Create a trigger for Cloud Run

You can create an Eventarc trigger so that your Cloud Run service receives notifications of a specified event or set of events. By specifying filters for the trigger, you can configure the routing of the event, including the event source and the target Cloud Run service.

Requests to your service are triggered by the following event types:

An audit log is created that matches the trigger's filter criteria
Direct events such as an update to a Cloud Storage bucket
Messages published to a Pub/Sub topic

You can create triggers by using the Google Cloud CLI or through the Google Cloud console.

Some of the steps in this document might not work correctly if your organization applies constraints to your Google Cloud environment. In that case, you might not be able to complete tasks like creating public IP addresses or service account keys. If you make a request that returns an error about constraints, see how to Develop applications in a constrained Google Cloud environment.

Prepare to create a trigger

Before you create a trigger, complete these prerequisites:

Enable the APIs:

gcloud services enable cloudbuild.googleapis.com \
    eventarc.googleapis.com \
    logging.googleapis.com \
    pubsub.googleapis.com \
    run.googleapis.com \
    workflows.googleapis.com

If applicable, enable the APIs related to direct integration events. For example, for Cloud IoT events, enable cloudiot.googleapis.com.
Create a user-managed service account if you don't already have one or use the default service account.
```
SERVICE_ACCOUNT=SA_NAME
gcloud iam service-accounts create ${SERVICE_ACCOUNT}
```
Replace SA_NAME with the name of the service account. It must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes. After you create a service account, you cannot change its name.
Note that the Compute Engine default service account is being used in the examples on this page.
Grant the required Identity and Access Management (IAM) roles, permissions, and flags for authenticated and unauthenticated invocations. For more information, see Eventarc roles and permissions.

Important: To accept authenticated invocations to your Cloud Run service, you must associate your trigger with a service account that has the roles/run.invoker role. When creating your trigger, use the --service-account flag, or update your trigger to have a service account.
If you are creating a trigger for a direct event from Cloud Storage, grant the pubsub.publisher role to the Cloud Storage service account:
```
SERVICE_ACCOUNT="$(gsutil kms serviceaccount -p PROJECT_ID)"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:${SERVICE_ACCOUNT}" \
    --role='roles/pubsub.publisher'
```
Replace PROJECT_ID with your Google Cloud project ID. You can find your project ID on the Dashboard page of the Google Cloud console.

Create a trigger using gcloud

You can create a trigger by running a gcloud command along with required and optional flags.

Cloud Audit Logs events

gcloud eventarc triggers create TRIGGER \
    --location=LOCATION \
    --destination-run-service=DESTINATION_RUN_SERVICE \
    --destination-run-region=DESTINATION_RUN_REGION \
    --event-filters="type=google.cloud.audit.log.v1.written" \
    --event-filters="serviceName=SERVICE_NAME" \
    --event-filters="methodName=METHOD_NAME" \
    --service-account=PROJECT_NUMBER-compute@developer.gserviceaccount.com

Replace the following:

TRIGGER: the ID of the trigger or a fully qualified identifier
LOCATION: the location of the Eventarc trigger. Alternatively, set the eventarc/location property; for example, gcloud config set eventarc/location us-central1.

Cloud Audit Logs triggers for Eventarc are available in specific regions and in the global region, but are not available in dual-region and multi-region locations. To avoid any performance and data residency issues caused by a global trigger, Google recommends that the location match that of the Google Cloud service that is generating events.

If you specify the global location, you will receive events from all locations yielding matches for the event filters. For example, by creating a global Eventarc trigger, you can receive events from resources such as Cloud Storage buckets in the EU and US multi-regions.
DESTINATION_RUN_SERVICE: the name of the Cloud Run service that receives the events for the trigger. The service can be in any of the Cloud Run supported locations and does not need to be in the same location as the trigger. However, the service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
DESTINATION_RUN_REGION: the region in which the destination Cloud Run service can be found. If not specified, it is assumed that the service is in the same region as the trigger.
SERVICE_NAME: the identifier of the Google Cloud service
METHOD_NAME: the identifier of the operation
PROJECT_NUMBER: your Google Cloud project number

Notes:

