> For the complete documentation index, see [llms.txt](https://docs.bluerock.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.bluerock.io/deployment-guides/gcp-deployments/gcp-deployment-with-cli.md).

# GCP Deployment with CLI

This guide provides the necessary technical steps to install the Google Cloud CLI, configure your project environment, and deploy BlueRock-hardened instances on Google Cloud Platform (GCP).

### Prerequisites

* Google Cloud CLI tools (`gcloud`); for installation, refer to the official [Google Cloud CLI installation](https://docs.cloud.google.com/sdk/docs/install-sdk) guide.
* BlueRock images: BlueRock provides pre-packaged images of the BlueRock Ubuntu 24.04 Linux distribution (Free or Full version); contact [BlueRock support](https://www.bluerock.io/contact) to obtain the images.

| Version | OS | Kernel Version | GCP Image Name | Description |
|---|---|---|---|---|
| Free | Ubuntu 24.04 | 6.12.63 | `bluerock-release-26-08-0-ubuntu2404-6.12.63-free` | Loads the default policy in observe mode; policy changes are not allowed. |
| Full | Ubuntu 24.04 | 6.12.63 | `bluerock-release-26-08-0-ubuntu2404-6.12.63` | Provides full policy configuration control, including switching the policy action from observe to enforce mode. |

### Procedure

To deploy BlueRock-hardened instances on GCP with the CLI, follow this procedure:

1. [Instance Deployment](#instance-deployment)
2. [Create Storage Bucket](#create-a-storage-bucket)
3. [Instance Configuration](#bluerock-instance-configuration)
4. [Updating Configuration Source](#updating-configuration-source)
5. [OTEL Event Collection](#otel-event-collection)
6. [View Logs in GCP](#view-logs-in-gcp)

### Instance Deployment

Deploy the instance to provision the virtual hardware and the identity (Service Account) required by BlueRock. This command creates a pre-configured environment with the permissions needed to securely pull your configuration from GCP storage buckets.

```shell
gcloud compute instances create <instance-name> \
--zone us-central1-a \
--machine-type n1-standard-2 \
--image bluerock-release-26-08-0-ubuntu2404-6.12.63-free \
--image-project <project-name> \
--scopes <insert-scopes> \
--boot-disk-size <insert-size-in-GB> \
--boot-disk-type <insert-disk-type> \
--tags <insert-tags>
```

| Parameter (Flag) | Description | Example Value |
|---|---|---|
| `--zone` | Defines the specific physical data center location where the VM resides. | `us-central1-a` |
| `--machine-type` | Specifies the hardware configuration (CPU and RAM). | `n1-standard-2` |
| `--image` | The image name or OS template to install on the boot disk. | `bluerock-release-26-08-0-ubuntu2404-6.12.63-free` |
| `--image-project` | The Project ID where the image is stored (required for custom images hosted in another project). | `project-1234` |
| `--scopes` | Grants the VM permissions to interact with other GCP services (such as Cloud Storage or Logging). | `cloud-platform` |
| `--boot-disk-size` | Sets the total storage capacity of the primary (OS) disk. | `20GB` |
| `--boot-disk-type` | Defines the performance tier of the disk (Standard, Balanced, or SSD). | `pd-balanced` |
| `--tags` | Metadata labels for the instance. | `bluerock-instance` |

To validate the instance status:

```shell
gcloud compute instances describe <instance-name> --zone=us-central1-a --format="value(status)"
```

To connect to the instance using **SSH**:

```shell
gcloud compute ssh <instance-name> --zone=<zone-id>
```

> **Note**:
>
> SSH may show warnings and prompt you to generate an SSH key on first use. When generating the key, leave the passphrase empty by pressing Enter. The key is created automatically and added permanently to the host.

### Create a Storage Bucket

Create a GCP Storage Bucket to hold the configuration and policy files: the BlueRock instance fetches them from this bucket using the `config.source` file, which contains the bucket's URL/URI.

To create a bucket run the following command:

{% code overflow="wrap" %}

```shell
gcloud storage buckets create gs://<your-bucket-name> --location=<insert-location>
```

{% endcode %}

Bucket URL example: `gs://bluerock-bucket/`

Refer to the [About Cloud Storage buckets](https://docs.cloud.google.com/storage/docs/buckets) guide to learn more about storage buckets in GCP.

### BlueRock Instance Configuration

BlueRock instances require a configuration file (`config.toml` or `config.yaml`) to define telemetry and policy settings. Create either `config.toml` or `config.yaml`; only one of them is needed.

{% tabs %}
{% tab title="Free version" %}
{% code title="config.yaml" overflow="wrap" lineNumbers="true" %}

```yaml
event_format: "OTEL"
event_url: "http://<your-internal-ip>:4318"
ucpcm:
```

{% endcode %}

{% code title="config.toml" overflow="wrap" lineNumbers="true" %}

```toml
event_format = "OTEL"
event_url = "http://<your-internal-ip>:4318"
[ucpcm]
```

{% endcode %}
{% endtab %}

{% tab title="Full version" %}
{% code title="config.yaml" overflow="wrap" lineNumbers="true" %}

```yaml
event_format: "OTEL"
event_url: "http://<your-internal-ip>:4318"
ucpcm:
  policy_url: "gs://<policy-url>"
  policy: "policy.json"
  policy_sig: "policy.json.sig"
  public_key: "gs://<policy-key-url>"
  transport:
    transport_type: "gcs"  # or "gs"
    auth_method: "default" # Uses Application Default Credentials (ADC) / Service Account
    region: "us-central1"
```

