Cloud Build features

This page describes some optional configurations to build the Cortex Framework Data Foundation with Cloud Build features, such as creating a service account, building in a specific region or using a private worker pool. These configurations offer significant benefits in terms of data privacy, performance, security, and customization. The best approach depends on your specific requirements and the nature of your application.

Deployment with user created service account

You can run the deployment through a service account by adding the substitution parameter _BUILD_ACCOUNT.

  gcloud builds submit \
    --config=./cloudbuild.yaml \
    --substitutions=_GCS_BUCKET=BUCKET_FOR_LOGS,_BUILD_ACCOUNT='projects/SOURCE_PROJECT/serviceAccounts/SERVICE_ACCOUNT@SOURCE_PROJECT.iam.gserviceaccount.com'

Replace the following:

  • BUCKET_FOR_LOGS with the bucket name for the logs.
  • SERVICE_ACCOUNT with the service account for Cortex Framework Data Foundation deployment.
  • SOURCE_PROJECT with the source project for Cortex Framework Data Foundation deployment.

This service account triggers a Cloud Build job that in turn runs specific steps through the Cloud Build service account. This lets you trigger a deployment process without direct access to the resources.

To create a new service account, follow these steps:

Console

  1. Go to the Service accounts page.

  2. Grant this Service Account access to the project.

  3. Grant users access to this Service Account.

    1. Add the ID of all users (including your own) who can run the deployment through the service account.
    2. Assign the Service Account Token Creator role. For more information about this role, see Service account roles.

If you already have a service account, follow these steps:

  1. Go to Service accounts.
  2. Click the Service account.
  3. Click the Permissions tab.
  4. Click Grant Access.
    1. Add the ID of all users (including your own) who can run the deployment through the service account.
    2. Assign the Service Account Token Creator role.

gcloud

  1. Create a service account with the following command:

    gcloud iam service-accounts create SERVICE_ACCOUNT \
        --description="Service account for Cortex Framework Data Foundation deployment" \
        --display-name="my-cortex-service-account"
    
  2. Grant the service account the Cloud Build Editor role on your Google Cloud project with the following command:

    gcloud projects add-iam-policy-binding SOURCE_PROJECT \
        --member="serviceAccount:SERVICE_ACCOUNT@SOURCE_PROJECT.iam.gserviceaccount.com" \
        --role="roles/cloudbuild.builds.editor"
    
  3. Add the ID of all users (including your own) who can run the deployment through the service account, and assign them the Service Account Token Creator role with the following command:

    gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT@SOURCE_PROJECT.iam.gserviceaccount.com \
        --member="user:USER_EMAIL" \
        --role="roles/iam.serviceAccountTokenCreator"
    

    Replace the following:

    • SERVICE_ACCOUNT with the service account for Cortex Framework Data Foundation deployment.
    • SOURCE_PROJECT with the source project for Cortex Framework Data Foundation deployment.
    • USER_EMAIL with the executing user email.

Build in a specific region

Building in a specific region keeps your build data within that geographic region. This can help you comply with local data privacy regulations, meet availability requirements, and reduce latency. For more information, see Cloud Build locations.

To run the deployment in a specific region, add the substitution parameter _CLOUD_BUILD_REGION together with the --region flag of gcloud, as in the following command:

gcloud builds submit \
  --config=./cloudbuild.yaml \
  --substitutions=_GCS_BUCKET=BUCKET_FOR_LOGS,_CLOUD_BUILD_REGION=REGION \
  --region=REGION

Replace the following:

  • BUCKET_FOR_LOGS with the bucket name for the logs.
  • REGION with the region for your deployment. For more information about available regions, see Geography and regions.

Build with a private worker pool

Using a private worker pool provides a more secure environment for your builds. Private pools are private, dedicated pools of workers that offer customization over the build environment, including the ability to access resources in a private network. For more information, see Private pools overview.

To build on a private worker pool, add the _WORKER_POOL_NAME substitution together with the matching _CLOUD_BUILD_REGION parameter and --region flag, as in the following command:

gcloud builds submit \
  --config=./cloudbuild.yaml \
  --substitutions=_GCS_BUCKET=BUCKET_FOR_LOGS,_WORKER_POOL_NAME='projects/SOURCE_PROJECT/locations/REGION/workerPools/YOUR_WORKER_POOL_NAME',_CLOUD_BUILD_REGION=REGION \
  --region=REGION

Replace the following:

  • BUCKET_FOR_LOGS with the bucket name for the logs.
  • SOURCE_PROJECT with the source project for Cortex Framework Data Foundation deployment.
  • YOUR_WORKER_POOL_NAME with the name for your worker pool.
  • REGION with the region for your deployment. The worker pool must be located in this same region. For more information about available regions, see Geography and regions.
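The following POSIX shell wrapper is an added example, not part of the Cortex Framework or the Google Cloud documentation. It assembles the three command variants on this page (user-created service account, specific region, private worker pool) and refuses to run when _BUILD_ACCOUNT is not a full service-account resource name or when the private pool is not in the build region; the function names, the CORTEX_RUN switch and all project, bucket and pool values are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: assemble and validate the gcloud builds submit call
# for the Cortex Framework Data Foundation. Nothing here talks to Google
# Cloud unless CORTEX_RUN=1 is set; the checks run offline.

# Build the --substitutions value as ONE comma-separated list: a space or a
# line break inside it makes gcloud treat the remainder as a positional arg.
cortex_substitutions() {
  bucket=$1; region=$2; build_account=$3; pool=$4
  subs="_GCS_BUCKET=${bucket}"
  [ -n "$region" ] && subs="${subs},_CLOUD_BUILD_REGION=${region}"
  [ -n "$build_account" ] && subs="${subs},_BUILD_ACCOUNT=${build_account}"
  [ -n "$pool" ] && subs="${subs},_WORKER_POOL_NAME=${pool}"
  printf '%s\n' "$subs"
}

# _BUILD_ACCOUNT takes the full resource name shown on this page, not a bare
# email. Returns 0 when the value has that shape, 1 otherwise.
cortex_check_build_account() {
  case $1 in
    projects/*/serviceAccounts/*@*.iam.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# A private pool serves builds only in its own region, so the pool's
# locations/<region> segment must equal --region. Returns 0 on a match.
cortex_check_pool_region() {
  pool_region=${1#projects/*/locations/}
  pool_region=${pool_region%%/*}
  [ "$pool_region" = "$2" ]
}

# Refuse early on a malformed account or a region mismatch, then print the
# command (or run it when CORTEX_RUN=1). Args: bucket region [account] [pool]
cortex_deploy() {
  bucket=$1; region=$2; build_account=$3; pool=$4
  if [ -n "$build_account" ] && ! cortex_check_build_account "$build_account"; then
    echo "refusing: _BUILD_ACCOUNT must be projects/PROJECT/serviceAccounts/EMAIL" >&2
    return 1
  fi
  if [ -n "$pool" ] && ! cortex_check_pool_region "$pool" "$region"; then
    echo "refusing: worker pool is not in --region=${region}" >&2
    return 1
  fi
  subs=$(cortex_substitutions "$bucket" "$region" "$build_account" "$pool")
  set -- gcloud builds submit --config=./cloudbuild.yaml "--substitutions=${subs}"
  [ -n "$region" ] && set -- "$@" "--region=${region}"
  if [ "${CORTEX_RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}
```

Without CORTEX_RUN=1 the wrapper only prints the command it would run, which is a convenient way to review the exact substitutions before a build is submitted.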