# Google Cloud with GCP Cloud Run
## Overview
This guide provides step-by-step instructions to run the Keeper Automator service on Google Cloud, specifically using the GCP Cloud Run service. The Automator is also protected by the Google Armor service in order to restrict access to Keeper's infrastructure IPs.
### (1) Create a Project
From the Google Cloud console () create a new project.
Create a New Project
Then click "**Select Project**" on this new project.
### (2) Start the Cloud Shell
For this documentation, we'll use the Google Cloud Shell from the web interface. Click to activate the Cloud Shell or install this on your local machine.
Start the Google Cloud Shell
* Note the **Project ID**, which in this case is `keeper-automator-439714`. This Project ID will be used in subsequent commands.
### (3) Link a Billing Account
If you haven't done so, you must link a valid Billing account to the project. This is performed in the Google Cloud user interface from the Billing menu.
### (3) Create an Automator Config key
From the Cloud Shell, generate a 256-bit AES key in URL-encoded format:
```
openssl rand -base64 32
```
Example key: `6C45ibUhoYqkTD4XNFqoZoZmslvklwyjQO4ZqLdUECs=`
Save the resulting Key in Keeper. This will be used as an environment variable when deploying the container. This key ensures that ephemeral containers will be configured at startup.
### (4) Enable the Artifact Registry
```
gcloud services enable run.googleapis.com artifactregistry.googleapis.com
```
### (5) Select a Region
You need to select a region for the service to run. The available region codes can be found by using the following command:
```
gcloud run regions list
```
For this example, we will use `us-east1`
### (6) Create Artifact Repository for the Automator service
Run the below 2 commands, replacing "us-east1" with your preferred value from Step 5
```
gcloud artifacts repositories create keeper-automator-repo \
--repository-format=docker \
--location=us-east1 \
--description="Artifact registry for Keeper Automator service"
```
```
gcloud auth configure-docker us-east1-docker.pkg.dev
```
### (7) Upload the Automator container to the Artifact Registry
Create a file called `cloudbuild.yaml` that contains the following content, ensuring to replace the string "`us-east1`" with your preferred location from Step 5. Leave all other content the same.
{% code title="cloudbuild.yaml" overflow="wrap" %}
```yaml
steps:
- name: 'gcr.io/cloud-builders/docker'
args: ['pull', 'keeper/automator:latest']
- name: 'gcr.io/cloud-builders/docker'
args: [
'tag',
'keeper/automator:latest',
'us-east1-docker.pkg.dev/$PROJECT_ID/keeper-automator-repo/keeper-automator:latest'
]
- name: 'gcr.io/cloud-builders/docker'
args: [
'push',
'us-east1-docker.pkg.dev/$PROJECT_ID/keeper-automator-repo/keeper-automator:latest'
]
images:
- 'us-east1-docker.pkg.dev/$PROJECT_ID/keeper-automator-repo/keeper-automator:latest'
```
{% endcode %}
* Replace `us-east1` with your preferred location from [Step 5](#id-5-select-a-region)
Upload this file through the Cloud Shell user interface, or create the text file in the cloud shell.
From the Cloud Shell, execute the following:
```
gcloud services enable cloudbuild.googleapis.com
```
Then execute the build:
```
gcloud builds submit --config cloudbuild.yaml
```
This will sync the latest Automator container to your Google Artifact Registry.
### (8) Deploy the Automator service
The following command will deploy the Keeper Automator service to Google Cloud Run from your Artifact Registry. This service is limited to internal access and load balancers only.
{% code overflow="wrap" %}
```
gcloud run deploy keeper-automator \
--image us-east1-docker.pkg.dev/[PROJECT ID]/keeper-automator-repo/keeper-automator:latest \
--platform managed \
--region us-east1 \
--allow-unauthenticated \
--ingress internal-and-cloud-load-balancing \
--min-instances 1 \
--max-instances 2 \
--set-env-vars "AUTOMATOR_CONFIG_KEY=XXX,AUTOMATOR_PORT=8080,DISABLE_SNI_CHECK=true,SSL_MODE=none"
```
{% endcode %}
Note the following:
* `[PROJECT_ID]` needs to be replaced by your Project ID as found in Step 2
* `XXX` is replaced with the configuration key that you created in Step 3 above.
* `AUTOMATOR_PORT` tells the container to listen on port 8080
* `SSL_MODE` allows the SSL connection to terminate with the load balancer
* `DISABLE_SNI_CHECK` allows the request to complete behind the load balancer
* The mininum number of instances is 1, which is acceptable in most environments.
* If min/max is not set, the service will drop to zero instances and startup on the first request
### (9) Create Managed Certificate
The Keeper system is going to communicate with your Automator service through a publicly routable DNS name. In this example, I'm using `gcpautomator.lurey.com`. In order to set this up, you need to first create a managed SSL certificate. The command for this is below.
```
gcloud compute ssl-certificates create automator-compute-certificate \
--domains gcpautomator.lurey.com \
--global
```
* Replace `gcpautomator.lurey.com` with your desired name
### (10) Create a Serverless Network Endpoint Group
The next command links the Cloud Run service to a Google Cloud Load Balancer.
```bash
gcloud compute network-endpoint-groups create keeper-automator-neg \
--region us-east1 \
--network-endpoint-type=serverless \
--cloud-run-service keeper-automator
```
* Replace `us-east1` with the region of your Cloud Run service from [**Step 5**](#id-5-select-a-region).
