Publish events from a Google source

You can enable the collecting and publishing of events from Google sources. For more information, see Publish events from Google sources.

This quickstart shows you how to publish and receive event messages by creating an Eventarc Advanced bus and enrollment in your Google Cloud project.

  • A bus centralizes the flow of messages through your system and acts as a router. It receives event messages from a message source, or messages published by a provider, and evaluates them according to an enrollment.

  • An enrollment identifies a subscription to a particular bus and defines the matching criteria for messages, so that matching messages are routed to one or more destinations.

In this quickstart, you:

  1. Deploy an event receiver service to Cloud Run.

  2. Create an Eventarc Advanced bus.

  3. Enable events from Google sources.

  4. Create an Eventarc Advanced enrollment.

  5. Publish an event message to the bus by creating a workflow.

  6. View the event data in the Cloud Run logs.

You can complete this quickstart using the gcloud CLI.

Before you begin

Security constraints defined by your organization might prevent you from completing the following steps. For troubleshooting information, see Develop applications in a constrained Google Cloud environment.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install the Google Cloud CLI.

  3. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  4. To initialize the gcloud CLI, run the following command:

    gcloud init
  5. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Artifact Registry, Cloud Build, Cloud Run, Eventarc, and Workflows APIs:

    gcloud services enable artifactregistry.googleapis.com cloudbuild.googleapis.com eventarc.googleapis.com eventarcpublishing.googleapis.com run.googleapis.com workflows.googleapis.com
  14. Update gcloud components:
    gcloud components update
  15. Sign in using your account:
    gcloud auth login
  16. Set the configuration variable used in this quickstart:
    REGION=REGION

    Replace REGION with a supported location for the bus—for example, us-central1.

  17. If you are the project creator, you are granted the basic Owner role (roles/owner). By default, this Identity and Access Management (IAM) role includes the permissions necessary for full access to most Google Cloud resources and you can skip this step.

    If you are not the project creator, required permissions must be granted on the project to the appropriate principal. For example, a principal can be a Google Account (for end users) or a service account (for applications and compute workloads).

    Note that by default, Cloud Build permissions include permissions to upload and download Artifact Registry artifacts.

    Required permissions

    To get the permissions that you need to complete this quickstart, ask your administrator to grant you the following IAM roles on your project:

    For more information about granting roles, see Manage access to projects, folders, and organizations.

    You might also be able to get the required permissions through custom roles or other predefined roles.

  18. Grant the following roles on the project to the Compute Engine default service account. These roles are needed when building and deploying your container image:
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com \
        --role=roles/artifactregistry.writer
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com \
        --role=roles/logging.logWriter
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com \
        --role=roles/storage.objectUser

    Replace PROJECT_NUMBER with your Google Cloud project number. You can find your project number on the Welcome page of the Google Cloud console or by running the following command:

    gcloud projects describe PROJECT_ID --format='value(projectNumber)'
  19. By default, only Project Owners, Project Editors, and Cloud Run Admins and Invokers can call Cloud Run services. To set up authentication, grant the Cloud Run Invoker role (run.invoker) on your Google Cloud project to a service account:
    1. Create a service account. For testing purposes, you will attach this service account to an Eventarc Advanced pipeline to represent the identity of the pipeline.
      gcloud iam service-accounts create SERVICE_ACCOUNT_NAME
      Replace SERVICE_ACCOUNT_NAME with a name for your service account.
    2. Grant the roles/run.invoker IAM role to the service account:
      gcloud projects add-iam-policy-binding PROJECT_ID \
          --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
          --role=roles/run.invoker

    Note that you can configure who can access your Cloud Run service in either of the following ways:

    • Grant permission to select service accounts or groups to allow access to the service. All requests must have an HTTP Authorization header containing an OpenID Connect token signed by Google for one of the authorized service accounts. This is the way that access is configured in this quickstart.
    • Grant permission to allUsers to allow unauthenticated access.

    For more information, see Access control for Cloud Run.
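
The project-level `roles/run.invoker` binding created above applies to every Cloud Run service in the project, and a service-level binding to `allUsers` would open the receiver to unauthenticated callers. The following check is an added example, not part of the quickstart: it reads IAM policy documents in the JSON shape that `gcloud projects get-iam-policy` and `gcloud run services get-iam-policy` print with `--format=json` and reports who can invoke the service. The policies, account names and the `audit_invokers` function are constructed for illustration.

```python
INVOKER_ROLE = "roles/run.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed policies in the shape printed by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
#   gcloud run services get-iam-policy SERVICE_NAME --region=$REGION --format=json
# All account names below are hypothetical.
PIPELINE_SA = "serviceAccount:pipeline-sa@my-project.iam.gserviceaccount.com"
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/run.invoker", "members": [PIPELINE_SA]},
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    ]
}
SERVICE_POLICY = {
    "bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]
}


def audit_invokers(policies, expected):
    """Return sorted (finding, scope, member) tuples for run.invoker grants.

    policies maps a scope label ("project" or "service") to a policy document;
    a member bound at either scope can invoke the service.
    expected is the set of members that are supposed to be invokers.
    """
    findings, seen = [], set()
    for scope, policy in policies.items():
        for binding in policy.get("bindings", []):
            if binding.get("role") != INVOKER_ROLE:
                continue
            for member in binding.get("members", []):
                seen.add(member)
                if member in PUBLIC_MEMBERS:
                    findings.append(("PUBLIC", scope, member))
                elif member not in expected:
                    findings.append(("UNEXPECTED", scope, member))
                elif scope == "project":
                    # Project-level grant: valid for every service in the project.
                    findings.append(("BROAD", scope, member))
    findings += [("MISSING", "-", member) for member in expected - seen]
    return sorted(findings)


if __name__ == "__main__":
    scopes = {"project": PROJECT_POLICY, "service": SERVICE_POLICY}
    for row in audit_invokers(scopes, {PIPELINE_SA}):
        print(*row)
```

An empty result means the expected service account is bound on the service itself and nothing else can invoke it.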

Deploy an event receiver service to Cloud Run

Deploy a Cloud Run service as an event destination that logs the contents of an event. Other event destinations, such as a Pub/Sub topic, Workflows, or an HTTP endpoint, are also supported. For more information, see Event providers and destinations.

  1. Create an Artifact Registry standard repository to store your container image.

    gcloud artifacts repositories create REPOSITORY \
        --repository-format=docker \
        --location=$REGION

    Replace REPOSITORY with a unique name for the Artifact Registry repository—for example, my-repo.

  2. Clone the GitHub repository:

    git clone https://github.com/GoogleCloudPlatform/eventarc-samples.git
  3. Change to the directory that contains the Cloud Run sample code:

    cd eventarc-samples/eventarc-advanced-quickstart/
  4. Build a Docker container image and push the image to your repository:

    gcloud builds submit \
        --tag $REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/log-events:v1
  5. Deploy the container image to Cloud Run:

    gcloud run deploy SERVICE_NAME \
        --image $REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/log-events:v1 \
        --platform managed \
        --ingress all \
        --no-allow-unauthenticated \
        --region=$REGION

    Replace SERVICE_NAME with the name of your service—for example, my-service.

    Note the following:

    • The --platform flag sets the target platform, in this case a fully managed version of Cloud Run.

    • The ingress setting of all allows all requests, including requests directly from the internet to the run.app URL. For more information, see Restrict network ingress for Cloud Run.

    • The --no-allow-unauthenticated flag configures the service to only allow authenticated invocations.

    • When you see the Cloud Run service URL, the deployment is complete.

  6. Copy and save the Cloud Run service URL as you will use it in a subsequent step.

Create an Eventarc Advanced bus

A bus acts as a message router: it receives event messages from a message source, or messages published by a provider.

For more information, see Create a bus to route messages.

Create an Eventarc Advanced bus in your project by using the gcloud eventarc message-buses create command:

gcloud eventarc message-buses create BUS_NAME \
    --location=$REGION

Replace BUS_NAME with the ID of your bus or a fully qualified name—for example, my-bus.

Enable events from Google sources

To publish events from Google sources, you must create a GoogleApiSource resource. This resource represents a subscription to Google API events for a particular Eventarc Advanced bus in a specific Google Cloud project and region.

Enable events from Google sources by using the gcloud eventarc google-api-sources create command:

gcloud eventarc google-api-sources create GOOGLE_API_SOURCE_NAME \
    --destination-message-bus=BUS_NAME \
    --destination-message-bus-project=PROJECT_ID \
    --location=$REGION

Replace GOOGLE_API_SOURCE_NAME with the ID of your GoogleApiSource resource or a fully qualified name—for example, my-google-api-source.

All supported Google event types sent directly from a Google source are now collected and published to your bus.

Create an Eventarc Advanced enrollment

An enrollment determines which messages are routed to a destination, and specifies the pipeline that configures the destination for those event messages.

For more information, see Create an enrollment to receive events.

When using the gcloud CLI, you first create a pipeline, and then create an enrollment:

  1. Create a pipeline by using the gcloud eventarc pipelines create command:

    gcloud eventarc pipelines create PIPELINE_NAME \
        --destinations=http_endpoint_uri='CLOUD_RUN_SERVICE_URL',google_oidc_authentication_service_account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
        --location=$REGION

    Replace the following:

    • PIPELINE_NAME: the ID of the pipeline or a fully qualified name—for example, my-pipeline.
    • CLOUD_RUN_SERVICE_URL: the fully qualified URL of your Cloud Run service—for example, https://SERVICE_NAME-abcdef-uc.a.run.app. This is the destination for your event messages.

    Note that the google_oidc_authentication_service_account key specifies a service account email which is used to generate an OIDC token.

  2. Create an enrollment by using the gcloud eventarc enrollments create command:

    gcloud eventarc enrollments create ENROLLMENT_NAME \
        --cel-match=MATCH_EXPRESSION \
        --destination-pipeline=PIPELINE_NAME \
        --message-bus=BUS_NAME \
        --message-bus-project=PROJECT_ID \
        --location=$REGION

    Replace the following:

    • ENROLLMENT_NAME: the ID of the enrollment or a fully qualified name—for example, my-enrollment.
    • MATCH_EXPRESSION: the matching expression for this enrollment using CEL—for example, to publish event messages whenever a Workflows workflow is created, use the following expression:

      "message.type == 'google.cloud.workflows.workflow.v1.created'"
      

Publish an event message to the bus by creating a workflow

Workflows is a fully managed orchestration platform that executes services in an order that you define: a workflow. Create a workflow to generate a supported event type from a Google source.

  1. In your home directory, create a new file called myWorkflow.yaml.

  2. Copy and paste the following workflow into the new file, then save it:

    - getCurrentTime:
        call: http.get
        args:
          url: https://timeapi.io/api/Time/current/zone?timeZone=Europe/Amsterdam
        result: currentTime
    - readWikipedia:
        call: http.get
        args:
          url: https://en.wikipedia.org/w/api.php
          query:
            action: opensearch
            search: ${currentTime.body.dayOfWeek}
        result: wikiResult
    - returnResult:
        return: ${wikiResult.body[1]}
    

    This workflow passes the current day of the week as a search term to the Wikipedia API. A list of related Wikipedia articles is returned.

  3. Deploy the workflow and associate it with the specified service account by using the gcloud workflows deploy command:

    gcloud workflows deploy myWorkflow --source=myWorkflow.yaml \
        --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
        --location=$REGION

View the event data in the Cloud Run logs

After publishing an event to your Eventarc Advanced bus, you can check the logs of your Cloud Run service to verify that the event was received as expected.

  1. Filter the log entries and return the output by using the gcloud logging read command:

    gcloud logging read 'textPayload: "google.cloud.workflows.workflow.v1.created"'
    
  2. Look for a log entry similar to the following:

    insertId: 689644c30004cde066603b3a
    labels:
      instanceId: 0069c7a98846e3b870396a63478212b9642512ef362b67c33090846e10498949c671ccfefbc66f4f093796406e9a714bebc6fbb82f321578134ef95e56f9e9986c3265d2820b56f7994617ba7172ab
    logName: projects/PROJECT_ID/logs/run.googleapis.com%2Fstderr
    receiveTimestamp: '2025-08-08T18:41:07.632226222Z'
    resource:
      labels:
      ...
      type: cloud_run_revision
    textPayload: 'Ce-Type: google.cloud.workflows.workflow.v1.created'
    timestamp: '2025-08-08T18:41:07.314848Z'
    

You have successfully created an Eventarc Advanced bus and enrollment, enabled the publishing of events from Google sources, created a workflow to generate a supported event type from a Google provider, and then verified the expected outcome in the logs of the event receiver service.
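
The `Ce-Type` value in the log entry is a CloudEvents attribute carried as an HTTP header, so the receiver can check each delivery against the type the enrollment is meant to match instead of relying on the enrollment alone. This is an added example, not code from the eventarc-samples repository; it assumes binary content mode (attributes in `ce-` headers), and the header values other than `Ce-Type` and the function names are constructed.

```python
# Attributes that every CloudEvents 1.0 event must carry.
REQUIRED = ("id", "source", "specversion", "type")

# Mirror of the enrollment's CEL expression used in this quickstart.
ALLOWED_TYPES = {"google.cloud.workflows.workflow.v1.created"}

# Constructed request headers; only the Ce-Type value is taken from the log entry.
SAMPLE_HEADERS = {
    "Ce-Id": "constructed-event-id-1",
    "Ce-Source": "//workflows.googleapis.com/projects/PROJECT_ID/locations/us-central1/workflows/myWorkflow",
    "Ce-Specversion": "1.0",
    "Ce-Type": "google.cloud.workflows.workflow.v1.created",
    "Content-Type": "application/json",
}


def cloudevent_attributes(headers):
    """Collect ce-* headers into a dict keyed by lowercase attribute name."""
    attrs = {}
    for name, value in headers.items():
        lowered = name.lower()  # HTTP header names are case-insensitive
        if lowered.startswith("ce-"):
            attrs[lowered[3:]] = value.strip()
    return attrs


def check_event(headers, allowed_types=ALLOWED_TYPES):
    """Return (accepted, reason) for one delivery to the receiver."""
    attrs = cloudevent_attributes(headers)
    missing = [name for name in REQUIRED if not attrs.get(name)]
    if missing:
        return False, "missing CloudEvents attributes: " + ", ".join(missing)
    if attrs["specversion"] != "1.0":
        return False, "unsupported specversion"
    if attrs["type"] not in allowed_types:
        # The enrollment may have been widened; the receiver still refuses.
        return False, "event type not expected by this receiver"
    return True, "accepted " + attrs["type"]


if __name__ == "__main__":
    print(check_event(SAMPLE_HEADERS))
```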

Clean up

When you finish the tasks that are described in this quickstart, you can avoid continued billing by deleting the resources that you created:

  1. Delete an Artifact Registry repository.

  2. Delete a Cloud Run service.

  3. Delete a Workflows workflow.

  4. Delete Eventarc Advanced resources:

    1. Delete an enrollment.

    2. Delete a pipeline.

    3. Delete a bus.

Alternatively, you can delete your Google Cloud project to avoid incurring charges. Deleting your Google Cloud project stops billing for all the resources used within that project.

Delete a Google Cloud project:

gcloud projects delete PROJECT_ID
