Cloud Run enables you to run stateless containers in a serverless environment. Using Cloud Build, you can deploy container images from Container Registry (Deprecated) and Artifact Registry to Cloud Run. You can deploy an existing image, build and deploy an image, or automate the deployment.
Before you begin
- Enable the Cloud Build, Cloud Run, Container Registry, and Resource Manager APIs.
- Have your application source code ready. Your source code needs to be stored in a repository, such as Cloud Source Repositories, GitHub, or Bitbucket.
- To run the gcloud commands in this page, install the Google Cloud CLI.
- If you're using VPC Service Controls, set up a private pool in the VPC Service Controls perimeter. You must also configure Cloud Run for VPC Service Controls.
Required IAM permissions
If your image is stored in the same Google Cloud project as the one you want to deploy to or if your image is public in Container Registry, you require the following IAM permissions:
To deploy to Cloud Run, grant the Cloud Run Admin and Service Account User roles to the service account you are using for the build:
Open the Cloud Build settings page in the Google Cloud console:
From the drop-down list, select the service account whose roles you want to change.
In the Service account permissions panel, set the status of the Cloud Run Admin role to ENABLED:
In the Additional steps may be required pop-up, click GRANT ACCESS TO ALL SERVICE ACCOUNTS.
Building and deploying a container
Cloud Build enables you to build the container image, store the built image in Container Registry, and then deploy the image to Cloud Run.
To build and deploy a container image:
In your project root directory, create a config file named cloudbuild.yaml.
In the build config file, add docker build steps to build the image and push it to Container Registry, and then add a gcloud build step to invoke the gcloud run deploy command to deploy the image on Cloud Run:

    steps:
    # Build the container image
    - name: 'gcr.io/cloud-builders/docker'
      args: ['build', '-t', 'gcr.io/PROJECT_ID/IMAGE', '.']
    # Push the container image to Container Registry
    - name: 'gcr.io/cloud-builders/docker'
      args: ['push', 'gcr.io/PROJECT_ID/IMAGE']
    # Deploy container image to Cloud Run
    - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
      entrypoint: gcloud
      args: ['run', 'deploy', 'SERVICE_NAME', '--image', 'gcr.io/PROJECT_ID/IMAGE', '--region', 'SERVICE_REGION']
    images:
    - gcr.io/PROJECT_ID/IMAGE

Where:
- SERVICE_NAME is the name of the Cloud Run service.
- SERVICE_REGION is the region of the Cloud Run service you are deploying.
- PROJECT_ID is your Google Cloud project ID where your image is stored.
- IMAGE is the name of your image in Container Registry.
Navigate to your project root directory and run the following command, where BUILD_REGION is one of the supported build regions to run the build:

    gcloud builds submit --region=BUILD_REGION

After successful completion, a success message is displayed along with the URL of the deployed service.
Continuous deployment
You can automate the deployment of your software to Cloud Run by creating Cloud Build triggers. You can configure your triggers to build and deploy images whenever you update your source code.
To automate your deployment:
In your repository root, add a config file named cloudbuild.yaml with steps to build the image, push the image to Container Registry, and then invoke the gcloud run deploy command:

    steps:
    # Build the container image
    - name: 'gcr.io/cloud-builders/docker'
      args: ['build', '-t', 'gcr.io/$PROJECT_ID/SERVICE_NAME:$COMMIT_SHA', '.']
    # Push the container image to Container Registry
    - name: 'gcr.io/cloud-builders/docker'
      args: ['push', 'gcr.io/$PROJECT_ID/SERVICE_NAME:$COMMIT_SHA']
    # Deploy container image to Cloud Run
    - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
      entrypoint: gcloud
      args:
      - 'run'
      - 'deploy'
      - 'SERVICE_NAME'
      - '--image'
      - 'gcr.io/$PROJECT_ID/SERVICE_NAME:$COMMIT_SHA'
      - '--region'
      - 'SERVICE_REGION'
    images:
    - 'gcr.io/$PROJECT_ID/SERVICE_NAME:$COMMIT_SHA'

Where:
- SERVICE_NAME is the name of the Cloud Run service.
- SERVICE_REGION is the region of the Cloud Run service you are deploying.
The $COMMIT_SHA substitution variable is populated by Cloud Build when the build is triggered from a Git repository.
Create a build trigger with the config file created in the previous step:
Open the Triggers page:
Click Create Trigger.
In the Name field, enter a name for your trigger.
Under Region, select the region for your trigger.
Under Event, select the repository event to start your trigger.
Under Source, select your repository and the branch or tag name that will start your trigger. For more information on specifying which branches to autobuild, see Creating a build trigger.
Under Configuration, select Cloud Build configuration file (YAML or JSON).
In the Cloud Build configuration file location field, type cloudbuild.yaml after the /.
Click Create to save your build trigger.
You are finished! From now on, whenever you push new code to your repository, a build and a deployment to your Cloud Run service are triggered automatically.
For more information on creating Cloud Build triggers, see Creating and managing build triggers.
Using minimal IAM permissions
When a container is deployed to a Cloud Run service, it runs with the identity of the Runtime Service Account of this Cloud Run service. Because Cloud Build can deploy new containers automatically, Cloud Build needs to be able to act as the Runtime Service Account of your Cloud Run service.
To grant limited access to Cloud Build to deploy to a Cloud Run service:
Console
Go to the Service accounts page of the Google Cloud console:
Click the email address of your Cloud Run service's Runtime Service Account (by default, it is PROJECT_NUMBER-compute@developer.gserviceaccount.com).
Click the Permissions tab.
Click Grant access.
Enter the Cloud Build Service Account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com).
In the Select a role dropdown, select the Service Accounts > Service Account User role.
Click Save.
gcloud
Use the gcloud iam service-accounts add-iam-policy-binding command, where PROJECT_NUMBER is the numeric ID of your project:

    gcloud iam service-accounts add-iam-policy-binding \
      PROJECT_NUMBER-compute@developer.gserviceaccount.com \
      --member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
      --role="roles/iam.serviceAccountUser"

Replace PROJECT_NUMBER with the numeric ID of your project.
If you are using Cloud Run with a customized service identity, replace PROJECT_NUMBER-compute@developer.gserviceaccount.com with your service account address.
See Deployment permissions for more information.
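To check which of the two grants described on this page is in effect, the following added example (not part of the original page or of Google's tooling) classifies the Cloud Build service account's Service Account User binding as project-wide or scoped to the runtime service account. The function names, the project number 123456789012 and both sample policies are constructed for illustration; the input shape is the JSON printed by `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy` with `--format=json`.

```python
import json

SA_USER_ROLE = "roles/iam.serviceAccountUser"

# Constructed sample (not real project data), shaped like the output of
#   gcloud projects get-iam-policy PROJECT_ID --format=json
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/run.admin",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}
]}
""")

# Constructed sample, shaped like the output of
#   gcloud iam service-accounts get-iam-policy RUNTIME_SA --format=json
RUNTIME_SA_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}
]}
""")


def members_with_role(policy, role):
    """Collect every member bound to `role` in an IAM policy dict."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def audit_act_as(project_policy, runtime_sa_policy, project_number):
    """Classify how Cloud Build holds Service Account User.

    Only roles/iam.serviceAccountUser is examined; other roles that also
    allow acting as a service account are not checked here.
    """
    build_sa = f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"
    if build_sa in members_with_role(project_policy, SA_USER_ROLE):
        return "BROAD"    # project-level: applies to every service account
    if build_sa in members_with_role(runtime_sa_policy, SA_USER_ROLE):
        return "SCOPED"   # bound only on the runtime service account
    return "MISSING"      # no Service Account User binding found


if __name__ == "__main__":
    print(audit_act_as(PROJECT_POLICY, RUNTIME_SA_POLICY, "123456789012"))
```

A "BROAD" result means the role is bound on the project, so removing that binding and keeping only the per-account binding brings the setup in line with this section.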
Code examples
Here are some sample repositories, each of which contains a sample application and a build config file to deploy the application to Cloud Run:
- deploy-prebuilt: A code example that shows how to deploy a prebuilt image to Cloud Run.
- run-example-builddeploy: A code example that shows how to build and deploy an image to Cloud Run.
What's next
- Learn how to use Cloud Deploy to deploy to Cloud Run.
- Learn how to deploy on GKE.
- Learn how to deploy on Cloud Run functions.
- Learn how to deploy on App Engine.
- Learn how to deploy on Firebase.
- Learn how to perform blue/green deployments on Compute Engine.
- Learn how to troubleshoot build errors.