Google Cloud with GCP Cloud Run

Overview

This guide provides step-by-step instructions to run the Keeper Automator service on Google Cloud, specifically using the GCP Cloud Run service. The Automator is also protected by the Google Armor service in order to restrict access to Keeper's infrastructure IPs.

(1) Create a Project

From the Google Cloud console (https://console.cloud.google.com) create a new project.

Then click "Select Project" on this new project.

(2) Start the Cloud Shell

For this documentation, we'll use the Google Cloud Shell from the web interface. Click to activate the Cloud Shell or install this on your local machine.

• Note the Project ID, which in this case is keeper-automator-439714. This Project ID will be used in subsequent commands.

(3) Link a Billing Account

If you haven't done so, you must link a valid Billing account to the project. This is performed in the Google Cloud user interface from the Billing menu.

(3) Create an Automator Config key

From the Cloud Shell, generate a 256-bit AES key in URL-encoded format:

openssl rand -base64 32

Example key: 6C45ibUhoYqkTD4XNFqoZoZmslvklwyjQO4ZqLdUECs=

Save the resulting Key in Keeper. This will be used as an environment variable when deploying the container. This key ensures that ephemeral containers will be configured at startup.

(4) Enable the Artifact Registry

gcloud services enable run.googleapis.com artifactregistry.googleapis.com

(5) Select a Region

You need to select a region for the service to run. The available region codes can be found by using the following command:

gcloud run regions list

For this example, we will use us-east1

(6) Create Artifact Repository for the Automator service

Run the below 2 commands, replacing "us-east1" with your preferred value from Step 5

gcloud artifacts repositories create keeper-automator-repo \
    --repository-format=docker \
    --location=us-east1 \
    --description="Artifact registry for Keeper Automator service"

gcloud auth configure-docker us-east1-docker.pkg.dev

(7) Upload the Automator container to the Artifact Registry

Create a file called cloudbuild.yaml that contains the following content, ensuring to replace the string "us-east1" with your preferred location from Step 5. Leave all other content the same.

steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: ['pull', 'keeper/automator:latest']
  - name: 'gcr.io/cloud-builders/docker'
    args: [
      'tag',
      'keeper/automator:latest',  
      'us-east1-docker.pkg.dev/$PROJECT_ID/keeper-automator-repo/keeper-automator:latest'
    ]
  - name: 'gcr.io/cloud-builders/docker'
    args: [
      'push',
      'us-east1-docker.pkg.dev/$PROJECT_ID/keeper-automator-repo/keeper-automator:latest'
    ]
images:
  - 'us-east1-docker.pkg.dev/$PROJECT_ID/keeper-automator-repo/keeper-automator:latest'

• Replace us-east1 with your preferred location from Step 5

Upload this file through the Cloud Shell user interface, or create the text file in the cloud shell.

From the Cloud Shell, execute the following:

gcloud services enable cloudbuild.googleapis.com

Then execute the build:

gcloud builds submit --config cloudbuild.yaml

This will sync the latest Automator container to your Google Artifact Registry.

(8) Deploy the Automator service

The following command will deploy the Keeper Automator service to Google Cloud Run from your Artifact Registry. This service is limited to internal access and load balancers only.

gcloud run deploy keeper-automator \
    --image us-east1-docker.pkg.dev/[PROJECT ID]/keeper-automator-repo/keeper-automator:latest \
    --platform managed \
    --region us-east1 \
    --allow-unauthenticated \
    --ingress internal-and-cloud-load-balancing \
    --min-instances 1 \
    --max-instances 2 \
    --set-env-vars "AUTOMATOR_CONFIG_KEY=XXX,AUTOMATOR_PORT=8080,DISABLE_SNI_CHECK=true,SSL_MODE=none"

Note the following:

• [PROJECT_ID] needs to be replaced by your Project ID as found in Step 2

• XXX is replaced with the configuration key that you created in Step 3 above.

• AUTOMATOR_PORT tells the container to listen on port 8080

• SSL_MODE allows the SSL connection to terminate with the load balancer

• DISABLE_SNI_CHECK allows the request to complete behind the load balancer

• The mininum number of instances is 1, which is acceptable in most environments.

• If min/max is not set, the service will drop to zero instances and startup on the first request

(9) Create Managed Certificate

The Keeper system is going to communicate with your Automator service through a publicly routable DNS name. In this example, I'm using gcpautomator.lurey.com. In order to set this up, you need to first create a managed SSL certificate. The command for this is below.

gcloud compute ssl-certificates create automator-compute-certificate \
    --domains gcpautomator.lurey.com \
    --global

• Replace gcpautomator.lurey.com with your desired name

(10) Create a Serverless Network Endpoint Group

The next command links the Cloud Run service to a Google Cloud Load Balancer.

gcloud compute network-endpoint-groups create keeper-automator-neg \
    --region us-east1 \
    --network-endpoint-type=serverless \
    --cloud-run-service keeper-automator

• Replace us-east1 with the region of your Cloud Run service from Step 5.

