PO Box support in GCP - Deployment playbook


Overview

This playbook provides step-by-step instructions for setting up a GCP deployment of the PO Box. It covers creating a service account with the necessary permissions, giving it access to Google Artifact Registry (GAR), setting up Cloud Storage, and creating a Cloud Run job together with a trigger that runs it every 24 hours with the required configuration.

Prerequisites

  1. A Google Cloud project already exists.

  2. You have the permissions needed to create resources in that project.

  3. The Artifact Registry API and the Cloud Run API are enabled.


Steps for PO Box deployment in GCP

Option 1: Via scripts run in Google Cloud Shell

Log in to https://console.cloud.google.com/ and select the project you set up.
Open Google Cloud Shell from the top right corner of the console.
Copy the scripts below, change the variable values to match your environment, and run them to create the resources.


Step 1: Create Cloud Storage and a service account that can read the Zinc image from GAR

Copy and run the script below. It creates a Cloud Storage bucket (where the Zilla_API_Key will be stored) and a service account, and grants the service account permission to pull the latest Zinc image from GAR.

```bash
#!/bin/bash

# Set Variables
PROJECT_ID="zilla-pobox-project"           # Replace with your project ID
REGION="us-east1"                          # Specify your region
BUCKET_NAME="pobox-storage-bucket"         # GCS Bucket Name
SERVICE_ACCOUNT_NAME="zincimagereader"     # Service account ID: 6-30 lowercase letters, digits or hyphens (gcloud rejects uppercase)
KEY_FILE_NAME="zincImageReader.json"       # Service account key file name
CLOUD_RUN_JOB_NAME="pobox-cloud-run-job"   # Cloud Run Job Name (used in Step 3)
CLOUD_RUN_CONTAINER_NAME="pobox-container" # Container name (used in Step 3)
IMAGE="<Image name>"                       # Replace with your image (e.g., Docker image URL)

# Folder Structure Inside the Bucket (each value already ends with '/')
PARENT_FOLDER="zilla/"
FOLDER1="pobox-config/"
FOLDER2="pobox-output/"

# Enable Required APIs
echo "Enabling required APIs..."
gcloud services enable storage.googleapis.com \
  artifactregistry.googleapis.com \
  run.googleapis.com \
  --project=$PROJECT_ID

# Create Cloud Storage Bucket and Folder Structure
echo "Creating Cloud Storage bucket '$BUCKET_NAME'..."
gsutil mb -p $PROJECT_ID -c STANDARD -l $REGION gs://$BUCKET_NAME/

echo "Creating folder structure inside the 'zilla' folder..."
gsutil cp /dev/null gs://$BUCKET_NAME/${PARENT_FOLDER}${FOLDER1}empty-file.txt
gsutil cp /dev/null gs://$BUCKET_NAME/${PARENT_FOLDER}${FOLDER2}empty-file.txt

# Verify if the bucket was created successfully
BUCKET_EXISTS=$(gsutil ls gs://$BUCKET_NAME/)
if [ -n "$BUCKET_EXISTS" ]; then
  echo "Bucket '$BUCKET_NAME' created successfully in $REGION."
else
  echo "Failed to create bucket '$BUCKET_NAME'."
  exit 1
fi

# Create Service Account
echo "Creating Service Account..."
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME \
  --project=$PROJECT_ID \
  --display-name="Service Account for Cloud Storage and Cloud Run"

# Assign Permissions for Cloud Storage and Cloud Run
echo "Assigning permissions to Service Account..."
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/artifactregistry.reader"   # Read permission for Artifact Registry
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storage.objectAdmin"       # Admin permission for Cloud Storage (project-wide: every bucket in the project)

# Create and Download Service Account Key (JSON)
# The Cloud Run job created in Step 3 runs as this service account and does not use this key.
# The key is a long-lived credential; keep the file only if someone actually needs it.
echo "Creating and downloading the service account key..."
gcloud iam service-accounts keys create $KEY_FILE_NAME \
  --iam-account=$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com \
  --project=$PROJECT_ID

# Output the service account key file location
echo "Service Account '$SERVICE_ACCOUNT_NAME' created successfully."
echo "Service Account key saved to '$KEY_FILE_NAME'."
```
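The Step 1 script grants roles/storage.objectAdmin on the whole project and downloads a JSON key that the Cloud Run job of Step 3 never uses. The script below is an added example and is not part of the playbook: it checks the service account ID and bucket name against GCP's naming rules before any gcloud call (the console-style name zincImageReader would be rejected as an ID because of its uppercase letters), grants the storage role on the one bucket instead of the project, removes the project-wide binding, and lists user-managed keys so an unneeded key can be deleted. The default values are assumed to match Step 1; the script only prints the gcloud commands unless APPLY=1 is set.

```bash
#!/bin/bash
# Added example (not part of the playbook): tighten the Step 1 permissions.
# Defaults below are assumptions matching Step 1; override them via the environment.
# Dry-run by default: prints the gcloud commands. Set APPLY=1 to execute them.
set -eu

PROJECT_ID="${PROJECT_ID:-zilla-pobox-project}"
BUCKET_NAME="${BUCKET_NAME:-pobox-storage-bucket}"
SERVICE_ACCOUNT_NAME="${SERVICE_ACCOUNT_NAME:-zincimagereader}"
APPLY="${APPLY:-0}"

# Full e-mail of the service account created in Step 1
sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$SERVICE_ACCOUNT_NAME" "$PROJECT_ID"; }

# Service account IDs: 6-30 characters, lowercase letters, digits and hyphens,
# starting with a letter and not ending in a hyphen. Validating up front is
# cheaper than a failed 'gcloud iam service-accounts create'.
valid_sa_id() {
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Bucket names as used here: 3-63 characters, lowercase letters, digits,
# dots, underscores and dashes, starting and ending with a letter or digit.
valid_bucket_name() {
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$'
}

# Execute the command, or just print it in dry-run mode
run() { if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

main() {
  valid_sa_id "$SERVICE_ACCOUNT_NAME" || { echo "invalid service account ID: $SERVICE_ACCOUNT_NAME" >&2; return 1; }
  valid_bucket_name "$BUCKET_NAME" || { echo "invalid bucket name: $BUCKET_NAME" >&2; return 1; }

  # Grant object access on this bucket only, then drop the project-wide
  # binding that Step 1 created (order matters so the job never loses access).
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET_NAME" \
    --member="serviceAccount:$(sa_email)" --role="roles/storage.objectAdmin"
  run gcloud projects remove-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$(sa_email)" --role="roles/storage.objectAdmin"

  # The Cloud Run job runs as the service account and needs no JSON key.
  # List user-managed keys so the file created in Step 1 can be deleted
  # with 'gcloud iam service-accounts keys delete' once nobody depends on it.
  run gcloud iam service-accounts keys list --iam-account="$(sa_email)" \
    --project="$PROJECT_ID" --managed-by=user
}
main "$@"
```

The artifactregistry.reader binding is left at project level because the playbook does not say which project holds the Zinc image; if the repository is in your own project, the same scoping can be done with gcloud artifacts repositories add-iam-policy-binding.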

Step 2: Add the Zilla_API_Key to the created Cloud Storage bucket

Store the Zilla_API_Key provided by the Customer Success team at the path below inside the bucket created in Step 1:

zilla/pobox-config


Step 3: Create a Cloud Run job to start the container

Copy and run the script below to create a Cloud Run job that starts the container and mounts the bucket created in Step 1.

```bash
#!/bin/bash

# Set Variables
PROJECT_ID="zilla-pobox-project"            # Replace with your project ID
REGION="us-east1"                           # Specify your region
CLOUD_RUN_JOB_NAME="pobox-cloud-run-job"    # Cloud Run Job Name
CLOUD_RUN_CONTAINER_NAME="pobox-container"  # Container name (not used by the create command below)
IMAGE="<Image name provided by CS team>"    # Replace with your image (e.g., Docker image URL); keep the quotes

# Cloud Storage Bucket details
BUCKET_NAME="pobox-storage-bucket"  # GCS Bucket Name created in Step 1
PARENT_FOLDER="zilla/"
FOLDER1="pobox-config/"
FOLDER2="pobox-output/"

# Service Account Details
SERVICE_ACCOUNT_NAME="zincimagereader"  # Service account created in Step 1

# Environment Variables to be passed to the Cloud Run job
ZILLA_URL="https://app.zillasecurity.com"
TENANT_DOMAIN="<tenant domain>"  # Replace with your tenant domain
USE_FILE_SYSTEM='true'
SECRETS_DIRECTORY_PATH='/mnt/zilla/pobox-config'  # bucket path zilla/pobox-config as seen through the /mnt volume mount
STORAGE_DIRECTORY_PATH='/mnt/zilla/pobox-output'  # bucket path zilla/pobox-output

# Enable Required APIs
echo "Enabling required APIs..."
gcloud services enable run.googleapis.com storage.googleapis.com artifactregistry.googleapis.com --project=$PROJECT_ID

# Create Cloud Run Job with the bucket mounted as a volume at /mnt
echo "Creating Cloud Run Job '$CLOUD_RUN_JOB_NAME'..."
gcloud beta run jobs create $CLOUD_RUN_JOB_NAME \
  --image="$IMAGE" \
  --project=$PROJECT_ID \
  --region=$REGION \
  --service-account=$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com \
  --tasks=1 \
  --max-retries=3 \
  --task-timeout=168h \
  --set-env-vars="ZILLA_URL=$ZILLA_URL,TENANT_DOMAIN=$TENANT_DOMAIN,USE_FILE_SYSTEM=$USE_FILE_SYSTEM,SECRETS_DIRECTORY_PATH=$SECRETS_DIRECTORY_PATH,STORAGE_DIRECTORY_PATH=$STORAGE_DIRECTORY_PATH" \
  --cpu=1 \
  --memory=1Gi \
  --add-volume=name=volume1,type=cloud-storage,bucket=$BUCKET_NAME \
  --add-volume-mount=volume=volume1,mount-path=/mnt

# The bucket is mounted, so the job reads and writes it as ordinary files
echo "Cloud Run job is now created. Bucket '$BUCKET_NAME' is mounted at /mnt:"
echo "  config (Zilla_API_Key) is read from $SECRETS_DIRECTORY_PATH and output is written to $STORAGE_DIRECTORY_PATH"

# Verify if Cloud Run Job was created successfully
if gcloud run jobs describe $CLOUD_RUN_JOB_NAME --project=$PROJECT_ID --region=$REGION >/dev/null 2>&1; then
  echo "Cloud Run Job '$CLOUD_RUN_JOB_NAME' created successfully."
else
  echo "Failed to create Cloud Run Job '$CLOUD_RUN_JOB_NAME'."
  exit 1
fi
```

Navigate to the created job and click EXECUTE to start it.

Verify the logs to confirm the deployment succeeded.

Step 4: Restart the container every 24 hours to pull the latest Zinc image (a scheduler trigger, as set up in Option 2, Step 4)

Option 2: Manually through the Google Cloud console

Step 1: Create a service account for reading the Zinc image from GAR and give it the necessary permissions

  • On the Service Accounts page, click the Create Service Account button at the top.

Service account name: zincImageReader

Service account ID: auto-generated from the name you provide (you can leave it as it is).

Service account description: optionally, provide a description such as "Service account for reading the Zinc image from Artifact Registry".

You can skip the optional steps; click Create and Continue, then Done.

Copy the email of the service account you just created and send it to the Customer Success team so they can grant it the Artifact Registry Reader role on GAR.

Step 2: Create a Cloud Storage bucket to hold the access token provided by Zilla

Create the bucket, then click CONTINUE and CREATE.

Create a folder named zilla, and inside it the folders pobox-config and pobox-output.

Store the Zilla access token provided by the CS team inside the pobox-config folder.

Step 3: Create a Cloud Run job that uses the service account to pull the image

Ensure your Zinc image is stored in Google Artifact Registry (GAR) and that you have already created a service account with the Artifact Registry Reader role (as described in the previous step).

  • In the left-hand menu, go to Menu (☰) > Cloud Run.
    Click DEPLOY CONTAINER > Job to create a new job.


Step 4: Set up a scheduler trigger to pull the image every 24 hours

Navigate to the job created in the previous step and go to TRIGGERS → ADD SCHEDULER TRIGGER.

Fill in the Name, Region and Frequency, then click CONTINUE and CREATE.
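The scheduler trigger described above (and the Step 4 of Option 1, which the playbook leaves without a script) can also be created from Cloud Shell. The script below is an added example, not part of the playbook: it grants the service account roles/run.invoker on this one job only, rather than on the project, and creates a Cloud Scheduler job that calls the Cloud Run Admin API v2 ":run" endpoint of the job on a unix-cron schedule. The daily 02:00 schedule, the scheduler job name and the other defaults are assumptions matching Steps 1 and 3; the script only prints the gcloud commands unless APPLY=1 is set.

```bash
#!/bin/bash
# Added example (not part of the playbook): run the Cloud Run job every 24 hours
# via Cloud Scheduler. Defaults are assumptions matching Steps 1 and 3.
# Dry-run by default: prints the gcloud commands. Set APPLY=1 to execute them.
set -eu

PROJECT_ID="${PROJECT_ID:-zilla-pobox-project}"
REGION="${REGION:-us-east1}"
CLOUD_RUN_JOB_NAME="${CLOUD_RUN_JOB_NAME:-pobox-cloud-run-job}"
SERVICE_ACCOUNT_NAME="${SERVICE_ACCOUNT_NAME:-zincimagereader}"
SCHEDULER_JOB_NAME="${SCHEDULER_JOB_NAME:-pobox-daily-trigger}"  # assumed name
SCHEDULE="${SCHEDULE:-0 2 * * *}"   # 02:00 every day, unix-cron syntax (assumed)
APPLY="${APPLY:-0}"

# Full e-mail of the service account created in Step 1
sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$SERVICE_ACCOUNT_NAME" "$PROJECT_ID"; }

# Cloud Run Admin API v2 endpoint that starts one execution of the job
run_job_uri() {
  printf 'https://run.googleapis.com/v2/projects/%s/locations/%s/jobs/%s:run' \
    "$PROJECT_ID" "$REGION" "$CLOUD_RUN_JOB_NAME"
}

# Accept only five-field unix-cron expressions (digits, '*', '/', ',' and '-').
# Cloud Scheduler also accepts App Engine strings such as "every 24 hours";
# this helper deliberately admits only the unix-cron form used here.
is_unix_cron() {
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[0-9*/,-]+( [0-9*/,-]+){4}$'
}

# Execute the command, or just print it in dry-run mode
run() { if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

main() {
  is_unix_cron "$SCHEDULE" || { echo "not a unix-cron schedule: $SCHEDULE" >&2; return 1; }

  run gcloud services enable cloudscheduler.googleapis.com --project="$PROJECT_ID"

  # Least privilege: the account may start this one job, nothing else in the project
  run gcloud run jobs add-iam-policy-binding "$CLOUD_RUN_JOB_NAME" \
    --project="$PROJECT_ID" --region="$REGION" \
    --member="serviceAccount:$(sa_email)" --role="roles/run.invoker"

  # Scheduler calls the :run endpoint with an OAuth token for the service account
  run gcloud scheduler jobs create http "$SCHEDULER_JOB_NAME" \
    --project="$PROJECT_ID" --location="$REGION" \
    --schedule="$SCHEDULE" --uri="$(run_job_uri)" --http-method=POST \
    --oauth-service-account-email="$(sa_email)"
}
main "$@"
```

Each scheduled execution starts a fresh task from the image reference configured on the job, which is what pulls the latest Zinc image; if the job was created with an immutable tag or digest, the image has to be updated on the job for a new version to be picked up.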
