cloudrun-secure.sh
Overview
The cloudrun-secure.sh script is designed to deploy the Zoo Animal MCP server to Google Cloud Run with enforced authentication, ensuring secure access to the service. Unlike public or unauthenticated deployments, this script configures the Cloud Run service to require valid identity tokens for any incoming requests, thereby protecting the server endpoints from unauthorized access.
This deployment approach is essential for production environments or sensitive applications where data privacy and access control are critical. The script leverages Google Cloud CLI commands to generate identity tokens and invoke the deployment with appropriate flags to disable unauthenticated access.
Script Breakdown and Functionality
The script is a short shell script containing two main steps:
echo "Deploying Cloud Run End Point in Secure Mode"
export ID_TOKEN=$(gcloud auth print-identity-token)
gcloud run deploy zoo-mcp-server \
--no-allow-unauthenticated \
--region=europe-west1 \
--source=. \
--labels=dev-tutorial=codelab-gde-medium-secure
Detailed Explanation
echo "Deploying Cloud Run End Point in Secure Mode"
Prints a message indicating the start of a secure deployment process.
export ID_TOKEN=$(gcloud auth print-identity-token)
Generates and exports an identity token for the currently authenticated user or service account.
Purpose: This token is used for authenticating requests to the deployed Cloud Run service.
Usage: The deployment command itself does not use the token; exporting it makes it available to any later commands that run in the same shell process and interact with the service securely (a script executed as ./cloudrun-secure.sh cannot export variables into the caller's shell, so they must be sourced or regenerated there).
gcloud run deploy zoo-mcp-server
Executes the deployment command for the Cloud Run service named zoo-mcp-server.
Key flags and parameters used:
--no-allow-unauthenticated: Disables public access, requiring every request to present a valid identity token.
--region=europe-west1: Specifies the geographic region where the Cloud Run service will be deployed.
--source=.: Indicates that the source code and container build context is the current directory.
--labels=dev-tutorial=codelab-gde-medium-secure: Adds metadata labels tagging the deployment for identification and management.
Usage Example
To use this script effectively, the user should ensure:
1. They are authenticated with the gcloud CLI and have the necessary IAM roles to deploy Cloud Run services.
2. The Google Cloud project and environment variables are properly configured (typically by sourcing set_env.sh and running init.sh, as described in Cloud Run Deployment Automation).
3. Run the script from the root directory of the source code containing the MCP server:
./cloudrun-secure.sh
This will initiate a secure deployment that enforces authentication for all requests to the zoo-mcp-server.
Important Implementation Details
Identity Token Generation: The script explicitly exports an identity token using gcloud auth print-identity-token. This token is essential for secured API clients to authenticate with the Cloud Run service after deployment. Token generation must happen in an authenticated CLI session.
Authentication Enforcement: The flag --no-allow-unauthenticated instructs Cloud Run to reject any request that does not carry a valid identity token, ensuring that only authorized users or services can access the MCP server APIs.
Source-Based Build: Deploying with --source=. triggers Cloud Run to build the container image directly from the source code in the current directory. This avoids the need to push pre-built images to a container registry.
Labeling: The deployment is tagged with labels, which aid in resource management, filtering, and identification within the Google Cloud Console.
Interaction with Other System Components
Prerequisite Environment Setup: This script relies on environment variables and authentication context established by other scripts such as set_env.sh and init.sh, described in Cloud Run Deployment Automation and Environment Initialization. Proper setup ensures that project IDs, regions, and credentials are consistent.
Complement to Unauthenticated Deployment: This script contrasts with cloudrun.sh (see Unauthenticated Deployment), which allows open public access. It is part of the same deployment automation framework but targeted at secure, production-grade deployments.
Service Consumers: Clients interacting with the deployed service must acquire identity tokens to authenticate their requests. This aligns with the token-based access control mechanism enforced by Cloud Run and described in Secure Deployment.
MCP Server Functionality: The secure deployment protects the MCP server API endpoints defined in Zoo Animal Query API, ensuring that only authorized consumers can query animal data.
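The two properties described above, that no public principal holds roles/run.invoker on the service and that a request without an identity token is rejected while a token-bearing one succeeds, can be verified after the script has run. The following Python script is an added example and is not one of the project's scripts. It assumes the gcloud CLI is installed and authenticated, reuses the service name and region from cloudrun-secure.sh, and its function names (public_invokers, classify_status, probe, fetch_policy) are hypothetical helpers rather than any gcloud or Cloud Run API.

```python
"""Post-deployment verification for the authenticated zoo-mcp-server service.

Added example, not part of the project. Assumes an authenticated gcloud CLI.
The pure functions (public_invokers, classify_status) run offline; the
gcloud-backed ones only run when the script is executed directly.
"""
import json
import subprocess
import urllib.error
import urllib.request
from typing import List, Optional

SERVICE = "zoo-mcp-server"   # from cloudrun-secure.sh
REGION = "europe-west1"      # from cloudrun-secure.sh

# Principals that would make the service reachable without an explicit grant.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/run.invoker"


def public_invokers(policy: dict) -> List[str]:
    """Return the public principals granted roles/run.invoker in an IAM policy.

    An empty list is what --no-allow-unauthenticated should leave behind: the
    only invokers are explicitly named users, groups or service accounts.
    """
    found = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue
        found.extend(m for m in binding.get("members", []) if m in PUBLIC_MEMBERS)
    return found


def fetch_policy(service: str = SERVICE, region: str = REGION) -> dict:
    """Read the service's IAM policy through gcloud (needs an authenticated CLI)."""
    out = subprocess.run(
        ["gcloud", "run", "services", "get-iam-policy", service,
         f"--region={region}", "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def classify_status(status: int) -> str:
    """Map an HTTP status from the service URL to the access outcome it represents."""
    if status in (401, 403):
        return "rejected"    # Cloud Run refused the request before the server saw it
    if 200 <= status < 300:
        return "accepted"
    return "unexpected"


def probe(url: str, token: Optional[str] = None) -> str:
    """Call the service once, with or without a bearer token, and classify the result."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_status(err.code)


def main() -> None:
    exposed = public_invokers(fetch_policy())
    if exposed:
        raise SystemExit(f"{SERVICE} grants {INVOKER_ROLE} to {exposed}: publicly invokable")
    url = subprocess.run(
        ["gcloud", "run", "services", "describe", SERVICE, f"--region={REGION}",
         "--format=value(status.url)"],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    token = subprocess.run(
        ["gcloud", "auth", "print-identity-token"],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    print("IAM policy has no public invoker")
    print("anonymous request:", probe(url))            # expected: rejected
    print("token-bearing request:", probe(url, token))  # expected: accepted


if __name__ == "__main__":
    main()
```

Run it from the same authenticated session used for the deployment. The policy check is the authoritative one: if cloudrun.sh (the unauthenticated variant) was ever applied to the same service, the allUsers binding it adds persists until removed, and this script will exit non-zero on that binding before sending any request.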
Visual Diagram of Deployment Workflow
flowchart TD
Start[Start Deployment] --> GenerateToken[Generate Identity Token]
GenerateToken --> DeployCmd[Run gcloud deploy with --no-allow-unauthenticated]
DeployCmd --> CloudRun["Cloud Run Service (Secure)"]
CloudRun -->|Requires Token| Client[Authorized Client]
Client -->|Sends Token| CloudRun
CloudRun --> MCPServer[Zoo Animal MCP Server]
Generate Identity Token: gcloud auth print-identity-token generates the token used for authentication.
Deploy Command: Deploys the MCP server to Cloud Run with enforced authentication.
Cloud Run Service: Rejects unauthenticated requests; only accepts requests with valid tokens.
Client: Must send the identity token with each request to access the MCP server API.
Reference to Related Topics
For automation context and the deployment lifecycle, see Cloud Run Deployment Automation.
For specifics on authentication and access control, see Secure Deployment.
For environment setup prerequisites, refer to Environment Initialization.
For the underlying API functionality secured by this deployment, see Zoo Animal Query API.
For comparison with the open-access deployment, see Unauthenticated Deployment.