# Installing a GCP connector on Cloud Run using CLI

Cloud Run is a managed compute platform that enables running containerized applications in a fully managed serverless environment.

This article explains how to set up an Apono connector for Cloud Run with a Docker image.

***

### Prerequisites

<table><thead><tr><th width="269">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Apono Token</strong></td><td><p>Account-specific Apono authentication value<br><br>Use the following steps to obtain your token:</p><ol><li>On the <a href="https://app.apono.io/connectors"><strong>Connectors</strong></a> page, click <strong>Install Connector</strong>. The <strong>Install Connector</strong> page appears.</li><li>Click <strong>Cloud installation</strong>.</li><li>Click <strong>Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run)</strong>.</li><li>Copy the token listed on the page in step 1.</li></ol></td></tr><tr><td><strong>Kubernetes Command Line Tool (kubectl)</strong></td><td><a href="https://kubernetes.io/docs/reference/kubectl/">Command-line tool</a> used for communicating with a Kubernetes cluster's control plane</td></tr><tr><td><strong>Google Cloud Command Line Interface (Google Cloud CLI)</strong></td><td><a href="https://cloud.google.com/sdk/gcloud">Command-line interface</a> used to manage Google Cloud resources</td></tr><tr><td><strong>Google Cloud Information</strong></td><td><p>Information for your Google Cloud instance</p><p><strong>Google-defined Values</strong>:</p><ul><li>(Organization) <a href="https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id">Organization ID</a></li><li><a href="https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects">Project ID</a></li><li>Google Cloud Location</li></ul><p><strong>Customer-defined Values</strong>:</p><ul><li>Service Account Name</li><li>Artifact Repository Name</li><li>Cloud Run Service Name</li></ul></td></tr><tr><td><strong>Google Cloud Roles</strong></td><td><p><a href="https://cloud.google.com/iam/docs/roles-overview?sjid=2603002525407015039-NC#basic">Google Cloud role</a> that provides <strong>Owner</strong> permissions for the project or 
organization<br></p><p><strong>Project Implementation Role</strong>:</p><ul><li>Owner<br></li></ul><p><strong>Organization Implementation Roles</strong>:</p><ul><li>Owner</li><li>Organization Administrator</li></ul></td></tr></tbody></table>

***

### Create a Cloud Run user

Use the following sections to create a Cloud Run user for either your [Google Project](#project) or [Google Organization](#organization).

#### Project

Follow these steps to create a service account for Cloud Run in a Google Project:

1. Set the environment variables.

   ```shell
   export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
   export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
   export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
   export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
   export GCP_LOCATION=<GCP_LOCATION>
   export APONO_TOKEN=<YOUR_APONO_TOKEN>
   export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
   ```
2. In your shell environment, log in to Google Cloud and enable the required APIs.

   ```shell
   gcloud auth login 
   gcloud services enable cloudresourcemanager.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable cloudasset.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable cloudidentity.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable admin.googleapis.com --project $GCP_PROJECT_ID
   ```
3. Create the service account.

   ```shell
   gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
   ```
4. Assign the following roles to the service account.

<table><thead><tr><th width="197">Role</th><th>Permissions Granted</th></tr></thead><tbody><tr><td><strong>roles/secretmanager.secretAccessor</strong></td><td><ul><li>Access secret versions</li><li>Read the secret data</li></ul></td></tr><tr><td><strong>roles/iam.securityAdmin</strong></td><td><ul><li>Manage IAM policies, roles, and service accounts</li><li>Set and update IAM policies</li><li>Grant, modify, and revoke IAM roles for users and service accounts</li></ul></td></tr></tbody></table>

{% code overflow="wrap" %}

```sh
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --project $GCP_PROJECT_ID

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin" \
    --project $GCP_PROJECT_ID
```

{% endcode %}

#### Organization

Follow these steps to create a service account for Cloud Run in a Google Organization:

1. In your shell environment, log in to Google Cloud and enable the required APIs.

   ```shell
   gcloud alpha auth login
   gcloud services enable cloudresourcemanager.googleapis.com
   gcloud services enable cloudasset.googleapis.com
   gcloud services enable cloudidentity.googleapis.com
   gcloud services enable admin.googleapis.com
   ```
2. Set the environment variables.

   ```shell
   export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
   export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
   export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
   export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
   export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
   export GCP_LOCATION=<GCP_LOCATION>
   export APONO_TOKEN=<YOUR_APONO_TOKEN>
   export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
   ```
3. Create the service account.

   ```sh
   gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
   ```

4. Assign the following roles to the service account.

   <table><thead><tr><th width="252">Role</th><th>Permissions Granted</th></tr></thead><tbody><tr><td><strong>roles/secretmanager.secretAccessor</strong></td><td><ul><li>Access secret versions</li><li>Read the secret data</li></ul></td></tr><tr><td><strong>roles/iam.securityAdmin</strong></td><td><ul><li>Manage IAM policies, roles, and service accounts</li><li>Set and update IAM policies</li><li>Grant, modify, and revoke IAM roles for users and service accounts</li></ul></td></tr><tr><td><strong>roles/browser</strong></td><td><ul><li>List resources within the organization</li><li>View metadata</li></ul></td></tr></tbody></table>

   ```sh
   gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/secretmanager.secretAccessor"

   gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/iam.securityAdmin"

   gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/browser"
   ```
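
To confirm that the role bindings from step 4 of the Project and Organization procedures took effect, and that the connector's service account holds nothing beyond them, the following added example (not Apono's own code) compares the roles actually bound against the roles this page assigns. The function names `audit_roles` and `list_sa_roles` and the sample role list are constructed for this illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the roles bound to the connector service account.

# Roles this page assigns at project scope; organization scope adds roles/browser.
PROJECT_ROLES="roles/secretmanager.secretAccessor roles/iam.securityAdmin"
ORG_ROLES="$PROJECT_ROLES roles/browser"

# audit_roles EXPECTED: reads the roles actually bound (one per line) on stdin,
# prints MISSING:/UNEXPECTED: lines, and returns 1 if the two sets differ.
audit_roles() {
    expected=$1
    actual=$(sort -u | sed '/^$/d')
    rc=0
    for role in $expected; do
        if ! printf '%s\n' "$actual" | grep -qxF "$role"; then
            echo "MISSING: $role"; rc=1
        fi
    done
    for role in $actual; do
        case " $expected " in
            *" $role "*) ;;
            *) echo "UNEXPECTED: $role"; rc=1 ;;
        esac
    done
    return $rc
}

# list_sa_roles SCOPE ID: live lookup; SCOPE is "projects" or "organizations".
# Uses the environment variables set earlier on this page.
list_sa_roles() {
    sa="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com"
    gcloud "$1" get-iam-policy "$2" \
        --flatten="bindings[].members" \
        --filter="bindings.members:$sa" \
        --format="value(bindings.role)"
}

# Constructed sample of lookup output: the account also holds roles/owner.
SAMPLE_ROLES='roles/iam.securityAdmin
roles/owner
roles/secretmanager.secretAccessor'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_ROLES" | audit_roles "$PROJECT_ROLES" || true

# Live use:
#   list_sa_roles projects "$GCP_PROJECT_ID" | audit_roles "$PROJECT_ROLES"
#   list_sa_roles organizations "$GCP_ORGANIZATION_ID" | audit_roles "$ORG_ROLES"
```

`get-iam-policy` returns only the bindings set at the scope you query, so roles inherited from a folder or the organization need the same check run at that level.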

***

### Deploy the connector

Follow these steps to deploy the Apono connector:

1. Push the connector image to GCP Artifact Registry.

   The following sets of commands push the connector image to the GCP Artifact Registry:

   * **New Registry**: Use the code on this tab to push the Apono connector Docker image to a new GCP Artifact Registry.
   * **Existing Registry**: Use the code on this tab to push the Apono connector Docker image to an existing Docker-format GCP Artifact Registry.

{% tabs %}
{% tab title="New Registry" %}
{% code overflow="wrap" %}

```sh
gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \
    --location=$GCP_LOCATION --description="Docker repository" \
    --project=$GCP_PROJECT_ID

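# Pass the token on stdin so it is not exposed in the docker process arguments
printf '%s' "$APONO_TOKEN" | docker login registry.apono.io -u apono --password-stdin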

docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.7.9

export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.7.9

echo $IMAGE_PATH

docker image tag registry.apono.io/apono-connector:v1.7.9 $IMAGE_PATH

gcloud auth configure-docker \
    $GCP_LOCATION-docker.pkg.dev

docker push $IMAGE_PATH
```

{% endcode %}
{% endtab %}

{% tab title="Existing Registry" %}
{% code overflow="wrap" %}

```sh
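# Pass the token on stdin so it is not exposed in the docker process arguments
printf '%s' "$APONO_TOKEN" | docker login registry.apono.io -u apono --password-stdin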

docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.7.9

export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector

echo $IMAGE_PATH

# Tag the image that was pulled above (v1.7.9); an untagged name resolves to :latest
docker image tag registry.apono.io/apono-connector:v1.7.9 $IMAGE_PATH

gcloud auth configure-docker \
    $GCP_LOCATION-docker.pkg.dev

docker push $IMAGE_PATH
```

{% endcode %}
{% endtab %}
{% endtabs %}

2. Deploy the Docker image of the Apono connector to the Cloud Run service.

{% code overflow="wrap" %}

```shell
gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME \
    --image $IMAGE_PATH \
    --region=$GCP_LOCATION \
    --allow-unauthenticated \
    --max-instances=1 \
    --min-instances=1 \
    --cpu=1 \
    --memory=2Gi \
    --no-cpu-throttling \
    --service-account $SERVICE_ACCOUNT_NAME \
    --update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io
```

{% endcode %}