(11) Create a backend service that will use the NEG

This creates a backend service that links to the Cloud Run service:

gcloud compute backend-services create keeper-automator-backend \
    --global \
    --protocol HTTP

(12) Attach the NEG to the backend service

This attaches the NEG to the backend service.

gcloud compute backend-services add-backend keeper-automator-backend \
    --global \
    --network-endpoint-group keeper-automator-neg \
    --network-endpoint-group-region us-east1

• Replace us-east1 with the desired location specified in Step 5

(13) Create a URL map that directs incoming traffic to the backend service

gcloud compute url-maps create keeper-automator-url-map \
    --default-service keeper-automator-backend

(14) Create the HTTPS target proxy and map the Automator certificate

gcloud compute target-https-proxies create keeper-automator-target-proxy \
    --url-map keeper-automator-url-map \
    --ssl-certificates automator-compute-certificate

(15) Reserve a static IP address and assign DNS entry

gcloud compute addresses create keeper-automator-ip --global

Get the IP address and note for later:

gcloud compute addresses list

The IP address must be mapped to a valid DNS.

In your DNS provider, set up an A-record pointing to the IP.

Example A-Record Configuration

• This step is important. Ensure that the desired domain name is pointing to the IP address provided. This step must be performed in your DNS provider directly.

(16) Create a Global Forwarding Rule

Create a global forwarding rule to direct incoming requests to the target proxy:

gcloud compute forwarding-rules create keeper-automator-forwarding-rule \
    --global \
    --target-https-proxy keeper-automator-target-proxy \
    --ports 443 \
    --address keeper-automator-ip

(17) Lock down access to specific IPs

The Keeper Automator service should be restricted to only the necessary IPs as discussed on the Ingress Requirements page.

Let's create a Cloud Armor Security Policy to restrict access to certain IP addresses

gcloud compute security-policies create allow-specific-ips-policy --description "Allow specific IPs"

In this step, we will attach IPs Keeper's US Data Center as found in this page. Additional rules can be created as you see fit.

gcloud compute security-policies rules create 1000 \
    --security-policy allow-specific-ips-policy \
    --src-ip-ranges 54.208.20.102,34.203.159.189 \
    --action allow

• We recommend adding your external IP to this list, so that you can test the Automator service

We will also add a default "deny" rule to restrict other traffic:

gcloud compute security-policies rules create 2000 \
    --security-policy allow-specific-ips-policy \
    --action deny-404 \
    --src-ip-ranges '*'

Finally, attach the Cloud Armor security policy to the backend service

gcloud compute backend-services update keeper-automator-backend \
    --global \
    --security-policy allow-specific-ips-policy

At this point, the Automator service should be running and the service should be exposed only to the Keeper infrastructure.

The next step is to finish the configuration with the Keeper Commander utility.

(18) Login to Keeper Commander

Keeper Commander is required to perform the final step of Automator configuration. This can be run from anywhere, it does not need to be installed on the server.

On your workstation or server, install Keeper Commander CLI. The installation instructions including binary installers are here: https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup After Commander is installed, launch Keeper Commander, or from an existing terminal you can type keeper shell to open the session, then login using the login command. In order to set up Automator, you must login as a Keeper Administrator, or an Admin with the ability to manage the SSO node.

$ keeper shell

My Vault> login admin@company.com

  _  __  
 | |/ /___ ___ _ __  ___ _ _ 
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
 v16.x.xxx    |_|

 password manager & digital vault

Logging in to Keeper Commander
Enter password for admin@company.com
Password: ********************
Successfully authenticated with Master Password
Syncing...
Decrypted [58] record(s)

My Vault>

(19) Create the Automator

Create the Automator using a series of commands, starting with automator create

My Vault> automator create --name "My Automator" --node "Azure Cloud"

The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.

The output of the command will display the Automator settings, including metadata from the identity provider.

                    Automator ID: XXXX
                            Name: My Automator
                             URL: 
                         Enabled: No
                     Initialized: No
                          Skills: Device Approval

Note that the "URL" is not populated yet. This will be populated with the automator URL.

Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team, team_for_user and device).

automator edit --url https://gcpautomator.lurey.com --skill=team --skill=team_for_user --skill=device "My Automator"

• NOTE: Replace gcpautomator.lurey.com with the domain name you created in Step 15

Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:

automator setup "My Automator"

Initialize the Automator with the new configuration

automator init "My Automator"

Enable the service

automator enable "My Automator"

Testing the User Experience

Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.

The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.

Updating the Container

To update the container in Google when there is a new version available from Keeper, run the following commands:

• Repeat Step 7

• Repeat Step 8

Need help?

If you need assistance, please email commander@keepersecurity.com or open a support ticket.