note of your Worklytics' tenant Service Account Unique ID: you can find this value in the Export Data Configuration page of the Worklytics Web App, and also on the UI to create the data export itself.
Go to the Amazon Web Services Console and create a new bucket (or choose an existing one).
Create an AWS IAM role and allow your Worklytics' tenant SA to assume it by configuring the role assumption policy.
Grant the role s3:PutObject, s3:GetObject, and s3:ListBucket permissions on the chosen bucket.
We also provide a Terraform module that will automatically provision these resources for you.
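The two policy documents these steps describe, plus a check for an existing role's trust policy, as an added example that is not Worklytics' own code or the output of its Terraform module. It assumes the role trusts Google through `sts:AssumeRoleWithWebIdentity` and pins the SA Unique ID in the `accounts.google.com:aud` condition key; the SA ID and bucket name are constructed placeholders.

```python
import json

GOOGLE_IDP = "accounts.google.com"  # AWS's built-in name for Google as a web identity provider

def trust_policy(sa_unique_id):
    """Role assumption policy that accepts tokens of one Google service account only."""
    if not sa_unique_id.isdigit():
        raise ValueError("use the numeric SA Unique ID, not the SA email address")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": GOOGLE_IDP},
        "Action": "sts:AssumeRoleWithWebIdentity",
        # Assumption: the SA is pinned through the ':aud' condition key.
        "Condition": {"StringEquals": {GOOGLE_IDP + ":aud": sa_unique_id}},
    }]}

def permissions_policy(bucket):
    """The three S3 actions from the steps above, each on the ARN form it applies to."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},      # bucket-level action
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},    # object-level actions
    ]}

def audit_trust(policy, sa_unique_id):
    """List Allow statements that trust anything other than the one expected SA."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal") != {"Federated": GOOGLE_IDP}:
            findings.append(f"statement {i}: principal is not the Google identity provider")
            continue
        pinned = st.get("Condition", {}).get("StringEquals", {}).get(GOOGLE_IDP + ":aud")
        if pinned is None:
            findings.append(f"statement {i}: no :aud condition, any Google-issued token is accepted")
        elif pinned != sa_unique_id:
            findings.append(f"statement {i}: pinned to {pinned}, expected {sa_unique_id}")
    return findings

if __name__ == "__main__":
    SA_ID = "123456789012345678901"  # constructed placeholder, not a real Unique ID
    print(json.dumps(trust_policy(SA_ID), indent=2))
    print(json.dumps(permissions_policy("example-worklytics-export"), indent=2))
    print(audit_trust(trust_policy(SA_ID), SA_ID))  # no findings for the generated policy
```

`audit_trust` can be run over the trust policy of a role that already exists to confirm that it is restricted to your tenant SA before you enter the Role ARN in the Web App.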
Go to the Data Export Connection section in the Worklytics Web App.
Select the dataset you want to export, and its frequency.
Select Amazon S3 as Data Destination, and provide the following values:
Enter the Bucket Name.
Enter the Role ARN of the role created in the prerequisites. This is the role that your Worklytics' tenant SA will assume to access the bucket.
Enter the Region where the bucket is located.
Select the format and compression options, and click on "Create Export".
To export data from Worklytics to Google Cloud Storage (GCS) buckets, you can set up a Data Export Connection in the Worklytics Web App, selecting Google Cloud Storage as the Data Destination.
Your organization, as a tenant of the Worklytics platform, is assigned a Google Cloud Platform (GCP) service account (SA) that will be used to export the data to your GCS bucket via Workload Identity Federation.
Your tenant SA must be granted the necessary permissions to access the GCS bucket where the data will be exported.
Take note of your Worklytics' tenant Service Account email address: you can find this in the Export Data Configuration page of the Worklytics Web App, and also on the UI to create the data export itself.
Go to the Google Cloud Console and create a new bucket (or choose an existing one).
Grant Worklytics' tenant SA the GCP IAM role of Storage Object Admin (roles/storage.objectAdmin) or a similarly restrictive role that permits object creation and listing within the bucket.
We provide a Terraform module that will automatically provision these resources for you.
Go to the Data Export Connection section in the Worklytics Web App.
Select the dataset you want to export, and its frequency.
Select Google Cloud Storage as Data Destination, and enter the Bucket Name.
Select the format and compression options, and click on "Create Export".
To export data from Worklytics to Azure (Blob Storage) containers, you can set up a Data Export Connection in the Worklytics Web App, selecting Azure as the Data Destination.
Your organization, as a tenant of the Worklytics platform, is assigned a Google Cloud Platform (GCP) service account (SA) that will be used to export the data to your Azure Blob Storage container via Workload Identity Federation.
Your tenant SA must be granted the necessary permissions to access the Azure Blob Storage container where the data will be exported.
Take note of your Worklytics' tenant SA Unique ID: you can find this value in the Export Data Configuration page of the Worklytics Web App, and also on the UI to create the data export itself.
Go to the Azure Portal and select a Storage Account (or create a new one).
Inside the Storage Account, create a new container (or choose an existing one).
Go to the Entra ID section of the portal and create a new application registration. Note the application's client ID (this is the "Application ID" value in the properties section of the application).
Set up Federated Identity Credentials for the application: go to the "Certificates & secrets" section of the application and create a new Credential with the following values:
Federated credential scenario: choose "Other issuer"
Issuer: https://accounts.google.com
Subject identifier: your Worklytics' tenant SA Unique ID
Audience: api://AzureADTokenExchange
Now, go to the "Access control (IAM)" section of the Storage Account and add a new role assignment using:
Role assignment: Storage Blob Delegator
Member granted with the role: The Service Principal that represents the application.
Repeat the same step, this time inside the container you've created:
Role assignment: Storage Blob Data Contributor
Member granted with the role: The Service Principal that represents the application.
Note: role assignment changes may take a few minutes to take effect.
Finally, take note of the values you'll need to provide when configuring the Data Export in the Worklytics Web App:
Storage Account Name
Container Name
Application ID (Client ID)
Tenant ID: in the Azure portal, find this under "Home > Microsoft Entra ID > Overview > Tenant ID".
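A check of the finished Azure setup against the values in the steps above, as an added example that is not part of the Worklytics tooling. It assumes the federated credential is given with Microsoft Graph's field names (`issuer`, `subject`, `audiences`) and the role assignments as objects with `roleDefinitionName` and `scope`, already filtered to the application's Service Principal; all IDs and resource names are constructed placeholders.

```python
EXPECTED_ISSUER = "https://accounts.google.com"
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"

def audit_credential(cred, sa_unique_id):
    """Compare one federated credential with the values from the steps, as exact strings."""
    findings = []
    if cred.get("issuer") != EXPECTED_ISSUER:
        findings.append("issuer must be exactly " + EXPECTED_ISSUER)
    if cred.get("subject") != sa_unique_id:
        findings.append("subject is not the tenant SA Unique ID")
    if cred.get("audiences") != [EXPECTED_AUDIENCE]:
        findings.append("audiences must be only " + EXPECTED_AUDIENCE)
    return findings

def audit_roles(assignments, account_scope, container):
    """Check that each role sits at the scope the steps name, and at no other scope."""
    container_scope = f"{account_scope}/blobServices/default/containers/{container}"
    want = {"Storage Blob Delegator": account_scope,
            "Storage Blob Data Contributor": container_scope}
    findings = []
    for role, scope in want.items():
        scopes = {a["scope"] for a in assignments if a["roleDefinitionName"] == role}
        if scope not in scopes:
            findings.append(f"{role} missing at {scope}")
        for extra in sorted(scopes - {scope}):
            findings.append(f"{role} also assigned at {extra}")
    return findings

if __name__ == "__main__":
    # Constructed sample data, not taken from a real tenant.
    SA_ID = "123456789012345678901"
    ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-export"
               "/providers/Microsoft.Storage/storageAccounts/exampleexport")
    cred = {"name": "worklytics-export", "issuer": "https://accounts.google.com/",
            "subject": SA_ID, "audiences": [EXPECTED_AUDIENCE]}
    roles = [{"roleDefinitionName": "Storage Blob Delegator", "scope": ACCOUNT},
             {"roleDefinitionName": "Storage Blob Data Contributor", "scope": ACCOUNT}]
    print(audit_credential(cred, SA_ID))             # trailing slash in the issuer is flagged
    print(audit_roles(roles, ACCOUNT, "worklytics"))  # Data Contributor is wider than the container
```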
Go to the Data Export Connection section in the Worklytics Web App.
Select the dataset you want to export, and its frequency.
Select Azure as Data Destination, and enter all the values from step 7 of the prerequisites.
Select the format and compression options, and click on "Create Export".
You can export the data to any of the supported Cloud Storage Providers. All providers work in a similar way: your organization, as a tenant of the Worklytics platform, is assigned a Google Cloud Platform (GCP) service account (SA) that will be used to export the data to the Cloud Storage Provider of your choice via Workload Identity Federation.
All providers need a series of prerequisites to be met before you can set up the connection in the Worklytics Web App: create some storage resources (such as the bucket/container where the data will be exported) and give your Worklytics' tenant account access to them.
Once those prerequisites are met, you can create a Data Export in the Worklytics Web App by choosing the desired dataset, configuring its settings (file format, compression, etc.), and providing the necessary information about your storage resources (e.g. bucket/container name).
The user who creates the Data Export needs to have the DataExportAdmin role. Check the Worklytics Access Control documentation for more information.
Whichever provider you choose, we recommend creating a dedicated bucket/container for the data export and using the Terraform modules we provide to automatically provision the necessary resources, instead of creating them manually. See the detailed instructions for each provider:
Azure Blob Storage (beta)