Cased Documentation
Search…
⌃K

Deploying Cased Shell on Google Cloud Run

A guide on how to deploy Cased Shell on Google Cloud Run.

Setup

  1. 1.
    Begin by running these commands.
gcloud iam service-accounts create cased-shell
gcloud run deploy cased-shell \
--service-account=cased-shell \
--port=8888 \
--allow-unauthenticated \
--source=. \
--set-env-vars="CASED_SHELL_SECRET=default"
2. Obtain the URL of the deployed service
3. Create a Cased Shell instance with a matching hostname at https://app.cased.com
4. Obtain the value of CASED_SHELL_SECRET from the settings tab
5. Enable Certificate Authentication on the settings tab

Deployment

gcloud run deploy cased-shell \
--service-account=cased-shell \
--port=8888 \
--allow-unauthenticated \
--source=. \
--set-env-vars="CASED_SHELL_HOSTNAME=<your hostname>,CASED_SHELL_SECRET=<your secret>"

Connecting to resources in a VPC

Create a VPC:
gcloud compute networks create cased-shell-example-vpc --subnet-mode=auto --mtu=1460 --bgp-routing-mode=regional
gcloud compute firewall-rules create allow-ssh --network cased-shell-example-vpc --allow tcp:22,icmp
And an instance within the VPC:
gcloud compute instances create example-bastion --image-project debian-cloud --image-family debian-11 --zone=us-central1-a --network=cased-shell-example-vpc
Update jump.yaml to point it to the internal IP address of the bastion node.
Note: Stay tuned for support for auto-detecting Google Cloud Compute instances in the near future!

Configure the bastion instance

Create a user on the instance and add the SSH certificate to the user's authorized_keys file:
gcloud compute ssh [email protected] --command="curl https://<Cased Shell Hostname>/.ssh/authorized_keys >> ~/.ssh/authorized_keys"
Optionally, add the following to the end of ~/.bashrc to individually authenticate users of bastion node with their own Google Cloud accounts:
# Create and enter a temporary directory
dir=$HOME/$$
mkdir -p $dir
cd $dir
# Clean it up when we're done
trap "rm -rf $dir" EXIT
export HOME=$dir
# Login to gcloud when commands are interactive or gcloud related
if [ "$0" == "-bash" ] || grep -q "gcloud" <<< "$BASH_EXECUTION_STRING"; then
gcloud config set account NONE
gcloud auth login --brief --no-launch-browser
fi

Create a VPC Connector

gcloud compute networks vpc-access connectors create cased-shell-vpc-connector \
--network cased-shell-example-vpc \
--region us-central1 \
--range 10.8.0.0/28

Re-deploy the shell and connect it to your VPC

gcloud run deploy cased-shell \
--service-account=cased-shell \
--port=8888 \
--allow-unauthenticated \
--source=. \
--set-env-vars="CASED_SHELL_HOSTNAME=<your hostname>,CASED_SHELL_SECRET=<your secret>" \
--vpc-connector=cased-shell-vpc-connector

Connect to Google Cloud OAuth to enable Cloud Shell integration

  • Visit the Cloud Console: https://console.cloud.google.com
  • Select or create a project from the top right project dropdown
  • In the project Dashboard center pane, choose "API Manager"
  • In the left Nav pane, choose "Credentials"
  • In the center pane, choose "OAuth consent screen" tab. Fill in "Product name shown to users" and hit save.
  • In the center pane, choose "Credentials" tab.
    • Open the "New credentials" drop down
    • Choose "OAuth client ID"
    • Choose "Web application"
    • Application name is freeform, choose something appropriate
    • Authorized JavaScript origins can be blank
    • Authorized redirect URIs is https://$CASED_SHELL_HOSTNAME/oauth/auth/callback
  • Choose "Create"
  • Add Client ID and Client Secret to .env:
echo "GCLOUD_OAUTH_CLIENT_ID=EXAMPLE_1234" >> .env
echo "GCLOUD_OAUTH_CLIENT_SECRET=YOUR_SECRET_000000000000" >> .env
  • Generate cookie encryption tokens and add to .env:
echo "COOKIE_SECRET=$(openssl rand -hex 32)" >> .env
echo "COOKIE_ENCRYPT=$(openssl rand -hex 16)" >> .env
Now deploy again:
gcloud run deploy cased-shell \
--source=. \
--region=us-central1 \
--service-account=cased-shell \
--port=8888 \
--allow-unauthenticated \
--vpc-connector=cased-shell-vpc-connector \
--set-env-vars="$(cat .env | tr '\n' ',')"

Setting up persistent, pluggable storage for custom deployments on Google Cloud

Cased uses the official Google Cloud client directly so credentials are automatically managed using this pattern.
gsutil mb gs://cased-shell-EXAMPLE
Grant the service account the objectAdmin role on the bucket:
gsutil iam ch \\
<serviceAccount:cased-[email protected]>:objectAdmin,legacyBucketReader \\
gs://cased-shell-EXAMPLE
Add the bucket name to the environment:
echo "STORAGE_GOOGLE_CLOUD_BUCKET=cased-shell-EXAMPLE" >> .env
echo "STORAGE_BACKEND=gcs" >> .env
Now deploy again:
gcloud run deploy cased-shell \
--source=. \
--region=us-central1 \
--service-account=cased-shell \
--port=8888 \
--allow-unauthenticated \
--vpc-connector=cased-shell-vpc-connector \
--set-env-vars="$(cat .env | tr '\n' ',')"