Deployment with Azure App Services
This guide provides step-by-step instructions to instantiate Keeper Automator as a Web App within Azure App Services. Azure App Services is also available for hosting the Automator in environments such as GCC High and DoD.
Open a command line interface and generate a 256-bit AES key in URL-encoded format using one of the methods below, depending on your operating system:
Save the resulting value for Step (6), where it becomes the AUTOMATOR_CONFIG_KEY application setting.
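The key required here is 32 random bytes in URL-safe base64. The following is an added example (not from Keeper's documentation or tooling) that generates such a key with Python's standard library and, more usefully, validates a value before it is pasted into the AUTOMATOR_CONFIG_KEY setting: it rejects standard base64 (containing + or /) and keys that are not exactly 256 bits. Whether the Automator expects the trailing "=" padding to be present or stripped is an assumption, so the validator accepts both forms.

```python
import base64
import binascii
import secrets

KEY_BYTES = 32  # 256-bit AES key
# URL-safe base64 alphabet (RFC 4648 section 5), padding handled separately
ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def generate_config_key() -> str:
    """Return a fresh 256-bit key as URL-safe base64 without padding.

    Stripping the "=" padding is an assumption about the expected format;
    validate_config_key() accepts the value with or without it.
    """
    raw = secrets.token_bytes(KEY_BYTES)  # CSPRNG, never random.random()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def validate_config_key(value: str) -> bool:
    """True only if value is URL-safe base64 decoding to exactly 32 bytes.

    Catches the common mistakes: a standard-base64 key containing '+' or '/',
    a truncated paste, or a 128-bit key generated by the wrong command.
    """
    body = value.rstrip("=")
    if not body or any(c not in ALLOWED for c in body):
        return False
    padded = body + "=" * (-len(body) % 4)  # restore padding for the decoder
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == KEY_BYTES


if __name__ == "__main__":
    key = generate_config_key()
    print(key)  # paste this value into AUTOMATOR_CONFIG_KEY
    print("valid:", validate_config_key(key))
```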
From the Azure portal, create a new Web App: type App Services in the search bar, then select Create + Web App.
Select or create a new Resource Group
Set the Instance Name
Set Publish to "Docker Container"
Set Operating System to "Linux"
Select the region where you would like the service hosted
Select your Linux Plan or create a new plan. The pricing plan should be at minimum Premium V3 P0V3, but the appropriate tier will also depend on the end-user environment.
Proceed to the Docker section.
In the "Docker" step, make the following selections:
Options: "Single Container"
Image Service: "Docker Hub"
Access Type: "Public"
Image and tag: keeper/automator:latest
Proceed to the Monitoring section.
Set "Enable Application Insights" to Yes.
Select or create a new Application Insights workspace.
Proceed to the Review + create section.
Click "Review + Create" and then click "Create".
After a few minutes, the web app will be created and automatically start up.
Clicking on "Go to Resource" will take you to the container environment.
Make note of the Default domain value; it is needed to set up and initialize the Automator service.
Go to the Configuration section and select "New application setting". Depending on the portal version, the environment variable settings may instead be found under Environment variables.
Create the following application settings (environment variables) with their respective values:
AUTOMATOR_CONFIG_KEY -> the value generated in Step 1 of this guide
AUTOMATOR_PORT -> 8089
SSL_MODE -> none
WEBSITES_PORT -> 8089
Click Apply.
Select Diagnostic settings and then select "+ Add diagnostic setting"
Give the diagnostic setting a name.
Select "App Service Console logs"
Select "App Service Application logs"
Select "Send to Log Analytics workspace"
Select or set up a new Log Analytics workspace.
Select Logs from the main menu. Click the "X" to close the Queries window.
To see the Docker deployment and startup logs, query the AppServicePlatformLogs table.
To see the application error logs, query the AppServiceConsoleLogs table.
Select App Service Logs from the main menu under the Monitoring section. Then select File System under Application logging and set a retention period according to your preference.
Click Save.
Select Log Stream from the main menu under the Overview section to verify the Automator service is connected and logging correctly
Select Health check from the main menu under the Monitoring section. Then Enable the health check function and set the Path value to "/health". Click Save to save the configuration, and Save again to confirm changes.
In the Networking section you can set up simple access rules or configure Azure Front Door.
Select Networking from the main menu and click on "Enabled with no access restrictions".
Under Access Restrictions, select "Enabled from select virtual networks and IP addresses" and "Allow" as the unmatched rule action. Click +Add to add inbound access rules.
Under Add Rule, add the inbound firewall rules. Restrict traffic to the Keeper published IP addresses marked as "Network Firewall Setup" for your region, as listed on the Ingress Requirements page. Click Add Rule.
Before saving, review the rule list and the unmatched rule action: only a Deny unmatched action blocks traffic from sources outside the listed ranges.
Click Save to save the configuration.
Keeper Commander is required to perform the final step of Automator configuration. It can be run from anywhere; it does not need to be installed on the server.
On your workstation or server, install Keeper Commander CLI. The installation instructions including binary installers are here:
https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup
After Commander is installed, launch Keeper Commander, or from an existing terminal type keeper shell to open the session, then log in using the login command. To set up Automator, you must log in as a Keeper Administrator, or as an Admin with the ability to manage the SSO node.
Create the Automator using a series of commands, starting with automator create.
The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.
The output of the command displays the Automator settings, including metadata from the identity provider.
Note that the "URL" is not populated yet; this is the Default domain value from Step 5.
Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team, team_for_user and device).
Next, exchange keys: the enterprise private key, encrypted with the Automator public key, is provided to the Automator:
Initialize the Automator with the new configuration
Enable the service
At this point, the configuration is complete.
For external health checks, you can use the URL below:
https://<server>/health
Example curl command:
Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito window to the Keeper Web Vault and log in with SSO Cloud. You will not be prompted for device approval.