Google Cloud with GCP Cloud Run
Running the Keeper Automator service on the Google Cloud platform with Cloud Run
Overview
This guide provides step-by-step instructions to run the Keeper Automator service on Google Cloud, specifically using the GCP Cloud Run service. The Automator is also protected by the Google Cloud Armor service in order to restrict access to Keeper's infrastructure IPs.
(1) Create a Project
From the Google Cloud console (https://console.cloud.google.com) create a new project.
Then click "Select Project" on this new project.
(2) Start the Cloud Shell
For this documentation, we'll use the Google Cloud Shell from the web interface. Click to activate the Cloud Shell, or install the gcloud CLI on your local machine.
Note the Project ID, which in this case is keeper-automator-439714. This Project ID will be used in subsequent commands.
(3) Link a Billing Account
If you haven't done so, you must link a valid Billing account to the project. This is performed in the Google Cloud user interface from the Billing menu.
(3) Create an Automator Config key
From the Cloud Shell, generate a 256-bit AES key in URL-encoded format:
Example key: 6C45ibUhoYqkTD4XNFqoZoZmslvklwyjQO4ZqLdUECs=
Save the resulting Key in Keeper. This will be used as an environment variable when deploying the container. This key ensures that ephemeral containers will be configured at startup.
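The page's own key-generation command is not shown above, so the following is an added example (not Keeper's command) of producing and validating a key of the shape the sample key has: 32 random bytes, base64-encoded, 44 characters with padding. The choice of the URL-safe base64 alphabet ('-' and '_' instead of '+' and '/') is an assumption made here so the value survives shells and URLs unchanged; the validator accepts either alphabet, and the function names are mine.

```shell
#!/bin/sh
# Added example, not Keeper's own command: generate and validate a 256-bit
# Automator config key. 32 random bytes -> base64 (URL-safe alphabet, an
# assumption), padding kept, so a valid key is always 44 characters.
set -e

gen_aes256_key() {
  # /dev/urandom is the kernel CSPRNG on Linux and in the Cloud Shell image.
  head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_'
}

# Number of raw bytes a stored key decodes to; accepts both base64 alphabets.
key_byte_length() {
  printf '%s' "$1" | tr '_-' '/+' | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Exit status 0 only for a well-formed 256-bit key, so a deploy script can
# refuse a truncated or hand-edited value before it reaches the container.
is_valid_key() {
  [ "${#1}" -eq 44 ] && [ "$(key_byte_length "$1")" -eq 32 ]
}

if [ "${1:-}" = "--generate" ]; then
  KEY=$(gen_aes256_key)
  is_valid_key "$KEY"
  echo "$KEY"
fi
```

Run it as `sh genkey.sh --generate` and store the printed value in Keeper; `is_valid_key` can be reused to sanity-check the value you later paste into the deploy command.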
(4) Enable the Artifact Registry
(5) Select a Region
You need to select a region for the service to run. The available region codes can be found by using the following command:
For this example, we will use us-east1
(6) Create Artifact Repository for the Automator service
Run the two commands below, replacing "us-east1" with the region you chose in Step 5:
(7) Upload the Automator container to the Artifact Registry
Create a file called cloudbuild.yaml that contains the following content, replacing the string "us-east1" with your preferred location from Step 5. Leave all other content the same.
Upload this file through the Cloud Shell user interface, or create the text file in the Cloud Shell.
From the Cloud Shell, execute the following:
Then execute the build:
This will sync the latest Automator container to your Google Artifact Registry.
(8) Deploy the Automator service
The following command will deploy the Keeper Automator service to Google Cloud Run from your Artifact Registry. This service is limited to internal access and load balancers only.
Note the following:
- [PROJECT_ID] needs to be replaced by your Project ID as found in Step 2
- XXX is replaced with the configuration key that you created in Step 3 above
- AUTOMATOR_PORT tells the container to listen on port 8080
- SSL_MODE allows the SSL connection to terminate at the load balancer
- DISABLE_SNI_CHECK allows the request to complete behind the load balancer
- The minimum number of instances is 1, which is acceptable in most environments. If min/max is not set, the service will scale to zero instances and start up on the first request.
(9) Create Managed Certificate
The Keeper system is going to communicate with your Automator service through a publicly routable DNS name. In this example, I'm using gcpautomator.lurey.com. In order to set this up, you need to first create a managed SSL certificate. The command for this is below.
Replace gcpautomator.lurey.com with your desired name.
(10) Create a Serverless Network Endpoint Group
The next command links the Cloud Run service to a Google Cloud Load Balancer.
Replace us-east1 with the region of your Cloud Run service from Step 5.
(11) Create a backend service that will use the NEG
This creates a backend service that links to the Cloud Run service:
(12) Attach the NEG to the backend service
This attaches the NEG to the backend service.
Replace us-east1 with the location you chose in Step 5.
(13) Create a URL map that directs incoming traffic to the backend service
(14) Create the HTTPS target proxy and map the Automator certificate
(15) Reserve a static IP address and assign DNS entry
Get the IP address and note for later:
The IP address must be mapped to a valid DNS.
In your DNS provider, set up an A-record pointing to the IP.
Example A-Record Configuration
Type | Name | Value | TTL |
---|---|---|---|
A | gcpautomator.lurey.com | <the reserved static IP from above> | 60 |
This step is important. Ensure that the desired domain name is pointing to the IP address provided. This step must be performed in your DNS provider directly.
(16) Create a Global Forwarding Rule
Create a global forwarding rule to direct incoming requests to the target proxy:
(17) Lock down access to specific IPs
The Keeper Automator service should be restricted to only the necessary IPs as discussed on the Ingress Requirements page.
Let's create a Cloud Armor Security Policy to restrict access to specific IP addresses.
In this step, we will allow the IPs of Keeper's US Data Center as listed on that page. Additional rules can be created as you see fit.
We recommend adding your own external IP to this list, so that you can test the Automator service.
We will also add a default "deny" rule to block all other traffic:
Finally, attach the Cloud Armor security policy to the backend service
At this point, the Automator service should be running and the service should be exposed only to the Keeper infrastructure.
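Steps 5 through 17 are one procedure, so here is the whole deployment as a single script. This is an added example written for this page, not Keeper's own commands: the resource names (automator-repo, keeper-automator and the derived *-neg, *-backend, *-armor names), the environment variable name AUTOMATOR_CONFIG_KEY and the values given to SSL_MODE and DISABLE_SNI_CHECK, the use of --allow-unauthenticated (the authorization boundary is the ingress setting plus Cloud Armor, not IAM), and the EXTERNAL_MANAGED load-balancing scheme are all assumptions. The 203.0.113.0/24 range is a constructed placeholder; substitute the Keeper data center ranges from the Ingress Requirements page and your own egress IP. Without --apply the script only prints the gcloud commands so the plan can be reviewed; it expects the cloudbuild.yaml from Step 7 in the current directory.

```shell
#!/bin/sh
# Added example (not Keeper's commands): Steps 5-17 as one reviewable script.
# Without --apply, every gcloud call is printed instead of executed.
set -e

PROJECT_ID="${PROJECT_ID:-keeper-automator-439714}"   # from Step 2
REGION="${REGION:-us-east1}"                           # from Step 5
DOMAIN="${DOMAIN:-gcpautomator.lurey.com}"             # from Step 9
REPO="${REPO:-automator-repo}"                         # assumed name
SERVICE="${SERVICE:-keeper-automator}"                 # assumed name
IMAGE="${REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO}/${SERVICE}:latest"
# Constructed placeholder: replace with Keeper's ranges plus your own IP.
ALLOWED_RANGES="${ALLOWED_RANGES:-203.0.113.0/24}"
# Key from Step 3; the variable name and the SSL_MODE/DISABLE_SNI_CHECK
# values below are assumed from the Step 8 description.
CONFIG_KEY="${AUTOMATOR_CONFIG_KEY:-REPLACE_WITH_STEP_3_KEY}"

gcp() {
  if [ "${APPLY:-0}" = "1" ]; then gcloud "$@"; else echo "gcloud $*"; fi
}

enable_apis() {                      # Step 4 plus the APIs the LB needs
  gcp services enable artifactregistry.googleapis.com run.googleapis.com \
    cloudbuild.googleapis.com compute.googleapis.com --project="$PROJECT_ID"
}

build_image() {                      # Steps 6-7, using Step 7's cloudbuild.yaml
  gcp artifacts repositories create "$REPO" --repository-format=docker \
    --location="$REGION" --project="$PROJECT_ID"
  gcp builds submit --config=cloudbuild.yaml --project="$PROJECT_ID" .
}

deploy_service() {                   # Step 8
  # Ingress limited to internal traffic and Google load balancers, so the
  # only public path is the Cloud Armor-protected load balancer below.
  gcp run deploy "$SERVICE" --image="$IMAGE" --region="$REGION" \
    --project="$PROJECT_ID" --platform=managed --allow-unauthenticated \
    --ingress=internal-and-cloud-load-balancing --port=8080 \
    --min-instances=1 --max-instances=1 \
    --set-env-vars="AUTOMATOR_CONFIG_KEY=${CONFIG_KEY},AUTOMATOR_PORT=8080,SSL_MODE=none,DISABLE_SNI_CHECK=true"
}

create_load_balancer() {             # Steps 9-16
  gcp compute ssl-certificates create "${SERVICE}-cert" --domains="$DOMAIN" --global
  gcp compute network-endpoint-groups create "${SERVICE}-neg" --region="$REGION" \
    --network-endpoint-type=serverless --cloud-run-service="$SERVICE"
  gcp compute backend-services create "${SERVICE}-backend" --global \
    --load-balancing-scheme=EXTERNAL_MANAGED
  gcp compute backend-services add-backend "${SERVICE}-backend" --global \
    --network-endpoint-group="${SERVICE}-neg" --network-endpoint-group-region="$REGION"
  gcp compute url-maps create "${SERVICE}-urlmap" --default-service="${SERVICE}-backend" --global
  gcp compute target-https-proxies create "${SERVICE}-proxy" \
    --url-map="${SERVICE}-urlmap" --ssl-certificates="${SERVICE}-cert"
  gcp compute addresses create "${SERVICE}-ip" --ip-version=IPV4 --global
  gcp compute forwarding-rules create "${SERVICE}-fwd" --global \
    --load-balancing-scheme=EXTERNAL_MANAGED --address="${SERVICE}-ip" \
    --target-https-proxy="${SERVICE}-proxy" --ports=443
}

restrict_ingress() {                 # Step 17: explicit allow list, then deny-all
  gcp compute security-policies create "${SERVICE}-armor" \
    --description="Allow only Keeper infrastructure and admin IPs"
  gcp compute security-policies rules create 1000 --security-policy="${SERVICE}-armor" \
    --src-ip-ranges="$ALLOWED_RANGES" --action=allow
  # Priority 2147483647 is the policy's built-in default rule; flip it to deny.
  gcp compute security-policies rules update 2147483647 \
    --security-policy="${SERVICE}-armor" --action=deny-403
  gcp compute backend-services update "${SERVICE}-backend" --global \
    --security-policy="${SERVICE}-armor"
}

plan() { enable_apis; build_image; deploy_service; create_load_balancer; restrict_ingress; }

if [ "${1:-}" = "--apply" ]; then
  [ "$CONFIG_KEY" != "REPLACE_WITH_STEP_3_KEY" ] || { echo "set AUTOMATOR_CONFIG_KEY first" >&2; exit 1; }
  APPLY=1
  plan
  # Step 15: print the reserved address to put in the DNS A record.
  gcloud compute addresses describe "${SERVICE}-ip" --global --format='value(address)'
fi
```

Review the printed plan first (`sh deploy-automator.sh`), then run `AUTOMATOR_CONFIG_KEY=... ALLOWED_RANGES=... sh deploy-automator.sh --apply`. The order in restrict_ingress matters: the allow rule is created before the default rule is switched to deny, so there is no window in which Keeper's traffic is rejected once the policy is attached.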
The next step is to finish the configuration with the Keeper Commander utility.
(18) Login to Keeper Commander
Keeper Commander is required to perform the final step of Automator configuration. It can be run from anywhere; it does not need to be installed on the server.
On your workstation or server, install Keeper Commander CLI. The installation instructions including binary installers are here:
https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup
After Commander is installed, launch Keeper Commander, or from an existing terminal type keeper shell to open the session, then log in using the login command. In order to set up Automator, you must log in as a Keeper Administrator, or an Admin with the ability to manage the SSO node.
(19) Create the Automator
Create the Automator using a series of commands, starting with automator create.
The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.
The output of the command will display the Automator settings, including metadata from the identity provider.
Note that the "URL" is not populated yet. This will be populated with the Automator URL in the next command.
Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team, team_for_user and device).
NOTE: Replace gcpautomator.lurey.com with the domain name you created in Step 15.
Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:
Initialize the Automator with the new configuration
Enable the service
Testing the User Experience
Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.
Updating the Container
To update the container in Google when there is a new version available from Keeper, run the following commands:
Need help?
If you need assistance, please email commander@keepersecurity.com or open a support ticket.