Deploying Cased Shell on Google Cloud Run

A guide on how to deploy Cased Shell on Google Cloud Run.

Setup

1. Begin by running these commands.
gcloud iam service-accounts create cased-shell
gcloud run deploy cased-shell \
--service-account=cased-shell \
--port=8888 \
--allow-unauthenticated \
--source=. \
--set-env-vars="CASED_SHELL_SECRET=default"
2. Obtain the URL of the deployed service
3. Create a Cased Shell instance with a matching hostname at https://app.cased.com
4. Obtain the value of CASED_SHELL_SECRET from the settings tab
5. Enable Certificate Authentication on the settings tab

Deployment

gcloud run deploy cased-shell \
--service-account=cased-shell \
--port=8888 \
--allow-unauthenticated \
--source=. \
--set-env-vars="CASED_SHELL_HOSTNAME=<your hostname>,CASED_SHELL_SECRET=<your secret>"

Connecting to resources in a VPC

Create a VPC:
gcloud compute networks create cased-shell-example-vpc --subnet-mode=auto --mtu=1460 --bgp-routing-mode=regional
gcloud compute firewall-rules create allow-ssh --network cased-shell-example-vpc --allow tcp:22,icmp
And an instance within the VPC:
gcloud compute instances create example-bastion --image-project debian-cloud --image-family debian-11 --zone=us-central1-a --network=cased-shell-example-vpc
Update jump.yaml to point it to the internal IP address of the bastion node.
Note: Stay tuned for support for auto-detecting Google Cloud Compute instances in the near future!

Configure the bastion instance

Create a user on the instance and add the SSH certificate to the user's authorized_keys file. The -f flag makes curl fail on an HTTP error instead of appending the error page to authorized_keys:
gcloud compute ssh [email protected] --command="curl -fsS https://<Cased Shell Hostname>/.ssh/authorized_keys >> ~/.ssh/authorized_keys"
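The command above appends whatever the HTTP response body is to authorized_keys, and runs it again on every invocation. As an added check (example code, not part of the Cased Shell docs or project), the script below validates that each fetched line is an authorized_keys entry before anything is written, and skips lines that are already present. The function names and the fixture key material are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the Cased Shell docs. Validate fetched
# authorized_keys content before appending it, and keep the append idempotent.
set -eu

# is_authorized_key LINE -> 0 if LINE looks like an authorized_keys entry:
# optional options prefix without embedded spaces (e.g. cert-authority,no-pty),
# an OpenSSH key type (plain or -cert-v01@openssh.com), a base64 blob, and an
# optional free-form comment.
is_authorized_key() {
  printf '%s\n' "$1" | grep -Eq \
    '^([A-Za-z0-9_=,"+/:.@-]+ )?((ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))(-cert-v01@openssh\.com)?|sk-(ssh-ed25519|ecdsa-sha2-nistp256)(-cert-v01)?@openssh\.com) [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# merge_authorized_keys FETCHED TARGET
# Appends every valid, not-yet-present line of FETCHED to TARGET and prints the
# number of lines added. Returns 1 without writing anything if FETCHED holds
# a line that is not an authorized_keys entry (for example an HTML error page).
merge_authorized_keys() {
  local fetched="$1" target="$2" line added=0
  # Pass 1: refuse the whole file if any non-comment line is not a key entry.
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    if ! is_authorized_key "$line"; then
      echo "refusing to install: fetched content is not an authorized_keys file" >&2
      return 1
    fi
  done < "$fetched"
  # Pass 2: append only lines that are not already present (exact match).
  mkdir -p "$(dirname "$target")"
  [ -f "$target" ] || : > "$target"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    if ! grep -qxF -- "$line" "$target"; then
      printf '%s\n' "$line" >> "$target"
      added=$((added + 1))
    fi
  done < "$fetched"
  chmod 600 "$target"
  echo "$added"
}

# Demo on a constructed fixture: the base64 blobs are placeholders, not real keys.
demo() {
  local tmp; tmp="$(mktemp -d)"
  cat > "$tmp/fetched" <<'EOF'
cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE cased-shell-ca
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLE+EXAMPLE/EXAMPLE== ops@example
EOF
  merge_authorized_keys "$tmp/fetched" "$tmp/authorized_keys"   # prints 2
  merge_authorized_keys "$tmp/fetched" "$tmp/authorized_keys"   # prints 0, already present
  rm -rf "$tmp"
}

# Usage on the bastion, replacing the bare curl >> authorized_keys:
#   curl -fsS "https://<Cased Shell Hostname>/.ssh/authorized_keys" -o /tmp/cased.keys \
#     && merge_authorized_keys /tmp/cased.keys ~/.ssh/authorized_keys
```

Validation happens in a first pass over the whole file so that a partially valid download never leaves a half-written authorized_keys; the exact-line duplicate check means the command can be re-run safely when the served keys change.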
Optionally, add the following to the end of ~/.bashrc so that each user of the bastion node authenticates individually with their own Google Cloud account. gcloud credentials are written under a per-session temporary HOME that is removed when the session ends:
# Create and enter a temporary directory
dir="$HOME/$$"
mkdir -p "$dir"
cd "$dir" || return
# Clean it up when we're done
trap "rm -rf $dir" EXIT
export HOME="$dir"
# Log in to gcloud when the shell is interactive or the command involves gcloud
if [ "$0" = "-bash" ] || grep -q "gcloud" <<< "$BASH_EXECUTION_STRING"; then
  gcloud config set account NONE
  gcloud auth login --brief --no-launch-browser
fi

Create a VPC Connector

gcloud compute networks vpc-access connectors create cased-shell-vpc-connector \
--network cased-shell-example-vpc \
--region us-central1 \
--range 10.8.0.0/28

Re-deploy the shell and connect it to your VPC

gcloud run deploy cased-shell \
--service-account=cased-shell \
--port=8888 \
--allow-unauthenticated \
--source=. \
--set-env-vars="CASED_SHELL_HOSTNAME=<your hostname>,CASED_SHELL_SECRET=<your secret>" \
--vpc-connector=cased-shell-vpc-connector

Connect to Google Cloud OAuth to enable Cloud Shell integration

  • Visit the Cloud Console: https://console.cloud.google.com
  • Select or create a project from the top right project dropdown
  • In the project Dashboard center pane, choose "API Manager"
  • In the left Nav pane, choose "Credentials"
  • In the center pane, choose "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.
  • In the center pane, choose "Credentials" tab.
    • Open the "New credentials" drop down
    • Choose "OAuth client ID"
    • Choose "Web application"
    • Application name is freeform, choose something appropriate
    • Authorized JavaScript origins can be blank
    • Authorized redirect URIs is https://$CASED_SHELL_HOSTNAME/oauth/auth/callback
  • Choose "Create"
  • Add Client ID and Client Secret to .env:
echo "GCLOUD_OAUTH_CLIENT_ID=EXAMPLE_1234" >> .env
echo "GCLOUD_OAUTH_CLIENT_SECRET=YOUR_SECRET_000000000000" >> .env
  • Generate cookie encryption tokens and add to .env:
echo "COOKIE_SECRET=$(openssl rand -hex 32)" >> .env
echo "COOKIE_ENCRYPT=$(openssl rand -hex 16)" >> .env
Now deploy again:
gcloud run deploy cased-shell \
--source=. \
--region=us-central1 \
--service-account=cased-shell \
--port=8888 \
--allow-unauthenticated \
--vpc-connector=cased-shell-vpc-connector \
--set-env-vars="$(cat .env | tr '\n' ',')"
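The `tr '\n' ','` one-liner above works only while .env has no blank or comment lines and no value contains a comma. As an added example (not code from the Cased Shell docs or project), the script below builds the `--set-env-vars` value from a .env file using gcloud's alternate-delimiter syntax (`^@^` makes `@` the separator, see `gcloud topic escaping`), rejects malformed lines, and checks that the keys this guide relies on are present before anything is deployed. The function names and the sample .env contents are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the Cased Shell docs. Turn a .env file into a safe
# --set-env-vars argument for gcloud run deploy.
set -eu

# Keys the deployment steps on this page set; extend if your .env needs more.
REQUIRED_KEYS="CASED_SHELL_HOSTNAME CASED_SHELL_SECRET"

# build_env_vars FILE
# Prints a value for --set-env-vars, or returns 1 with a message on stderr
# when FILE is malformed or misses a required key.
build_env_vars() {
  local file="$1" line key value out="" missing=""
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    # Skip blank lines and comments.
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"
    value="${line#*=}"
    # A line without "=" leaves key == line; keys must be identifiers.
    if [ "$key" = "$line" ] || ! printf '%s' "$key" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'; then
      echo "malformed line in $file: $line" >&2
      return 1
    fi
    # "@" is the separator we pass to gcloud, so a value containing it
    # cannot be encoded this way; commas are fine.
    case "$value" in
      *@*) echo "value for $key contains '@'; pick another delimiter" >&2; return 1 ;;
    esac
    out="${out:+$out@}$key=$value"
  done < "$file"
  for k in $REQUIRED_KEYS; do
    grep -Eq "^$k=" "$file" || missing="$missing $k"
  done
  if [ -n "$missing" ]; then
    echo "missing required keys in $file:$missing" >&2
    return 1
  fi
  printf '^@^%s\n' "$out"
}

# Demo on a constructed .env; none of these values are real credentials.
demo() {
  local tmp; tmp="$(mktemp)"
  cat > "$tmp" <<'EOF'
# constructed sample .env
CASED_SHELL_HOSTNAME=shell.example.com
CASED_SHELL_SECRET=s3cr3t,with,commas
GCLOUD_OAUTH_CLIENT_ID=EXAMPLE_1234
EOF
  build_env_vars "$tmp"
  rm -f "$tmp"
}

# Usage in the deploy command from this page:
#   gcloud run deploy cased-shell ... --set-env-vars="$(build_env_vars .env)"
```

Because the function exits non-zero on a missing key, a deploy written as `--set-env-vars="$(build_env_vars .env)"` inside a `set -e` script stops before a service is rolled out with a placeholder secret or no hostname.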

Setting up persistent, pluggable storage for custom deployments on Google Cloud

Cased uses the official Google Cloud client directly, so credentials are picked up automatically from the Cloud Run service account. Create a bucket:
gsutil mb gs://cased-shell-EXAMPLE
Grant the service account the objectAdmin role on the bucket:
gsutil iam ch \
<serviceAccount:cased-[email protected]>:objectAdmin,legacyBucketReader \
gs://cased-shell-EXAMPLE
Add the bucket name to the environment:
echo "STORAGE_GOOGLE_CLOUD_BUCKET=cased-shell-EXAMPLE" >> .env
echo "STORAGE_BACKEND=gcs" >> .env
Now deploy again:
gcloud run deploy cased-shell \
--source=. \
--region=us-central1 \
--service-account=cased-shell \
--port=8888 \
--allow-unauthenticated \
--vpc-connector=cased-shell-vpc-connector \
--set-env-vars="$(cat .env | tr '\n' ',')"