These flags are required:
- --event-filters="type=google.cloud.audit.log.v1.written"
- --event-filters="serviceName=VALUE"
- --event-filters="methodName=VALUE"
After a trigger is created, --event-filters="type=google.cloud.audit.log.v1.written" can't be changed. For a different event type, you must create a new trigger.
For a list of the audit log events supported by Eventarc, including serviceName and methodName values, see Events supported by Eventarc.
Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported. See Determine event filters for Cloud Audit Logs.
The --service-account flag specifies the Identity and Access Management (IAM) service account email associated with the trigger.
Optionally, filter events for a specific resource by using the --event-filters="resourceName=VALUE" flag and specifying the complete path to the resource. Omit the flag for dynamically created resources that have identifiers generated at creation time. Or, filter events for a set of resources by using the --event-filters-path-pattern="resourceName=VALUE" flag and specifying the resource path pattern.
Optionally, specify a relative path on the destination Cloud Run service to which the events for the trigger should be sent by using the --destination-run-path flag.

Example:

  gcloud eventarc triggers create helloworld-trigger \
      --location=us-central1 \
      --destination-run-service=helloworld-events \
      --destination-run-region=us-central1 \
      --event-filters="type=google.cloud.audit.log.v1.written" \
      --event-filters="serviceName=storage.googleapis.com" \
      --event-filters="methodName=storage.buckets.update" \
      --event-filters="resourceName=projects/_/buckets/eventarc-bucket/objects/random.txt" \
      --service-account=${PROJECT_NUMBER}-compute@developer.gserviceaccount.com

This command creates a trigger called helloworld-trigger for audit logs that are written by storage.googleapis.com and for the operation identified as storage.buckets.update.

Direct events

Cloud Storage

gcloud eventarc triggers create TRIGGER \
  --location=LOCATION \
  --destination-run-service=DESTINATION_RUN_SERVICE \
  --destination-run-region=DESTINATION_RUN_REGION \
  --event-filters="type=EVENT_FILTER_TYPE" \
  --event-filters="bucket=BUCKET" \
  --service-account=PROJECT_NUMBER-compute@developer.gserviceaccount.com

Replace the following:

TRIGGER: the ID of the trigger or a fully qualified identifier
LOCATION: the location of the Eventarc trigger. Alternatively, set the eventarc/location property; for example, gcloud config set eventarc/location us-central1.

Cloud Storage triggers for Eventarc are available in single-region, dual-region, and multi-region locations. Note that the trigger must be in the same location as the Cloud Storage bucket.
DESTINATION_RUN_SERVICE: the name of the Cloud Run service that receives the events for the trigger. The service can be in any of the Cloud Run supported locations and does not need to be in the same location as the trigger. However, the service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
DESTINATION_RUN_REGION: the region in which the destination Cloud Run service can be found. If not specified, it is assumed that the service is in the same region as the trigger.
EVENT_FILTER_TYPE: the identifier of the Cloud Storage event and can be one of the following:
- google.cloud.storage.object.v1.finalized: event is sent when a new object is created (or an existing object is overwritten, and a new generation of that object is created) in the bucket
- google.cloud.storage.object.v1.archived: event is sent when a live version of an object is archived or deleted. This event is only sent for versioning buckets.
- google.cloud.storage.object.v1.deleted: event is sent when an object is permanently deleted. Depending on the object versioning setting for a bucket this means:
  - For versioning buckets, this is only sent when a version is permanently deleted (but not when an object is archived).
  - For non-versioning buckets, this is sent when an object is deleted or overwritten.
- google.cloud.storage.object.v1.metadataUpdated: event is sent when the metadata of an existing object changes.
BUCKET: the globally unique identifier of the Cloud Storage bucket
PROJECT_NUMBER: your Google Cloud project number

Notes:

These flags are required:
- --event-filters="type=EVENT_FILTER_TYPE"
- --event-filters="bucket=BUCKET"
After a trigger is created, EVENT_FILTER_TYPE can't be changed. For a different event type, you must create a new trigger.
Events are delivered using Pub/Sub notifications from Cloud Storage. Setting up too many notifications registered against the same bucket might exhaust the notification limit for the bucket as indicated by the error Cloud Storage bucket ...: Pub/Sub notification limit reached. The bucket can have up to 10 notification configurations set to trigger for a specific event. See more quotas and limitations in the Cloud Storage quotas and limits page.
Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported.
The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.
Optionally, specify a relative path on the destination Cloud Run service to which the events for the trigger should be sent by using the --destination-run-path flag.
The Cloud Storage bucket must reside in the same Google Cloud project and region or multi-region as the Eventarc trigger.

