Google Cloud with GCP Cloud Run
Running the Keeper Automator service on the Google Cloud platform with Cloud Run
This guide provides step-by-step instructions to run the Keeper Automator service on Google Cloud, specifically using the Cloud Run service. The Automator is also protected by a Google Cloud Armor policy that restricts access to Keeper's infrastructure IPs.
From the Google Cloud console (https://console.cloud.google.com) create a new project.
Then click "Select Project" on this new project.
For this documentation, we use the Google Cloud Shell from the web interface. Click the Cloud Shell icon in the console to activate it, or install the gcloud CLI on your local machine.
Note the Project ID, which in this case is keeper-automator-439714. This Project ID will be used in subsequent commands.
If you haven't done so, you must link a valid Billing account to the project. This is performed in the Google Cloud user interface from the Billing menu.
From the Cloud Shell, generate a random 256-bit (32-byte) AES key and encode it as base64:
Example key: 6C45ibUhoYqkTD4XNFqoZoZmslvklwyjQO4ZqLdUECs=
Save the resulting key in Keeper as a secret. It is passed to the container as an environment variable when you deploy, and the Automator uses it to protect its configuration so that new, ephemeral container instances come up already configured at startup instead of having to be set up again.
You need to select a region for the service to run. The available region codes can be found by using the following command:
For this example, we will use us-east1
Run the following two commands, replacing "us-east1" with your preferred region from Step 5:
Create a file called cloudbuild.yaml that contains the following content, replacing the string "us-east1" with your preferred location from Step 5. Leave all other content the same.
Upload this file through the Cloud Shell user interface, or create the text file in the cloud shell.
From the Cloud Shell, execute the following:
Then execute the build:
This copies the latest Automator container image into your Google Artifact Registry.
The following command deploys the Keeper Automator service to Google Cloud Run from your Artifact Registry. Its ingress is limited to internal traffic and the load balancer only, so the service is not reachable directly from the internet.
Note the following:
- [PROJECT_ID] is replaced by your Project ID from Step 2.
- XXX is replaced with the configuration key you created in Step 3.
- AUTOMATOR_PORT tells the container to listen on port 8080.
- SSL_MODE lets the TLS connection terminate at the load balancer; the container receives plain HTTP behind it.
- DISABLE_SNI_CHECK disables the Automator's SNI hostname check, which would otherwise fail for requests arriving through the load balancer.
- The minimum number of instances is 1, which is acceptable in most environments. If min/max instances are not set, the service scales to zero and the first request after an idle period waits for a cold start.
The Keeper system communicates with your Automator service through a publicly routable DNS name. In this example, I'm using gcpautomator.lurey.com. To set this up, first create a Google-managed SSL certificate with the command below, replacing gcpautomator.lurey.com with your desired name. The certificate is not issued until that name resolves to the load balancer IP created later in this guide, so expect it to show a PROVISIONING status until the DNS step is complete.
The next command creates a serverless network endpoint group (NEG) that links the Cloud Run service to a Google Cloud Load Balancer. Replace us-east1 with the region of your Cloud Run service from Step 5.
This creates the backend service that the load balancer will route to:
This attaches the NEG to the backend service. Replace us-east1 with the region specified in Step 5.
Get the IP address and note for later:
The IP address must be mapped to a valid DNS name.
In your DNS provider, create an A record pointing the hostname at the IP:
Type | Name | Value | TTL |
---|---|---|---|
A | gcpautomator.lurey.com (your hostname) | the IP address from the previous step | 60 |
This step is important. Ensure that the desired domain name resolves to the IP address provided; Google will not issue the managed certificate until it does. This step must be performed in your DNS provider directly.
Create a global forwarding rule to direct incoming requests to the target proxy:
The Keeper Automator service should be restricted to only the necessary IPs, as discussed on the Ingress Requirements page.
Let's create a Cloud Armor security policy to restrict access to specific IP addresses.
In this step, we allow the IP addresses of Keeper's US data center as listed on that page. Additional rules can be created as you see fit.
We recommend adding your own external IP to this list so that you can test the Automator service; remove it again once testing is complete.
We will also add a default "deny" rule so that all other traffic is rejected:
Finally, attach the Cloud Armor security policy to the backend service
At this point, the Automator service should be running and the service should be exposed only to the Keeper infrastructure.
The next step is to finish the configuration with the Keeper Commander utility.
Keeper Commander is required to perform the final step of the Automator configuration. It can be run from anywhere and does not need to be installed on the server.
On your workstation or server, install Keeper Commander CLI. The installation instructions including binary installers are here:
https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup
After Commander is installed, launch Keeper Commander, or from an existing terminal type keeper shell to open the session, then log in using the login command. To set up the Automator, you must log in as a Keeper Administrator, or as an admin with permission to manage the SSO node.
Create the Automator using a series of commands, starting with automator create
The node name (in this case "Azure Cloud") is the name of the SSO node as shown in the Admin Console UI below.
The output of the command will display the Automator settings, including metadata from the identity provider.
Note that the "URL" is not populated yet. It will be set in the next step to the Automator's public URL.
Run the "automator edit" command as displayed below, which sets the URL and enables the skills (team, team_for_user and device). Replace gcpautomator.lurey.com with the domain name you created in Step 15.
Next, exchange keys: the enterprise private key, encrypted with the Automator's public key, is provided to the Automator:
Initialize the Automator with the new configuration
Enable the service
Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.
To update the container in Google when there is a new version available from Keeper, run the following commands:
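As an added, end-to-end example that is not Keeper's own script: the shell script below runs this page's Google Cloud procedure with gcloud, from the configuration key and cloudbuild.yaml through the Cloud Run deployment, managed certificate, serverless NEG, backend service, HTTPS proxy, forwarding rule and Cloud Armor policy, and its update action performs the image refresh described above. The resource names, the public image name keeper/automator:latest, the environment values SSL_MODE=none and DISABLE_SNI_CHECK=true, and the KEEPER_IPS placeholder ranges are assumptions, not taken from the page; use the real ranges from the Ingress Requirements page and add your own IP for testing. By default it only prints the commands (DRY_RUN=1) so you can review them against the steps above; DRY_RUN=0 executes them.

```shell
#!/usr/bin/env bash
# Added example, not Keeper's own script: the page's gcloud procedure end to
# end (Artifact Registry mirror, Cloud Run deploy, managed certificate, NEG,
# backend, HTTPS proxy, forwarding rule, Cloud Armor) plus the image update.
# Assumed, not from the page: every resource name, the public image name
# keeper/automator:latest, the values SSL_MODE=none / DISABLE_SNI_CHECK=true,
# and KEEPER_IPS, which holds constructed TEST-NET placeholders; replace it
# with the ranges from Keeper's Ingress Requirements page and your test IP.
set -eu

PROJECT_ID="${PROJECT_ID:-keeper-automator-439714}"   # Step 2
REGION="${REGION:-us-east1}"                          # Step 5
DOMAIN="${DOMAIN:-gcpautomator.lurey.com}"            # public hostname
REPO="${REPO:-keeper-automator}"
SERVICE="${SERVICE:-keeper-automator}"
IMAGE="${REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO}/automator:latest"
KEEPER_IPS="${KEEPER_IPS:-203.0.113.0/24,198.51.100.7/32}"  # placeholders
DRY_RUN="${DRY_RUN:-1}"   # 1 prints each gcloud command; DRY_RUN=0 runs it

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 3: random 256-bit AES key, base64-encoded (44 characters with padding).
gen_config_key() { openssl rand -base64 32; }

# cloudbuild.yaml: pull Keeper's public image, retag it, push it to the registry.
cloudbuild_yaml() {
  cat <<EOF
steps:
- name: 'gcr.io/cloud-builders/docker'
  args: ['pull', 'keeper/automator:latest']
- name: 'gcr.io/cloud-builders/docker'
  args: ['tag', 'keeper/automator:latest', '${IMAGE}']
images: ['${IMAGE}']
EOF
}

# Run alone when Keeper publishes a new image (last section of the page).
update_image() {
  run gcloud builds submit --config=cloudbuild.yaml --no-source
  run gcloud run services update "$SERVICE" --image="$IMAGE" --region="$REGION"
}

deploy() {
  key="$1"
  run gcloud config set project "$PROJECT_ID"
  run gcloud services enable run.googleapis.com artifactregistry.googleapis.com \
    cloudbuild.googleapis.com compute.googleapis.com
  run gcloud artifacts repositories create "$REPO" --repository-format=docker \
    --location="$REGION"
  run gcloud builds submit --config=cloudbuild.yaml --no-source
  # Ingress is internal + Cloud Load Balancing only; min 1 instance avoids a
  # cold start on the first SSO login. TLS ends at the load balancer.
  run gcloud run deploy "$SERVICE" --image="$IMAGE" --region="$REGION" --port=8080 \
    --ingress=internal-and-cloud-load-balancing --allow-unauthenticated \
    --min-instances=1 --max-instances=1 \
    --set-env-vars="AUTOMATOR_PORT=8080,SSL_MODE=none,DISABLE_SNI_CHECK=true,AUTOMATOR_CONFIG_KEY=${key}"
  # Google-managed certificate: stays PROVISIONING until DOMAIN resolves to the LB IP.
  run gcloud compute ssl-certificates create "${SERVICE}-cert" --domains="$DOMAIN" --global
  run gcloud compute network-endpoint-groups create "${SERVICE}-neg" --region="$REGION" \
    --network-endpoint-type=serverless --cloud-run-service="$SERVICE"
  run gcloud compute backend-services create "${SERVICE}-backend" --global \
    --load-balancing-scheme=EXTERNAL_MANAGED
  run gcloud compute backend-services add-backend "${SERVICE}-backend" --global \
    --network-endpoint-group="${SERVICE}-neg" --network-endpoint-group-region="$REGION"
  run gcloud compute url-maps create "${SERVICE}-urlmap" --default-service="${SERVICE}-backend"
  run gcloud compute target-https-proxies create "${SERVICE}-https-proxy" \
    --ssl-certificates="${SERVICE}-cert" --url-map="${SERVICE}-urlmap"
  run gcloud compute addresses create "${SERVICE}-ip" --ip-version=IPV4 --global
  # Point the DNS A record for DOMAIN at the address printed here before going on.
  run gcloud compute addresses describe "${SERVICE}-ip" --global --format='get(address)'
  run gcloud compute forwarding-rules create "${SERVICE}-fwd" --global --ports=443 \
    --load-balancing-scheme=EXTERNAL_MANAGED --address="${SERVICE}-ip" \
    --target-https-proxy="${SERVICE}-https-proxy"
  # Cloud Armor: allow Keeper's ranges (10 per rule; use 1001, 1002... for more),
  # make the default rule deny-403, then attach the policy to the backend.
  run gcloud compute security-policies create "${SERVICE}-policy" \
    --description="Keeper Automator ingress allow-list"
  run gcloud compute security-policies rules create 1000 \
    --security-policy="${SERVICE}-policy" --src-ip-ranges="$KEEPER_IPS" --action=allow
  run gcloud compute security-policies rules update 2147483647 \
    --security-policy="${SERVICE}-policy" --action=deny-403
  run gcloud compute backend-services update "${SERVICE}-backend" --global \
    --security-policy="${SERVICE}-policy"
}

main() {
  if [ "$DRY_RUN" = 1 ]; then cloudbuild_yaml; else cloudbuild_yaml > cloudbuild.yaml; fi
  case "$1" in
    deploy) key="${AUTOMATOR_CONFIG_KEY:-$(gen_config_key)}"
            printf 'AUTOMATOR_CONFIG_KEY (save it in Keeper): %s\n' "$key" >&2
            deploy "$key" ;;
    update) update_image ;;
    *) echo "usage: $0 [deploy|update]" >&2; return 2 ;;
  esac
}
main "${1:-deploy}"
```

Run `DRY_RUN=0 ./deploy-automator.sh deploy` once, create the DNS A record when the address is printed (the script continues, but the certificate stays PROVISIONING until the name resolves), and use `DRY_RUN=0 ./deploy-automator.sh update` for later image refreshes, which keep the existing environment variables. If you ever re-run deploy, set AUTOMATOR_CONFIG_KEY to the key you saved in Keeper so the service keeps the same configuration key.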
If you need assistance, please email commander@keepersecurity.com or open a support ticket.