Interact with GCP directly from Morpheus

Matt_Sarich · January 2, 2024, 2:45pm

Description:
Morpheus is only able to interact with GCP directly using a blueprint. You can add tags or ephemeral IP addresses during this stage. Once the blueprint has run, there is no way to interact with GCP directly from Morpheus. Morpheus already has the GCP service account embedded, but it lacks the ability to call commands using Google cloud shell which would greatly help with workflows.

Example/Use case(s):
Changing or adding network tags, removing ephemeral IP addresses, etc.

cbunge · January 2, 2024, 2:48pm

I use Azure/AWS/GCP SDK that I install locally on my Morpheus appliances. I ensure morpheus-local has access to those modules. I then use local shell task types to execute against them. That said, there is an RBAC to prevent users access to local shell executions for a good precautionary reason.

Matt_Sarich · January 3, 2024, 9:51pm

How are you handling the authentication of the service account password that runs the shell task? A Key file stored on the morpheus appliance? Thanks.

cbunge · January 4, 2024, 7:23pm

I utilize credentials contained within cypher and use the <%=cyper.read('secret/whatever')%> in my scripts / automation. Cypher doesn’t have to just be a singular string.

Matt_Sarich · January 5, 2024, 9:03pm

Any examples available? I am not seeing anywhere in morpheus to upload a .json key file for that to work. Thank you.

cbunge · January 5, 2024, 10:29pm

Anything recent with GCP I’ve been using TF. I think you’ll have the same concept with the sdk. That said, I pasted the contents of the JSON into cypher (cypher does not have to be single string).

My heavily edited cypher of ‘secret/gcpkey’ is something like:

{
  "type": "service_account",
  "project_id": "mo9",
  "private_key_id": "dae4c944f138",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEse3jvdb79kUnJLPvpSodHd\nYzuf3BZxV0CVYRgDy5EGBk=\n-----END PRIVATE KEY-----\n",
  "client_email": "s@mo9.iam.gserviceaccount.com",
  "client_id": "1099978",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/s%40mo9.iam.gserviceaccount.com"
}

cbunge · January 10, 2024, 9:43pm

Curious if this was able to get you in a good direction @Matt_Sarich

Matt_Sarich · January 22, 2024, 2:27pm

Thanks for the example, I will test this out. Thanks!

cbunge · May 4, 2024, 12:00pm

This topic was automatically closed after 3 days. New replies are no longer allowed.

Topic		Replies	Views
Google Cloud Source Repo Automation/IaC integrations	2	314	September 28, 2023
Edit Instance Configuration Before Deployment Provisioning & Self Service automation , python , variables , workflows , provisioning	3	698	June 29, 2022
Changing the instance hostname with a workflow/task Provisioning & Self Service automation	8	486	July 21, 2023
Creating a custom Task Plugin that can access secrets from Cypher and HashiCorp Vault Plugins automation , cypher , plugins , tasks	0	351	October 11, 2023
Power Shell Task execution on Windows Instance Automation/IaC automation	3	273	September 20, 2023

Interact with GCP directly from Morpheus

Related topics