Example:

gcloud eventarc triggers create helloworld-trigger \
    --location=us-central1 \
    --destination-run-service=helloworld-events \
    --destination-run-region=us-central1 \
    --event-filters="type=google.cloud.storage.object.v1.finalized" \
    --event-filters="bucket=my-project-bucket" \
    --service-account=${PROJECT_NUMBER}-compute@developer.gserviceaccount.com

This command creates a trigger called helloworld-trigger for the Cloud Storage bucket my-project-bucket and the event identified as google.cloud.storage.object.v1.finalized.

Firebase Alerts

gcloud eventarc triggers create TRIGGER \
  --location=global \
  --destination-run-service=DESTINATION_RUN_SERVICE \
  --destination-run-region=DESTINATION_RUN_REGION \
  --event-filters="type=google.firebase.firebasealerts.alerts.v1.published" \
  --event-filters="alerttype=ALERT_TYPE" \
  --service-account=PROJECT_NUMBER-compute@developer.gserviceaccount.com

Replace the following:

TRIGGER: the ID of the trigger or a fully qualified identifier
DESTINATION_RUN_SERVICE: the name of the Cloud Run service that receives the events for the trigger. The service can be in any of the Cloud Run supported locations and does not need to be in the same location as the trigger. However, the service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
DESTINATION_RUN_REGION: the region in which the destination Cloud Run service can be found. If not specified, it is assumed that the service is in the same region as the trigger.
ALERT_TYPE: the type of Firebase alert and can be one of the following:
- appDistribution.inAppFeedback: event is sent when a tester submits in-app feedback for a given app
- appDistribution.newTesterIosDevice: event is sent when a new iOS tester device is registered for a given app
- billing.planAutomatedUpdate: event is sent when the billing plan for a Firebase project is automatically updated; for example, when a plan is downgraded due to payment issues
- billing.planUpdate: event is sent when the billing plan for a Firebase project is modified by a user; for example, when a billing account is attached to or detached from a project
- crashlytics.newAnrIssue: event is sent when an app experiences a new application not responding (ANR) error (not for any subsequent, identical events)
- crashlytics.newFatalIssue: event is sent when an app experiences a new fatal crash (not for any subsequent, identical events)
- crashlytics.newNonfatalIssue: event is sent when an app experiences a new non-fatal error (not for any subsequent, identical events)
- crashlytics.regression: event is sent when an app experiences a crash for an issue marked as closed for a previous app version
- crashlytics.stabilityDigest: event is sent when there is a notification of the top trending issues in Crashlytics
- crashlytics.velocity: event is sent when a single issue is responsible for causing a significant number of app sessions to crash
- performance.threshold: event is sent when the performance of a metric crosses the set threshold
PROJECT_NUMBER: your Google Cloud project number

Notes:

The --location flag must be global. For more information, see Eventarc locations.
The --event-filters="type=google.firebase.firebasealerts.alerts.v1.published" and --event-filters="alerttype=ALERT_TYPE" flags are required.
After a trigger is created, the event filter type can't be changed. For a different event type, you must create a new trigger.
Optionally, you can filter events for a specific Firebase App ID by using the --event-filters="appid=APP_ID" flag and by specifying an exact match.
The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.
Optionally, specify a relative path on the destination Cloud Run service to which the events for the trigger should be sent by using the --destination-run-path flag.

Example:

gcloud eventarc triggers create helloworld-trigger \
    --location=global \
    --destination-run-service=helloworld-events \
    --destination-run-region=us-central1 \
    --event-filters="type=google.firebase.firebasealerts.alerts.v1.published" \
    --event-filters="alerttype=crashlytics.velocity" \
    --service-account=${PROJECT_NUMBER}-compute@developer.gserviceaccount.com

This command creates a trigger called helloworld-trigger for the event identified as google.firebase.firebasealerts.alerts.v1.published, and for a crashlytics.velocity alert type.

