As a continuation of the Google CSE Labels Integration, please follow these steps to successfully configure the Attribute-based Access Control (ABAC) feature on your Linux server. This document assumes you have completed the Google Console/Admin Changes.
Prior to making on your server, we recommend creating a copy of the existing /cse directory on your Linux server.
Step 1: Deploy CSE labels
- Create a file on your Linux server called
keyFile.jsonin/var/virtru/cseand add the contents of the private key that was generated with the Service Account in Step 2 of the GCP portion. - Add the bolded line to your existing
run.shfile. This is the file path to thekeyFile.jsonthat the Docker run script will reference. cd /var/virtru/cse/ chmod 644 keyFile.json
docker run --detach\
--env-file ./cse.env\
-p 443:9000 \
-v /var/virtru/cse/server.cert:/run/secrets/server.cert \
-v /var/virtru/cse/server.key:/run/secrets/server.key \
-v /var/virtru/cse/secrets.json:/app/cse/secrets.json \
-v /var/virtru/cse/keyFile.json:/app/cse/credentials.json \
--restart unless-stopped \
--name cse-v<Latest Tagged Version> \
containers.virtru.com/cse:v<Latest Tagged Version>-
Add the following variables in the
cse.envfile to enable the Drive Labels feature:Important:
Enter a Google Workspace domain-wide admin account for
SERVICE_ACCOUNT_EMAILin the .env file. The service account fromcredentials.jsonshould only be used if it has already been granted domain-wide administrator rights.
SERVICE_ACCOUNT_EMAIL=<admin-email@customerdomain.com>
DRIVE_LABELS=true
DRIVE_TIME=15
DRIVE_LABELS_TIME=15
ADMIN_TIME=15
GOOGLE_APPLICATION_CREDENTIALS=/app/cse/credentials.json
Step 2: Deploy, Verify and Test
- If you have an existing container running please stop and remove
docker stop <container-id>docker rm <container-id> - Execute your run script with new variables from your
var/virtru/csedirectory.sh run.sh - Verify the deployment:
docker psdocker logs -f <containter-name>
- Test by creating a blank encrypted file in Google Drive
- Apply a label to the file that matches the parameters from previous steps
- Share the file with authorized parties, and also with a user(s) that should not have access to viewing, or editing the file, as a test.
The intended experience will be:
- Authorized parties: Will be able to view, edit the file (depending on permissions set)
- Unauthorized parties: Will be presented with a message “Key service responded with an error. Contact your admin.”
Usage Limits
As this feature flag leverages the Drive Labels API, there are some Google-specific limitations to keep in mind. These limitations and details are linked below for your reference: