On-premise Active Directory on Google Cloud Run
This guide walks you through deploying the SlashID Collector on Google Cloud Run to monitor your on-premise Active Directory (AD) domain.
Prerequisites
- A Google Cloud project with billing enabled
- gcloud CLI installed and configured
- Network connectivity between GCP and your on-premise AD via Serverless VPC Access
- Access to the SlashID Docker registry (request via Slack or support@slashid.com)
STEP 1: Create the connection on the SlashID Console
In the SlashID Console > Configuration > Data sources > Add data source and select Active Directory from the list.
Complete the following fields:
- Name of the connection: an arbitrary name for your new connection
- Authoritative status: whether this connection should be the primary source of truth to reconcile identities across providers
Once the connection is created, it appears in Configuration > Data sources. From this page, copy the Event streaming token; you will store it in Secret Manager in STEP 3. The token authorises the collector to stream events into your SlashID tenant, so treat it as a credential: do not paste it into service.yaml, a ticket, or a chat message.
STEP 2: Set up VPC connectivity
Cloud Run requires a VPC Connector to reach your on-premise network.
- Create a VPC Connector:
gcloud compute networks vpc-access connectors create slashid-connector \
--region=us-central1 \
--subnet=YOUR_SUBNET \
--subnet-project=YOUR_PROJECT_ID \
--min-instances=2 \
--max-instances=3
- Ensure your VPC has connectivity to your on-premise AD via Cloud VPN or Cloud Interconnect, and that the on-premise side routes return traffic to the connector's subnet.
The VPC Connector needs to reach your domain controllers on the following ports:
- TCP 389 (LDAP) or TCP 636 (LDAPS); prefer LDAPS so directory queries are not readable on the path between GCP and the DC
- TCP 135 (RPC endpoint mapper), TCP 445 (SMB), and the dynamic RPC port range (TCP 49152-65535 by default on current Windows Server versions) for WMI
Because the service definition in STEP 4 sets vpc-access-egress to all-traffic, the collector's outbound connection to the SlashID API also leaves through the connector. Give the connector's subnet a Cloud NAT gateway (or another route to the internet); otherwise the collector will reach AD but not SlashID.
STEP 3: Store credentials in Secret Manager
Store your AD credentials securely. Enter each value at a prompt rather than on the command line, so it does not end up in your shell history or in the process list while gcloud runs:
# Create secrets
gcloud secrets create slashid-ad-password --replication-policy="automatic"
printf 'AD password: ' >&2; read -rs AD_PASSWORD; echo >&2
printf '%s' "$AD_PASSWORD" | gcloud secrets versions add slashid-ad-password --data-file=-
gcloud secrets create slashid-auth-token --replication-policy="automatic"
printf 'Event streaming token: ' >&2; read -rs SLASHID_TOKEN; echo >&2
printf '%s' "$SLASHID_TOKEN" | gcloud secrets versions add slashid-auth-token --data-file=-
unset AD_PASSWORD SLASHID_TOKEN
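The guide leaves the service running as the project's default compute service account, an identity that is shared with every other workload in the project and that, once granted Secret Manager access, can read far more than these two secrets. The script below is an added example, not part of the SlashID documentation: it creates a dedicated runtime identity and grants it read access to exactly the two secrets created above. The service account id slashid-collector, the PROJECT_ID variable and the deployer member passed as the second argument are assumptions. After running it, set spec.template.spec.serviceAccountName in service.yaml to the email it prints.

```shell
#!/bin/sh
# Least-privilege runtime identity for the collector (added example, not from SlashID).
# Assumed names: service account "slashid-collector", project taken from $PROJECT_ID.
set -eu

PROJECT_ID="${PROJECT_ID:-YOUR_PROJECT_ID}"
SA_ID="${SA_ID:-slashid-collector}"
SECRETS="slashid-ad-password slashid-auth-token"

# Email of a service account given its short id and project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# IAM member string for the runtime identity.
sa_member() {
  printf 'serviceAccount:%s' "$(sa_email "$1" "$2")"
}

create_runtime_sa() {
  gcloud iam service-accounts create "$SA_ID" \
    --project="$PROJECT_ID" \
    --display-name="SlashID AD collector runtime"
}

# Grant read access per secret. Do not grant roles/secretmanager.secretAccessor
# at project level: that would let the collector read every secret in the project.
grant_secret_access() {
  for s in $SECRETS; do
    gcloud secrets add-iam-policy-binding "$s" \
      --project="$PROJECT_ID" \
      --member="$(sa_member "$SA_ID" "$PROJECT_ID")" \
      --role="roles/secretmanager.secretAccessor"
  done
}

# Whoever runs `gcloud run services replace` must be allowed to act as the
# runtime identity. Grant that to the deployer, never to the collector itself.
allow_deployer_to_use_sa() {
  gcloud iam service-accounts add-iam-policy-binding "$(sa_email "$SA_ID" "$PROJECT_ID")" \
    --project="$PROJECT_ID" \
    --member="$1" \
    --role="roles/iam.serviceAccountUser"
}

# Usage: PROJECT_ID=my-proj ./runtime-sa.sh apply user:deployer@example.com
if [ "${1:-}" = "apply" ]; then
  create_runtime_sa
  grant_secret_access
  allow_deployer_to_use_sa "${2:?deployer member, e.g. user:alice@example.com}"
  echo "serviceAccountName: $(sa_email "$SA_ID" "$PROJECT_ID")"
fi
```

The bindings are per secret, so the collector cannot enumerate or read other secrets in the project, and the deployer's serviceAccountUser grant is what lets the replace command attach this identity to the service.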
STEP 4: Create the service definition
Create a service.yaml file to define your Cloud Run service. This approach is recommended because it's version-controllable, reviewable, and reproducible.
```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: slashid-ad-collector
  annotations:
    run.googleapis.com/launch-stage: BETA
spec:
  template:
    metadata:
      annotations:
        # Keep one instance always running
        autoscaling.knative.dev/minScale: "1"
        autoscaling.knative.dev/maxScale: "1"
        # Prevent CPU throttling when idle
        run.googleapis.com/cpu-throttling: "false"
        # VPC connector for on-premise connectivity
        run.googleapis.com/vpc-access-connector: projects/YOUR_PROJECT_ID/locations/us-central1/connectors/slashid-connector
        run.googleapis.com/vpc-access-egress: all-traffic
    spec:
      containerConcurrency: 1
      timeoutSeconds: 3600
      containers:
      - image: slashid/agent:latest
        ports:
        - containerPort: 8080
        resources:
          limits:
            memory: 512Mi
            cpu: "1"
        env:
        # AD Snapshot configuration
        - name: AD_SNAPSHOT_1_DOMAIN
          value: "your.domain.local"
        - name: AD_SNAPSHOT_1_USERNAME
          value: "admin.user"
        - name: AD_SNAPSHOT_1_TARGET_DC
          value: "first.controller.your.domain.local"
        - name: AD_SNAPSHOT_1_PASSWORD
          valueFrom:
            secretKeyRef:
              key: latest
              name: slashid-ad-password
        - name: AD_SNAPSHOT_1_SLASHID_AUTH_TOKEN
          valueFrom:
            secretKeyRef:
              key: latest
              name: slashid-auth-token
        # WMI Event Streamer configuration
        - name: WMI_1_DOMAIN
          value: "your.domain.local"
        - name: WMI_1_USERNAME
          value: "admin.user"
        - name: WMI_1_TARGET_DC
          value: "first.controller.your.domain.local"
        - name: WMI_1_PASSWORD
          valueFrom:
            secretKeyRef:
              key: latest
              name: slashid-ad-password
        - name: WMI_1_SLASHID_AUTH_TOKEN
          valueFrom:
            secretKeyRef:
              key: latest
              name: slashid-auth-token
```
Replace the following values:
- YOUR_PROJECT_ID: your GCP project ID
- your.domain.local: your AD domain
- admin.user: your AD admin username
- first.controller.your.domain.local: your domain controller FQDN
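As written, the service runs as the project's default compute service account, accepts requests from any network (subject only to IAM), tracks a moving latest tag, and gives Cloud Run nothing but a TCP connect check to judge the container by. The fragment below is an added example, not part of the SlashID documentation, showing the fields a practitioner would add to service.yaml; the service account name slashid-collector, the <IMAGE_DIGEST> placeholder and the probe timings are assumptions, and the unchanged resources and env sections are omitted.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: slashid-ad-collector
  annotations:
    run.googleapis.com/launch-stage: BETA
    # Accept requests only from inside the VPC (or an internal load balancer).
    # The collector needs no inbound traffic, so this keeps /health off the internet.
    run.googleapis.com/ingress: internal
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: "1"
        autoscaling.knative.dev/maxScale: "1"
        run.googleapis.com/cpu-throttling: "false"
        run.googleapis.com/vpc-access-connector: projects/YOUR_PROJECT_ID/locations/us-central1/connectors/slashid-connector
        run.googleapis.com/vpc-access-egress: all-traffic
    spec:
      # Dedicated runtime identity (assumed name) instead of the default compute
      # service account; grant it secretAccessor on the two secrets only.
      serviceAccountName: slashid-collector@YOUR_PROJECT_ID.iam.gserviceaccount.com
      containerConcurrency: 1
      timeoutSeconds: 3600
      containers:
      # Pin the image by digest so a later replace cannot silently pull a different
      # build. <IMAGE_DIGEST> is a placeholder: take the value from your registry.
      - image: slashid/agent@sha256:<IMAGE_DIGEST>
        ports:
        - containerPort: 8080
        # Cloud Run only does a TCP check by default. With these probes it waits for
        # the agents to report ready before routing, and restarts the instance if
        # the process stops answering. The probe port must equal containerPort.
        startupProbe:
          httpGet:
            path: /health/ready
            port: 8080
          periodSeconds: 10
          timeoutSeconds: 3
          failureThreshold: 18   # up to 3 minutes for the first AD connection
        livenessProbe:
          httpGet:
            path: /health/live
            port: 8080
          periodSeconds: 30
          timeoutSeconds: 3
          failureThreshold: 3
        # resources: and env: unchanged from the definition above
```

With ingress set to internal, a curl against the service URL from your workstation is refused; run the check from a VM in the VPC, or leave the ingress annotation out and rely on IAM alone. The probes are what make the health endpoints in STEP 6 actually drive Cloud Run's behaviour.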
STEP 5: Deploy to Cloud Run
Deploy the service using the YAML definition:
gcloud run services replace service.yaml --region=us-central1
The collector receives no inbound traffic from SlashID; its health endpoints exist for Cloud Run's probes and for operators. Keep the service private. /health reports the state of agents that hold Domain Admin credentials, and exposing it to the internet adds reconnaissance and availability risk for nothing in return. Cloud Run's startup and liveness probes run inside the platform and do not need roles/run.invoker; to query the endpoints yourself, send an identity token (see Verify the deployment) or call the service from inside the VPC.
Only if you have a specific reason to expose the health endpoints unauthenticated, bind allUsers:
gcloud run services add-iam-policy-binding slashid-ad-collector \
--region=us-central1 \
--member="allUsers" \
--role="roles/run.invoker"
STEP 6: Verify health checks
Cloud Run does not use the /health endpoint on its own: by default it only runs a TCP connect check against the container port (8080) when an instance starts, and no liveness check afterwards. To have Cloud Run use the collector's HTTP endpoints, add a startupProbe and a livenessProbe with httpGet under the container in service.yaml, pointing at /health/ready and /health/live respectively on port 8080. The collector exposes:
| Endpoint | Purpose |
|---|---|
| /health | Detailed health status of all agents |
| /health/live | Liveness probe (is the process running?) |
| /health/ready | Readiness probe (are agents healthy?) |
Configuration reference
| Variable | Required | Description |
|---|---|---|
| AD_SNAPSHOT_N_DOMAIN | Yes | Your AD domain name |
| AD_SNAPSHOT_N_USERNAME | Yes | Username (Domain Admins member, RID 512) |
| AD_SNAPSHOT_N_PASSWORD | Yes | Password for the admin user |
| AD_SNAPSHOT_N_TARGET_DC | Yes | Domain controller FQDN or IP |
| AD_SNAPSHOT_N_SLASHID_AUTH_TOKEN | Yes | Token from STEP 1 |
| AD_SNAPSHOT_N_LDAPS | No | Enable LDAPS (default: false) |
| AD_SNAPSHOT_N_LDAPS_PORT | No | LDAPS port (default: 636) |
| AD_SNAPSHOT_N_COLLECTION_METHOD | No | All or Computers |
| AD_SNAPSHOT_N_FQDN_RESOLVER | No | DNS server IP for FQDN resolution |
| WMI_N_DOMAIN | Yes | Your AD domain name |
| WMI_N_USERNAME | Yes | Username (Domain Admins member) |
| WMI_N_PASSWORD | Yes | Password for the admin user |
| WMI_N_TARGET_DC | Yes | Domain controller FQDN or IP |
| WMI_N_SLASHID_AUTH_TOKEN | Yes | Token from STEP 1 |
| WMI_N_KERBEROS_AUTH | No | Use Kerberos auth (default: false) |
| WMI_N_AES_KEY | No | AES key for Kerberos auth |
| HEALTH_PORT | No | Health server port (default: 8080) |
| HEALTH_SERVER_ENABLED | No | Enable health server (default: true) |
- Configure one AD_SNAPSHOT_N entry per AD domain.
- Configure one WMI_N entry per domain controller.
- Replace N with sequential numbers (1, 2, 3...).
- Set AD_SNAPSHOT_N_LDAPS to true wherever your domain controllers have a server certificate; the default is plain LDAP on TCP 389, which leaves the bind and every query readable on the path between GCP and the DC.
- WMI_N_KERBEROS_AUTH with WMI_N_AES_KEY authenticates the WMI session with Kerberos instead of the account password. The AES key grants the same access as the password, so keep it in Secret Manager and reference it with valueFrom exactly like WMI_N_PASSWORD.
Example: Multiple domains
For multiple domains, add additional environment variables to your service.yaml:
```yaml
        env:
        # First domain
        - name: AD_SNAPSHOT_1_DOMAIN
          value: "north.sevenkingdoms.local"
        # ... other AD_SNAPSHOT_1 and WMI_1 variables
        # Second domain
        - name: AD_SNAPSHOT_2_DOMAIN
          value: "south.sevenkingdoms.local"
        - name: AD_SNAPSHOT_2_USERNAME
          value: "arya.stark"
        - name: AD_SNAPSHOT_2_TARGET_DC
          value: "braavos.south.sevenkingdoms.local"
        - name: AD_SNAPSHOT_2_PASSWORD
          valueFrom:
            secretKeyRef:
              key: latest
              name: slashid-ad-password-south
        - name: AD_SNAPSHOT_2_SLASHID_AUTH_TOKEN
          valueFrom:
            secretKeyRef:
              key: latest
              name: slashid-auth-token
        # Second domain WMI
        - name: WMI_2_DOMAIN
          value: "south.sevenkingdoms.local"
        - name: WMI_2_USERNAME
          value: "arya.stark"
        - name: WMI_2_TARGET_DC
          value: "braavos.south.sevenkingdoms.local"
        - name: WMI_2_PASSWORD
          valueFrom:
            secretKeyRef:
              key: latest
              name: slashid-ad-password-south
        - name: WMI_2_SLASHID_AUTH_TOKEN
          valueFrom:
            secretKeyRef:
              key: latest
              name: slashid-auth-token
```
Each domain gets its own password secret (slashid-ad-password-south here), so rotating or revoking one domain's credential does not touch the other; the event streaming token is shared because it identifies the SlashID connection, not the domain.
Then redeploy:
gcloud run services replace service.yaml --region=us-central1
Verify the deployment
- Check the service status:
gcloud run services describe slashid-ad-collector --region=us-central1
- View logs:
gcloud run services logs read slashid-ad-collector --region=us-central1 --limit=50
- Test the health endpoint. The service is private, so authenticate with an identity token for an account that holds roles/run.invoker on the service; a 403 here means that binding is missing, not that the collector is unhealthy:
SERVICE_URL=$(gcloud run services describe slashid-ad-collector --region=us-central1 --format='value(status.url)')
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" "$SERVICE_URL/health"
Updating the service
To update configuration, edit your service.yaml and redeploy:
gcloud run services replace service.yaml --region=us-central1
To update secrets:
# Add a new version of the secret (entered at a prompt, not on the command line)
printf 'New AD password: ' >&2; read -rs AD_PASSWORD; echo >&2
printf '%s' "$AD_PASSWORD" | gcloud secrets versions add slashid-ad-password --data-file=-
unset AD_PASSWORD
# Redeploy to pick up the new secret: with key "latest", Cloud Run resolves the
# version when a new instance starts, and minScale 1 keeps the old instance (and
# the old password) alive until a new revision replaces it
gcloud run services replace service.yaml --region=us-central1
# Once the new revision is serving, retire the old version so a leaked copy of it
# can no longer be used to log in
gcloud secrets versions disable OLD_VERSION --secret=slashid-ad-password
Pinning key to a version number instead of latest makes rotation an explicit, reviewable change to service.yaml and lets you roll back by redeploying the previous definition.
Troubleshooting
Container keeps restarting
Check the logs for errors:
gcloud run services logs read slashid-ad-collector --region=us-central1 --limit=100
Common causes:
- Invalid AD credentials
- Network connectivity issues to domain controllers
- Missing environment variables
Cannot connect to domain controller
- Verify the VPC Connector is properly configured
- Check that your VPC has routes to your on-premise network
- Verify firewall rules allow the required ports
# Check VPC Connector status
gcloud compute networks vpc-access connectors describe slashid-connector --region=us-central1
Health check failures
If Cloud Run reports health check failures:
- Ensure the collector is listening on port 8080
- Check that HEALTH_SERVER_ENABLED is not set to false
- Review logs for startup errors
Authentication failures
- Verify the credentials belong to a Domain Admins (RID 512) member
- Check that the username format matches your AD configuration
- Ensure secrets are properly mounted (check for typos in secret names) and that the service's runtime service account holds roles/secretmanager.secretAccessor on each secret; a missing grant fails the revision at startup, before the collector ever talks to AD
# Verify secrets exist
gcloud secrets list --filter="name:slashid"
# Check that the stored value has the expected length without printing it to the terminal
gcloud secrets versions access latest --secret=slashid-ad-password | wc -c
# This tests your own access; check who else may read the secret (the runtime
# service account must appear here)
gcloud secrets get-iam-policy slashid-ad-password
YAML validation errors
Validate your service definition before deploying. A definition that does not parse is rejected by gcloud run services replace itself, with the offending field in the error, and no revision is created. For a quick local syntax check of the file (this assumes PyYAML is installed):
# Check YAML syntax
python3 -c "import sys, yaml; yaml.safe_load(open(sys.argv[1]))" service.yaml
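A YAML parser only tells you the file is well-formed; it will not notice a password pasted inline under value:, a placeholder left over from the template, or a maxScale that quietly starts a second collector. The script below is an added example, not a SlashID tool, that checks service.yaml for those three mistakes before you deploy. The two embedded samples are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-deploy lint for service.yaml (added example, not a SlashID tool).
# Usage: ./lint-service.sh service.yaml   (no argument: run on the built-in samples)

lint_service_yaml() {
  file="$1"
  rc=0

  # 1. *_PASSWORD and *_SLASHID_AUTH_TOKEN entries must use valueFrom.secretKeyRef.
  #    awk remembers the current "- name:" entry and flags a "value:" line under it.
  if ! awk '
    /^[[:space:]]*-[[:space:]]*name:/ { name = $NF; next }
    /^[[:space:]]*value:/ && name ~ /_(PASSWORD|SLASHID_AUTH_TOKEN)$/ {
      printf "inline value for %s (use valueFrom.secretKeyRef)\n", name
      bad = 1
    }
    END { exit bad }
  ' "$file" >&2; then
    rc=1
  fi

  # 2. Placeholders from the template must have been replaced.
  for ph in YOUR_PROJECT_ID your.domain.local admin.user first.controller.your.domain.local; do
    if grep -qF -- "$ph" "$file"; then
      echo "placeholder still present: $ph" >&2
      rc=1
    fi
  done

  # 3. The guide runs exactly one instance; a second one would be a second
  #    process holding the same Domain Admin credentials.
  if ! grep -q 'autoscaling.knative.dev/maxScale: "1"' "$file"; then
    echo 'maxScale is not "1"' >&2
    rc=1
  fi

  return "$rc"
}

# Constructed sample: a template still carrying a placeholder, an inline
# password and two instances.
write_bad_sample() {
  cat > "$1" <<'EOF'
    metadata:
      annotations:
        autoscaling.knative.dev/maxScale: "2"
    spec:
      containers:
      - image: slashid/agent:latest
        env:
        - name: AD_SNAPSHOT_1_DOMAIN
          value: "your.domain.local"
        - name: AD_SNAPSHOT_1_PASSWORD
          value: "hunter2"
EOF
}

# Constructed sample: the same fragment with the problems fixed.
write_good_sample() {
  cat > "$1" <<'EOF'
    metadata:
      annotations:
        autoscaling.knative.dev/maxScale: "1"
    spec:
      containers:
      - image: slashid/agent:latest
        env:
        - name: AD_SNAPSHOT_1_DOMAIN
          value: "corp.example.com"
        - name: AD_SNAPSHOT_1_PASSWORD
          valueFrom:
            secretKeyRef:
              key: latest
              name: slashid-ad-password
EOF
}

if [ "$#" -gt 0 ]; then
  lint_service_yaml "$1"
else
  d=$(mktemp -d)
  write_bad_sample "$d/bad.yaml"
  write_good_sample "$d/good.yaml"
  for f in bad good; do
    if lint_service_yaml "$d/$f.yaml"; then echo "$f.yaml: ok"; else echo "$f.yaml: findings"; fi
  done
  rm -rf "$d"
fi
```

Run it as a pre-commit hook or the first step of the pipeline that calls gcloud run services replace; a non-zero exit blocks the deploy, and the findings on stderr name the offending variable or placeholder.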