Firebase Realtime Database

gcloud eventarc triggers create TRIGGER \
  --location=LOCATION \
  --destination-run-service=DESTINATION_RUN_SERVICE \
  --destination-run-region=DESTINATION_RUN_REGION \
  --event-filters="type=EVENT_FILTER_TYPE" \
  --event-filters="instance=INSTANCE" \
  --event-filters-path-pattern="ref=REF" \
  --service-account=PROJECT_NUMBER-compute@developer.gserviceaccount.com

Replace the following:

TRIGGER: the ID of the trigger or a fully qualified identifier
LOCATION: the location of the Eventarc trigger. Alternatively, set the eventarc/location property; for example, gcloud config set eventarc/location us-central1. Firebase Realtime Database triggers for Eventarc are only available in the following locations:
- us-central1
- europe-west1
- asia-southeast1
Note that the trigger must be in the same location as the Firebase Realtime Database instance. For more information, see Realtime Database locations.
DESTINATION_RUN_SERVICE: the name of the Cloud Run service that receives the events for the trigger. The service can be in any of the Cloud Run supported locations and does not need to be in the same location as the trigger. However, the service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
DESTINATION_RUN_REGION: the region in which the destination Cloud Run service can be found. If not specified, it is assumed that the service is in the same region as the trigger.
EVENT_FILTER_TYPE: the identifier of the Firebase Realtime Database event and can be one of the following:
- google.firebase.database.ref.v1.created: event is sent when data is created in the database
- google.firebase.database.ref.v1.updated: event is sent when data is updated in the database
- google.firebase.database.ref.v1.deleted: event is sent when data is deleted in the database
- google.firebase.database.ref.v1.written: event is sent when data is created, updated, or deleted in the database
INSTANCE: a single database instance and the operator can be one of the following:
- Equal; for example, --event-filters="instance=INSTANCE"
- Path pattern; for example, --event-filters-path-pattern="instance=INSTANCE". For more information, see Understand path patterns.
REF: the path within the database instance for which you want to receive events from when data is created, updated, or deleted in that path, or any of its children.
PROJECT_NUMBER: your Google Cloud project number

Notes:

These flags are required:
- --event-filters="type=EVENT_FILTER_TYPE"
- --event-filters="instance=INSTANCE" or --event-filters-path-pattern="instance=INSTANCE"
- --event-filters-path-pattern="ref=REF"
After a trigger is created, the event filter type can't be changed. For a different event type, you must create a new trigger.
The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.
Optionally, specify a relative path on the destination Cloud Run service to which the events for the trigger should be sent by using the --destination-run-path flag.

Example:

gcloud eventarc triggers create helloworld-trigger \
    --location=us-central1 \
    --destination-run-service=helloworld-events \
    --destination-run-region=us-central1 \
    --event-filters="type=google.firebase.database.ref.v1.created" \
    --event-filters="instance=test-instance" \
    --event-filters-path-pattern="ref=users/*" \
    --service-account=${PROJECT_NUMBER}-compute@developer.gserviceaccount.com

This command creates a trigger called helloworld-trigger for the event identified as google.firebase.database.ref.v1.created.

Firebase Remote Config

gcloud eventarc triggers create TRIGGER \
  --location=global \
  --destination-run-service=DESTINATION_RUN_SERVICE \
  --destination-run-region=DESTINATION_RUN_REGION \
  --event-filters="type=google.firebase.remoteconfig.remoteConfig.v1.updated" \
  --service-account=PROJECT_NUMBER-compute@developer.gserviceaccount.com

Replace the following:

TRIGGER: the ID of the trigger or a fully qualified identifier
DESTINATION_RUN_SERVICE: the name of the Cloud Run service that receives the events for the trigger. The service can be in any of the Cloud Run supported locations and does not need to be in the same location as the trigger. However, the service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
DESTINATION_RUN_REGION: the region in which the destination Cloud Run service can be found. If not specified, it is assumed that the service is in the same region as the trigger.
PROJECT_NUMBER: your Google Cloud project number

Notes:

The --location flag must be global. For more information, see Eventarc locations.
The --event-filters flag is required and the type must be google.firebase.remoteconfig.remoteConfig.v1.updated. An event is sent when a Remote Config template is updated.
After a trigger is created, the event filter type can't be changed. For a different event type, you must create a new trigger.
The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.
Optionally, specify a relative path on the destination Cloud Run service to which the events for the trigger should be sent by using the --destination-run-path flag.

Example:

gcloud eventarc triggers create helloworld-trigger \
    --location=global \
    --destination-run-service=helloworld-events \
    --destination-run-region=us-central1 \
    --event-filters="type=google.firebase.remoteconfig.remoteConfig.v1.updated" \
    --service-account=${PROJECT_NUMBER}-compute@developer.gserviceaccount.com

This command creates a trigger called helloworld-trigger for the event identified as google.firebase.remoteconfig.remoteConfig.v1.updated.

