# Deploy with GCP Startup Script

This guide provides a complete GCP Compute Engine startup script that installs and enrolls LinuxGuard, retrieving credentials from Secret Manager using the VM's attached service account — no hardcoded credentials in the script.

> **Important:** GCP Compute Engine startup scripts run on **every VM boot**, not just the first launch. The script below includes a mandatory idempotency guard to prevent re-enrollment on subsequent reboots. Do not remove this guard.

## Prerequisites

* Google Cloud SDK (`gcloud`) installed locally for one-time setup steps
* A Compute Engine instance with a service account attached (see Step 1)
* A LinuxGuard API key and tenant ID (from the LinuxGuard console)

## Step 1: Create a service account and grant access

The VM's attached service account needs the `roles/secretmanager.secretAccessor` role on each LinuxGuard secret. Create and assign it in the following steps.

```bash
# Create a service account (if you don't have one already)
gcloud iam service-accounts create linuxguard-deployer \
  --display-name="LinuxGuard Deployer"
```

> **Note:** If you already have a service account for your instances, use that — you do not need to create a new one.

## Step 2: Store credentials in Secret Manager

Store your LinuxGuard credentials as individual secrets — one value per secret, as plain text:

```bash
# Store credentials as individual secrets (plain text, one value per secret)
gcloud secrets create linuxguard-api-key --data-file=- <<< "<API_KEY>"
gcloud secrets create linuxguard-tenant-id --data-file=- <<< "<TENANT_ID>"

# Grant the service account read access to each secret
gcloud secrets add-iam-policy-binding linuxguard-api-key \
  --member="serviceAccount:<SA_EMAIL>" \
  --role="roles/secretmanager.secretAccessor"

gcloud secrets add-iam-policy-binding linuxguard-tenant-id \
  --member="serviceAccount:<SA_EMAIL>" \
  --role="roles/secretmanager.secretAccessor"
```

Replace `<SA_EMAIL>` with the service account's email address (for example, `linuxguard-deployer@<GCP_PROJECT_ID>.iam.gserviceaccount.com`).

## Step 3: Attach the service account to your instances

When creating a VM instance — via the Console, `gcloud` CLI, or Terraform — specify the service account in the instance configuration. For existing VMs, update the attached service account via the Console or `gcloud compute instances set-service-account`.

The startup script uses Application Default Credentials from the attached service account, so no key file or explicit credential configuration is required.

## Step 4: Configure and deploy the startup script

Paste the following script into the **Startup script** field when creating a VM instance, or set it via `gcloud compute instances add-metadata --metadata=startup-script=...`. Replace the values in the **Configuration** section at the top.

```bash
#!/usr/bin/env bash
set -euo pipefail

# ===========================================================
# Configuration — replace these values for your environment
# ===========================================================
PROJECT_ID="<GCP_PROJECT_ID>"
API_KEY_SECRET="linuxguard-api-key"
TENANT_ID_SECRET="linuxguard-tenant-id"
# ===========================================================

# Install LinuxGuard agent (installer is idempotent)
curl -fsSL https://packages.linuxguard.io/install-linuxguard.sh | bash -s -- --yes

# Enroll agent — file guard is REQUIRED because startup scripts run on every boot
if [ ! -f /var/lib/linuxguard/config ]; then
  API_KEY=$(gcloud secrets versions access latest \
    --secret="${API_KEY_SECRET}" \
    --project="${PROJECT_ID}")
  TENANT_ID=$(gcloud secrets versions access latest \
    --secret="${TENANT_ID_SECRET}" \
    --project="${PROJECT_ID}")

  linuxguard-agent enroll \
    --api-key="${API_KEY}" \
    --tenant-id="${TENANT_ID}"
fi
```

> **Note:** The `if [ ! -f /var/lib/linuxguard/config ]` guard prevents unnecessary Secret Manager calls and agent enrollment attempts on every reboot. See [Automated Deployment Overview](/how-to-guides/how-to/automated-deployment.md) for details on what this file indicates.

## Verifying the deployment

After the VM boots, enrolled servers appear in the LinuxGuard console under **Infrastructure** within a few minutes.

***

**Related**: [Automated Deployment Overview](/how-to-guides/how-to/automated-deployment.md) | [Installation](/how-to-guides/how-to/installation.md) | [Configuration](/how-to-guides/how-to/configuration.md)
