1 of 5

Apono Connector for GCP

How to install a Connector on a GCP Project to integrate a GCP Organization or Project with Apono with Helm

To integrate with GCP and start managing JIT access to GCP cloud resources, you must first install a connector in your GCP environment.

The GCP connector must be installed on a GKE cluster. You can do this with CLI or with GCP Deployment Manager in the GCP Portal. The Apono connector will require permissions to the organization or to a specific project, depending on the level of access management you want to achieve with Apono.

To manage access to a single GCP Project, install a connector in a GKE cluster on that project and give the connector the appropriate role to the project. Follow this guide.
To manage access to a GCP Organization, install a connector in a GKE cluster on any project and give the connector the appropriate role to the organization. Follow this guide.

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.

Read more about the recommended GCP Installation Architecture.

How to install

GCP Organization Connector

Using Helm

Prerequisites

A GCP user with owner permissions for the organization
A GKE cluster on any GCP Project of your choosing
Google CLI
Kubernetes command-line tool (kubectl)
The Apono GCP token generated in the Apono UI:

Make sure Cloud Asset API is turned on in the Project where the connector is installed using this link.
- Read more here.

Step-by-step guide

Prepare parameters for Apono installation

Fill and set the values for the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# Your Organization Id (gcloud projects get-ancestors $PROJECT_ID)
export ORGANIZATION_ID=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the cluster on
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
echo "ORGANIZATION_ID: $ORGANIZATION_ID"

Set the connector service account variable:

export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && 

echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"

Make sure Cloud Resource Manager API is enabled

gcloud services enable cloudresourcemanager.googleapis.com  --project $PROJECT_ID

Create IAM Service Account and grant it the roles: Browser, Security Admin and Tag Viewer for the entire organization.

gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser"

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin"
    
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer"

Verifying default GKE cluster for installation

Open the Kubernetes command-line tool
Run kubectl config get-contexts to see the GKE clusters list
Set the desired cluster to be the default - kubectl config use-context #the name of the cluster
Run kubectl get-contexts - verify the "*" indicates the correct cluster.

Bind the IAM Service Account to the K8S Service Account

gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID

Install Helm Chart

The helm chart installs the following:

Kubernetes Deployment containing the Apono-Connector image container
Kubernetes Service Account annotated with GCP IAM Service Account
Kubernetes Secret containing Docker Registry credentials

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Read more here.

GCP Project Connector

Using Helm

Prerequisites

A GCP user with owner permissions for the organization
A GKE cluster on the GCP Project you'd like to integrate with Apono
Google CLI
Kubernetes command-line tool (kubectl)
The Apono GCP token generated in the Apono UI:

Make sure Cloud Asset API is turned on in the Project where the connector is installed using this link.
- Read more here.

Step-by-step guide

Prepare parameters for Apono installation

Fill and set the values for the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the cluster on
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"

Set the following variable:

export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"

Enable Cloud Resource Manager API

gcloud services enable cloudresourcemanager.googleapis.com  --project $PROJECT_ID

Create IAM Service Account and grant it with the roles: Browser, Security Admin and Tag Viewer for the project.

gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser" \
    --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin" \
    --project $PROJECT_ID
    
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer" \
    --project $PROJECT_ID

Verifying default GKE cluster for installation

Open the Kubernetes command-line tool
Run kubectl config get-contexts to see the GKE clusters list
Set the desired cluster to be the default - kubectl config use-context #the name of the cluster
Run kubectl get-contexts - verify the "*" indicates the correct cluster.

Bind the IAM Service Account to the K8S Service Account

gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID

Install Helm Chart

The helm chart installs the following:

Kubernetes Deployment containing the Apono-Connector image container
Kubernetes Service Account annotated with GCP IAM Service Account
Kubernetes Secret containing Docker Registry credentials

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Read more here.

Results

You can validate the Connector is installed in the Connector status page.

Then, In the Apono app, you will see the connector was found and a green checkmark indication.

Hurray!

You now have a GCP connector installed in your GCP environment with permissions to the Project.

You can now integrate Apono with a GCP Project or GCP Organization.

Installing a GCP connector on Cloud Run using CLI

Deploy the Docker image of the Apono connector as Cloud Run service

Cloud Run is a managed compute platform that enables running containerized applications in a fully managed serverless environment.

This article explains how to setup an Apono connector for Cloud Run with a Docker image.

Prerequisites

Item

Description

Create a Cloud Run user

Use the following sections to create a Cloud Run user for either your Google Project or Google Organization.

