Azure App Services
Deployment with Azure App Services
Overview
This guide provides step-by-step instructions to instantiate Keeper Automator as a Web App within Azure App Services. For environments such as GCC High and DoD, this service is available for hosting the Automator.
(1) Create an Automator Config key
Open a command line interface and generate a 256-bit AES key in URL-encoded format using one of the methods below, depending on your operating system:
Generate a Key
Save the resulting value produced by this command for Step (6).
(2) Create a App Services Web App
From the Azure portal, create a new Web App by selecting App Services in the search bar and then selecting Create + Web App
Select or create a new Resource Group
Set the Instance Name
Set Publish to "Docker Container"
Set Operating System to "Linux"
Select the region where you would like the service hosted
Select your Linux Plan or create a new plan. Pricing plan at a minimum should be Premium V3 P0V3, but will also be dependent on the end user environment
Proceed to the
Docker
section
(3) Setup Docker Container Details
In the "Docker" step, make the following selections:
Options: "Single Container"
Image Service: "Docker Hub"
Access Type: "Public"
Image and tag:
keeper/automator:latest
Proceed to the
Monitoring
section
(4) Setup WebApp Monitoring
Select "Enable Application Insights": Yes
Select or create a new Application Insights workspace
Proceed to the
Review + create
section
(5) Create WebApp
Click "Review + Create" and then click "Create"
After a few minutes, the web app will be created and automatically start up.
Clicking on "Go to Resource" will take you to the container environment.
Make note of the Default domain value. This will be needed to setup and initialize the Automator service
(6) Configure the WebApp
Go to the Configuration section and select "New application setting"
Or your environment variables settings may be in a different section of the UI under Environment variables.
Add the following application settings:
Create the below environment variables with their respective values:
AUTOMATOR_CONFIG_KEY -> "value from Step 1 above of the setup guide"
AUTOMATOR_PORT -> 8089
SSL_MODE -> none
WEBSITES_PORT -> 8089
Click Apply
(7) Set up Diagnostics
Select Diagnostic settings and then select "+ Add diagnostic setting"
Give the diagnostic setting a name.
Select "App Service Console logs"
Select "App Service Application logs"
Select "Send to Log Analytics workspace"
Select or setup a new Log Analytics workspace
(8) Set up Logs
Select Logs from the main menu. Click the "X" to close the Queries window.
To see the Docker deployment and startup logs: AppServicePlatformLogs
To see the application error logs: AppServiceConsoleLogs
(9) Set up App Service logs
Select App Service Logs from the main menu under the Monitoring section. Then select File System under Application logging and set a retention per user's preference
Click Save
(10) View Log stream
Select Log Stream from the main menu under the Overview section to verify the Automator service is connected and logging correctly
(11) Configure Health Check
Select Health check from the main menu under the Monitoring section. Then Enable the health check function and set the Path value to "/health". Click Save to save the configuration, and Save again to confirm changes.
(12) Configure Access Restrictions
In the Networking section you can setup simple access rules or configure Azure Front Door.
Select Networking from the main menu and click on "Enabled with no access restrictions"
Under Access Restrictions, select "Enabled from select virtual networks and IP addresses" and "Allow" unmatched rule action. Click +Add to add inbound access rules.
Under Add Rule, add the inbound firewall rules. You should restrict traffic to the Keeper published IP addresses marked as "Connection verification only" for your respective region per the page below.
Click Add Rule
Click Save to save the configurations
(13) Login to Keeper Commander
Keeper Commander is required to perform the final step of Automator configuration. This can be run from anywhere, it does not need to be installed on the server.
On your workstation or server, install Keeper Commander CLI. The installation instructions including binary installers are here:
https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup
After Commander is installed, launch Keeper Commander, or from an existing terminal you can type keeper shell
to open the session, then login using the login
command. In order to set up Automator, you must login as a Keeper Administrator, or an Admin with the ability to manage the SSO node.
(14) Create the Automator
Create the Automator using a series of commands, starting with automator create
The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.
The output of the command will display the Automator settings, including metadata from the identity provider.
Note that the "URL" is not populated yet. This is the Default Domain value from Step 5.
Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team
, team_for_user
and device
).
Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:
Initialize the Automator with the new configuration
Enable the service
At this point, the configuration is complete.
For external health checks, you can use the below URL:
https://<server>/health
Example curl
command:
Testing the User Experience
Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.
Last updated