Installing a GCP connector on Cloud Run using CLI
Deploy the Docker image of the Apono connector as Cloud Run service
Cloud Run is a managed compute platform that enables running containerized applications in a fully managed serverless environment.
This article explains how to set up an Apono connector for Cloud Run with a Docker image.
Prerequisites
Apono Token
Account-specific Apono authentication value. Use the following steps to obtain your token:
On the Connectors page, click Install Connector. The Install Connector page appears.
Click Cloud installation.
Click Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run).
Copy the token listed on the page in step 1.
Kubernetes Command Line Tool (kubectl)
Command-line tool used for communicating with a Kubernetes cluster's control plane
Google Cloud Command Line Interface (Google Cloud CLI)
Command-line interface used to manage Google Cloud resources
Google Cloud Information
Information for your Google Cloud instance
Google-defined Values:
(Organization) Organization ID
Google Cloud Location
Customer-defined Values:
Service Account Name
Artifact Repository Name
Cloud Run Service Name
Google Cloud Roles
Google Cloud role that provides Owner permissions for the project or organization
Project Implementation Role:
Owner
Organization Implementation Roles:
Owner
Organization Administrator
Create a Cloud Run user
Use the following sections to create a Cloud Run user for either your Google Project or Google Organization.
Project
Follow these steps to create a service account for Cloud Run in a Google Project:
In your shell environment, log in to Google Cloud and enable the API.
gcloud auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudasset.googleapis.com
Set the environment variables.
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
Create the service account.
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
Assign the following roles to the service account.
roles/secretmanager.secretAccessor
Access secret versions
Read the secret data
roles/iam.securityAdmin
Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor" \
--project $GCP_PROJECT_ID
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/iam.securityAdmin" \
--project $GCP_PROJECT_ID
Organization
Follow these steps to create a service account for Cloud Run in a Google Organization:
In your shell environment, log in to Google Cloud and enable the API.
gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudasset.googleapis.com
Set the environment variables.
export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
Create the service account.
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
Assign the following roles to the service account.
Role / Permissions Granted
roles/secretmanager.secretAccessor
Access secret versions
Read the secret data
roles/iam.securityAdmin
Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts
roles/browser
List resources within the organization
View metadata
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/iam.securityAdmin"
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/browser"
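To confirm that the bindings from either section landed as listed, and that the service account holds nothing beyond them, the following added example (not part of the original page or of Apono's tooling) audits the JSON printed by `gcloud projects get-iam-policy $GCP_PROJECT_ID --format=json` or `gcloud organizations get-iam-policy $GCP_ORGANIZATION_ID --format=json`. The function name, the sample policy and the project, account and uid values in it are constructed for illustration.

```python
import json

# Roles this page assigns to the connector service account at each scope.
EXPECTED_ROLES = {
    "project": {
        "roles/secretmanager.secretAccessor",
        "roles/iam.securityAdmin",
    },
    "organization": {
        "roles/secretmanager.secretAccessor",
        "roles/iam.securityAdmin",
        "roles/browser",
    },
}


def audit_connector_roles(policy_json, sa_email, scope):
    """Compare roles bound to sa_email in an IAM policy with the page's list."""
    member = f"serviceAccount:{sa_email}"
    # A deleted account stays in the policy as deleted:serviceAccount:<email>?uid=<id>;
    # those bindings do not apply to a re-created account with the same name.
    stale_prefix = f"deleted:{member}?uid="
    granted, conditional, stale = set(), set(), set()
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for m in binding.get("members", []):
            if m == member:
                granted.add(role)
                if "condition" in binding:  # binding only applies conditionally
                    conditional.add(role)
            elif m.startswith(stale_prefix):
                stale.add(role)
    expected = EXPECTED_ROLES[scope]
    return {
        "missing": sorted(expected - granted),
        "unexpected": sorted(granted - expected),
        "conditional": sorted(conditional),
        "stale": sorted(stale),
    }


# Constructed sample policy (project, account and uid are made up).
SA = "apono-connector@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"version": 1, "bindings": [
    {"role": "roles/secretmanager.secretAccessor", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/iam.securityAdmin",
     "members": [f"deleted:serviceAccount:{SA}?uid=123456789012345678901"]},
    {"role": "roles/editor", "members": ["user:admin@example.com", f"serviceAccount:{SA}"]},
]})

if __name__ == "__main__":
    print(audit_connector_roles(SAMPLE_POLICY, SA, "project"))
```

A non-empty `missing` or `stale` list means a binding command needs to be re-run for the current account; `unexpected` lists roles to review, since the account already holds roles/iam.securityAdmin.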
Deploy the connector
Follow these steps to deploy the Apono connector:
Push the connector image to GCP Artifact Registry.
The following sets of commands push the connector image to the GCP Artifact Registry:
New Registry: Use the code on this tab to push the Apono connector Docker image to a new GCP Artifact Registry.
Existing Registry: Use the code on this tab to push the Apono connector Docker image to an existing Docker-format GCP Artifact Registry.
gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \
--location=$GCP_LOCATION --description="Docker repository" \
--project=$GCP_PROJECT_ID
docker login registry.apono.io -u apono --password $APONO_TOKEN
docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.7.3
export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.7.3
echo $IMAGE_PATH
docker image tag registry.apono.io/apono-connector:v1.7.3 $IMAGE_PATH
gcloud auth configure-docker \
$GCP_LOCATION-docker.pkg.dev
docker push $IMAGE_PATH
Deploy the Docker image of the Apono connector to the Cloud Run service.
gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME \
--image $IMAGE_PATH \
--region=$GCP_LOCATION \
--allow-unauthenticated \
--max-instances=1 --min-instances=1 \
--cpu=1 --memory=2Gi --no-cpu-throttling \
--service-account $SERVICE_ACCOUNT_NAME \
--update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io