Project

Follow these steps to create a service account for Cloud Run in a Google Project:

In your shell environment, log in to Google Cloud and enable the API.

gcloud auth login \
gcloud services enable cloudresourcemanager.googleapis.com \
gcloud services enable cloudasset.googleapis.com

Set the environment variables.

export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --project $GCP_PROJECT_ID

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin" \
    --project $GCP_PROJECT_ID

Organization

Follow these steps to create a service account for Cloud Run in a Google Organization:

In your shell environment, log in to Google Cloud and enable the API.

gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudasset.googleapis.com

Set the environment variables.

export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/browser"

Deploy the connector

Follow these steps to deploy the Apono connector:

Push the connector image to GCP Artifact Registry.
The following sets of commands push the connector image to the GCP Artifact Registry:
- New Registry: Use the code on this tab to push the Apono connector Docker image to a new GCP Artifact Registry.
- Existing Registry: Use the code on this tab to push the Apono connector Docker image to an existing Docker-format GCP Artifact Registry

gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \
    --location=$GCP_LOCATION --description="Docker repository" \
    --project=$GCP_PROJECT_ID

docker login registry.apono.io -u apono --password $APONO_TOKEN 

docker pull registry.apono.io/apono-docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4

export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.6.4

echo $IMAGE_PATH

docker image tag registry.apono.io/apono-connector:v1.6.4 $IMAGE_PATH

gcloud auth configure-docker \
    $GCP_LOCATION-docker.pkg.dev

docker push $IMAGE_PATH

docker login registry.apono.io -u apono --password $APONO_TOKEN 

docker pull registry.apono.io/apono-docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4

export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector

echo $IMAGE_PATH

docker image tag registry.apono.io/apono-connector $IMAGE_PATH

gcloud auth configure-docker \
    $GCP_LOCATION-docker.pkg.dev

docker push $IMAGE_PATH

Deploy the Docker image of the Apono connector to the Cloud Run service.

gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME --image $IMAGE_PATH --region=$GCP_LOCATION  --allow-unauthenticated --max-instances=1 --min-instances=1 --cpu=1 --memory=1Gi --no-cpu-throttling --service-account $SERVICE_ACCOUNT_NAME --update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io

Installing a GCP connector on GKE using CLI (Helm)

Deploy the Apono connector with Helm

Integrating a cloud account with Apono allows you to sync and manage your resources:

Discover existing privileges and identities
Manage employee and application provisioning to cloud assets and data repositories with delegated approval workflows
Provide granular permissions to customer-sensitive data

This article explains how to set up an Apono connector for Google Cloud with Helm.

Prerequisites

Item

Description

Create an IAM service account

Use the following sections to create an IAM service account user for either your or .

Project

Follow these steps to create a service account for a Google Project:

In your shell environment, log in to Google Cloud and enable the API.
Set the environment variables.
Create the service account.
Assign the following roles to the service account.

Organization

Follow these steps to create a service account for a Google Organization:

In your shell environment, log in to Google Cloud and enable the API.
Set the environment variables.
Create the service account.
Assign the following roles to the service account.

Deploy the connector

Follow these steps to deploy the Apono connector:

Deploy the Apono connector on a GKE cluster.

Create a new GKE cluster
Connect the GKE cluster.

Verify the GKE cluster is selected as the default cluster. The default cluster is denoted with \*.

Connect the GKE cluster.

Verify the GKE cluster is selected as the default cluster. The default cluster is denoted with \*.

Bind the IAM Service Account to the GKE Service Account.

Deploy Apono connector on your GKE cluster using Helm Chart.

Installing a GCP connector on GKE using Terraform

Create a connector on Google Kubernetes Engine

Connectors are secure on-premises components that link Apono to your resources:

No secrets are read, cached, or stored
No account admin privileges need to be granted to Apono
The connector contacts your secret store or key vault to sync data or provision access

Once set up, this connector will enable you to sync data from cloud applications and grant and revoke access permissions through Google Kubernetes Engine (GKE).

Prerequisites

Item

Description

Install a connector

Use the following sections to install a connector for either your or .

Project

Follow these steps to install an Apono connector for a Google Project:

In your shell environment, log in to Google Cloud with an account possessing Owner permissions.

At the shell prompt, set the environment variables.

(Optional) Set the following optional environment variables.

In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector.

At the Terraform CLI, download and install the provider plugin and module.

Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.

Enter yes to confirm deploying the changes to your Google Project instance.