Firebase Test Lab

gcloud eventarc triggers create TRIGGER \
  --location=global \
  --destination-run-service=DESTINATION_RUN_SERVICE \
  --destination-run-region=DESTINATION_RUN_REGION \
  --event-filters="type=google.firebase.testlab.testMatrix.v1.completed" \
  --service-account=PROJECT_NUMBER-compute@developer.gserviceaccount.com

Replace the following:

TRIGGER: the ID of the trigger or a fully qualified identifier
DESTINATION_RUN_SERVICE: the name of the Cloud Run service that receives the events for the trigger. The service can be in any of the Cloud Run supported locations and does not need to be in the same location as the trigger. However, the service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
DESTINATION_RUN_REGION: the region in which the destination Cloud Run service can be found. If not specified, it is assumed that the service is in the same region as the trigger.
PROJECT_NUMBER: your Google Cloud project number

Notes:

The --location flag must be global. For more information, see Eventarc locations.
The --event-filters flag is required and the type must be google.firebase.testlab.testMatrix.v1.completed. An event is sent when a TestMatrix has completed.
Once a trigger is created, the event filter type can't be changed. For a different event type, you must create a new trigger.
The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.
Optionally, specify a relative path on the destination Cloud Run service to which the events for the trigger should be sent by using the --destination-run-path flag.

Example:

gcloud eventarc triggers create helloworld-trigger \
    --location=global \
    --destination-run-service=helloworld-events \
    --destination-run-region=us-central1 \
    --event-filters="type=google.firebase.testlab.testMatrix.v1.completed" \
    --service-account=${PROJECT_NUMBER}-compute@developer.gserviceaccount.com

This command creates a trigger called helloworld-trigger for the event identified as google.firebase.testlab.testMatrix.v1.completed.

Cloud IoT

gcloud eventarc triggers create TRIGGER \
  --location=LOCATION \
  --destination-run-service=DESTINATION_RUN_SERVICE \
  --destination-run-region=DESTINATION_RUN_REGION \
  --event-filters="type=EVENT_FILTER_TYPE" \
  --event-filters="COLLECTION_ID=RESOURCE_ID" \
  --event-filters-path-pattern="COLLECTION_ID=PATH_PATTERN" \
  --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com"

Replace the following:

TRIGGER: the ID of the trigger or a fully qualified identifier
LOCATION: the location of the Eventarc trigger. Alternatively, set the eventarc/location property; for example, gcloud config set eventarc/location us-central1.
DESTINATION_RUN_SERVICE: the name of the Cloud Run service that receives the events for the trigger. The service can be in any of the Cloud Run supported locations and does not need to be in the same location as the trigger. However, the service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
DESTINATION_RUN_REGION: the region in which the destination Cloud Run service can be found. If not specified, it is assumed that the service is in the same region as the trigger.
EVENT_FILTER_TYPE: the identifier of the event. An event is emitted when an API call for the method succeeds. For long-running operations, the event is only emitted at the end of the operation, and only if the action is performed successfully. For example, for the type, google.cloud.iot.v1.DeviceManager.CreateDeviceRegistry, an event is emitted when a registry is created through the version v1 in Cloud IoT. For more information on event types, see Event types supported by Eventarc.
COLLECTION_ID (optional): the identifier of the event type. For example, for a Cloud IoT event, the COLLECTION_ID can be one of the following:
- device
- registry
RESOURCE_ID: the identifier of the resource for the associated collection. For more information, see Resource ID.
PATH_PATTERN: the path pattern to apply when filtering for the resource.
SERVICE_ACCOUNT_NAME: the name of your user-managed service account.
PROJECT_ID: your Google Cloud project ID.

Notes:

The --event-filters="type=EVENT_FILTER_TYPE" flag is required. If no other event filter is set, events for all resources are matched.
EVENT_FILTER_TYPE cannot be changed after creation. To change EVENT_FILTER_TYPE, create a new trigger and delete the old one.
Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported; however, when using the --event-filters-path-pattern flag, you can define a resource path pattern.
The following are some path pattern examples:
- --event-filters-path-pattern="registry=my-registry-*" (matches events for registries whose name starts with my-registry-)
- --event-filters-path-pattern="device=my-device-*" and --event-filters-path-pattern="registry=my-registry" (matches events for all devices whose name starts with "my-device-" in a registry named my-registry)
- --event-filters-path-pattern="device=my-device-*" (matches events for all devices in any registry whose name starts with my-device-)
The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.
Optionally, specify a relative path on the destination Cloud Run service to which the events for the trigger should be sent by using the --destination-run-path flag.

