Installing a GCP connector on Cloud Run using CLI
Deploy the Docker image of the Apono connector as Cloud Run service
Cloud Run is a managed compute platform that enables running containerized applications in a fully managed serverless environment.
This article explains how to set up an Apono connector for Cloud Run with a Docker image.
Prerequisites
Apono Token
Account-specific Apono authentication value.
Use the following steps to obtain your token:
On the Connectors page, click Install Connector. The Install Connector page appears.
Click Cloud installation.
Click Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run).
Copy the token listed on the page in step 1.
Kubernetes Command Line Tool (kubectl)
Command-line tool used for communicating with a Kubernetes cluster's control plane
Google Cloud Command Line Interface (Google Cloud CLI)
Command-line interface used to manage Google Cloud resources
Google Cloud Information
Information for your Google Cloud instance
Google-defined Values:
(Organization) Organization ID
Google Cloud Location
Customer-defined Values:
Service Account Name
Artifact Repository Name
Cloud Run Service Name
Google Cloud Roles
Google Cloud role that provides Owner permissions for the project or organization
Project Implementation Role:
Owner
Organization Implementation Roles:
Owner
Organization Administrator
Create a Cloud Run user
Use the following sections to create a Cloud Run user for either your Google Project or Google Organization.
Project
Follow these steps to create a service account for Cloud Run in a Google Project:
Set the environment variables.
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
In your shell environment, log in to Google Cloud and enable the API.
gcloud auth login
gcloud services enable cloudresourcemanager.googleapis.com --project $GCP_PROJECT_ID
gcloud services enable cloudasset.googleapis.com --project $GCP_PROJECT_ID
gcloud services enable cloudidentity.googleapis.com --project $GCP_PROJECT_ID
gcloud services enable admin.googleapis.com --project $GCP_PROJECT_ID
Create the service account.
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
Assign the following roles to the service account.
roles/secretmanager.secretAccessor
Access secret versions
Read the secret data
roles/iam.securityAdmin
Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor" \
--project $GCP_PROJECT_ID
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/iam.securityAdmin" \
--project $GCP_PROJECT_ID
Organization
Follow these steps to create a service account for Cloud Run in a Google Organization:
In your shell environment, log in to Google Cloud and enable the API.
gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudasset.googleapis.com
gcloud services enable cloudidentity.googleapis.com
gcloud services enable admin.googleapis.com
Set the environment variables.
export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
Create the service account.
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
Assign the following roles to the service account.
Role and permissions granted:
roles/secretmanager.secretAccessor
Access secret versions
Read the secret data
roles/iam.securityAdmin
Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts
roles/browser
List resources within the organization
View metadata
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/iam.securityAdmin"
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/browser"
Deploy the connector
Follow these steps to deploy the Apono connector:
Push the connector image to GCP Artifact Registry.
The following sets of commands push the connector image to the GCP Artifact Registry:
New Registry: Use the code on this tab to push the Apono connector Docker image to a new GCP Artifact Registry.
Existing Registry: Use the code on this tab to push the Apono connector Docker image to an existing Docker-format GCP Artifact Registry.
New Registry:
gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \
--location=$GCP_LOCATION --description="Docker repository" \
--project=$GCP_PROJECT_ID
docker login registry.apono.io -u apono --password $APONO_TOKEN
docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.7.3
export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.7.3
echo $IMAGE_PATH
docker image tag registry.apono.io/apono-connector:v1.7.3 $IMAGE_PATH
gcloud auth configure-docker \
$GCP_LOCATION-docker.pkg.dev
docker push $IMAGE_PATH
Existing Registry:
docker login registry.apono.io -u apono --password $APONO_TOKEN
docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.7.3
export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector
echo $IMAGE_PATH
docker image tag registry.apono.io/apono-connector:v1.7.3 $IMAGE_PATH
gcloud auth configure-docker \
$GCP_LOCATION-docker.pkg.dev
docker push $IMAGE_PATH
Deploy the Docker image of the Apono connector to the Cloud Run service.
gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME \
--image $IMAGE_PATH \
--region=$GCP_LOCATION \
--allow-unauthenticated \
--max-instances=1 \
--min-instances=1 \
--cpu=1 \
--memory=2Gi \
--no-cpu-throttling \
--service-account $SERVICE_ACCOUNT_NAME \
--update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io
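One way to check the role assignments made earlier in this guide, as an added example that is not part of Apono's documentation: the script compares the roles bound to the connector's service account with the two project-level roles the guide grants and reports anything missing or extra. The function names and the sample role list are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: audit the IAM roles bound to the connector service account
# against the roles this guide assigns. Not part of the original page.

# Roles this guide grants at project scope (the organization flow adds roles/browser).
EXPECTED_PROJECT_ROLES="roles/iam.securityAdmin
roles/secretmanager.secretAccessor"

# Constructed sample of list_sa_roles output showing drift (not real data).
SAMPLE_ACTUAL_ROLES="roles/secretmanager.secretAccessor
roles/owner"

# list_sa_roles PROJECT_ID SA_EMAIL: prints one bound role per line (needs gcloud).
list_sa_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# audit_roles EXPECTED ACTUAL: both arguments are newline-separated role lists.
# Prints "MISSING <role>" or "UNEXPECTED <role>" and returns 1 on any difference.
audit_roles() {
  _expected=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
  _actual=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
  _status=0
  while IFS= read -r _role; do
    [ -n "$_role" ] || continue
    if ! printf '%s\n' "$_actual" | grep -qxF -- "$_role"; then
      echo "MISSING $_role"; _status=1
    fi
  done <<EOF
$_expected
EOF
  while IFS= read -r _role; do
    [ -n "$_role" ] || continue
    if ! printf '%s\n' "$_expected" | grep -qxF -- "$_role"; then
      echo "UNEXPECTED $_role"; _status=1
    fi
  done <<EOF
$_actual
EOF
  return $_status
}

# Live usage, with the variables exported earlier in this guide:
#   audit_roles "$EXPECTED_PROJECT_ROLES" "$(list_sa_roles "$GCP_PROJECT_ID" \
#     "$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com")"
```

Because roles/iam.securityAdmin lets the service account change IAM policy, an UNEXPECTED line for this account is worth investigating before the connector is put into use.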