Organization

Follow these steps to install an Apono connector for a Google Organization:

In your shell environment, log in to Google Cloud with an account possessing Organization Administrator permissions.

At the shell prompt, set the environment variables.

(Optional) Set the following optional environment variables.

In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector.

At the Terraform CLI, download and install the provider plugin and module.

Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.

Enter yes to confirm deploying the changes to your Google Organization instance.

FAQ

Can the Apono Terraform module be pinned to a version?

Yes. You can append the version number to the source location with the ?ref=vX.X.X query string.

The following examples pin the version to 1.0.0 for a connector without permissions.

Updating a connector in Google Cloud

Learn how to update a connector through the Helm CLI

Periodically, you may need to update your Google Cloud connector to help maintain functionality, performance, and security.

This article explains how to update a connector through the Helm CLI.

Prerequisites

Item

Description

Update a connector

To update an Apono connector for Google Cloud, follow these steps in the shell environment:

Set the APONO_CONNECTOR_ID environment variable to your chosen connector ID value.
```
export APONO_CONNECTOR_ID=apono-google-integration
```
Set the APONO_TOKEN environment variable to your account token.
```
export APONO_TOKEN=abcd1234-e5f6-7g8h-90123i45678
```
Set the PROJECT_ID environment variable to the Google Project ID.
```
export PROJECT_ID=my-project-12345
```

Set the GCP_SERVICE_ACCOUNT_EMAIL environment variable.

export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com &&

Run the following helm upgrade command to pull the most recent connector version.

helm upgrade apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace

On the Connectors page, verify that the connector has been updated.

Apono Connector for GCP

How to install a Connector on a GCP Project to integrate a GCP Organization or Project with Apono with Helm

To integrate with GCP and start managing JIT access to GCP cloud resources, you must first install a connector in your GCP environment.

To manage access to a single GCP Project, install a connector in a GKE cluster on that project and give the connector the appropriate role to the project. Follow this guide.
To manage access to a GCP Organization, install a connector in a GKE cluster on any project and give the connector the appropriate role to the organization. Follow this guide.

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.

Read more about the recommended GCP Installation Architecture.

How to install

GCP Organization Connector

Using Helm

Prerequisites

A GCP user with owner permissions for the organization
A GKE cluster on any GCP Project of your choosing
Google CLI
Kubernetes command-line tool (kubectl)
The Apono GCP token generated in the Apono UI:

Make sure Cloud Asset API is turned on in the Project where the connector is installed using this link.
- Read more here.

Step-by-step guide

Prepare parameters for Apono installation

Fill and set the values for the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# Your Organization Id (gcloud projects get-ancestors $PROJECT_ID)
export ORGANIZATION_ID=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the cluster on
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
echo "ORGANIZATION_ID: $ORGANIZATION_ID"

Set the connector service account variable:

export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && 

echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"

Make sure Cloud Resource Manager API is enabled

gcloud services enable cloudresourcemanager.googleapis.com  --project $PROJECT_ID

Create IAM Service Account and grant it the roles: Browser, Security Admin and Tag Viewer for the entire organization.

gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser"

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin"
    
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer"

Verifying default GKE cluster for installation

Open the Kubernetes command-line tool
Run kubectl config get-contexts to see the GKE clusters list
Set the desired cluster to be the default - kubectl config use-context #the name of the cluster
Run kubectl get-contexts - verify the "*" indicates the correct cluster.

Bind the IAM Service Account to the K8S Service Account

gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID

Install Helm Chart

The helm chart installs the following:

Kubernetes Deployment containing the Apono-Connector image container
Kubernetes Service Account annotated with GCP IAM Service Account
Kubernetes Secret containing Docker Registry credentials

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Read more here.

GCP Project Connector

Using Helm

Prerequisites

A GCP user with owner permissions for the organization
A GKE cluster on the GCP Project you'd like to integrate with Apono
Google CLI
Kubernetes command-line tool (kubectl)
The Apono GCP token generated in the Apono UI:

Make sure Cloud Asset API is turned on in the Project where the connector is installed using this link.
- Read more here.

Step-by-step guide

Prepare parameters for Apono installation

Fill and set the values for the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the cluster on
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"

Set the following variable:

export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"

Enable Cloud Resource Manager API

gcloud services enable cloudresourcemanager.googleapis.com  --project $PROJECT_ID

Create IAM Service Account and grant it with the roles: Browser, Security Admin and Tag Viewer for the project.

gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser" \
    --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin" \
    --project $PROJECT_ID
    
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer" \
    --project $PROJECT_ID

Verifying default GKE cluster for installation

Open the Kubernetes command-line tool
Run kubectl config get-contexts to see the GKE clusters list
Set the desired cluster to be the default - kubectl config use-context #the name of the cluster
Run kubectl get-contexts - verify the "*" indicates the correct cluster.

