Learn how to deploy 1Password SCIM Bridge on Cloud Run using the Cloud Shell in Google Cloud.
This guide can be used to deploy 1Password SCIM Bridge as an ingress container for a single replica Cloud Run service with the required Redis cache deployed as a sidecar container. Credentials are stored in Secret Manager and mounted as volumes attached to the SCIM bridge container.
The included Cloud Run service YAML manifests are suitable for use in a production environment without modification, but are intentionally minimal for simplicity, to allow any identity provider to connect to its public endpoint, and to facilitate its use as a base for a customized deployment.
Complete the necessary preparation steps to deploy 1Password SCIM Bridge. You'll also need a Google Cloud account with permissions to create a project, set up billing, and enable Google Cloud APIs to create and manage secrets in Secret Manager.
Note
If you don't have a Google Cloud account, you can sign up for a free trial with starting credit: https://console.cloud.google.com/freetrial
- Sign in to the Google Cloud console and activate Cloud Shell: https://console.cloud.google.com?cloudshell=true
- Create a project to organize the Google Cloud resources for your 1Password SCIM Bridge deployment, and set it as the default project for your Cloud Shell environment:
gcloud projects create op-scim-bridge --set-as-default
Tip
If you have already created a project for your SCIM bridge, set it as the default project for this Cloud Shell session. For example:
gcloud config set project op-scim-bridge
- Enable the Secret Manager and Cloud Run APIs for your project:
gcloud services enable secretmanager.googleapis.com run.googleapis.com
- Set the default region for Cloud Run:
gcloud config set run/region us-central1
Note
All region-bound resources created in the following steps will be created in the specified region. You may replace us-central1 in the above command with your preferred region.
The Cloud Run service for the SCIM bridge will be configured to mount a volume using a secret from Secret Manager. Follow these steps to upload your scimsession credentials file to the Cloud Shell, create a secret, and store the file contents as its first secret version:
- Click ⋮ (More) > Upload in the Cloud Shell terminal menu bar.
- Click Choose Files. Select the scimsession file that you saved to your computer.
- Use the suggested destination directory. Click Upload.
Note
If the file is saved to a different directory or using a different file name, make a note of the full path to the file.
- Create a secret with the contents of this file as its first secret version using the following command:
gcloud secrets create scimsession --data-file=$HOME/scimsession
Tip
The command above is expected to work as is if the file is named scimsession and was saved to the home directory when uploading the file. If not, replace $HOME/scimsession with the actual path to the file. For example:
gcloud secrets create scimsession --data-file=/example/path/to/scimsession.file
- Enable Cloud Run to access the secret using the Compute Engine default service account for the project:
gcloud secrets add-iam-policy-binding scimsession --member=serviceAccount:$( gcloud iam service-accounts list --filter="$( gcloud projects describe op-scim-bridge --format="value(projectNumber)" )-compute@developer.gserviceaccount.com" --format="value(email)" ) --role=roles/secretmanager.secretAccessor
Run this command to stream the op-scim-bridge.yaml Cloud Run service YAML from this repository, use it to deploy 1Password SCIM Bridge inline, and enable public ingress for your SCIM bridge so that you and your identity provider can connect to its public endpoint:
curl --silent --show-error \
https://raw.githubusercontent.com/1Password/scim-examples/main/beta/google-cloud-run/op-scim-bridge.yaml |
gcloud run services replace - &&
gcloud run services add-iam-policy-binding op-scim-bridge --member=allUsers --role=roles/run.invoker &&
gcloud run services describe op-scim-bridge --format="value(status.url)"
The final line of the above chained command should output a URL for the HTTPS endpoint provided by Cloud Run. This is your SCIM bridge URL.
Use your SCIM bridge URL to test the connection and view status information. For example:
curl --silent --show-error --request GET --header "Accept: application/json" \
--header "Authorization: Bearer mF_9.B5f-4.1JqM" \
https://op-scim-bridge-example-uc.a.run.app/health
Replace mF_9.B5f-4.1JqM with your bearer token and https://op-scim-bridge-example-uc.a.run.app with your SCIM bridge URL.
Example JSON response:
{
  "build": "209031",
  "version": "2.9.3",
  "reports": [
    {
      "source": "ConfirmationWatcher",
      "time": "2024-04-25T14:06:09Z",
      "expires": "2024-04-25T14:16:09Z",
      "state": "healthy"
    },
    {
      "source": "RedisCache",
      "time": "2024-04-25T14:06:09Z",
      "expires": "2024-04-25T14:16:09Z",
      "state": "healthy"
    },
    {
      "source": "SCIMServer",
      "time": "2024-04-25T14:06:56Z",
      "expires": "2024-04-25T14:16:56Z",
      "state": "healthy"
    },
    {
      "source": "StartProvisionWatcher",
      "time": "2024-04-25T14:06:09Z",
      "expires": "2024-04-25T14:16:09Z",
      "state": "healthy"
    }
  ],
  "retrievedAt": "2024-04-25T14:06:56Z"
}
Similar information is presented graphically by accessing your SCIM bridge URL in a web browser. Sign in with your bearer token to view status information and download container log files.
Important
If Google Workspace is your identity provider, additional steps are required: connect your 1Password SCIM Bridge to Google Workspace.
To finish setting up automated user provisioning, connect your identity provider to your SCIM bridge.
Important
If Google Workspace is your identity provider, alternate steps are required: update your SCIM bridge when Google Workspace is your IdP
- Sign in to the Google Cloud console and activate Cloud Shell: https://console.cloud.google.com?cloudshell=true
- Redeploy your SCIM bridge using the latest version of the Cloud Run services YAML from this directory in our repository:
curl --silent --show-error \
https://raw.githubusercontent.com/1Password/scim-examples/main/beta/google-cloud-run/op-scim-bridge.yaml |
gcloud run services replace -
Tip
Check for 1Password SCIM Bridge updates on the SCIM bridge release notes website.
- Test your SCIM bridge deployment using your bearer token.
The new version number that you updated to should appear in the health check, the container logs for 1Password SCIM Bridge, and the top left-hand side of the page if signing in to the SCIM bridge at its URL in a web browser. After you sign in to your SCIM bridge, the Automated User Provisioning page in your 1Password account will also update with the latest access time and SCIM bridge version.
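The health check above and the post-update version check can both be automated instead of read by eye. The following is an added example, not code from 1Password or the scim-examples repository: it evaluates a /health response of the shape shown earlier (top-level version and retrievedAt plus a reports list), flags any report whose state is not healthy or whose expires timestamp has already passed, and optionally confirms the version you expect after an update. The sample payload is constructed for the example; the bearer token and URL used to fetch a real response are not part of it.

```python
import json
from datetime import datetime

# Constructed sample based on the response shape shown in the guide, with the
# RedisCache report already expired and the SCIMServer report marked unhealthy.
SAMPLE_HEALTH = json.loads("""{
  "build": "209031",
  "version": "2.9.3",
  "reports": [
    {"source": "ConfirmationWatcher", "time": "2024-04-25T14:06:09Z",
     "expires": "2024-04-25T14:16:09Z", "state": "healthy"},
    {"source": "RedisCache", "time": "2024-04-25T13:50:00Z",
     "expires": "2024-04-25T14:00:00Z", "state": "healthy"},
    {"source": "SCIMServer", "time": "2024-04-25T14:06:56Z",
     "expires": "2024-04-25T14:16:56Z", "state": "unhealthy"}
  ],
  "retrievedAt": "2024-04-25T14:06:56Z"
}""")


def _parse_ts(value: str) -> datetime:
    # The bridge emits RFC 3339 UTC timestamps with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_health(payload: dict, expected_version: str = "") -> list[str]:
    """Return a list of problems; an empty list means every report is good.

    A report is a problem if its state is not "healthy" or if its "expires"
    timestamp is not after "retrievedAt" (a component that stopped reporting
    keeps its last state while the entry goes stale). The optional expected
    version check covers the verification step after an update.
    """
    problems = []
    retrieved = _parse_ts(payload["retrievedAt"])
    if expected_version and payload.get("version") != expected_version:
        problems.append(f"version {payload.get('version')!r} != expected {expected_version!r}")
    for report in payload.get("reports", []):
        source = report.get("source", "?")
        if report.get("state") != "healthy":
            problems.append(f"{source}: state {report.get('state')!r}")
        if _parse_ts(report["expires"]) <= retrieved:
            problems.append(f"{source}: report expired at {report['expires']}")
    return problems


if __name__ == "__main__":
    # Exit non-zero when anything is wrong so this can gate a deployment pipeline.
    issues = evaluate_health(SAMPLE_HEALTH, expected_version="2.9.3")
    print("\n".join(issues) or "healthy")
    raise SystemExit(1 if issues else 0)
```

To check a live bridge, pipe the output of the curl command from the guide into json.loads and pass the result to evaluate_health.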