Interact with GCP directly from Morpheus

Description:
Morpheus is only able to interact with GCP directly using a blueprint. You can add tags or ephemeral IP addresses during this stage. Once the blueprint has run, there is no way to interact with GCP directly from Morpheus. Morpheus already has the GCP service account embedded, but it lacks the ability to call commands using Google Cloud Shell, which would greatly help with workflows.


Example/Use case(s):
Changing or adding network tags, removing ephemeral IP addresses, etc.


I use the Azure/AWS/GCP SDKs that I install locally on my Morpheus appliances. I ensure morpheus-local has access to those modules. I then use local shell task types to execute against them. That said, there is an RBAC to prevent user access to local shell executions for a good precautionary reason.

How are you handling the authentication of the service account password that runs the shell task? A key file stored on the Morpheus appliance? Thanks.

I utilize credentials contained within cypher and use the <%=cypher.read('secret/whatever')%> in my scripts / automation. Cypher doesn’t have to just be a singular string.

Any examples available? I am not seeing anywhere in Morpheus to upload a .json key file for that to work. Thank you.

Anything recent with GCP I’ve been using TF. I think you’ll have the same concept with the SDK. That said, I pasted the contents of the JSON into cypher (cypher does not have to be a single string).

My heavily edited cypher of ‘secret/gcpkey’ is something like:

{
  "type": "service_account",
  "project_id": "mo9",
  "private_key_id": "dae4c944f138",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEse3jvdb79kUnJLPvpSodHd\nYzuf3BZxV0CVYRgDy5EGBk=\n-----END PRIVATE KEY-----\n",
  "client_email": "s@mo9.iam.gserviceaccount.com",
  "client_id": "1099978",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/s%40mo9.iam.gserviceaccount.com"
}
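An added example, not part of the thread or of Morpheus itself: one way a local shell task could consume the key stored at 'secret/gcpkey' without leaving it on the appliance, for the network-tag use case from the original request. The instance name, zone and tag are hypothetical, and the sketch assumes the gcloud SDK is installed for morpheus-local as described above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Morpheus renders the <%= %> tag before
# the task runs; the quoted heredoc stops the shell from expanding anything
# inside the key JSON.
KEY_JSON=$(cat <<'EOF'
<%=cypher.read('secret/gcpkey')%>
EOF
)

# Write key JSON from stdin to a private (0600) temp file and print its path.
# Rejects input that is not a service-account key and leaves no file behind.
write_key_file() {
  local key_path
  key_path=$(umask 077; mktemp "${TMPDIR:-/tmp}/gcpkey.XXXXXX") || return 1
  cat > "$key_path"
  if ! grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key_path"; then
    rm -f "$key_path"
    return 1
  fi
  printf '%s\n' "$key_path"
}

# Authenticate, run one command, then always revoke the login and delete the key.
run_with_key() {
  local key_file rc
  key_file=$(printf '%s' "$KEY_JSON" | write_key_file) || {
    echo "cypher value is not a service-account key" >&2
    return 1
  }
  gcloud auth activate-service-account --key-file="$key_file" --quiet
  rc=$?
  if [ "$rc" -eq 0 ]; then "$@"; rc=$?; fi
  gcloud auth revoke --quiet >/dev/null 2>&1
  rm -f "$key_file"
  return "$rc"
}

# Hypothetical instance, zone and tag: replace with your task inputs.
if command -v gcloud >/dev/null 2>&1; then
  run_with_key gcloud compute instances add-tags example-vm \
    --zone=us-central1-a --tags=example-tag
fi
```

Keeping the RBAC restriction on local shell tasks mentioned earlier matters here, since anyone who can edit such a task can also print the rendered secret.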

Curious if this was able to get you in a good direction @Matt_Sarich

Thanks for the example, I will test this out. Thanks!