Bind the IAM Service Account to the K8S Service Account

gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID

Install Helm Chart

The helm chart installs the following:

Kubernetes Deployment containing the Apono-Connector image container
Kubernetes Service Account annotated with GCP IAM Service Account
Kubernetes Secret containing Docker Registry credentials

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Read more here.

Results

You can validate the Connector is installed in the Connector status page.

Then, In the Apono app, you will see the connector was found and a green checkmark indication.

Hurray!

You now have a GCP connector installed in your GCP environment with permissions to the Project.

You can now integrate Apono with a GCP Project or GCP Organization.

Installing a GCP connector on Cloud Run using CLI

Deploy the Docker image of the Apono connector as Cloud Run service

Cloud Run is a managed compute platform that enables running containerized applications in a fully managed serverless environment.

This article explains how to setup an Apono connector for Cloud Run with a Docker image.

Prerequisites

Item

Description

Create a Cloud Run user

Use the following sections to create a Cloud Run user for either your Google Project or Google Organization.

Project

Follow these steps to create a service account for Cloud Run in a Google Project:

In your shell environment, log in to Google Cloud and enable the API.

gcloud auth login \
gcloud services enable cloudresourcemanager.googleapis.com \
gcloud services enable cloudasset.googleapis.com

Set the environment variables.

export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.

Role

Permissions Granted

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --project $GCP_PROJECT_ID

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin" \
    --project $GCP_PROJECT_ID

Organization

Follow these steps to create a service account for Cloud Run in a Google Organization:

In your shell environment, log in to Google Cloud and enable the API.

gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudasset.googleapis.com

Set the environment variables.

export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.
Role Permissions Granted

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/browser"

Deploy the connector

Follow these steps to deploy the Apono connector:

Push the connector image to GCP Artifact Registry.
The following sets of commands push the connector image to the GCP Artifact Registry:
- New Registry: Use the code on this tab to push the Apono connector Docker image to a new GCP Artifact Registry.
- Existing Registry: Use the code on this tab to push the Apono connector Docker image to an existing Docker-format GCP Artifact Registry

gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \
    --location=$GCP_LOCATION --description="Docker repository" \
    --project=$GCP_PROJECT_ID

docker login registry.apono.io -u apono --password $APONO_TOKEN 

docker pull registry.apono.io/apono-docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4

export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.6.4

echo $IMAGE_PATH

docker image tag registry.apono.io/apono-connector:v1.6.4 $IMAGE_PATH

gcloud auth configure-docker \
    $GCP_LOCATION-docker.pkg.dev

docker push $IMAGE_PATH

docker login registry.apono.io -u apono --password $APONO_TOKEN 

docker pull registry.apono.io/apono-docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4

export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector

echo $IMAGE_PATH

docker image tag registry.apono.io/apono-connector $IMAGE_PATH

gcloud auth configure-docker \
    $GCP_LOCATION-docker.pkg.dev

docker push $IMAGE_PATH

Deploy the Docker image of the Apono connector to the Cloud Run service.

gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME --image $IMAGE_PATH --region=$GCP_LOCATION  --allow-unauthenticated --max-instances=1 --min-instances=1 --cpu=1 --memory=1Gi --no-cpu-throttling --service-account $SERVICE_ACCOUNT_NAME --update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io

Installing a GCP connector on GKE using CLI (Helm)

Deploy the Apono connector with Helm

Integrating a cloud account with Apono allows you to sync and manage your resources:

Discover existing privileges and identities
Manage employee and application provisioning to cloud assets and data repositories with delegated approval workflows
Provide granular permissions to customer-sensitive data

This article explains how to set up an Apono connector for Google Cloud with Helm.

Prerequisites

Item

Description

Create an IAM service account

Use the following sections to create an IAM service account user for either your or .

Project

Follow these steps to create a service account for a Google Project:

In your shell environment, log in to Google Cloud and enable the API.

gcloud auth login
gcloud services enable cloudresourcemanager.googleapis.com

Set the environment variables.

export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.

Role

Permissions Granted

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --project $GCP_PROJECT_ID

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin" \
    --project $GCP_PROJECT_ID

Organization

Follow these steps to create a service account for a Google Organization:

In your shell environment, log in to Google Cloud and enable the API.

gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com

Set the environment variables.

export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.
Role Permissions Granted

```shell
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin"
    
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/browser"
```

Deploy the connector

Follow these steps to deploy the Apono connector:

Deploy the Apono connector on a GKE cluster.

