Azure Container App

Overview

This guide provides step-by-step instructions to publish Keeper Automator to the Azure Container App service. This provides a simple and straightforward way to host the Automator service in the cloud.

(1) Create an Automator Config key

Open a command line interface and generate a 256-bit AES key in URL-encoded format using one of the methods below, depending on your operating system:

Generate a Key

openssl rand -base64 32

[Byte[]]$key = New-Object Byte[] 32; [System.Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($key); [System.Convert]::ToBase64String($key)

Save the resulting value produced by this command for Step (3).

(2) Create a Container App

From Azure, create a new Container App.

• Select or create a new Resource Group

• Set the Container App Name to "keeperautomator" or whatever you prefer

• Select "Container Image" as the Deployment Source

• Select the region where you would like the service hosted

• Create a new Apps Environment or select an existing environment

• Click Next : Container >

(3) Setup Container Details

In the "Container" step, make the following selections:

• Uncheck the "Use quickstart image"

• Select "Docker Hub or other registries"

• Select "Public"

• Select Registry login server as docker.io

• Set the Image and tag as keeper/automator:latest

• Skip to "Container resource allocation"

• For CPU and Memory, 0.5 CPU cores and 1Gi memory is sufficient, but this can be updated based on your volume of new device logins.

• Create an environment variable called AUTOMATOR_CONFIG_KEY with the value from Step 1 above of the setup guide.

• Create an environment variable called AUTOMATOR_PORT with the value of 8089

• Create an environment variable called SSL_MODE with the value of none

• Click "Next : Ingress >"

(4) Ingress Setup

On the Ingress setup screen, select the following:

• Enable Ingress

• Ingress traffic Accepting traffic from anywhere (we'll modify this in a later step)

• Ingress type HTTP

• Target port set to 8089

(5) Create Container App

Click "Review + Create" and then click "Create"

After a few minutes, the container app will be created and automatically start up.

Clicking on "Go to Resource" will take you to the container environment.

(6) Customize the Ingress Setup

To restrict communications to the Keeper Automator service, click on the "Ingress" link on the left side of the screen under the "Settings" section

• Click on "Ingress"

• Select "Allow traffic from IPs configured below, deny all other traffic"

• Click "Add" to add two of Keeper's IPs and any of your IPs required for testing the service.

• Click Save

(7) Set up Scaling, Health Probes and Volume Mount

In order to prevent Azure from downscaling to zero instances, it's important to set the minimum number of instances to 1.

Navigate to the "Containers" section under the "Application"

Click on the "Edit and deploy" section at the top and then navigate to the Scale section. Set the Min and Max replica to "1"

• Next, click on the "Container" tab

• Click on the container name link, in this case "keeperautomator" at the bottom

Navigate to Health Probes and enter the following under each section:

Under "Liveness probes":

• Enable liveness probes

• Transport: HTTP

• Path: /health

• Port: 8089

• Initial delay seconds: 5

• Period seconds: 30

Under "Startup probes":

• Enable startup probes

• Transport: HTTP

• Path: /health

• Port: 8089

• Initial delay seconds: 5

• Period seconds: 30

Under "Volume Mounts":

• Select "Create new volume"

• Add volume type automatordata

• Add Mount Path as /usr/mybin/config

Finish the configuration

• Click on Save

• Then click on Create to build the new configuration

• After a few minutes, the new containers should start up

(8) Retrieve the Application URL

From the Overview section of the Container App, on the right side is the "Application URL" that was assigned. Copy this and use this Application URL in the next step.

For example, https://craigautomator1.xyx-1234.azurecontainerapps.io

(9) Login to Keeper Commander

Keeper Commander is required to perform the final step of Automator configuration. This can be run from anywhere, it does not need to be installed on the server.

On your workstation or server, install Keeper Commander CLI. The installation instructions including binary installers are here: https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup After Commander is installed, launch Keeper Commander, or from an existing terminal you can type keeper shell to open the session, then login using the login command. In order to set up Automator, you must login as a Keeper Administrator, or an Admin with the ability to manage the SSO node.

$ keeper shell

My Vault> login admin@company.com

  _  __  
 | |/ /___ ___ _ __  ___ _ _ 
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
 v16.x.xxx    |_|

 password manager & digital vault

Logging in to Keeper Commander
Enter password for admin@company.com
Password: ********************
Successfully authenticated with Master Password
Syncing...
Decrypted [58] record(s)

My Vault>

(10) Create the Automator

Create the Automator using a series of commands, starting with automator create

My Vault> automator create --name "My Automator" --node "Azure Cloud"

The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.

The output of the command will display the Automator settings, including metadata from the identity provider.

                    Automator ID: 1477468749950
                            Name: My Automator
                             URL: 
                         Enabled: No
                     Initialized: No
                          Skills: Device Approval

Note that the "URL" is not populated yet. This is the Application URL from Step 8.

Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team, team_for_user and device).

automator edit --url https://<application URL> --skill=team --skill=team_for_user --skill=device "My Automator"

Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:

automator setup "My Automator"

Initialize the Automator with the new configuration

automator init "My Automator"

Enable the service

automator enable "My Automator"

At this point, the configuration is complete.

For external health checks, you can use the below URL:

https://<server>/health

Example curl command:

$ curl https://craigautomator1.xyz.azurecontainerapps.io/health
OK

Testing the User Experience

Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.

The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.

Advanced

Azure Container Apps have many advanced capabilities that are beyond the scope of this documentation. A few of the capabilities are provided below.

Scaling with Multiple Containers

If you would like to have multiple containers running the Keeper Automator service:

• Click on "Scale and replicas"

• Click "Edit and deploy"

• Click on the "Scale" tab

• Select the min and max number of containers. The minimum should be at least 1.

• Click Create

• After a minute, the new version will deploy

• Run automator setup xxx multiple times (one for each container)

• Run automator init xxx multiple times (one for each container)

Logging

The Keeper Automator logs can be viewed and monitored using the "Console" or "Log stream" section.

For example, to tail the log file of a running Automator service:

• Click on Console

• Select "/bin/sh"

• Click Connect

• At the prompt, type: tail -f logs/keeper-automator.log

Advanced Settings

Environment variables can be passed into the Container to turn on/off features of the runtime environment. The variables with their description can be found at the Advanced Settings page.