- Created by Dev Raj Gautam, last modified on Aug 22, 2024
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 3 Next »
This document outlines the necessary steps to deploy the GCP Connector and correctly configure the environment. It covers the instructions for,
Project Creation in GCP:
A new project will be created in Google Cloud Platform (GCP) where the EID SCIM microservice will be deployed.Artifacts for Account Store Creation:
After deployment, the following artifacts will be available for use in the Account Store creation wizard:Service Account Email (SA2)
.p12 Service Account Key Certificate
App Engine Host Name: The base URL where the microservice is deployed.
JWT Target Audience (TA1)
This document is intended for readers involved in deploying the microservice or troubleshooting related issues. It provides step-by-step instructions tailored for deployment teams. Additionally, it offers crucial information on key service accounts and configurations to be done in GCP that may be essential during troubleshooting .
This document assumes that readers have expertise in system deployment and installation. It may be subject to further revisions and updates to accommodate the needs of other administrative users.
Service Accounts & JWT Target Audiences.
This section outlines the service accounts and JWT target audiences essential for deploying the GCP Connector environment. Two service accounts, SA1 and SA2, are utilized for authentication and authorization purposes. Additionally, two JWT target audiences, TA1 and TA2, are used.
Service Accounts
Two service accounts will be used:
SA1: This is an App Engine default service account (or another specific account you configure). It is attached to the microservice running in the App Engine. The microservice uses this service account to authenticate with the Google API. It is an ambient account available to the microservice and is only used for deployment purposes.
SA2: This service account is used for OAuth2 authentication from EID to the microservice. The microservice needs to be deployed behind the Identity-Aware Proxy (IAP), which will check for authentication. This is the service account to enter in EID during the Account Creation wizard.
JWT Target Audiences
Two different JWT target audience values will be used:
TA1: This is the target audience to be entered in EID during Account Store creation. The value is the OAuth 2.0 Client ID of the Credentials in the APIs & Services of the GCP. It typically looks like
636363636363-p97kufa1jh000800m2k6cu01ork7xxxx.apps.googleusercontent.com
.TA2: This is the target audience of the verification JWT token attached by the IAP in the requests to the microservice. It is verified by the microservice and usually appears as
/projects/741662800000/apps/appname
and is only used for deployment purposes.
Installation Steps
Open the Cloud Console: https://console.cloud.google.com/
Create a new project
Enable the APIs for that project
IAM Service Account Credentials API
Admin SDK API
Cloud Resource Manager API
Identity and Access Management (IAM) API
Cloud Asset API
Deploy the microservice to the app engine
Get the gcloud CLI: Install the gcloud CLI | Google Cloud CLI Documentation
From the command line, run: gcloud init
Navigate to the package folder and run: gcloud app deploy
Note: you’ll need to deploy it twice. Below, you’ll find another step requiring you to deploy it with the updated config. This time is for the app to get created and to enable the Identity-Aware Proxy, and the second time - to deploy it with the updated appsettings.json containing the correct IAP OAuth Client ID for the JWT token verification.
Enable the domain-wide delegation for the App Engine service account (SA1)
Get the ClientID of the App Engine service account (SA1)
Go to App Engine → Settings of your project
See the service account email
Go to IAM & Admin → Service Accounts
Find that service account and see the Client ID column
Open the Admin console: https://admin.google.com/
Security → Access and Data Control → API Controls → Manage Domain-wide Delegation
Input the Client ID obtained at the previous step
Scopes:
At the project level, grant the Service Account Token Creator role to the App Engine service account (SA1)
In the Cloud Console, Go to IAM & Admin → IAM
Click Grant Access
Enter the service account (SA1) email address and select the role
Create an IAP service account (SA2) for EID → MS connectivity and generate or upload a key for it
Go to IAM & Admin → Service Accounts
Create a service account
Navigate to the newly created service account page
Navigate to Keys
Add Key → Create New Key → .p12
Note: alternatively, you can upload an existing certificate public key.
Enable the identity-aware proxy
Go to IAM & Admin → Identity-Aware Proxy
When enabling, configure the OAuth consent screen. Choosing “Only for internal users” is ok.
Enable it for the microservice app (App Engine app).
Grant the IAP-secured Web App User role to service account 2 (SA2) for the microservice app.
Get the JWT target audience for EID (TA1):
Go to APIs & Services → Credentials
See the OAuth 2.0 Client IDs section. Find your application and copy the Client ID value, that is your TA1, target audience to enter on the Account Store creation in EmpowerID.
Get the JWT target audience of the IAP JWT token for the microservice (TA2):
Go to IAM & Admin → Identity-Aware Proxy
Find the App Engine App in the table, scroll right, click the three dots icon, click Get JWT Audience Code
Configure the JWT verification values in the appsettings.json:
MicroserviceConfiguration.DomainWideDelegationUser - organization admin email
MicroserviceConfiguration.IapJwtExpectedAudience: set it to the value obtained at the previous step (TA2)
Deploy again (gcloud app deploy)
Get the app engine's’s public URL
Go to App Engine → Services
In the grid, see the “default” hyperlink in the Service column. That hyperlink address is the microservice base url. It looks like https://yourappname.uc.r.appspot.com/
Navigating to that will actually not work, the IAP will ask you to authenticate and you won’t be able to (unless you’ve granted your own account the IAP-secured Web App User role too, like you did to the SA2).
Verify Deployment
While there are various methods to test if the deployment was successful, you can use the following techniques to validate its functionality:
Account Store and Inventory:
Create an account store to manage user accounts.
Perform an inventory to verify the correct population of data within the account store.
IAM Role Verification
Grant yourself the "IAP-secured Web App User" role to access your App Engine or at the project level.
Navigate to the app's public URL. Wait for the role grant to take effect (typically takes around 2 minutes). Check for a 404 error. If you see a 404 error, it indicates that the role grant has taken effect and the application is working as expected.
Access the
/QueryOrganizations
endpoint. If the deployment is successful, you should see a JSON response containing information about one organization.Revoke the "IAP-secured Web App User" role to ensure security.
IN THIS ARTICLE
- No labels