### (11) Create a **backend service** that will use the **NEG**
This creates a backend service that links to the Cloud Run service:
```bash
gcloud compute backend-services create keeper-automator-backend \
--global \
--protocol HTTP
```
### (12) Attach the **NEG** to the backend service
This attaches the NEG to the backend service.
```bash
gcloud compute backend-services add-backend keeper-automator-backend \
--global \
--network-endpoint-group keeper-automator-neg \
--network-endpoint-group-region us-east1
```
* Replace `us-east1` with the desired location specified in [Step 5](#id-5-select-a-region)
### (13) Create a URL map that directs incoming traffic to the backend service
```
gcloud compute url-maps create keeper-automator-url-map \
--default-service keeper-automator-backend
```
### (14) Create the HTTPS target proxy and map the Automator certificate
```
gcloud compute target-https-proxies create keeper-automator-target-proxy \
--url-map keeper-automator-url-map \
--ssl-certificates automator-compute-certificate
```
### (15) Reserve a static IP address and assign DNS entry
```
gcloud compute addresses create keeper-automator-ip --global
```
Get the IP address and note for later:
```
gcloud compute addresses list
```
The IP address must be mapped to a valid DNS.
In your DNS provider, set up an A-record pointing to the IP.
#### Example A-Record Configuration
Type
Name
Value
TTL
A
gcpautomator.lurey.com
xx.xx.xx.xx
60
* This step is important. Ensure that the desired domain name is pointing to the IP address provided. This step must be performed in your DNS provider directly.
### (16) Create a Global Forwarding Rule
Create a **global forwarding rule** to direct incoming requests to the target proxy:
```
gcloud compute forwarding-rules create keeper-automator-forwarding-rule \
--global \
--target-https-proxy keeper-automator-target-proxy \
--ports 443 \
--address keeper-automator-ip
```
### (17) Lock down access to specific IPs
The Keeper Automator service should be restricted to only the necessary IPs as discussed on the [Ingress Requirements](https://docs.keeper.io/en/sso-connect-cloud/device-approvals/automator/ingress-requirements) page.
Let's create a **Cloud Armor Security Policy** to restrict access to certain IP addresses
{% code overflow="wrap" %}
```
gcloud compute security-policies create allow-specific-ips-policy --description "Allow specific IPs"
```
{% endcode %}
In this step, we will attach IPs Keeper's US Data Center as found [in this page](https://docs.keeper.io/en/sso-connect-cloud/device-approvals/automator/ingress-requirements). Additional rules can be created as you see fit.
{% code overflow="wrap" %}
```
gcloud compute security-policies rules create 1000 \
--security-policy allow-specific-ips-policy \
--src-ip-ranges 54.208.20.102,34.203.159.189 \
--action allow
```
{% endcode %}
* We recommend adding your external IP to this list, so that you can test the Automator service
We will also add a default "deny" rule to restrict other traffic:
```
gcloud compute security-policies rules create 2000 \
--security-policy allow-specific-ips-policy \
--action deny-404 \
--src-ip-ranges '*'
```
Finally, attach the **Cloud Armor security policy** to the backend service
```
gcloud compute backend-services update keeper-automator-backend \
--global \
--security-policy allow-specific-ips-policy
```
At this point, the Automator service should be running and the service should be exposed only to the Keeper infrastructure.
The next step is to finish the configuration with the Keeper Commander utility.
### (18) Login to Keeper Commander
Keeper Commander is required to perform the final step of Automator configuration. This can be run from anywhere, it does not need to be installed on the server.
On your workstation or server, install Keeper Commander CLI. The installation instructions including binary installers are here:\
[https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup](https://docs.keeper.io/keeperpam/commander-cli/commander-installation-setup)\
\
After Commander is installed, launch Keeper Commander, or from an existing terminal you can type `keeper shell` to open the session, then login using the `login` command. In order to set up Automator, you must login as a Keeper Administrator, or an Admin with the ability to manage the SSO node.
```
$ keeper shell
My Vault> login admin@company.com
_ __
| |/ /___ ___ _ __ ___ _ _
| '
```
### (19) Create the Automator
Create the Automator using a series of commands, starting with `automator create`
```
My Vault> automator create --name "My Automator" --node "Azure Cloud"
```
The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.
The output of the command will display the Automator settings, including metadata from the identity provider.
```
Automator ID: XXXX
Name: My Automator
URL:
Enabled: No
Initialized: No
Skills: Device Approval
```
Note that the "URL" is not populated yet. This will be populated with the automator URL.
Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (`team`, `team_for_user` and `device`).
{% code overflow="wrap" %}
```
automator edit --url https://gcpautomator.lurey.com --skill=team --skill=team_for_user --skill=device "My Automator"
```
{% endcode %}
* NOTE: Replace `gcpautomator.lurey.com` with the domain name you created in [Step 15](#id-15-reserve-a-static-ip-address-and-assign-dns-entry)
Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:
```
automator setup "My Automator"
```
Initialize the Automator with the new configuration
```
automator init "My Automator"
```
Enable the service
```
automator enable "My Automator"
```
### Testing the User Experience
Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.
***
## Updating the Container
To update the container in Google when there is a new version available from Keeper, run the following commands:
* Repeat [Step 7](#id-7-upload-the-automator-container-to-the-artifact-registry)
* Repeat [Step 8](#id-8-deploy-the-automator-service)
## Need help?
If you need assistance, please email **** or open a [support ticket](https://keepersecurity.servicenowservices.com/csm?id=csm_index).
