Installing a GCP connector on Cloud Run using CLI

Deploy the Docker image of the Apono connector as Cloud Run service

Cloud Run is a managed compute platform that enables running containerized applications in a fully managed serverless environment.

This article explains how to setup an Apono connector for Cloud Run with a Docker image.

Prerequisites

Item

Description

Create a Cloud Run user

Use the following sections to create a Cloud Run user for either your Google Project or Google Organization.

Project

Follow these steps to create a service account for Cloud Run in a Google Project:

In your shell environment, log in to Google Cloud and enable the API.

gcloud auth login \
gcloud services enable cloudresourcemanager.googleapis.com \
gcloud services enable cloudasset.googleapis.com

Set the environment variables.

export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --project $GCP_PROJECT_ID

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin" \
    --project $GCP_PROJECT_ID

Organization

Follow these steps to create a service account for Cloud Run in a Google Organization:

In your shell environment, log in to Google Cloud and enable the API.

gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudasset.googleapis.com

Set the environment variables.

export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/browser"

Deploy the connector

Follow these steps to deploy the Apono connector:

Push the connector image to GCP Artifact Registry.
The following sets of commands push the connector image to the GCP Artifact Registry:
- New Registry: Use the code on this tab to push the Apono connector Docker image to a new GCP Artifact Registry.
- Existing Registry: Use the code on this tab to push the Apono connector Docker image to an existing Docker-format GCP Artifact Registry

gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \
    --location=$GCP_LOCATION --description="Docker repository" \
    --project=$GCP_PROJECT_ID

docker login registry.apono.io -u apono --password $APONO_TOKEN 

docker pull registry.apono.io/apono-docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4

export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.6.4

echo $IMAGE_PATH

docker image tag registry.apono.io/apono-connector:v1.6.4 $IMAGE_PATH

gcloud auth configure-docker \
    $GCP_LOCATION-docker.pkg.dev

docker push $IMAGE_PATH

docker login registry.apono.io -u apono --password $APONO_TOKEN 

docker pull registry.apono.io/apono-docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4

export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector

echo $IMAGE_PATH

docker image tag registry.apono.io/apono-connector $IMAGE_PATH

gcloud auth configure-docker \
    $GCP_LOCATION-docker.pkg.dev

docker push $IMAGE_PATH

Deploy the Docker image of the Apono connector to the Cloud Run service.

gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME --image $IMAGE_PATH --region=$GCP_LOCATION  --allow-unauthenticated --max-instances=1 --min-instances=1 --cpu=1 --memory=1Gi --no-cpu-throttling --service-account $SERVICE_ACCOUNT_NAME --update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io

PreviousApono Connector for GCP NextInstalling a GCP connector on GKE using CLI (Helm)

Last updated 1 month ago

Item

Description

export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID> export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME> export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME> export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME> export GCP_LOCATION=<GCP_LOCATION> export APONO_TOKEN=<YOUR_APONO_TOKEN> export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>

Role

Permissions Granted

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \ --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \ --role="roles/secretmanager.secretAccessor" \ --project $GCP_PROJECT_ID gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \ --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \ --role="roles/iam.securityAdmin" \ --project $GCP_PROJECT_ID

export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID> export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID> export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME> export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME> export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME> export GCP_LOCATION=<GCP_LOCATION> export APONO_TOKEN=<YOUR_APONO_TOKEN> export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>

Role

Permissions Granted

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \ --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \ --role="roles/secretmanager.secretAccessor" gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \ --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \ --role="roles/iam.securityAdmin" gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \ --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \ --role="roles/browser"

gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \ --location=$GCP_LOCATION --description="Docker repository" \ --project=$GCP_PROJECT_ID docker login registry.apono.io -u apono --password $APONO_TOKEN docker pull registry.apono.io/apono-docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4 export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.6.4 echo $IMAGE_PATH docker image tag registry.apono.io/apono-connector:v1.6.4 $IMAGE_PATH gcloud auth configure-docker \ $GCP_LOCATION-docker.pkg.dev docker push $IMAGE_PATH

docker login registry.apono.io -u apono --password $APONO_TOKEN docker pull registry.apono.io/apono-docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4 export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector echo $IMAGE_PATH docker image tag registry.apono.io/apono-connector $IMAGE_PATH gcloud auth configure-docker \ $GCP_LOCATION-docker.pkg.dev docker push $IMAGE_PATH

gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME --image $IMAGE_PATH --region=$GCP_LOCATION --allow-unauthenticated --max-instances=1 --min-instances=1 --cpu=1 --memory=1Gi --no-cpu-throttling --service-account $SERVICE_ACCOUNT_NAME --update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io