Deploying Cased Shell on Google Cloud Run

Setup
1.Begin by running these commands.
1
gcloud iam service-accounts create cased-shell
2
​
3
gcloud run deploy cased-shell \
4
  --service-account=cased-shell \
5
  --port=8888 \
6
  --allow-unauthenticated \
7
  --source=. \
8
  --set-env-vars="CASED_SHELL_SECRET=default"
Copied!

2. Obtain the URL of the deployed service
3. Create a Cased Shell instance with a matching hostname at https://app.cased.com​
4. Obtain the value of CASED_SHELL_SECRET from the settings tab
5. Enable Certificate Authentication on the settings tab
Deployment
1
gcloud run deploy cased-shell \
2
  --service-account=cased-shell \
3
  --port=8888 \
4
  --allow-unauthenticated \
5
  --source=. \
6
  --set-env-vars="CASED_SHELL_HOSTNAME=<your hostname>,CASED_SHELL_SECRET=<your secret>"
Copied!
Connecting to resources in a VPC
Create a VPC:
1
gcloud compute networks create cased-shell-example-vpc --subnet-mode=auto --mtu=1460 --bgp-routing-mode=regional
2
gcloud compute firewall-rules create allow-ssh --network cased-shell-example-vpc --allow tcp:22,icmp
Copied!
And an instance within the VPC:
1
gcloud compute instances create example-bastion --image-project debian-cloud --image-family debian-11 --zone=us-central1-a --network=cased-shell-example-vpc
Copied!
Update jump.yaml to point it to the internal IP address of the bastion node.
Note: Stay tuned for support for auto-detecting Google Cloud Compute instances in the near future!
Configure the bastion instance
Create a user on the instance and add the SSH certificate to the user's authorized_keys file:
1
gcloud compute ssh [email protected] --command="curl https://<Cased Shell Hostname>/.ssh/authorized_keys >> ~/.ssh/authorized_keys"
Copied!
Optionally, add the following to the end of ~/.bashrc to individually authenticate users of bastion node with their own Google Cloud accounts:
1
# Create and enter a temporary directory
2
dir=$HOME/$
3
mkdir -p $dir
4
cd $dir
5
​
6
# Clean it up when we're done
7
trap "rm -rf $dir" EXIT
8
​
9
export HOME=$dir
10
​
11
# Login to gcloud when commands are interactive or gcloud related
12
if [ "$0" == "-bash" ] || grep -q "gcloud" <<< "$BASH_EXECUTION_STRING"; then
13
  gcloud config set account NONE
14
  gcloud auth login --brief --no-launch-browser
15
fi
Copied!
Create a VPC Connector
​https://cloud.google.com/vpc/docs/configure-serverless-vpc-access#create-connector​
1
gcloud compute networks vpc-access connectors create cased-shell-vpc-connector \
2
--network cased-shell-example-vpc \
3
--region us-central1 \
4
--range 10.8.0.0/28
Copied!
Re-deploy the shell and connect it to your VPC
1
gcloud run deploy cased-shell \
2
  --service-account=cased-shell \
3
  --port=8888 \
4
  --allow-unauthenticated \
5
  --source=. \
6
  --set-env-vars="CASED_SHELL_HOSTNAME=<your hostname>,CASED_SHELL_SECRET=<your secret>" \
7
  --vpc-connector=cased-shell-vpc-connector
Copied!
Connect to Google Cloud OAuth to enable Cloud Shell integration
Visit the Cloud Console: https://console.cloud.google.com​
Select or create a project from the top right project dropdown
In the project Dashboard center pane, choose "API Manager"
In the left Nav pane, choose "Credentials"
In the center pane, choose "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.
In the center pane, choose "Credentials" tab.
Open the "New credentials" drop down
Choose "OAuth client ID"
Choose "Web application"
Application name is freeform, choose something appropriate
Authorized JavaScript origins can be blank
Authorized redirect URIs is https://$CASED_SHELL_HOSTNAME/oauth/auth/callback
Choose "Create"
Add Client ID and Client Secret to .env:
1
echo "GCLOUD_OAUTH_CLIENT_ID=EXAMPLE_1234" >> .env
2
echo "GCLOUD_OAUTH_CLIENT_SECRET=YOUR_SECRET_000000000000" >> .env
Copied!
Generate cookie encryption tokens and add to .env:
1
echo "COOKIE_SECRET=$(openssl rand -hex 32)" >> .env
2
echo "COOKIE_ENCRYPT=$(openssl rand -hex 16)" >> .env
Copied!
Now deploy again:
1
gcloud run deploy cased-shell \
2
  --source=. \
3
  --region=us-central1 \
4
  --service-account=cased-shell \
5
  --port=8888 \
6
  --allow-unauthenticated \
7
  --vpc-connector=cased-shell-vpc-connector \
8
  --set-env-vars="$(cat .env | tr '\n' ',')"
Copied!
Setting up persistent, pluggable storage for custom deployments on Google Cloud
Cased uses the official Google Cloud client directly so credentials are automatically managed using this pattern.
​Create a bucket:
1
gsutil mb gs://cased-shell-EXAMPLE
Copied!
Grant the service account the objectAdmin role on the bucket:
1
gsutil iam ch \\
2
  <serviceAccount:cased-[email protected]>:objectAdmin,legacyBucketReader \\
3
  gs://cased-shell-EXAMPLE
Copied!
Add the bucket name to the environment:
1
echo "STORAGE_GOOGLE_CLOUD_BUCKET=cased-shell-EXAMPLE" >> .env
2
echo "STORAGE_BACKEND=gcs" >> .env
Copied!
Now deploy again:
1
gcloud run deploy cased-shell \
2
  --source=. \
3
  --region=us-central1 \
4
  --service-account=cased-shell \
5
  --port=8888 \
6
  --allow-unauthenticated \
7
  --vpc-connector=cased-shell-vpc-connector \
8
  --set-env-vars="$(cat .env | tr '\n' ',')"
Copied!
​

Web Shell - Previous

Deploying Cased Shell to Amazon ECS

Next - Web Shell

Deploying Cased Shell on Heroku

Last modified 21d ago

Copy link

Contents

Setup

Deployment

Connecting to resources in a VPC

Configure the bastion instance

Create a VPC Connector

Re-deploy the shell and connect it to your VPC

Connect to Google Cloud OAuth to enable Cloud Shell integration

Setting up persistent, pluggable storage for custom deployments on Google Cloud