Running the Keeper Automator service on the Google Cloud platform with Cloud Run
This guide provides step-by-step instructions to run the Keeper Automator service on Google Cloud, specifically using the GCP Cloud Run service. The Automator is also protected by the Google Armor service in order to restrict access to Keeper's infrastructure IPs.
From the Google Cloud console () create a new project.
Then click "Select Project" on this new project.
For this documentation, we'll use the Google Cloud Shell from the web interface. Click to activate the Cloud Shell or install this on your local machine.
Note the Project ID, which in this case is keeper-automator-439714. This Project ID will be used in subsequent commands.
If you haven't done so, you must link a valid Billing account to the project. This is performed in the Google Cloud user interface from the Billing menu.
From the Cloud Shell, generate a 256-bit AES key in URL-encoded format:
Example key: 6C45ibUhoYqkTD4XNFqoZoZmslvklwyjQO4ZqLdUECs=
Save the resulting Key in Keeper. This will be used as an environment variable when deploying the container. This key ensures that ephemeral containers will be configured at startup.
You need to select a region for the service to run. The available region codes can be found by using the following command:
For this example, we will use us-east1
Run the below 2 commands, replacing "us-east1" with your preferred value from Step 5
Create a file called cloudbuild.yaml that contains the following content, ensuring to replace the string "us-east1" with your preferred location from Step 5. Leave all other content the same.
Replace us-east1 with your preferred location from
Upload this file through the Cloud Shell user interface, or create the text file in the cloud shell.
From the Cloud Shell, execute the following:
Then execute the build:
This will sync the latest Automator container to your Google Artifact Registry.
The following command will deploy the Keeper Automator service to Google Cloud Run from your Artifact Registry. This service is limited to internal access and load balancers only.
Note the following:
[PROJECT_ID] needs to be replaced by your Project ID as found in Step 2
XXX is replaced with the configuration key that you created in Step 3 above.
AUTOMATOR_PORT tells the container to listen on port 8080
The Keeper system is going to communicate with your Automator service through a publicly routable DNS name. In this example, I'm using gcpautomator.lurey.com. In order to set this up, you need to first create a managed SSL certificate. The command for this is below.
Replace gcpautomator.lurey.com with your desired name
The next command links the Cloud Run service to a Google Cloud Load Balancer.
Replace us-east1 with the region of your Cloud Run service from .
This creates a backend service that links to the Cloud Run service:
This attaches the NEG to the backend service.
Replace us-east1 with the desired location specified in
Get the IP address and note for later:
The IP address must be mapped to a valid DNS.
In your DNS provider, set up an A-record pointing to the IP.
This step is important. Ensure that the desired domain name is pointing to the IP address provided. This step must be performed in your DNS provider directly.
Create a global forwarding rule to direct incoming requests to the target proxy:
The Keeper Automator service should be restricted to only the necessary IPs as discussed on the page.
Let's create a Cloud Armor Security Policy to restrict access to certain IP addresses
In this step, we will attach IPs Keeper's US Data Center as found . Additional rules can be created as you see fit.
We recommend adding your external IP to this list, so that you can test the Automator service
We will also add a default "deny" rule to restrict other traffic:
Finally, attach the Cloud Armor security policy to the backend service
At this point, the Automator service should be running and the service should be exposed only to the Keeper infrastructure.
The next step is to finish the configuration with the Keeper Commander utility.
Keeper Commander is required to perform the final step of Automator configuration. This can be run from anywhere, it does not need to be installed on the server.
On your workstation or server, install Keeper Commander CLI. The installation instructions including binary installers are here:
After Commander is installed, launch Keeper Commander, or from an existing terminal you can type keeper shell to open the session, then login using the login command. In order to set up Automator, you must login as a Keeper Administrator, or an Admin with the ability to manage the SSO node.
Create the Automator using a series of commands, starting with automator create
The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.
The output of the command will display the Automator settings, including metadata from the identity provider.
Note that the "URL" is not populated yet. This will be populated with the automator URL.
Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team, team_for_user and device).
NOTE: Replace gcpautomator.lurey.com with the domain name you created in
Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:
Initialize the Automator with the new configuration
Enable the service
Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.
To update the container in Google when there is a new version available from Keeper, run the following commands:
Repeat
Repeat
If you need assistance, please email [email protected] or open a .