{% endcode %}

{% code title="config.toml" overflow="wrap" lineNumbers="true" %}

```toml
event_format = "OTEL"
event_url = "http://<your-internal-ip>:4318"
[ucpcm]
policy_url = "gs://<policy-url>"
policy = "policy.json"
policy_sig = "policy.json.sig"
public_key = "gs://<policy-key-url>"
[ucpcm.transport]
transport_type = "gcs"  # or "gs"
auth_method = "default" # Uses Application Default Credentials (ADC) / Service Account
region = "us-central1"
```

{% endcode %}
{% endtab %}
{% endtabs %}

| Parameter | Type | Description |
|---|---|---|
| `hostid` | String | A unique identifier for this specific machine or agent (e.g., `bluerock`). This flag is optional. |
| `event_format` | String | The data schema used for logging/events. `OTEL` stands for OpenTelemetry. |
| `event_url` | URL | The endpoint where the agent sends its telemetry data (usually an OTEL Collector). |
| `ucpcm.policy_url` | GCS Path | The Google Cloud Storage bucket path where the master policy file is stored. |
| `ucpcm.policy` | File Name | The specific JSON file name that contains the configuration rules. |
| `ucpcm.policy_sig` | File Name | The digital signature file used to verify that the `policy.json` hasn't been tampered with. |
| `ucpcm.public_key` | GCS Path | The location of the public key used to validate the `policy_sig`. |
| `ucpcm.metrics_timer` | Integer | How often (in seconds) the agent pushes its performance metrics (1800s = 30 mins). |
| `ucpcm.policy_poll_period` | Integer | How often (in seconds) the agent checks GCS for a new policy version (60s = 1 min). |
| `ucpcm.transport_type` | String | The protocol used to fetch files. `gcs` or `gs` indicates Google Cloud Storage. |
| `ucpcm.auth_method` | String | Authentication type. `default` uses the VM's attached Service Account (ADC). |
| `ucpcm.region` | String | The GCP region where the storage resources are located. |

> **Note**:
>
> BlueRock Secure MCP Server enforces runtime security controls through configurable MCP Protection Policies. Refer to the Policy Configuration guide to learn more about these policies.

Upload this config file to your bucket:

{% code overflow="wrap" %}

```shell
gcloud storage cp config.toml gs://<bucket-name>/
```

{% endcode %}

### Updating Configuration Source

To keep the BlueRock agent synchronized with the latest policies, point it at the cloud-hosted configuration by writing the configuration's **gsutil URI** into the `config.source` file.

To save the **gsutil URI** in the `config.source` file:

1. **Locate your file:** Ensure your `config.toml` or `config.yaml` is uploaded to your GCP Bucket.
2. **Get the URI:** The address should follow this format: `gs://<bucket-name>/<filename>`

   *Example: `gs://bluerock-bucket/config.toml`*


3. Navigate to the directory containing the `config.source` file:

```shell
$ cd /opt/bluerock/etc
```

4. Write the **gsutil URI** of the uploaded file (shown in the GCP web console, or built from the format above) into `config.source` and save it.

{% code title="config.source" overflow="wrap" lineNumbers="true" %}

```yaml
gs://bluerock-dg-internal/config.toml

# Bluerock Configuration
# ---------------------------
# `config.source` tells where to fetch the configuration file.
```

{% endcode %}

### OTEL Event Collection

1. Locate the Docker Compose files:

```shellscript
$ cd /opt/bluerock/otel

$ ls

docker-compose.yaml  otel-config.yaml
```

2. Start the containers:

{% code overflow="wrap" %}

```shell
$ sudo docker-compose up -d
```

{% endcode %}

3. List the running containers:

{% code overflow="wrap" %}

```shell
$ sudo docker ps

CONTAINER ID   IMAGE                                                                                                      COMMAND                  CREATED              STATUS              PORTS                                                             NAMES
03c2db3abd92   us-docker.pkg.dev/cloud-ops-agents-artifacts/google-cloud-opentelemetry-collector/otelcol-google:0.141.0   "/otelcol-google --f…"   About a minute ago   Up About a minute   0.0.0.0:4317-4318->4317-4318/tcp, [::]:4317-4318->4317-4318/tcp   otel-collector
178d03129e78   ultracontrol:latest  
```

{% endcode %}

4. Start or restart the BlueRock control plane service to load the configuration.

{% tabs %}
{% tab title="Free version" %}
For the Free version, the BlueRock control plane starts by default. Restart the service to apply the new configuration.

```shell
$ sudo systemctl restart uc-docker.service
```

{% endtab %}

{% tab title="Full version" %}
For the Full version, the BlueRock control plane must be enabled manually and started before use.

```shell
$ sudo systemctl enable uc-docker.service
$ sudo systemctl start uc-docker.service
$ sudo systemctl status uc-docker.service
```

{% endtab %}
{% endtabs %}

5. To check the collector logs:

   ```shell
   $ sudo docker logs otel-collector
   ```

### View Logs in GCP

To view logs in GCP:

1. Log in to your GCP account in a browser and navigate to **Compute Engine** > **VM Instances**.
2. Select the required instance.
3. Select **Logging**.