Example:

gcloud eventarc triggers create helloworld-trigger \
    --location=us-central1 \
    --destination-run-service=helloworld-events \
    --destination-run-region=us-central1 \
    --event-filters="type=google.cloud.iot.v1.DeviceManager.CreateDeviceRegistry" \
    --event-filters-path-pattern="registry=my-registry-*" \
    --service-account=$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com

This command creates a trigger called helloworld-trigger for the event identified as google.cloud.iot.v1.DeviceManager.CreateDeviceRegistry and matches events for registry names starting with my-registry-.

Pub/Sub messages (existing topic)

gcloud eventarc triggers create TRIGGER \
    --location=LOCATION \
    --destination-run-service=DESTINATION_RUN_SERVICE \
    --destination-run-region=DESTINATION_RUN_REGION \
    --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
    --transport-topic=projects/PROJECT_ID/topics/TOPIC_NAME

Replace the following:

TRIGGER: the ID of the trigger or a fully qualified identifier
LOCATION: the location of the Eventarc trigger. Alternatively, set the eventarc/location property; for example, gcloud config set eventarc/location us-central1.

Pub/Sub triggers for Eventarc are only available in single-region locations, and you cannot create a global Eventarc trigger.
DESTINATION_RUN_SERVICE: the name of the Cloud Run service that receives the events for the trigger. The service can be in any of the Cloud Run supported locations and does not need to be in the same location as the trigger. However, the service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
DESTINATION_RUN_REGION: the region in which the destination Cloud Run service can be found. If not specified, it is assumed that the service is in the same region as the trigger.
PROJECT_ID: your Google Cloud project ID
TOPIC_NAME: the name of the existing Pub/Sub topic. The topic must be in the same project as the trigger.

Notes:

The --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" flag is required and can't be changed. For a different event type, you must create a new trigger.
Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported.
The --transport-topic flag is used to specify the ID of the existing Pub/Sub topic or its fully qualified identifier.
Optionally, specify a relative path on the destination Cloud Run service to which the events for the trigger should be sent by using the --destination-run-path flag.
By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Manage subscriptions.

Example:

  gcloud eventarc triggers create pubsub-trigger-existing \
      --location=us-central1 \
      --destination-run-service=helloworld-events-pubsub \
      --destination-run-region=us-central1 \
      --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
      --transport-topic=projects/${PROJECT_ID}/topics/${TOPIC_NAME}

This command creates a trigger called pubsub-trigger-existing for the Pub/Sub topic identified by projects/${PROJECT_ID}/topics/${TOPIC_NAME}.

Pub/Sub messages (new topic)

gcloud eventarc triggers create TRIGGER \
    --location=LOCATION \
    --destination-run-service=DESTINATION_RUN_SERVICE \
    --destination-run-region=DESTINATION_RUN_REGION \
    --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished"

Replace the following:

TRIGGER: the ID of the trigger or a fully qualified identifier
LOCATION: the location of the Eventarc trigger. Alternatively, set the eventarc/location property; for example, gcloud config set eventarc/location us-central1.

Pub/Sub triggers for Eventarc are only available in single-region locations, and you cannot create a global Eventarc trigger.
DESTINATION_RUN_SERVICE: the name of the Cloud Run service that receives the events for the trigger. The service can be in any of the Cloud Run supported locations and does not need to be in the same location as the trigger. However, the service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
DESTINATION_RUN_REGION: the region in which the destination Cloud Run service can be found. If not specified, it is assumed that the service is in the same region as the trigger.

Notes:

The --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" flag is required and can't be changed. For a different event type, you must create a new trigger.
Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported.
Optionally, specify a relative path on the destination Cloud Run service to which the events for the trigger should be sent by using the --destination-run-path flag.
By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Manage subscriptions.

Example:

  gcloud eventarc triggers create pubsub-trigger-new \
      --location=us-central1 \
      --destination-run-service=helloworld-events-pubsub \
      --destination-run-region=us-central1 \
      --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished"

This creates a new Pub/Sub topic and a trigger for it called pubsub-trigger-new.

As a best practice, Google recommends not to reuse the Pub/Sub topic created by a trigger because deleting an Eventarc trigger also deletes any Pub/Sub topics that were created by the trigger.

