You can deploy an image hosted by Artifact Registry to Cloud Run.
Permissions required to deploy
To deploy to Cloud Run, you must have the Owner or Editor role, or both the Cloud Run Admin and Service Account User roles, or any custom role that includes this specific list of permissions.
By default Cloud Run uses the Compute Engine service account as the identity for revisions. This default service account has read-only access to Artifact Registry repositories in the same Google Cloud project. If your repositories are in a different project or if you use a user-managed service account as the identity for your revisions, you must grant Artifact Registry Reader permissions to the Runtime service account.
Deploying from local source
For supported languages, Cloud Run can automatically:
- Containerize local source code.
- Push the container image to an Artifact Registry repository.
- Deploy the container image Cloud Run from the repository.
Cloud Run pushes and pulls images using the repository
cloud-run-source-deploy in the region that you specify at deploy time.
If the repository does not exist, Cloud Run creates it for you if
your account has the required permissions.
Deploying container images
You deploy an image by tag or digest that is stored in Artifact Registry.
Deploying to a service for the first time creates its first revision. Note that revisions are immutable. If you deploy from a container image tag, it will be resolved to a digest and the revision will always serve this particular digest.
You can deploy a container using the Cloud Console or the
To deploy a container image:
Click Create service to display the Create service page.
Under Deployment platform:
Select Cloud Run as the deployment platform.
Select the region where you want your service located.
Enter the service name. Service names must be unique per region and project or per cluster. A service name cannot be changed later and is publicly visible when using Cloud Run.
- If you are creating a public API or website, select
Allow unauthenticated invocations. Selecting this assigns the
IAM Invoker role to the special identifier
allUser. You can use IAM to edit this setting later after you create the service.
- If you want a secure service protected by authentication, select Require authentication.
- If you are creating a public API or website, select Allow unauthenticated invocations. Selecting this assigns the IAM Invoker role to the special identifier
Click Next to continue to the second page of the service creation form:
In the Container image URL textbox, supply the URL of an image, for example:
Optionally, click Show Advanced Settings and the subsequent tabs to set:
Click Create to deploy the image to Cloud Run and wait for the deployment to finish.
Click the displayed URL link to open the endpoint of your deployed service.
To deploy a container image:
Run the following command.
gcloud run deploy SERVICE --image REPO-LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE \ [--platform managed --region RUN-REGION]
- REPO-LOCATION is the location of the repository.
- SERVICE is the name of the service you want to deploy to. If the service does not exist yet, this command creates the service during the deployment. You can omit this parameter entirely, but you will be prompted for the service name if you omit it.
- PROJECT-ID is the Google Cloud project ID.
- REPOSITORY is the name of the repository where the image is stored.
- IMAGE is the name of your image, for example,
- RUN-REGION is the Cloud Run location for the
deployment. If you set a default Cloud Run
location set with the
run/region, you can omit
--platform managed -region RUN-REGION].
If you are creating a public API or website, you can allow unauthenticated invocations of your service using the
--allow- unauthenticatedflag. This assigns the Cloud Run Invoker IAM role to
allUsers. You can also specify
--no-allow-unauthenticatedto not allow unauthenticated invocations. If you omit either of these flags, you are prompted to confirm when the
- REPO-LOCATION is the location of the repository. For example,
Wait for the deployment to finish. Upon successful completion, a success message is displayed along with the URL of the deployed service.