Installing a GCP connector on Cloud Run using CLI
Deploy the Docker image of the Apono connector as Cloud Run service
Cloud Run is a managed compute platform that enables running containerized applications in a fully managed serverless environment.
This article explains how to set up an Apono connector for Cloud Run with a Docker image.
Prerequisites
Account-specific Apono authentication value
Use the following steps to obtain your token:
Click Cloud installation.
Click Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run).
Copy the token listed on the page in step 1.
Kubernetes Command Line Tool (kubectl)
Google Cloud Command Line Interface (Google Cloud CLI)
Information for your Google Cloud instance
Google-defined Values:
Customer-defined Values:
Project Implementation Role:
Organization Implementation Roles:
Organization Administrator
Create a Cloud Run user
Use the following sections to create a Cloud Run user for either your Google Project or Google Organization.
Project
Follow these steps to create a service account for Cloud Run in a Google Project:
In your shell environment, log in to Google Cloud and enable the API.
gcloud auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudasset.googleapis.com
Set the environment variables.
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
Create the service account.
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
Assign the following roles to the service account.
roles/secretmanager.secretAccessor
roles/iam.securityAdmin, which allows the service account to:
Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor" \
--project $GCP_PROJECT_ID
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/iam.securityAdmin" \
--project $GCP_PROJECT_ID
Organization
Follow these steps to create a service account for Cloud Run in a Google Organization:
In your shell environment, log in to Google Cloud and enable the API.
gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudasset.googleapis.com
Set the environment variables.
export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
export GCP_ARTIFACT_REPOSITORY_NAME=<ARTIFACT_REPOSITORY_NAME>
export GCP_CLOUDRUN_SERVICE_NAME=<CLOUDRUN_SERVICE_NAME>
export GCP_LOCATION=<GCP_LOCATION>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
Create the service account.
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
Assign the following roles to the service account.
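roles/secretmanager.secretAccessor
roles/iam.securityAdmin, which allows the service account to:
Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts
roles/browser, which allows the service account to:
List resources within the organization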
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/iam.securityAdmin"
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/browser"
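To confirm that the service account holds exactly the roles bound in the Project or Organization steps above and nothing more, the following added example (not part of Apono's documentation) compares a role listing against the expected set. The function names and the sample listing are assumptions made for illustration; fetch_roles reports only roles bound directly at the given scope, not inherited ones.

```shell
#!/bin/sh
# Added example: audit the roles held by the connector service account.
# The expected role sets are taken from the binding commands on this page.
PROJECT_ROLES="roles/iam.securityAdmin roles/secretmanager.secretAccessor"
ORG_ROLES="$PROJECT_ROLES roles/browser"

# audit_roles EXPECTED ACTUAL   (hypothetical helper)
#   EXPECTED: space-separated role names; ACTUAL: one role per line.
#   Prints MISSING:/UNEXPECTED: lines; returns 0 only when the sets match.
audit_roles() {
  expected=$1 actual=$2 rc=0
  for role in $expected; do
    printf '%s\n' "$actual" | grep -qxF "$role" || { echo "MISSING: $role"; rc=1; }
  done
  for role in $actual; do
    case " $expected " in
      *" $role "*) ;;
      *) echo "UNEXPECTED: $role"; rc=1 ;;
    esac
  done
  return $rc
}

# fetch_roles SCOPE ID MEMBER   (SCOPE is "projects" or "organizations")
#   Lists the roles bound directly to MEMBER at that scope, one per line.
fetch_roles() {
  gcloud "$1" get-iam-policy "$2" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$3" \
    --format="value(bindings.role)"
}

# Live usage (needs gcloud and the variables exported earlier):
#   SA="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com"
#   audit_roles "$PROJECT_ROLES" "$(fetch_roles projects "$GCP_PROJECT_ID" "$SA")"
#   audit_roles "$ORG_ROLES" "$(fetch_roles organizations "$GCP_ORGANIZATION_ID" "$SA")"

# Constructed sample: an organization-level listing with one role missing
# and one role that the documented steps never grant.
SAMPLE_ACTUAL='roles/iam.securityAdmin
roles/browser
roles/owner'
audit_roles "$ORG_ROLES" "$SAMPLE_ACTUAL" || echo "role set differs from the documented one"
```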
Deploy the connector
Follow these steps to deploy the Apono connector:
Push the connector image to GCP Artifact Registry.
The following sets of commands push the connector image to the GCP Artifact Registry:
New Registry: Use the code on this tab to push the Apono connector Docker image to a new GCP Artifact Registry.
Existing Registry: Use the code on this tab to push the Apono connector Docker image to an existing Docker-format GCP Artifact Registry
New Registry:
gcloud artifacts repositories create $GCP_ARTIFACT_REPOSITORY_NAME --repository-format=docker \
--location=$GCP_LOCATION --description="Docker repository" \
--project=$GCP_PROJECT_ID
# Pass the token on stdin so it does not appear in the process list
printf '%s' "$APONO_TOKEN" | docker login registry.apono.io -u apono --password-stdin
docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4
export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.6.4
echo $IMAGE_PATH
docker image tag registry.apono.io/apono-connector:v1.6.4 $IMAGE_PATH
gcloud auth configure-docker \
$GCP_LOCATION-docker.pkg.dev
docker push $IMAGE_PATH
Existing Registry:
# Pass the token on stdin so it does not appear in the process list
printf '%s' "$APONO_TOKEN" | docker login registry.apono.io -u apono --password-stdin
docker pull --platform linux/amd64 registry.apono.io/apono-connector:v1.6.4
# Keep the v1.6.4 tag on both names; an untagged name resolves to :latest, which was not pulled
export IMAGE_PATH=$GCP_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_ARTIFACT_REPOSITORY_NAME/registry.apono.io/apono-connector:v1.6.4
echo $IMAGE_PATH
docker image tag registry.apono.io/apono-connector:v1.6.4 $IMAGE_PATH
gcloud auth configure-docker \
$GCP_LOCATION-docker.pkg.dev
docker push $IMAGE_PATH
Deploy the Docker image of the Apono connector to the Cloud Run service.
gcloud run deploy $GCP_CLOUDRUN_SERVICE_NAME \
--image $IMAGE_PATH \
--region=$GCP_LOCATION \
--allow-unauthenticated \
--max-instances=1 \
--min-instances=1 \
--cpu=1 \
--memory=1Gi \
--no-cpu-throttling \
--service-account $SERVICE_ACCOUNT_NAME \
--update-env-vars APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID,APONO_TOKEN=$APONO_TOKEN,APONO_URL=api.apono.io