DBX ON PREM GCP Communication
ADR-0020-DBX-ON-PREM-GCP-COMMUNICATION (v7)
On-prem machine communication with GCP
Glossary
- DBX Backend - software running in GKE that orchestrates all physical DBXs.
- DBX Client - software running on the physical box that orchestrates the PLC (robotics), the scanners and the client UI.
Context
DBX Client currently uses a developer's credentials to run gcloud auth and generate an access token, so that it can pull Docker images from Google Artifact Registry (GAR).
These secrets are currently stored in the DBX Client deploy file.
The communication between DBX Client and DBX Backend is currently secured with FrontEgg M2M auth and CATO.
Requirements
- Safe access to GCP to pull Docker images
- No GCP service-access secrets stored on the DBX
Decision
Step 1: Service Account
Generate a service account and store its key (the service account key .json file) in GSM in the DBX Cloud project.
Dev and Prod environments have separate service accounts, so their keys are stored in the GSM projects droneup-hubops-dev and droneup-hubops-prod respectively.
The service account should have the Secret Manager secretAccessor role on the DBX Cloud project and read access to GAR.
Step 2: GCP Token Generation
DBX Service generates a FrontEgg access token using the client id and secret stored on the machine; together with CATO this secures the communication.
When the DBX Client updater script asks DBX Cloud for the target service version and the current version differs from the target version, the backend generates a short-TTL (e.g. 15 minutes) GCP access token from the service account key and returns it to the DBX Client updater, which uses it to access GSM and GAR.
{
  "BoxId": "box_KNZFYP",
  "ServiceType": "DBX_SERVICE",
  "TargetVersion": "f5a0f83",
  "TargetUpdatedAt": "2024-06-03T15:41:26Z",
  "CurrentVersion": "f5a0f83",
  "CurrentUpdatedAt": "2024-06-03T17:12:23Z",
  "AccessToken": "...."
}
AccessToken is optional: it is only included when the current version differs from the target version.
Step 3:
DBX Service receives the short-lived GCP access token from DBX Backend and:
- uses the access token to fetch DBX Client related secrets from GSM
- uses the access token to fetch the Docker image from GAR
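As an added example (not part of the ADR or of the DBX code base), the client-side handling of the Step 2 response and the two Step 3 calls in Python: the token is taken from the updater response only when the versions differ, the DBX Client secret is read through Secret Manager's REST `versions.access` call, and docker logs in to GAR under the fixed `oauth2accesstoken` user with the token passed on stdin. The regional GAR host, project and secret names are assumptions.

```python
import base64
import json
import subprocess
import urllib.request
from typing import Optional

# Assumption, not from the ADR: the regional GAR host used by the DBX repos.
GAR_REGISTRY = "europe-docker.pkg.dev"
GSM_API = "https://secretmanager.googleapis.com/v1"

def token_from_update_response(body: str) -> Optional[str]:
    """Step 2 contract: AccessToken is present only when an update is needed."""
    msg = json.loads(body)
    if msg["CurrentVersion"] == msg["TargetVersion"]:
        return None  # nothing to pull, so no token is expected or used
    token = msg.get("AccessToken")
    if not token:
        raise ValueError("update required but no AccessToken in response")
    return token

def secret_access_request(token: str, project: str, secret: str):
    """URL and headers for GSM's versions.access REST call (latest version)."""
    url = f"{GSM_API}/projects/{project}/secrets/{secret}/versions/latest:access"
    return url, {"Authorization": f"Bearer {token}"}

def decode_secret_payload(response_body: str) -> bytes:
    """GSM returns the secret bytes base64-encoded in payload.data."""
    return base64.b64decode(json.loads(response_body)["payload"]["data"])

def fetch_secret(token: str, project: str, secret: str) -> bytes:
    """Step 3a: read a DBX Client secret from GSM with the short-lived token."""
    url, headers = secret_access_request(token, project, secret)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        return decode_secret_payload(r.read().decode())

def docker_login_command(registry: str = GAR_REGISTRY) -> list:
    """GAR accepts OAuth2 access tokens under the fixed user 'oauth2accesstoken'.
    The token is piped on stdin (--password-stdin) so it never lands in argv,
    process listings or shell history on the box."""
    return ["docker", "login", "-u", "oauth2accesstoken",
            "--password-stdin", f"https://{registry}"]

def pull_image(token: str, image: str) -> None:
    """Step 3b: log in to GAR with the token, then pull the target image."""
    subprocess.run(docker_login_command(), input=token.encode(), check=True)
    subprocess.run(["docker", "pull", image], check=True)
```

The token lives only in process memory for the duration of the update; nothing in this flow writes it to the deploy file or any other file on the box.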
Alternatives considered
Workload Federation
With Workload Identity Federation, you can use Identity and Access Management (IAM) to grant IAM roles to external identities, giving them direct access to Google Cloud resources. You can also grant access through service account impersonation.
We can use FrontEgg as our Identity Provider.
The downsides:
- Complexity of managing FrontEgg credentials on the DBXs if we want a per-machine user.
- Complexity of switching a DBX Client from one environment to another, since the public part of the configuration must be regenerated.