You can deploy a container image stored in Artifact Registry to Cloud Run. You can also deploy directly from source to Cloud Run, which includes automatically creating a container image for your built source and storing the image in Artifact Registry.
Permissions required to deploy
- Deploying from source
- To deploy from source, you must have permissions to build, store the built container image, and deploy.
- Deploying container images
To deploy to Cloud Run, you must have the Owner or Editor role, or both the Cloud Run Admin and Service Account User roles, or any custom role that includes a specific set of permissions.
By default Cloud Run uses the Compute Engine service account as the identity for revisions. This default service account has read-only access to Artifact Registry repositories in the same Google Cloud project. If your repositories are in a different project or if you use a user-managed service account as the identity for your revisions, you must grant Artifact Registry Reader permissions to the Runtime service account.
Deploying from local source
For supported languages, Cloud Run can automatically:
- Containerize local source code.
- Push the container image to an Artifact Registry repository.
- Deploy the container image Cloud Run from the repository.
Cloud Run pushes and pulls images using the repository
cloud-run-source-deploy in the region that you specify at deploy time.
If the repository does not exist, Cloud Run creates it for you if
your account has the required permissions.
Deploying container images
You deploy an image by tag or digest that is stored in Artifact Registry.
Deploying to a service for the first time creates its first revision. Note that revisions are immutable. If you deploy from a container image tag, it will be resolved to a digest and the revision will always serve this particular digest.
You can deploy a container using the Google Cloud console or the
command line. For instructions see, Deploying container images.