Installing a GCP connector on Cloud Run using CLI

Deploy the Docker image of the Apono connector as Cloud Run service

Cloud Run is a managed compute platform that enables running containerized applications in a fully managed serverless environment.

This article explains how to setup an Apono connector for Cloud Run with a Docker image.

Prerequisites

Item	Description
Apono Token	Account-specific Apono authentication value Use the following steps to obtain your token: On the Connectors page, click Install Connector. The Install Connector page appears. Click Cloud installation. Click Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run). Copy the token listed on the page in step 1.
Kubernetes Command Line Tool (kubectl)	Command-line tool used for communicating with a Kubernetes cluster's control plane
Google Cloud Command Line Interface (Google Cloud CLI)	Command-line interface used to manage Google Cloud resources
Google Cloud Information	Information for your Google Cloud instance Google-defined Values: (Organization) Organization ID Project ID Google Cloud Location Customer-defined Values: Service Account Name Artifact Repository Name Cloud Run Service Name
Google Cloud Roles	Google Cloud role that provides Owner permissions for the project or organization Project Implementation Role: Owner Organization Implementation Roles: Owner Organization Administrator

Item

Description

Apono Token

Account-specific Apono authentication value Use the following steps to obtain your token:

On the Connectors page, click Install Connector. The Install Connector page appears.
Click Cloud installation.
Click Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run).
Copy the token listed on the page in step 1.

Kubernetes Command Line Tool (kubectl)

Command-line tool used for communicating with a Kubernetes cluster's control plane

Google Cloud Command Line Interface (Google Cloud CLI)

Command-line interface used to manage Google Cloud resources

Google Cloud Information

Information for your Google Cloud instance

Google-defined Values:

(Organization) Organization ID
Project ID
Google Cloud Location

Customer-defined Values:

Service Account Name
Artifact Repository Name
Cloud Run Service Name

Google Cloud Roles

Google Cloud role that provides Owner permissions for the project or organization

Project Implementation Role:

Owner

Organization Implementation Roles:

Owner
Organization Administrator

Create a Cloud Run user

Use the following sections to create a Cloud Run user for either your Google Project or Google Organization.

Project

Follow these steps to create a service account for Cloud Run in a Google Project:

In your shell environment, log in to Google Cloud and enable the API.

gcloud auth login \
gcloud services enable cloudresourcemanager.googleapis.com \
gcloud services enable cloudasset.googleapis.com

Set the environment variables.

export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.

Role	Permissions Granted
role/secretmanager.secretAccessor	Access secret versions Read the secret data
roles/iam.securityAdmin	Manage IAM policies, roles, and service accounts Set and update IAM policies Grant, modify, and revoke IAM roles for users and service accounts

Role

Permissions Granted

role/secretmanager.secretAccessor

Access secret versions
Read the secret data

roles/iam.securityAdmin

Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --project $GCP_PROJECT_ID

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin" \
    --project $GCP_PROJECT_ID

Organization

Follow these steps to create a service account for Cloud Run in a Google Organization:

In your shell environment, log in to Google Cloud and enable the API.

gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudasset.googleapis.com

Set the environment variables.

export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.

Role	Permissions Granted
role/secretmanager.secretAccessor	Access secret versions Read the secret data
roles/iam.securityAdmin	Manage IAM policies, roles, and service accounts Set and update IAM policies Grant, modify, and revoke IAM roles for users and service accounts
roles/browser	List resources within the organization View metadata

Role

Permissions Granted

role/secretmanager.secretAccessor

Access secret versions
Read the secret data

roles/iam.securityAdmin

Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts

roles/browser

List resources within the organization
View metadata

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/browser"

Deploy the connector

Follow these steps to deploy the Apono connector:

Push the connector image to GCP Artifact Registry.
The following sets of commands push the connector image to the GCP Artifact Registry:
- New Registry: Use the code on this tab to push the Apono connector Docker image to a new GCP Artifact Registry.
- Existing Registry: Use the code on this tab to push the Apono connector Docker image to an existing Docker-format GCP Artifact Registry

gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \
    --location=$GCP_LOCATION --description="Docker repository" \
    --project=$GCP_PROJECT_ID

docker login registry.apono.io -u apono --password $APONO_TOKEN 

docker pull registry.apono.io/apono-docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4

export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.6.4

echo $IMAGE_PATH

docker image tag registry.apono.io/apono-connector:v1.6.4 $IMAGE_PATH

gcloud auth configure-docker \
    $GCP_LOCATION-docker.pkg.dev

docker push $IMAGE_PATH

docker login registry.apono.io -u apono --password $APONO_TOKEN 

docker pull registry.apono.io/apono-docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4

export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector

echo $IMAGE_PATH

docker image tag registry.apono.io/apono-connector $IMAGE_PATH

gcloud auth configure-docker \
    $GCP_LOCATION-docker.pkg.dev

docker push $IMAGE_PATH

Deploy the Docker image of the Apono connector to the Cloud Run service.

gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME --image $IMAGE_PATH --region=$GCP_LOCATION  --allow-unauthenticated --max-instances=1 --min-instances=1 --cpu=1 --memory=1Gi --no-cpu-throttling --service-account $SERVICE_ACCOUNT_NAME --update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io

PreviousApono Connector for GCP NextInstalling a GCP connector on GKE using CLI (Helm)

Last updated 1 month ago