Create a trigger through the console

You can use the Cloud Run console page to create triggers for Cloud Audit Logs and Pub/Sub event types. However, to create triggers for direct events (for example, from Cloud Storage or Firebase Alerts), you must use the gcloud CLI or the Eventarc console page.

If necessary, enable the Eventarc API.

Enable the API
In the Google Cloud console, go to Cloud Run.

Go to Cloud Run
From the list of services, click an existing service, or create a new service.
On the Service details page, click the Triggers tab.
Click Add Eventarc trigger.

The Eventarc trigger pane opens. To determine how best to route events, see Event routing options.
Type a Trigger name.

This is the ID of the trigger and it must start with a letter. It can contain up to 63 lowercase letters, numbers, or hyphens.
Select an Event provider.

This is the Google or partner service that is the source of events. For example, select BigQuery.
Select an Event.
- Custom events—Applies to a Cloud Pub/Sub event provider
- Direct events—Applies to some event providers only
- via Cloud Audit Logs events—Applies to all event providers
Custom
Requests to your service are triggered when a message is published to a Pub/Sub topic. This applies to a Cloud Pub/Sub event provider.
1. From the events listed under Custom, select Cloud Pub/Sub topic.
2. Select an existing topic or accept the default of None so that a new topic is created for the trigger.
  
  The existing Pub/Sub topic must be in the same project as the trigger.
  
  By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Manage subscriptions.
  
  As a best practice, we recommend not to reuse the Pub/Sub topic created by a trigger because deleting an Eventarc trigger also deletes any Pub/Sub topics that were created by the trigger.
3. Select a Region.
  
  Pub/Sub triggers for Eventarc are only available in single-region locations, and you cannot create a global Eventarc trigger.
Direct
Cloud Storage
Requests to your service are triggered in response to an event inside a Cloud Storage bucket—object creation, deletion, archiving, and metadata updates. This applies to a Cloud Storage event provider.

From the events listed under Direct, select one of the following:

google.cloud.storage.object.v1.archived: Event is sent when a live version of an object is archived or deleted. This event is only sent for versioning buckets.

google.cloud.storage.object.v1.delete: Event is sent when an object is permanently deleted. Depending on the object versioning setting for a bucket this means:

For versioning buckets, this is only sent when a version is permanently deleted (but not when an object is archived).

For non-versioning buckets, this is sent when an object is deleted or overwritten.

google.cloud.storage.object.v1.finalized: Event is sent when a new object is created (or an existing object is overwritten, and a new generation of that object is created) in the bucket

google.cloud.storage.object.v1.metadataUpdated: Event is sent when the metadata of an existing object changes.

Specify or browse for the globally unique identifier of the Cloud Storage Bucket.

The Cloud Storage bucket must reside in the same Google Cloud project and region or multi-region as the Eventarc trigger.

Select a Region.

Cloud Storage triggers for Eventarc are available in single-region, dual-region, and multi-region locations. Note that the Cloud Storage bucket must reside in the same Google Cloud project and region or multi-region as the Eventarc trigger.

Events are delivered using Pub/Sub notifications from Cloud Storage. Setting up too many notifications registered against the same bucket might exhaust the notification limit for the bucket as indicated by the error Cloud Storage bucket ...: Pub/Sub notification limit reached. The bucket can have up to 10 notification configurations set to trigger for a specific event. See more quotas and limitations in the Cloud Storage quotas and limits page.
Firebase Alerts
Requests to your service are triggered in response to an event when a Firebase alert is published by a Firebase service.

From the events listed under Direct, select google.firebase.firebasealerts.alerts.v1.published.

In the Region list, select global (Global).

For more information, see Eventarc locations.

In the Filters section, in the alerttype list, select one of the following:

appDistribution.inAppFeedback: event is sent when a tester submits in-app feedback for a given app

appDistribution.newTesterIosDevice: event is sent when a new iOS tester device is registered for a given app

billing.planAutomatedUpdate: event is sent when the billing plan for a Firebase project is automatically updated; for example, when a plan is downgraded due to payment issues

billing.planUpdate: event is sent when the billing plan for a Firebase project is modified by a user; for example, when a billing account is attached to or detached from a project

crashlytics.newAnrIssue: event is sent when an app experiences a new application not responding (ANR) error (not for any subsequent, identical events)

crashlytics.newFatalIssue: event is sent when an app experiences a new fatal crash (not for any subsequent, identical events)

crashlytics.newNonfatalIssue: event is sent when an app experiences a new non-fatal error (not for any subsequent, identical events)

crashlytics.regression: event is sent when an app experiences a crash for an issue marked as closed for a previous app version

crashlytics.stabilityDigest: event is sent when there is a notification of the top trending issues in Crashlytics

crashlytics.velocity: event is sent when a single issue is responsible for causing a significant number of app sessions to crash

performance.threshold: event is sent when the performance of a metric crosses the set threshold

Optionally, you can filter events for a specific Firebase App ID. Click Add filter and specify the appid.

