SCIM Bridge VM Reprovisioning

We're taking advantage of firewall rules in 1Password. We've had the SCIM bridge operating successfully for months. A few days ago, provisioning started failing. I checked the activity logs and found that our service account was being blocked due to firewall rules. I investigated the project in GCP and identified that the app had done something which had generated new VMs with ephemeral IPs (the static external IPs we had reserved were still in the project, but not associated with any resources). Can you explain how this could happen? It's very frustrating.



Comments

  • graham_1P

    Team Member

    Hi @jbck,

    Unfortunately, as we are not GCP experts, it is hard to say. That being said, let me take a guess.

    The reason we deploy on a Kubernetes cluster in the first place is because in the case of a VM dying, the Kubernetes agent will bring up a new pod to replace the failed VM. This ensures your SCIM Bridge will continue to function no matter what. It sounds like your VM died, and then got replaced. To the best of my knowledge, each VM has a distinct outbound IP address which is discrete from the inbound IP address you previously set as static. Therefore the new IP was being used to communicate with 1Password.

    Unless there is more you have not mentioned, I am surprised you got the Firewall rules to work successfully on the static inbound IP address.

    No matter the cause of the VM IP change, there is a solution. To anchor the IP address you communicate with, on GCP you can create a VPC network with a Cloud NAT gateway. That should ensure you communicate with the static IP associated with the VPC network, rather than the IP of the Kubernetes pod.

    However, while we are aware of it, setting up and configuring that system is beyond the scope of our support. We will not be able to assist you in setting up a VPC network with a Cloud NAT gateway on GCP. We remain happy to answer any questions you have regarding the SCIM Bridge or its interactions.

    Let me know what questions you have.

    Graham
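
Added example, not part of the original thread and not 1Password's own code: a drift check for the condition described above, where reserved static IPs sit unattached while replacement VMs egress from ephemeral addresses that the 1Password firewall rules reject. The resource names, addresses and allowlist are constructed; the JSON mirrors the `status` and `natIP` fields that `gcloud compute addresses list --format=json` and `gcloud compute instances list --format=json` emit.

```python
import ipaddress
import json

# Constructed sample data shaped like gcloud JSON output (documentation-range IPs).
ADDRESSES_JSON = """[
  {"name": "scim-egress-1", "address": "203.0.113.10",
   "addressType": "EXTERNAL", "status": "RESERVED"},
  {"name": "scim-egress-2", "address": "203.0.113.11",
   "addressType": "EXTERNAL", "status": "IN_USE"}
]"""
INSTANCES_JSON = """[
  {"name": "gke-node-a",
   "networkInterfaces": [{"accessConfigs": [{"natIP": "198.51.100.7"}]}]},
  {"name": "gke-node-b",
   "networkInterfaces": [{"accessConfigs": [{"natIP": "203.0.113.11"}]}]},
  {"name": "gke-node-c", "networkInterfaces": [{"networkIP": "10.0.0.4"}]}
]"""
# Constructed stand-in for the source IPs permitted by the 1Password firewall rules.
ALLOWLIST = ["203.0.113.10/32", "203.0.113.11/32"]


def audit_egress(addresses, instances, allowlist):
    """Return unattached static IPs and instances whose external IP is not allowlisted."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    # status RESERVED means the address exists in the project but no resource uses it.
    unattached = [a["address"] for a in addresses
                  if a.get("addressType", "EXTERNAL") == "EXTERNAL"
                  and a.get("status") == "RESERVED"]
    blocked = []
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            # No accessConfigs means no external IP on the VM itself; such nodes
            # egress through whatever NAT the VPC provides and are skipped here.
            for cfg in nic.get("accessConfigs", []):
                ip = cfg.get("natIP")
                if ip and not any(ipaddress.ip_address(ip) in n for n in nets):
                    blocked.append((inst["name"], ip))
    return {"unattached_static": unattached, "not_allowlisted": blocked}


def sample_report():
    """Run the audit over the constructed sample data above."""
    return audit_egress(json.loads(ADDRESSES_JSON),
                        json.loads(INSTANCES_JSON), ALLOWLIST)


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

Run on a schedule against live `gcloud` output, a non-empty `not_allowlisted` list flags the drift before provisioning requests start being blocked.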
