Protect Service Installation

Product Installation Guide.

    Preparation

    1. Ensure that all the steps in pre-configuration are performed.

    2. Log in to the Google Cloud account where Protegrity will be installed.

    3. Select the project.

    4. Ensure that you have access to shell command on your computer or Cloud Shell with Terraform CLI v0.14 or higher installed.

    5. Ensure that the Terraform scripts provided by Protegrity are available on your local computer.

    Install Protect Function via Terraform Scripts

    Resources created with Terraform scripts include Protect Cloud Functions Service and other required resources depending on Terraform parameters. If you don’t specify the deployment bucket Terraform parameter, a new storage bucket will also be created. You can optionally choose to create a new service account with custom IAM role.

    To install using Terraform:

    1. From the command shell move to directory where you downloaded Protegrity installation bundle.

    2. Unzip the bundle. Verify that the following files are available:

      • pty-protect-gcp/
      • main.tf
      • outputs.tf
      • protegrity-cloud-api-gcp-{version}.zip
      • README.md

    3. Unzip the protegrity-cloud-protect-gcp-{version}.zip file. Verify that the following files are available:

      • pty-protect-gcp/
      • main.tf
      • outputs.tf
      • protegrity-cloud-protect-gcp-{version}.zip
      • README.md

    4. Open the main.tf file and update Terraform backend information at the top of the file:

      
terraform {
  backend "gcs" {
    bucket  = ""
    prefix  = "protegrity/terraform/pty-protect-gcp/state"
  }
}

    5. In the same main.tf file, specify the following Terraform variables: All the values were recorded in Google Cloud Project.

    Parameter

    Description

    project_id

    The project id recorded in the pre-configuration step

    region

    The Region recorded in the pre-configuration step.

    deployment_id

    Specify short name to identify deployment. This id will be added to all resources deployed with Terraform.

    deployment_bucket

    Use Deployment Bucket Name recorded in pre-configuration or leave empty to create new bucket.

    create_service_account

    Leave this as false if you created service account in pre-configuration. Otherwise set to true.

    protect_function_service_account_email

    Use Protect Function Service account recorded in pre-configuration or leave empty.

    username_regex

    If username_regex is set, the effective policy user will be extracted from the user in the request.

    max_instance_count

    GCP Cloud Functions advanced configuration

    available_memory_mb

    GCP Cloud Functions advanced configuration

    timeout_seconds

    GCP Cloud Functions advanced configuration

    gen2_available_cpu

    2nd Gen Cloud Function advanced configuration

    gen2_container_concurrency

    2nd Gen Cloud Function advanced configuration

    upgrade_step

    Set this variable when upgrading to the latest version.

    deploy_api_gateway

    Deploys GCP API Gateway proxy for Protect Cloud Function service.

    api_gateway_jwt_issuer

    Applicable when deploy_api_gateway = true. Allows setting issuer of JSON Web Token credential used to authenticate calls to API Gateway. Accepts email or URI.

    api_gateway_jwks_uri

    Applicable when deploy_api_gateway = true. Allows setting URI of the authentication provider’s public key set to validate the signature of the JSON Web Token.

    labels

    You can set this map to include labels for deployed resources. Pay attention to GCP label requirements. For more information, refer to the following link https://cloud.google.com/compute/docs/labeling-resources. For example, only use lowercase and maximum length of 63 characters.

    openid_enabled

    When set to true, every request is required to have an Authorization header with the bearer token set to a valid OAuth access token. The following configuration attributes will also be required: OPENID_AUDIENCES, OPENID_ISSUERS, OPENID_METADATA_URL.

    openid_audiences

    Applicable when OPENID_ENABLED= “true”. The JWT token must have the “aud” claim and it must match one of the values in this attribute. Can be either one value or comma separated list.

    openid_issuers

    Applicable when OPENID_ENABLED= “true”. The JWT token must have the “iss” claim and it must match one of the values in this attribute. Can be either one value or comma separated list.

    openid_metadata_url

    Applicable when OPENID_ENABLED= “true”. A URL that points to an OpenID Connect identity provider configuration document, which is also known as OpenID well-known configuration endpoint.

    openid_appid

    Applicable when OPENID_ENABLED= “true”. Validates the provided open_appid is listed in the appid claim. If value is empty, appid claim is ignored.

    Supported Values: ["<appid>", “”]

    authorization

    When equals “jwt”, Authorization Header JWT will be required in the Rest API Protect payload.

    Supported Values: [“jwt”, “”].

    When set to “jwt”, any request without Valid JWT in the Authorization header will result in an error from API Gateway: 502 Bad Gateway.

    *Applies for all configurations of jwt_verify and openid_enabled.

    allow_assume_user

    Applicable when authorization = “jwt”. If set to 0, The user from the payload will not be used, and the policy user is the JWT user.

    Supported Values: [0, 1]. Default Value: 0.

    *Applies for all configurations of jwt_verify and openid_enabled.

    jwt_user_claim

    Applicable when authorization = “jwt”. The JWT payload claim with username. Common claims: name, preferred_username, cognito:username. Default Value: cognito:username.

    *Applies for all configurations of jwt_verify and openid_enabled.

    service_user

    If service_user is set the protect request will use it for the policy user. service_user should be used when the Cloud API should always run as one service_user no matter what user is in the request. service_user will always take priority over any other user in the payload or in the JWT header.

    *Applies for all configurations of jwt_verify and openid_enabled.

    pty_gcp_jwt_header

    When set to true, both Google Cloud access control and Protegrity openid will be supported in two separate headers. This is useful when having access control with GCP IAM (In Authorization header) and the OPENID verification and policy user from JWT in the X-PTY-Authorization header.

    jwt_verify

    When set to 1, jwt_secret_base64 is required. Only applicable when authorization is jwt. Supported JWT Algorithm RS256, RS384, RS512. (HS256, HS384, HS512 are supported but not recommended for use).

    Only applicable when authorization = “jwt”

    Supported Values: [1, “”]

    *Applies for all configurations of openid_enabled.

    jwt_secret_base64

    Required when jwt_verify = 1 and Authorization = JWT. The secret must be provided in base64 encoding. It is recommended to only use public key (asymmetric algorithm).

    applicable when authorization = “jwt” and jwt_verify=1

    Supported Values: [<base64 encoded secret key>, “”]

    min_log_level

    Minimum log level for log forwarder function. One of off|severe|warning|info|config|all. Defaults to ‘severe’

    pty_log_output

    Audit log output. Accepted values: “”(empty string), “pub_sub”.

    audit_log_flush_interval

    Time interval in seconds used to accumulate audit logs before sending to Pub/Sub topic. Default value: 30
                    Min value: 1
                    Max value: 900
                    

    pty_pub_sub_topic

    Pub/Sub topic where audit logs will be sent.

    6. Run the following command.
    ```
terraform init
```

    1. Terraform will download necessary providers.

    2. Run the following command to verify configuration and print out deployment plan.

      terraform plan

    3. Run the following command to deploy resources to your account.

      terraform apply

    4. Once deployment is complete Terraform will print output variables.

    5. Record the following values:

      • protect_function_name: ________________________________
      • protect_function_url: __________________________
      • api_gateway_managed_service: _____________________________
      • api_gateway_protect_service_url: ____________________
      • protect_function_resource_name: _______________________

    Deploy API Gateway (Optional)

    Terraform module provided by Protegrity allows deploying Google API Gateway proxy for the Cloud Protect Service.

    To deploy API Gateway:

    1. In the main.tf file set the following Terraform variables.

      deploy_api_gateway = true
api_gateway_jwt_issuer = "<service-account>@<google-cloud-project-id>.iam.gserviceaccount.com"
api_gateway_jwks_uri = "https://www.googleapis.com/robot/v1/metadata/x509/<service-account>@<google-cloud-project-id>.iam.gserviceaccount.com"

      Below is the brief description of each Terraform variable. You can find more information in the Terraform README file.

    2. Run terraform plan.

    3. Run terraform apply.

    4. Wait for the Terraform apply command to complete.

    5. Once Terraform apply completes, it prints out deployment resources information. Record the following information from the Terraform output.

      api_gateway_managed_service: ___________________

      api_gateway_protect_service_url: ___________________

    6. Follow instructions in the link below to generate JWT token which you can use to authorize request to Protegrity API Gateway endpoint. Use the same service account you configured in section above for api_gateway_jwks_uri.

      https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#create-jwt

      Record identity token returned in step above:

      gcloud_auth_token: ___________________

    7. Run the following CURL command to test API Gateway deployment.

      curl -X POST "{api_gateway_protect_service_url}/api/v1/unprotect" \
        -H 'Authorization:Bearer {gcloud_auth_token}' \
        -d '{ 
          "user": "test",
          "data_element":"alpha",
          "data": ["UtfVk UHgcD!"] 
        }'

    8. Verify the following output:

      {"encoding":"utf8","results":["hello world!"],"success":true}

    Test the Protect Function Installation

    Before continuing with next steps, you can verify whether Cloud Functions are installed correctly. This step is optional and can be skipped.

    1. Below you can find example CURL command to test your function.

    2. Before you can execute it, you need to obtain temporary authentication token. Run the gcloud auth login and then gcloud auth print-identity-token commands. The logged in gcloud user must have the cloudfunctions.functions.invoke permission. Record the output of print identity token command.

      gcloud_auth_token: _________________

    3. Replace {protect_function_url}; with value recorded in previous step.

    4. Replace {gcloud_auth_token} with value recorded in above step.

    5. Run the following CURL command to test Function deployment.

      curl -X POST "{protect_function_url}/pty/v1/unprotect" \
        -H 'Authorization:Bearer {gcloud_auth_token}' \
        -d '{ 
          "user": "test",
          "data_element":"alpha",
          "data": ["UtfVk UHgcD!"] 
        }'

    6. Verify the following output:

      {"encoding":"utf8","results":["hello world!"],"success":true}


    Last modified : March 31, 2026