Deploying Cased Shell on Google Cloud Run
A guide on how to deploy Cased Shell on Google Cloud Run.

Setup

1. Begin by running these commands:
    gcloud iam service-accounts create cased-shell

    gcloud run deploy cased-shell \
      --service-account=cased-shell \
      --port=8888 \
      --allow-unauthenticated \
      --source=. \
      --set-env-vars="CASED_SHELL_SECRET=default"
2. Obtain the URL of the deployed service
3. Create a Cased Shell instance with a matching hostname at https://app.cased.com
4. Obtain the value of CASED_SHELL_SECRET from the settings tab
5. Enable Certificate Authentication on the settings tab

Deployment

gcloud run deploy cased-shell \
  --service-account=cased-shell \
  --port=8888 \
  --allow-unauthenticated \
  --source=. \
  --set-env-vars="CASED_SHELL_HOSTNAME=<your hostname>,CASED_SHELL_SECRET=<your secret>"

Connecting to resources in a VPC

Create a VPC:
gcloud compute networks create cased-shell-example-vpc --subnet-mode=auto --mtu=1460 --bgp-routing-mode=regional
gcloud compute firewall-rules create allow-ssh --network cased-shell-example-vpc --allow tcp:22,icmp
And an instance within the VPC:
gcloud compute instances create example-bastion --image-project debian-cloud --image-family debian-11 --zone=us-central1-a --network=cased-shell-example-vpc
Update jump.yaml to point it to the internal IP address of the bastion node.
Note: Stay tuned for support for auto-detecting Google Cloud Compute instances in the near future!

Configure the bastion instance

Create a user on the instance and add the SSH certificate to the user's authorized_keys file:
gcloud compute ssh [email protected] --command="curl https://<Cased Shell Hostname>/.ssh/authorized_keys >> ~/.ssh/authorized_keys"
Optionally, add the following to the end of ~/.bashrc to individually authenticate users of the bastion node with their own Google Cloud accounts:
# Create and enter a temporary directory
dir=$HOME/$
mkdir -p "$dir"
cd "$dir"

# Clean it up when we're done
trap 'rm -rf "$dir"' EXIT

export HOME=$dir

# Login to gcloud when commands are interactive or gcloud related
if [ "$0" == "-bash" ] || grep -q "gcloud" <<< "$BASH_EXECUTION_STRING"; then
  gcloud config set account NONE
  gcloud auth login --brief --no-launch-browser
fi

Create a VPC Connector

gcloud compute networks vpc-access connectors create cased-shell-vpc-connector \
  --network cased-shell-example-vpc \
  --region us-central1 \
  --range 10.8.0.0/28

Re-deploy the shell and connect it to your VPC

gcloud run deploy cased-shell \
  --service-account=cased-shell \
  --port=8888 \
  --allow-unauthenticated \
  --source=. \
  --set-env-vars="CASED_SHELL_HOSTNAME=<your hostname>,CASED_SHELL_SECRET=<your secret>" \
  --vpc-connector=cased-shell-vpc-connector

Connect to Google Cloud OAuth to enable Cloud Shell integration

  • Visit the Cloud Console: https://console.cloud.google.com
  • Select or create a project from the top right project dropdown
  • In the project Dashboard center pane, choose "API Manager"
  • In the left Nav pane, choose "Credentials"
  • In the center pane, choose "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.
  • In the center pane, choose "Credentials" tab.
    • Open the "New credentials" drop down
    • Choose "OAuth client ID"
    • Choose "Web application"
    • Application name is freeform, choose something appropriate
    • Authorized JavaScript origins can be blank
    • Authorized redirect URIs is https://$CASED_SHELL_HOSTNAME/oauth/auth/callback
  • Choose "Create"
  • Add Client ID and Client Secret to .env:
    echo "GCLOUD_OAUTH_CLIENT_ID=EXAMPLE_1234" >> .env
    echo "GCLOUD_OAUTH_CLIENT_SECRET=YOUR_SECRET_000000000000" >> .env
  • Generate cookie encryption tokens and add to .env:
    echo "COOKIE_SECRET=$(openssl rand -hex 32)" >> .env
    echo "COOKIE_ENCRYPT=$(openssl rand -hex 16)" >> .env
Now deploy again:
gcloud run deploy cased-shell \
  --source=. \
  --region=us-central1 \
  --service-account=cased-shell \
  --port=8888 \
  --allow-unauthenticated \
  --vpc-connector=cased-shell-vpc-connector \
  --set-env-vars="$(cat .env | tr '\n' ',')"
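
The deploy command above expands .env into --set-env-vars by swapping newlines for commas. The following is an added example, not part of the Cased documentation: it lints .env for values that break or weaken that step (commas inside a value, placeholders left in place, cookie keys of the wrong length) and builds the list without a trailing comma. The function names are hypothetical, and the expected key lengths are an assumption taken from the openssl rand commands above.

```shell
#!/bin/sh
# Added example (not from the Cased docs): lint the .env file before it is
# expanded into --set-env-vars. Expected lengths are an assumption taken from
# the openssl commands in this guide.

# is_hex VALUE LENGTH -> succeeds if VALUE is exactly LENGTH lowercase hex chars
is_hex() {
  printf '%s' "$1" | grep -Eq "^[0-9a-f]{$2}\$"
}

# check_env FILE -> one finding per line on stdout; exit status 1 if any finding
check_env() (
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    key=${line%%=*}
    value=${line#*=}
    if [ "$key" = "$line" ] || [ -z "$key" ]; then
      echo "malformed line (no KEY=): $line"; rc=1; continue
    fi
    case $value in
      *,*) echo "$key: comma in value splits the --set-env-vars list"; rc=1 ;;
    esac
    case $value in
      default|*EXAMPLE*|YOUR_SECRET*|'<'*'>')
        echo "$key: placeholder or bootstrap value still in place"; rc=1 ;;
    esac
    case $key in
      COOKIE_SECRET)
        is_hex "$value" 64 || { echo "$key: want 64 hex chars (openssl rand -hex 32)"; rc=1; } ;;
      COOKIE_ENCRYPT)
        is_hex "$value" 32 || { echo "$key: want 32 hex chars (openssl rand -hex 16)"; rc=1; } ;;
    esac
  done < "$1"
  exit "$rc"
)

# env_vars_arg FILE -> KEY=VALUE pairs joined with commas, no trailing comma
env_vars_arg() {
  grep -v '^$' "$1" | paste -sd, -
}

# Usage: check_env .env && gcloud run deploy ... --set-env-vars="$(env_vars_arg .env)"
```
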

Setting up persistent, pluggable storage for custom deployments on Google Cloud

Cased uses the official Google Cloud client directly, so credentials are managed automatically using this pattern. Create a bucket:
gsutil mb gs://cased-shell-EXAMPLE
Grant the service account the objectAdmin role on the bucket:
gsutil iam ch \
  <serviceAccount:cased-[email protected]>:objectAdmin,legacyBucketReader \
  gs://cased-shell-EXAMPLE
Add the bucket name to the environment:
echo "STORAGE_GOOGLE_CLOUD_BUCKET=cased-shell-EXAMPLE" >> .env
echo "STORAGE_BACKEND=gcs" >> .env
Now deploy again:
gcloud run deploy cased-shell \
  --source=. \
  --region=us-central1 \
  --service-account=cased-shell \
  --port=8888 \
  --allow-unauthenticated \
  --vpc-connector=cased-shell-vpc-connector \
  --set-env-vars="$(cat .env | tr '\n' ',')"