Create a new GKE cluster

gcloud container clusters create CLUSTER_NAME

Connect the GKE cluster.

gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID

Verify the GKE cluster is selected as the default cluster. The default cluster is denoted with \*.
```
kubectl get-contexts
```

Connect the GKE cluster.

gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID

Verify the GKE cluster is selected as the default cluster. The default cluster is denoted with \*.
```
kubectl get-contexts
```

Bind the IAM Service Account to the GKE Service Account.

gcloud iam service-accounts add-iam-policy-binding $SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --member="serviceAccount:$GCP_PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $GCP_PROJECT_ID

Deploy Apono connector on your GKE cluster using Helm Chart.

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --namespace $NAMESPACE \
    --create-namespace

Installing a GCP connector on GKE using Terraform

Create a connector on Google Kubernetes Engine

Connectors are secure on-premises components that link Apono to your resources:

No secrets are read, cached, or stored
No account admin privileges need to be granted to Apono
The connector contacts your secret store or key vault to sync data or provision access

Once set up, this connector will enable you to sync data from cloud applications and grant and revoke access permissions through Google Kubernetes Engine (GKE).

Prerequisites

Item

Description

Install a connector

Use the following sections to install a connector for either your or .

Project

Follow these steps to install an Apono connector for a Google Project:

In your shell environment, log in to Google Cloud with an account possessing Owner permissions.

gcloud auth application-default login

At the shell prompt, set the environment variables.

export TF_VAR_PROJECT_ID="<GCP_PROJECT_ID>"
export TF_VAR_REGION="<GCP_REGION>"
export TF_VAR_NAME="<GKE_CLUSTER_NAME>"
export TF_VAR_LOCATION="<GCP_CLUSTER_REGION>"
export TF_VAR_APONO_TOKEN="<APONO_TOKEN>"
export TF_VAR_TAGS="<{tag1="value1"}>"

(Optional) Set the following optional environment variables.

export TF_VAR_CONNECTOR_ID="<APONO_CONNECTOR_NAME>"
export TF_VAR_SERVICE_ACCOUNT_NAME="<GCP_SERVICE_ACCOUNT_NAME>"
export TF_VAR_NAMESPACE="<NAMESPACE>"

In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector.

provider "google" {
  project     = "{var.PROJECT_ID}"
  region      = "{var.REGION}"
}

data "google_client_config" "provider" {}

data "google_container_cluster" "gke" {
  name     = "{var.NAME}"
  location = "{var.LOCATION}"
}

provider "helm" {
  kubernetes{
    host  = "https://${data.google_container_cluster.gke.endpoint}"
    token = data.google_client_config.provider.access_token
    cluster_ca_certificate = base64decode(
      data.google_container_cluster.gke.master_auth[0].cluster_ca_certificate,)
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "gke-gcloud-auth-plugin"
    }
  }
}

module "apono-connector" {
  source = "github.com/apono-io/terraform-modules//gcp/organization-wide-connector/gke/stacks/apono-connector"
  connectorId = "{var.CONNECTOR_ID}" //OPTIONAL
  aponoToken = "{var.APONO_TOKEN}"
  projectId = "{var.PROJECT_ID}"
  serviceAccountName = "{var.SERVICE_ACCOUNT_NAME}" //OPTIONAL
  namespace = "{var.NAMESPACE}" //OPTIONAL
  tags = "{var.TAGS}"
}

At the Terraform CLI, download and install the provider plugin and module.

terraform init

Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.

terraform apply

Enter yes to confirm deploying the changes to your Google Project instance.
On the page, verify that the connector has been deployed.

Organization

Follow these steps to install an Apono connector for a Google Organization:

In your shell environment, log in to Google Cloud with an account possessing Organization Administrator permissions.

gcloud alpha auth application-default login

At the shell prompt, set the environment variables.

export TF_VAR_PROJECT_ID="<GCP_PROJECT_ID>"
export TF_VAR_REGION="<GCP_REGION>"
export TF_VAR_NAME="<GKE_CLUSTER_NAME>"
export TF_VAR_LOCATION="<GCP_CLUSTER_REGION>"
export TF_VAR_APONO_TOKEN="<APONO_TOKEN>"
export TF_VAR_ORGANIZATION_ID="<GCP_ORGANIZATION_ID>"
export TF_VAR_TAGS="<{tag1="value1"}>"

