Installing a GCP connector for Cloud Run
Deploy the Docker image of the Apono connector as Cloud Run service
Cloud Run is a managed compute platform that enables running containerized applications in a fully managed serverless environment.
This article explains how to set up an Apono connector for Cloud Run with a Docker image.
Prerequisites
Item | Description |
---|---|
Apono Token | Account-specific Apono authentication value. Use the following steps to obtain your token: |
Kubernetes Command Line Tool (kubectl) | Command-line tool used for communicating with a Kubernetes cluster's control plane |
Google Cloud Command Line Interface (Google Cloud CLI) | Command-line interface used to manage Google Cloud resources |
Google Cloud Information | Information for your Google Cloud instance: |
Owner Role | Google Cloud role that provides Owner permissions for the project or organization |
Create a Cloud Run user
Use the following sections to create a Cloud Run user for either your Google Project or Google Organization.
Project
Follow these steps to create a service account for Cloud Run in a Google Project:
-
In your shell environment, log in to Google Cloud and enable the API.
```shell
gcloud auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudasset.googleapis.com
```
-
Set the environment variables.
```shell
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
```
-
Create the service account.
```shell
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
```
-
Assign the following roles to the service account.
Role | Permissions Granted |
---|---|
roles/secretmanager.secretAccessor | Access secret versions; read the secret data |
roles/iam.securityAdmin | Manage IAM policies, roles, and service accounts; set and update IAM policies; grant, modify, and revoke IAM roles for users and service accounts |
```shell
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor" \
  --project $GCP_PROJECT_ID

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/iam.securityAdmin" \
  --project $GCP_PROJECT_ID
```
Organization
Follow these steps to create a service account for Cloud Run in a Google Organization:
-
In your shell environment, log in to Google Cloud and enable the API.
```shell
gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com
```
-
Set the environment variables.
```shell
export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
```
-
Create the service account.
```shell
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
```
-
Assign the following roles to the service account.
Role | Permissions Granted |
---|---|
roles/secretmanager.secretAccessor | Access secret versions; read the secret data |
roles/iam.securityAdmin | Manage IAM policies, roles, and service accounts; set and update IAM policies; grant, modify, and revoke IAM roles for users and service accounts |
roles/browser | List resources within the organization; view metadata |
```shell
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/iam.securityAdmin"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/browser"
```
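The role assignments in the Project and Organization procedures above can be checked once the bindings are in place. The following is an added example, not part of Apono's documentation: it compares the roles actually bound to the service account with the set listed in the tables and reports missing or extra grants. The function names `expected_roles` and `audit_roles` and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Apono code): audit the roles bound to the connector
# service account against the set this page assigns. Reads one role per line
# on stdin. Live input, using the variables exported earlier on this page:
#   gcloud projects get-iam-policy "$GCP_PROJECT_ID" \
#     --flatten="bindings[].members" \
#     --filter="bindings.members:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
#     --format="value(bindings.role)" | audit_roles project
# Organization variant: gcloud organizations get-iam-policy "$GCP_ORGANIZATION_ID"
# with the same three flags, piped to `audit_roles organization`.

# Hypothetical helper: the roles from the page's tables for the given scope.
expected_roles() {
  printf '%s\n' roles/secretmanager.secretAccessor roles/iam.securityAdmin
  # roles/browser is assigned in the Organization procedure only.
  if [ "$1" = organization ]; then printf '%s\n' roles/browser; fi
}

# Hypothetical helper: prints MISSING/UNEXPECTED findings, returns 0 on exact match.
audit_roles() {
  local scope="$1" actual expected role status=0
  actual=$(grep -v '^[[:space:]]*$' | sort -u)      # role list from stdin
  expected=$(expected_roles "$scope" | sort -u)
  while IFS= read -r role; do
    [ -n "$role" ] || continue
    if ! printf '%s\n' "$actual" | grep -qxF -- "$role"; then
      echo "MISSING $role"; status=1
    fi
  done <<EOF
$expected
EOF
  while IFS= read -r role; do
    [ -n "$role" ] || continue
    if ! printf '%s\n' "$expected" | grep -qxF -- "$role"; then
      echo "UNEXPECTED $role"; status=1             # grant beyond the page's set
    fi
  done <<EOF
$actual
EOF
  return "$status"
}

# Constructed sample: a project-level listing that carries one extra grant.
SAMPLE_ROLES='roles/iam.securityAdmin
roles/secretmanager.secretAccessor
roles/editor'
printf '%s\n' "$SAMPLE_ROLES" | audit_roles project || true
```

`get-iam-policy` lists only the bindings set directly on that project or organization, so roles inherited from a parent resource do not appear in the listing.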
Deploy the connector
Follow these steps to deploy the Apono connector:
-
Push the connector image to GCP Artifact Registry.
The following sets of commands push the connector image to the GCP Artifact Registry:
- New Registry: Use the code on this tab to push the Apono connector Docker image to a new GCP Artifact Registry.
- Existing Registry: Use the code on this tab to push the Apono connector Docker image to an existing Docker-format GCP Artifact Registry.

New Registry

```shell
gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \
  --location=$GCP_LOCATION --description="Docker repository" \
  --project=$GCP_PROJECT_ID
docker login registry.apono.io -u apono --password $APONO_TOKEN
docker pull registry.apono.io/apono-connector:v1.5.3
export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.5.3
echo $IMAGE_PATH
docker image tag registry.apono.io/apono-connector:v1.5.3 $IMAGE_PATH
gcloud auth configure-docker \
  $GCP_LOCATION-docker.pkg.dev
docker push $IMAGE_PATH
```

Existing Registry

```shell
docker login registry.apono.io -u apono --password $APONO_TOKEN
docker pull registry.apono.io/apono-connector
export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector
echo $IMAGE_PATH
docker image tag registry.apono.io/apono-connector $IMAGE_PATH
gcloud auth configure-docker \
  $GCP_LOCATION-docker.pkg.dev
docker push $IMAGE_PATH
```
-
Deploy the Docker image of the Apono connector to the Cloud Run service.
```shell
gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME \
  --image $IMAGE_PATH \
  --region=$GCP_LOCATION \
  --allow-unauthenticated \
  --max-instances=1 \
  --min-instances=1 \
  --cpu=1 \
  --memory=1Gi \
  --no-cpu-throttling \
  --service-account $SERVICE_ACCOUNT_NAME \
  --update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io
```