This document describes how to deploy the pseudonymization proxy to GCP using minimal working configuration. The whole list of advanced configuration options is available in the README.
You will need the following configuration values:
Use this command to generate API token:
$ LC_CTYPE=C tr -dc A-Za-z0-9 </dev/urandom | head -c 48 ; echo ''Use this command to generate salt:
$ LC_CTYPE=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32 ; echo ''- Log into GCP Cloud Console. Select or create a project if needed.
- In Cloud Console, go to API Library - Gmail
- Check that Gmail API is enabled, if not, click
Enable
- Check that Gmail API is enabled, if not, click
- In Cloud Console, go to API Library - Calendar
- Check that Calendar API is enabled, if not, click
Enable
- Check that Calendar API is enabled, if not, click
Go to https://console.cloud.google.com/iam-admin/serviceaccounts. Click Create Service Account.
- Use
til-pseudonymization-serviceas aService account namename - Click
Done - Select the created account from the list
- On the
Detailstab, expandShow domain-wide delegation - Select
Enable Google Workspace Domain-wide Delegation - Click
Save - Now move to the
Keystab - Click
Add Key->Create new key->JSON->Create - Private key gets downloaded to you. Keep the file.
This will provide the service account access to the gsuite data.
Go to https://admin.google.com/
- Click
Securitypanel - Click
API controls - Under
Domain wide delegation, clickManage domain wide delegation - On the next page, click
Add new. - Set client ID. You can find the value in the downloaded private key.
- Set
OAuth scopestohttps://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/calendar.readonly - Click
Authorize
Go to https://console.cloud.google.com/security/secret-manager.
For every of the following secrets, click Create secret, set the Name, e.g. api-token and Secret value.
api-token(use the generated API token)anonymization-salt(use the generated salt)gsuite-client-email(use valueclient_emailfrom the downloaded private key file - without the outer quotation marks)gsuite-private-key(use valueprivate_keyfrom the downloaded private key file - without the outer quotation marks)
This will allow our service account to read the created secrets and write to logs.
Go to https://console.cloud.google.com/iam-admin/iam
- Click
Add - Select your service account in
New members - In
Role:- Select
Secret Manager->Secret Manager Secret Accessor - Select
Logging->Logs Writer
- Select
- Click
Save
Note: for security reasons, we generally recommend creating two different service accounts, one with access to gsuite data (used by proxy itself), one to have access to secrets (used by VM instance). To not overcomplicate things in this howto, we will follow with a single one.
Go to https://console.cloud.google.com/run. Click Create service.
- Select
Deploy one revision from an existing container image- Set
Container image URLtoeu.gcr.io/proxy-272310/proxy:<version>(list of versions)
- Set
- Set
Container portto80 - Set
Service nametotil-pseudonymization-app. - Set
Regionto one ofus-central1oreurope-west-1(based on location).
- Select
CPU is only allocated during request processing
- Set
Minimum number of instancesto0 - Set
Maximum number of instancesto10
- Select
Allow all traffic
- Select
Allow unauthenticated invocations
- Set
Memoryto1 GiB - Set
CPUto2 - Set
Request timeoutto300 - Set
Maximum requests per containerto10
- Set
Service accountcreated in step 5).
- Set the following
Environment variablesusingAdd variable:HTTP_PORT=80GSUITE_SCOPES=https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/calendar.readonlyINTERNAL_DOMAIN_LIST= you internal domainsANONYMIZE_INTERNAL_EMAIL_USERNAME=false(Depending on your anonymization setup)ANONYMIZE_INTERNAL_EMAIL_DOMAIN=false(Depending on your anonymization setup)ANONYMIZE_EXTERNAL_EMAIL_USERNAME=false(Depending on your anonymization setup)ANONYMIZE_EXTERNAL_EMAIL_DOMAIN=false(Depending on your anonymization setup)
Tip: on top of these, you can also set GSUITE_TEST_USER with value being any of your domain accounts,
e.g. somename@yourdomain.com. Pseudonymization service will use it to perform a check upon its start to confirm
it's deployed with a correct configuration. The output is then printed to stdout
and can be viewed in Logs panel.
-
Set the following
SecretsusingReference a secret (Exposed as environment variable)- Secret:
api-token-> Environment:API_TOKEN - Secret:
anonymization-salt-> Environment:ANONYMIZATION_SALT - Secret:
gsuite-client-email-> Environment:GSUITE_CLIENT_EMAIL - Secret:
gsuite-private-key-> Environment:GSUITE_PRIVATE_KEY
- Secret:
-
Click
Create
View logs using View logs in the context menu of your VM instance available here.
You should see a report from the proxy either confirming successful deployment or providing one or more error messages,
which might help to fix the issue.
Example report showing a successful deployment:
==============
RUNNING CHECKS
==============
------
CONFIG
------
• Server options are set - OK
• Can read secrets from Azure Vault - SKIPPED: Azure Key Vault not configured.
• Can read secrets from Google Secret Manager - SKIPPED: Google Secret Manager not configured.
• API token is set - OK
---
APP
---
• Healthcheck is responding - OK
• Diag is responding - OK
• Routes are registered - OK
------
GSUITE
------
• Get calendar list - OK
• Get messages list - OK
Checks total: 9, skipped: 2, failed: 0.
You can also check that proxy is responding to your requests sent from tools like cURL or Postman. To do this, replace these placeholders with real values:
your_url- URL address of the instance in Cloud Runyour_email@your_company.com- any of your GSuite email addressyour_api_key- your API key
curl -X GET https://your_url/healthcheck
curl -X GET https://your_url/www.googleapis.com/gmail/v1/users/your_email@your_company.com/messages \
-H 'Authorization: Bearer your_api_key'
Please contact your account manager and provide him:
- The API key
- Cloud Run URL address