Deploy with GCP Startup Script

This guide provides a complete GCP Compute Engine startup script that installs and enrolls LinuxGuard, retrieving credentials from Secret Manager using the VM's attached service account — no hardcoded credentials in the script.

Important: GCP Compute Engine startup scripts run on every VM boot, not just the first launch. The script below includes a mandatory idempotency guard to prevent re-enrollment on subsequent reboots. Do not remove this guard.

Prerequisites

  • Google Cloud SDK (gcloud) installed locally for one-time setup steps

  • A Compute Engine instance with a service account attached (see Step 1)

  • A LinuxGuard API key and tenant ID (from the LinuxGuard console)

Step 1: Create a service account and grant access

The VM's attached service account needs the roles/secretmanager.secretAccessor role on each LinuxGuard secret. Create and assign it in the following steps.

# Create a service account (if you don't have one already)
gcloud iam service-accounts create linuxguard-deployer \
  --display-name="LinuxGuard Deployer"

Note: If you already have a service account for your instances, use that — you do not need to create a new one.

Step 2: Store credentials in Secret Manager

Store your LinuxGuard credentials as individual secrets — one value per secret, as plain text:

# Store credentials as individual secrets (plain text, one value per secret).
# Pipe the value in with printf rather than a here-string (<<<), which would
# append a trailing newline that then becomes part of the stored secret.
printf '%s' "<API_KEY>" | gcloud secrets create linuxguard-api-key --data-file=-
printf '%s' "<TENANT_ID>" | gcloud secrets create linuxguard-tenant-id --data-file=-

# Grant the service account read access to each secret
gcloud secrets add-iam-policy-binding linuxguard-api-key \
  --member="serviceAccount:<SA_EMAIL>" \
  --role="roles/secretmanager.secretAccessor"

gcloud secrets add-iam-policy-binding linuxguard-tenant-id \
  --member="serviceAccount:<SA_EMAIL>" \
  --role="roles/secretmanager.secretAccessor"

Replace <SA_EMAIL> with the service account's email address (for example, linuxguard-deployer@<GCP_PROJECT_ID>.iam.gserviceaccount.com).

Step 3: Attach the service account to your instances

When creating a VM instance — via the Console, gcloud CLI, or Terraform — specify the service account in the instance configuration. For existing VMs, update the attached service account via the Console or gcloud compute instances set-service-account.

The startup script uses Application Default Credentials from the attached service account, so no key file or explicit credential configuration is required.

Step 4: Configure and deploy the startup script

Paste the following script into the Startup script field when creating a VM instance, or set it via gcloud compute instances add-metadata --metadata=startup-script=.... Replace the values in the Configuration section at the top.

Note: The if [ ! -f /var/lib/linuxguard/config ] guard prevents unnecessary Secret Manager calls and agent enrollment attempts on every reboot. See Automated Deployment Overview for details on what this file indicates.
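As an added example, not LinuxGuard's published startup script, the following implements the flow this step describes: the idempotency guard on /var/lib/linuxguard/config, an access token obtained from the metadata server through the attached service account (what Application Default Credentials do on a GCE VM), and the two secrets from Step 2 read through the Secret Manager REST API. The enroll command linuxguard-agent enroll and the LINUXGUARD_CONFIG override variable are hypothetical placeholders; substitute the vendor's actual install and enroll commands.

```shell
#!/bin/sh
# Added example of a startup script for Step 4; not LinuxGuard's own script.
# `linuxguard-agent enroll` and LINUXGUARD_CONFIG are hypothetical placeholders.
set -eu
PROJECT_ID="<GCP_PROJECT_ID>"   # replace with the project that holds the secrets
CONFIG_FILE="${LINUXGUARD_CONFIG:-/var/lib/linuxguard/config}"
META="http://metadata.google.internal/computeMetadata/v1"

# Idempotency guard: the config file exists only after a successful enrollment,
# so on every later boot the script exits before touching Secret Manager.
needs_enrollment() { [ ! -f "$1" ]; }

# Extract and base64-decode the secret from a versions.access response, whose
# shape is {"payload": {"data": "<base64>", "dataCrc32c": ...}}.
decode_secret_payload() {
  printf '%s' "$1" | sed -n 's/.*"data": *"\([^"]*\)".*/\1/p' | base64 -d
}

# Short-lived access token for the attached service account, from the metadata
# server; no key file is involved and nothing is written to disk.
access_token() {
  curl -sf -H 'Metadata-Flavor: Google' "$META/instance/service-accounts/default/token" \
    | sed -n 's/.*"access_token": *"\([^"]*\)".*/\1/p'
}

# Read the latest version of one secret (needs roles/secretmanager.secretAccessor).
fetch_secret() {
  decode_secret_payload "$(curl -sf -H "Authorization: Bearer $(access_token)" \
    "https://secretmanager.googleapis.com/v1/projects/$PROJECT_ID/secrets/$1/versions/latest:access")"
}

main() {
  if ! needs_enrollment "$CONFIG_FILE"; then
    echo "linuxguard: already enrolled, nothing to do"; return 0
  fi
  API_KEY="$(fetch_secret linuxguard-api-key)"
  TENANT_ID="$(fetch_secret linuxguard-tenant-id)"
  if [ -z "$API_KEY" ] || [ -z "$TENANT_ID" ]; then
    echo "linuxguard: could not read secrets from Secret Manager" >&2; return 1
  fi
  # Hand the values over through the environment rather than argv, so they do
  # not show up in process listings or the serial-console startup log.
  LINUXGUARD_API_KEY="$API_KEY" LINUXGUARD_TENANT_ID="$TENANT_ID" linuxguard-agent enroll
}

# Run only when the metadata server answers, i.e. on a GCE VM; elsewhere (for
# example when sourced for testing) the script just defines the functions.
on_gce() {
  command -v curl >/dev/null 2>&1 &&
    curl -sf --max-time 2 -H 'Metadata-Flavor: Google' "$META/instance/id" >/dev/null 2>&1
}
if on_gce; then main; fi
```

Because the guard runs before any network call, a rebooted VM makes no Secret Manager requests at all, which also keeps the audit log for those secrets limited to genuine enrollments.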

Verifying the Deployment

After the VM boots, enrolled servers appear in the LinuxGuard console under Infrastructure within a few minutes.
