Installing a GCP connector on Cloud Run using CLI

Deploy the Docker image of the Apono connector as Cloud Run service

Cloud Run is a managed compute platform that enables running containerized applications in a fully managed serverless environment.

This article explains how to set up an Apono connector on Cloud Run from a Docker image.


Prerequisites

Apono Token
  Account-specific Apono authentication value. Use the following steps to obtain your token:

    1. Click Cloud installation.
    2. Click Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run).
    3. Copy the token listed on the page in step 1.

Kubernetes Command Line Tool (kubectl)

Google Cloud Command Line Interface (Google Cloud CLI)

Google Cloud Information
  Information for your Google Cloud instance.

  Google-defined values:
    • Google Cloud Location

  Customer-defined values:
    • Service Account Name
    • Artifact Repository Name
    • Cloud Run Service Name

Google Cloud Roles
  Project implementation role:
    • Owner

  Organization implementation roles:
    • Owner
    • Organization Administrator


Create a Cloud Run user

Use the following sections to create a Cloud Run user for either your Google Project or Google Organization.

Project

Follow these steps to create a service account for Cloud Run in a Google Project:

  1. In your shell environment, log in to Google Cloud and enable the APIs. (Each line is a separate command; do not join them with line continuations.)

    gcloud auth login
    gcloud services enable cloudresourcemanager.googleapis.com
    gcloud services enable cloudasset.googleapis.com
  2. Set the environment variables.

    export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
    export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
    export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
    export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
    export GCP_LOCATION=<GCP_LOCATION>
    export APONO_TOKEN=<YOUR_APONO_TOKEN>
    export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
  3. Create the service account.

    gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
  4. Assign the following roles to the service account.

    Role: roles/secretmanager.secretAccessor
      Permissions granted:
        • Access secret versions
        • Read the secret data

    Role: roles/iam.securityAdmin
      Permissions granted:
        • Manage IAM policies, roles, and service accounts
        • Set and update IAM policies
        • Grant, modify, and revoke IAM roles for users and service accounts

    gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
        --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/secretmanager.secretAccessor" \
        --project $GCP_PROJECT_ID

    gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
        --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/iam.securityAdmin" \
        --project $GCP_PROJECT_ID

Organization

Follow these steps to create a service account for Cloud Run in a Google Organization:

  1. In your shell environment, log in to Google Cloud and enable the APIs.

    gcloud auth login
    gcloud services enable cloudresourcemanager.googleapis.com
    gcloud services enable cloudasset.googleapis.com
  2. Set the environment variables.

    export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
    export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
    export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
    export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
    export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
    export GCP_LOCATION=<GCP_LOCATION>
    export APONO_TOKEN=<YOUR_APONO_TOKEN>
    export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
  3. Create the service account.

    gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
  4. Assign the following roles to the service account.

    Role: roles/secretmanager.secretAccessor
      Permissions granted:
        • Access secret versions
        • Read the secret data

    Role: roles/iam.securityAdmin
      Permissions granted:
        • Manage IAM policies, roles, and service accounts
        • Set and update IAM policies
        • Grant, modify, and revoke IAM roles for users and service accounts

    Role: roles/browser
      Permissions granted:
        • List resources within the organization
        • View metadata

    gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
        --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/secretmanager.secretAccessor"

    gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
        --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/iam.securityAdmin"

    gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
        --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/browser"
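After binding the roles for either the project or the organization, it is worth confirming that the service account holds exactly those roles and nothing broader (an over-broad grant such as Owner on the connector's identity would be a finding). The following Python script is an added example, not part of this guide or of Apono's tooling; it audits the JSON from `gcloud projects get-iam-policy $GCP_PROJECT_ID --format=json` (or `gcloud organizations get-iam-policy $GCP_ORGANIZATION_ID --format=json`) against the role sets listed in both sections above. The service-account name, project id and policy content are constructed sample values.

```python
import json

# Roles this guide binds at project scope, and at organization scope.
PROJECT_ROLES = {"roles/secretmanager.secretAccessor", "roles/iam.securityAdmin"}
ORG_ROLES = PROJECT_ROLES | {"roles/browser"}

# Constructed sample of `gcloud projects get-iam-policy ... --format=json` output
# (not real output): the two expected bindings plus one over-broad roles/owner
# binding that an audit should flag.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/secretmanager.secretAccessor",
         "members": ["serviceAccount:apono-connector@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/iam.securityAdmin",
         "members": ["serviceAccount:apono-connector@my-project.iam.gserviceaccount.com",
                     "user:admin@example.com"]},
        {"role": "roles/owner",
         "members": ["serviceAccount:apono-connector@my-project.iam.gserviceaccount.com"]},
    ]
})


def member_for(sa_name, project_id):
    """Build the member string used by the add-iam-policy-binding commands above."""
    return "serviceAccount:%s@%s.iam.gserviceaccount.com" % (sa_name, project_id)


def roles_of(policy_json, member):
    """Return every role the member holds; conditional bindings are counted too."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(policy_json, member, expected):
    """Compare held roles with the expected set: gaps break the connector,
    extras widen its blast radius; both are reported."""
    held = roles_of(policy_json, member)
    return {"missing": sorted(expected - held), "unexpected": sorted(held - expected)}


if __name__ == "__main__":
    sa = member_for("apono-connector", "my-project")
    # Prints {"missing": [], "unexpected": ["roles/owner"]} for the sample policy.
    print(json.dumps(audit(SAMPLE_POLICY, sa, PROJECT_ROLES)))
```

To run it against a real project, pass the output of `gcloud projects get-iam-policy $GCP_PROJECT_ID --format=json` to audit() in place of SAMPLE_POLICY, and use ORG_ROLES when checking the organization-level policy.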

Deploy the connector

Follow these steps to deploy the Apono connector:

  1. Push the connector image to GCP Artifact Registry.

    The following commands push the connector image to the GCP Artifact Registry:

    • New Registry: run all of the commands below; the first one creates a new Docker-format GCP Artifact Registry repository.

    • Existing Registry: skip the first command (gcloud artifacts repositories create) and run the rest against your existing Docker-format GCP Artifact Registry repository.

    # Create the Docker-format repository (skip this for an existing registry).
    gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \
        --location=$GCP_LOCATION --description="Docker repository" \
        --project=$GCP_PROJECT_ID

    # Log in to the Apono registry; reading the password from stdin keeps the token
    # out of the process list and shell history.
    echo "$APONO_TOKEN" | docker login registry.apono.io -u apono --password-stdin

    # Pull the linux/amd64 image, which is the platform Cloud Run runs.
    docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4

    export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.6.4

    echo $IMAGE_PATH

    docker image tag registry.apono.io/apono-connector:v1.6.4 $IMAGE_PATH

    # Register gcloud as the Docker credential helper for the Artifact Registry host.
    gcloud auth configure-docker \
        $GCP_LOCATION-docker.pkg.dev

    docker push $IMAGE_PATH
  2. Deploy the Docker image of the Apono connector to the Cloud Run service.

    # The revision runs as the service account created above (full e-mail form).
    gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME \
        --image $IMAGE_PATH \
        --region=$GCP_LOCATION \
        --project=$GCP_PROJECT_ID \
        --allow-unauthenticated \
        --max-instances=1 --min-instances=1 \
        --cpu=1 --memory=1Gi --no-cpu-throttling \
        --service-account "$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
        --update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io