SSL_MODE allows the SSL connection to terminate with the load balancerDISABLE_SNI_CHECK allows the request to complete behind the load balancer
The mininum number of instances is 1, which is acceptable in most environments.
If min/max is not set, the service will drop to zero instances and startup on the first request
A
gcpautomator.lurey.com
xx.xx.xx.xx
60
openssl rand -base64 32gcloud services enable run.googleapis.com artifactregistry.googleapis.comgcloud run regions listgcloud artifacts repositories create keeper-automator-repo \
--repository-format=docker \
--location=us-east1 \
--description="Artifact registry for Keeper Automator service"gcloud auth configure-docker us-east1-docker.pkg.devsteps:
- name: 'gcr.io/cloud-builders/docker'
args: ['pull', 'keeper/automator:latest']
- name: 'gcr.io/cloud-builders/docker'
args: [
'tag',
'keeper/automator:latest',
'us-east1-docker.pkg.dev/$PROJECT_ID/keeper-automator-repo/keeper-automator:latest'
]
- name: 'gcr.io/cloud-builders/docker'
args: [
'push',
'us-east1-docker.pkg.dev/$PROJECT_ID/keeper-automator-repo/keeper-automator:latest'
]
images:
- 'us-east1-docker.pkg.dev/$PROJECT_ID/keeper-automator-repo/keeper-automator:latest'
gcloud services enable cloudbuild.googleapis.comgcloud builds submit --config cloudbuild.yamlgcloud run deploy keeper-automator \
--image us-east1-docker.pkg.dev/[PROJECT ID]/keeper-automator-repo/keeper-automator:latest \
--platform managed \
--region us-east1 \
--allow-unauthenticated \
--ingress internal-and-cloud-load-balancing \
--min-instances 1 \
--max-instances 2 \
--set-env-vars "AUTOMATOR_CONFIG_KEY=XXX,AUTOMATOR_PORT=8080,DISABLE_SNI_CHECK=true,SSL_MODE=none"gcloud compute ssl-certificates create automator-compute-certificate \
--domains gcpautomator.lurey.com \
--globalgcloud compute network-endpoint-groups create keeper-automator-neg \
--region us-east1 \
--network-endpoint-type=serverless \
--cloud-run-service keeper-automatorgcloud compute backend-services create keeper-automator-backend \
--global \
--protocol HTTPgcloud compute backend-services add-backend keeper-automator-backend \
--global \
--network-endpoint-group keeper-automator-neg \
--network-endpoint-group-region us-east1gcloud compute url-maps create keeper-automator-url-map \
--default-service keeper-automator-backendgcloud compute target-https-proxies create keeper-automator-target-proxy \
--url-map keeper-automator-url-map \
--ssl-certificates automator-compute-certificategcloud compute addresses create keeper-automator-ip --globalgcloud compute addresses listgcloud compute forwarding-rules create keeper-automator-forwarding-rule \
--global \
--target-https-proxy keeper-automator-target-proxy \
--ports 443 \
--address keeper-automator-ipgcloud compute security-policies create allow-specific-ips-policy --description "Allow specific IPs"gcloud compute security-policies rules create 1000 \
--security-policy allow-specific-ips-policy \
--src-ip-ranges 54.208.20.102,34.203.159.189 \
--action allowgcloud compute security-policies rules create 2000 \
--security-policy allow-specific-ips-policy \
--action deny-404 \
--src-ip-ranges '*'gcloud compute backend-services update keeper-automator-backend \
--global \
--security-policy allow-specific-ips-policy$ keeper shell
My Vault> login [email protected]
_ __
| |/ /___ ___ _ __ ___ _ _
| ' </ -_) -_) '_ \/ -_) '_|
|_|\_\___\___| .__/\___|_|
v16.x.xxx |_|
password manager & digital vault
Logging in to Keeper Commander
Enter password for [email protected]
Password: ********************
Successfully authenticated with Master Password
Syncing...
Decrypted [58] record(s)
My Vault>My Vault> automator create --name "My Automator" --node "Azure Cloud" Automator ID: XXXX
Name: My Automator
URL:
Enabled: No
Initialized: No
Skills: Device Approvalautomator edit --url https://gcpautomator.lurey.com --skill=team --skill=team_for_user --skill=device "My Automator"automator setup "My Automator"automator init "My Automator"automator enable "My Automator"