(Optional) Set the following optional environment variables.

export TF_VAR_CONNECTOR_ID="<APONO_CONNECTOR_NAME>"
export TF_VAR_SERVICE_ACCOUNT_NAME="<GCP_SERVICE_ACCOUNT_NAME>"
export TF_VAR_NAMESPACE="<NAMESPACE>"

In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector.

provider "google" {
  project     = "{var.PROJECT_ID}"
  region      = "{var.REGION}"
}

data "google_client_config" "provider" {}

data "google_container_cluster" "gke" {
  name     = "{var.NAME}"
  location = "{var.LOCATION}"
}

provider "helm" {
  kubernetes{
    host  = "https://${data.google_container_cluster.gke.endpoint}"
    token = data.google_client_config.provider.access_token
    cluster_ca_certificate = base64decode(
      data.google_container_cluster.gke.master_auth[0].cluster_ca_certificate,)
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "gke-gcloud-auth-plugin"
    }
  }
}

module "apono-connector" {
  source = "github.com/apono-io/terraform-modules//gcp/organization-wide-connector/gke/stacks/apono-connector"
  connectorId = "{var.CONNECTOR_ID}" //OPTIONAL
  aponoToken = "{var.APONO_TOKEN}"
  projectId = "{var.PROJECT_ID}"
  organizationId = "{var.ORGANIZATION_ID}"
  serviceAccountName = "{var.SERVICE_ACCOUNT_NAME}" //OPTIONAL
  namespace = "{var.NAMESPACE}" //OPTIONAL
  tags = "{var.TAGS}"
}

At the Terraform CLI, download and install the provider plugin and module.

terraform init

Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.

terraform apply

Enter yes to confirm deploying the changes to your Google Organization instance.
On the page, verify that the connector has been deployed.

FAQ

Can the Apono Terraform module be pinned to a version?

Yes. You can append the version number to the source location with the ?ref=vX.X.X query string.

The following examples pin the version to 1.0.0 for a connector without permissions.

Pinned Version (Project)

provider "google" {
  project     = "{var.PROJECT_ID}"
  region      = "{var.REGION}"
}

data "google_client_config" "provider" {}

data "google_container_cluster" "gke" {
  name     = "{var.NAME}"
  location = "{var.LOCATION}"
}

provider "helm" {
  kubernetes{
    host  = "https://${data.google_container_cluster.gke.endpoint}"
    token = data.google_client_config.provider.access_token
    cluster_ca_certificate = base64decode(
      data.google_container_cluster.gke.master_auth[0].cluster_ca_certificate,)
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "gke-gcloud-auth-plugin"
    }
  }
}

module "apono-connector" {
  source = "github.com/apono-io/terraform-modules//gcp/organization-wide-connector/gke/stacks/apono-connector?ref=v1.0.0"
  connectorId = "{var.CONNECTOR_ID}" //OPTIONAL
  aponoToken = "{var.APONO_TOKEN}"
  projectId = "{var.PROJECT_ID}"
  serviceAccountName = "{var.SERVICE_ACCOUNT_NAME}" //OPTIONAL
  namespace = "{var.NAMESPACE}" //OPTIONAL
  tags = "{var.TAGS}"
}

Pinned Version (Organization)

provider "google" {
  project     = "{var.PROJECT_ID}"
  region      = "{var.REGION}"
}

data "google_client_config" "provider" {}

data "google_container_cluster" "gke" {
  name     = "{var.NAME}"
  location = "{var.LOCATION}"
}

provider "helm" {
  kubernetes{
    host  = "https://${data.google_container_cluster.gke.endpoint}"
    token = data.google_client_config.provider.access_token
    cluster_ca_certificate = base64decode(
      data.google_container_cluster.gke.master_auth[0].cluster_ca_certificate,)
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "gke-gcloud-auth-plugin"
    }
  }
}

module "apono-connector" {
  source = "github.com/apono-io/terraform-modules//gcp/organization-wide-connector/gke/stacks/apono-connector?ref=v1.0.0"
  connectorId = "{var.CONNECTOR_ID}" //OPTIONAL
  aponoToken = "{var.APONO_TOKEN}"
  projectId = "{var.PROJECT_ID}"
  organizationId = "{var.ORGANIZATION_ID}"
  serviceAccountName = "{var.SERVICE_ACCOUNT_NAME}" //OPTIONAL
  namespace = "{var.NAMESPACE}" //OPTIONAL
  tags = "{var.TAGS}"
}