It must be an exact match.
Firebase Realtime Database
Requests to your service are triggered in response to an event when data is created, updated, or deleted in the Firebase Realtime Database.

From the events listed under Direct, select one of the following:

google.firebase.database.ref.v1.created: event is sent when data is created in the database

google.firebase.database.ref.v1.updated: event is sent when data is updated in the database

google.firebase.database.ref.v1.deleted: event is sent when data is deleted in the database

google.firebase.database.ref.v1.written: event is sent when data is created, updated, or deleted in the database

In the Region list, select a region.

Note that this region should match the region of the Firebase Realtime Database instance. For more information, see Eventarc locations.

In the Filters section, select the following:

For the database instance attribute, select one of the following as the operator:

Equal

Path pattern
For more information, see Understand path patterns.

In the Attribute value 1 field, type the name of the database instance to receive events from. Depending on the operator that you chose in the previous step, the attribute value should be the database instance name exactly as is or in a path pattern format.

For the ref attribute, select the operator as Path pattern.

In the Attribute value 2 field, type the path in the database instance to receive events from if data is created, updated, or deleted in that path or any of its children.
Firebase Remote Config
Requests to your service are triggered in response to an event when a Remote Config template is updated.

From the events listed under Direct, select google.firebase.remoteconfig.remoteConfig.v1.updated.

In the Region list, select global (Global).

For more information, see Eventarc locations.
Firebase Test Lab
Requests to your service are triggered in response to an event when a TestMatrix has completed.

From the events listed under Direct, select google.firebase.testlab.testMatrix.v1.completed.

In the Region list, select global (Global).

For more information, see Eventarc locations.
via Cloud Audit Logs
Requests to your service are triggered when an audit log is created that matches the trigger's filter criteria. This type of event applies to all event providers.
1. From the events listed under via Cloud Audit Logs, select one.
2. Select one of the following:
  - Any resource—This is the default and includes dynamically created resources that have identifiers generated at creation time.
  - Specific resource—You must provide the full resource name.
  - Path pattern—You can filter for resources using a path pattern. For example, type projects/_/buckets/eventarc-bucket/objects/random.txt or type projects/_/buckets/**/r*.txt.
3. Select a Region.
  
  Cloud Audit Logs triggers for Eventarc are available in specific regions and in the global region, but are not available in dual-region and multi-region locations. To avoid any performance and data residency issues caused by a global trigger, we recommend that the location match that of the Google Cloud service that is generating events.
  
  If you specify the global location, you will receive events from all locations for which the event filters match. For example, by creating a global Eventarc trigger, you can receive events from resources in the EU and US multi-regions.
For more information about capturing events that are triggered when an audit log is created that matches the trigger's filter criteria, see Determine event filters for Cloud Audit Logs.
Select the Service account that invokes your Cloud Run service.

Or, create a new service account.

This specifies the IAM service account email associated with the trigger. For Cloud Run destinations, this service account is used to generate identity tokens when invoking the service.
Optionally, specify the Service URL path to send the incoming request to.

This is the relative path on the destination service to which the events for the trigger should be sent. For example: /, /route, route, route/subroute.
After creating the trigger, verify its health by ensuring that there is a checkmark on the Triggers tab.

Create a trigger for Cloud Run

Prepare to create a trigger

Create a trigger using gcloud

Cloud Audit Logs events

Direct events

Cloud Storage

Firebase Alerts

Firebase Realtime Database

Firebase Remote Config

Firebase Test Lab

Cloud IoT

Pub/Sub messages (existing topic)

Pub/Sub messages (new topic)

Create a trigger through the console

Custom

Direct

Cloud Storage

Firebase Alerts

Firebase Realtime Database

Firebase Remote Config

Firebase Test Lab

via Cloud Audit Logs

What's next