Installing a GCP connector for Cloud Run

Deploy the Docker image of the Apono connector as Cloud Run service

Cloud Run is a managed compute platform that enables running containerized applications in a fully managed serverless environment.

This article explains how to set up an Apono connector on Cloud Run from a Docker image.



Prerequisites

Item: Apono Token
Description: Account-specific Apono authentication value.
  Use the following steps to obtain your token:
    1. On the Connectors page, click Install Connector. The Install Connector page appears.
    2. Click Cloud installation.
    3. Click Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run).
    4. Copy the token listed on the page in step 1.

Item: Kubernetes Command Line Tool (kubectl)
Description: Command-line tool used for communicating with a Kubernetes cluster's control plane

Item: Google Cloud Command Line Interface (Google Cloud CLI)
Description: Command-line interface used to manage Google Cloud resources

Item: Google Cloud Information
Description: Information for your Google Cloud instance:
  • (Organization) Organization ID
  • Project ID
  • Service Account Name
  • Artifact Repository Name
  • Cloud Run Service Name
  • Google Cloud Location

Item: Owner Role
Description: Google Cloud role that provides Owner permissions for the project or organization


Create a Cloud Run user

Use the following sections to create a Cloud Run user for either your Google Project or your Google Organization.


Project

Follow these steps to create a service account for Cloud Run in a Google Project:

  1. In your shell environment, log in to Google Cloud and enable the required APIs. Each command runs on its own; do not chain them with a trailing backslash.

    gcloud auth login
    gcloud services enable cloudresourcemanager.googleapis.com
    gcloud services enable cloudasset.googleapis.com
    
  2. Set the environment variables.

    export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
    export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
    export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
    export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
    export GCP_LOCATION=<GCP_LOCATION>
    export APONO_TOKEN=<YOUR_APONO_TOKEN>
    export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
    
  3. Create the service account.

    gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
    
  4. Assign the following roles to the service account.

    Role: roles/secretmanager.secretAccessor
    Permissions granted:
    • Access secret versions
    • Read the secret data

    Role: roles/iam.securityAdmin
    Permissions granted:
    • Manage IAM policies, roles, and service accounts
    • Set and update IAM policies
    • Grant, modify, and revoke IAM roles for users and service accounts

    gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
        --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/secretmanager.secretAccessor" \
        --project $GCP_PROJECT_ID
    
    gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
        --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/iam.securityAdmin" \
        --project $GCP_PROJECT_ID
    
    



Organization

Follow these steps to create a service account for Cloud Run in a Google Organization:

  1. In your shell environment, log in to Google Cloud and enable the API. Each command runs on its own; do not chain them with a trailing backslash.

    gcloud auth login
    gcloud services enable cloudresourcemanager.googleapis.com
    
  2. Set the environment variables.

    export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
    export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
    export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
    export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
    export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
    export GCP_LOCATION=<GCP_LOCATION>
    export APONO_TOKEN=<YOUR_APONO_TOKEN>
    export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
    
  3. Create the service account.

    gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
    
  4. Assign the following roles to the service account.

    Role: roles/secretmanager.secretAccessor
    Permissions granted:
    • Access secret versions
    • Read the secret data

    Role: roles/iam.securityAdmin
    Permissions granted:
    • Manage IAM policies, roles, and service accounts
    • Set and update IAM policies
    • Grant, modify, and revoke IAM roles for users and service accounts

    Role: roles/browser
    Permissions granted:
    • List resources within the organization
    • View metadata

    gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
        --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/secretmanager.secretAccessor"
    
    gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
        --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/iam.securityAdmin"
    
    gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
        --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/browser"
    



Deploy the connector

Follow these steps to deploy the Apono connector:

  1. Push the connector image to GCP Artifact Registry.

    The following two sets of commands push the connector image to the GCP Artifact Registry. Run only one of them:

    • New Registry: Use the commands under "New Registry" to create a Docker-format GCP Artifact Registry and push the Apono connector Docker image to it.
    • Existing Registry: Use the commands under "Existing Registry" to push the Apono connector Docker image to an existing Docker-format GCP Artifact Registry.

    Both variants read the Apono token from standard input with --password-stdin so the token does not appear in the shell history or process list.

    New Registry:

    gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \
        --location=$GCP_LOCATION --description="Docker repository" \
        --project=$GCP_PROJECT_ID
    
    echo "$APONO_TOKEN" | docker login registry.apono.io -u apono --password-stdin
    
    docker pull registry.apono.io/apono-connector:v1.5.3
    
    export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.5.3
    
    echo $IMAGE_PATH
    
    docker image tag registry.apono.io/apono-connector:v1.5.3 $IMAGE_PATH
    
    gcloud auth configure-docker \
        $GCP_LOCATION-docker.pkg.dev
    
    docker push $IMAGE_PATH

    Existing Registry:
    
    echo "$APONO_TOKEN" | docker login registry.apono.io -u apono --password-stdin
    
    docker pull registry.apono.io/apono-connector
    
    export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector
    
    echo $IMAGE_PATH
    
    docker image tag registry.apono.io/apono-connector $IMAGE_PATH
    
    gcloud auth configure-docker \
        $GCP_LOCATION-docker.pkg.dev
    
    docker push $IMAGE_PATH
    
  2. Deploy the Docker image of the Apono connector to the Cloud Run service.

    gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME \
        --image $IMAGE_PATH \
        --region=$GCP_LOCATION \
        --allow-unauthenticated \
        --max-instances=1 --min-instances=1 \
        --cpu=1 --memory=1Gi --no-cpu-throttling \
        --service-account $SERVICE_ACCOUNT_NAME \
        --update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io
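A post-install review script, added here as an example and not part of Apono's own tooling: it reads the IAM policy JSON that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud run services get-iam-policy SERVICE --format=json` produce, reports whether the connector service account holds exactly the roles bound above (roles/secretmanager.secretAccessor and roles/iam.securityAdmin; the organization install also adds roles/browser) and nothing broader, and shows which members `--allow-unauthenticated` left bound as invokers. The two policies, the project ID and the service account name are constructed placeholders.

```python
import json

# Roles the guide binds to the connector service account (project install).
# For the organization install, add "roles/browser" to this set.
EXPECTED_ROLES = {"roles/secretmanager.secretAccessor", "roles/iam.securityAdmin"}


def member_for(sa_name, project_id):
    """Member string in the form the guide's add-iam-policy-binding commands use."""
    return f"serviceAccount:{sa_name}@{project_id}.iam.gserviceaccount.com"


def roles_for_member(policy, member):
    """All roles bound to one member in a get-iam-policy JSON document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_connector_roles(policy, sa_name, project_id, expected=EXPECTED_ROLES):
    """Roles the guide requires but the account lacks, and roles beyond that list."""
    actual = roles_for_member(policy, member_for(sa_name, project_id))
    return {"missing": sorted(expected - actual), "extra": sorted(actual - expected)}


def public_invokers(service_policy):
    """Roles granted to allUsers or allAuthenticatedUsers on a Cloud Run service policy."""
    public = {"allUsers", "allAuthenticatedUsers"}
    return sorted(b["role"] for b in service_policy.get("bindings", [])
                  if public & set(b.get("members", [])))


# Constructed sample policies (placeholder project and account names, not real data),
# shaped like the JSON output of the two get-iam-policy commands named in the lead-in.
SAMPLE_PROJECT_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["serviceAccount:apono-connector@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.securityAdmin",
     "members": ["serviceAccount:apono-connector@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "serviceAccount:apono-connector@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed=", "version": 1
}""")
SAMPLE_RUN_POLICY = json.loads("""{
  "bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}],
  "etag": "BwXconstructed=", "version": 1
}""")

if __name__ == "__main__":
    print(check_connector_roles(SAMPLE_PROJECT_POLICY, "apono-connector", "example-project"))
    print(public_invokers(SAMPLE_RUN_POLICY))
```

In the constructed sample the account also carries roles/owner, which the guide never grants; the script flags it under "extra", and the allUsers invoker binding is the direct result of deploying with `--allow-unauthenticated`.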