An Eventarc trigger declares your interest in a certain event or set of events. You can configure event routing by specifying filters for the trigger, including the event source and the target GKE service.
Requests to your service are triggered by the following event types:
- When an audit log is created that matches the trigger's filter criteria
- In response to direct events such as an update to a Cloud Storage bucket or an update to a Firebase Remote Config template
- By messages published to a Pub/Sub topic
Before you begin
Workload Identity is the recommended way to access Google Cloud services from applications running within Google Kubernetes Engine (GKE) due to its improved security properties and manageability. It is also needed to forward Cloud Run for Anthos events using Eventarc. Make sure that Workload Identity is enabled on your GKE cluster.
For more information, refer to Using Workload Identity.
Prepare to create a trigger
For each trigger that targets a GKE service, Eventarc creates an event forwarder component. Eventarc requires permissions to install the component and manage resources in the GKE cluster. Before creating an Eventarc trigger for GKE destinations, ensure that you complete the following tasks.
Enable the Eventarc API
To view and assign Identity and Access Management (IAM) roles, you must enable the Eventarc API for your project. You will not be able to see the Eventarc roles in the Cloud console until you enable the API.
gcloud services enable eventarc.googleapis.com
Create a service account
Create a user-managed service account if you don't already have one, then grant it the roles and permissions necessary so that Eventarc can manage events for GKE destinations.
Create a service account that is used when creating triggers:
TRIGGER_SA=SA_NAME
gcloud iam service-accounts create ${TRIGGER_SA}
Replace SA_NAME with the name of the service account. It must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes. After you create a service account, you cannot change its name.
Grant the appropriate roles to the service account:
Cloud Audit Logs events
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/pubsub.subscriber"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/monitoring.metricWriter"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/eventarc.eventReceiver"
Direct events
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/pubsub.subscriber"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/monitoring.metricWriter"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/eventarc.eventReceiver"
Pub/Sub messages
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/pubsub.subscriber"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/monitoring.metricWriter"
Replace PROJECT_ID with your Google Cloud project ID. You can find your project ID on the Dashboard page of the Google Cloud console.
If you are creating a trigger for a direct Cloud Storage event, grant the pubsub.publisher role to the Cloud Storage service account:
SERVICE_ACCOUNT="$(gsutil kms serviceaccount -p PROJECT_ID)"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="serviceAccount:${SERVICE_ACCOUNT}" \
--role='roles/pubsub.publisher'
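To check the grants above after the fact, the following added example (not part of the original page or of Eventarc) compares a project IAM policy, in the JSON shape returned by gcloud projects get-iam-policy PROJECT_ID --format=json, against the roles this page assigns per event source. The policy, project name, project number and account names are constructed sample values.

```python
# Roles this page grants to the trigger service account, per event source.
EXPECTED_ROLES = {
    "audit-logs": {"roles/pubsub.subscriber", "roles/monitoring.metricWriter",
                   "roles/eventarc.eventReceiver"},
    "direct": {"roles/pubsub.subscriber", "roles/monitoring.metricWriter",
               "roles/eventarc.eventReceiver"},
    "pubsub": {"roles/pubsub.subscriber", "roles/monitoring.metricWriter"},
}


def roles_of(policy, member):
    """Return (unconditional, conditional) sets of roles bound to `member`."""
    plain, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            target = conditional if "condition" in binding else plain
            target.add(binding["role"])
    return plain, conditional


def audit_trigger_sa(policy, sa_email, kind):
    """Compare the trigger service account's project roles with the page's list.

    missing:     expected roles with no unconditional binding
    extra:       any role beyond the expected set (least-privilege drift)
    conditional: expected roles that are only effective under an IAM condition
    """
    plain, conditional = roles_of(policy, f"serviceAccount:{sa_email}")
    expected = EXPECTED_ROLES[kind]
    return {
        "missing": sorted(expected - plain),
        "extra": sorted((plain | conditional) - expected),
        "conditional": sorted((conditional - plain) & expected),
    }


def storage_agent_can_publish(policy, agent_email):
    """Direct Cloud Storage events need pubsub.publisher on the storage account."""
    plain, _ = roles_of(policy, f"serviceAccount:{agent_email}")
    return "roles/pubsub.publisher" in plain


# Constructed sample values (assumptions, not taken from the page).
TRIGGER_SA = "eventarc-trigger-sa@example-project.iam.gserviceaccount.com"
STORAGE_AGENT = "service-123456789012@gs-project-accounts.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/pubsub.subscriber",
         "members": [f"serviceAccount:{TRIGGER_SA}"]},
        {"role": "roles/monitoring.metricWriter",
         "members": [f"serviceAccount:{TRIGGER_SA}", "user:dev@example.com"]},
        # Drift: a broad role granted to the trigger account.
        {"role": "roles/editor",
         "members": [f"serviceAccount:{TRIGGER_SA}"]},
        {"role": "roles/pubsub.publisher",
         "members": [f"serviceAccount:{STORAGE_AGENT}"]},
    ]
}

if __name__ == "__main__":
    for kind in ("audit-logs", "pubsub"):
        print(kind, audit_trigger_sa(SAMPLE_POLICY, TRIGGER_SA, kind))
    print("storage agent can publish:",
          storage_agent_can_publish(SAMPLE_POLICY, STORAGE_AGENT))
```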
Enable GKE destinations
To allow Eventarc to manage resources in the GKE cluster, enable GKE destinations, and bind the Eventarc service account with the required roles.
Enable GKE destinations for Eventarc:
gcloud eventarc gke-destinations init
At the prompt to bind the required roles, enter y. The following roles are bound:
- roles/compute.viewer
- roles/container.developer
- roles/iam.serviceAccountAdmin
Create a trigger using the Google Cloud CLI
You can create a trigger by running a gcloud eventarc triggers create command along with required and optional flags.
Cloud Audit Logs events
gcloud eventarc triggers create TRIGGER \
--location=LOCATION \
--destination-gke-cluster=DESTINATION_GKE_CLUSTER \
--destination-gke-location=DESTINATION_GKE_LOCATION \
--destination-gke-namespace=DESTINATION_GKE_NAMESPACE \
--destination-gke-service=DESTINATION_GKE_SERVICE \
--destination-gke-path=DESTINATION_GKE_PATH \
--event-filters="type=google.cloud.audit.log.v1.written" \
--event-filters="serviceName=SERVICE_NAME" \
--event-filters="methodName=METHOD_NAME" \
--service-account=TRIGGER_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com
Replace the following:
- TRIGGER: the ID of the trigger or a fully qualified identifier.
- LOCATION: the location of the Eventarc trigger. To avoid any performance and data residency issues caused by a global trigger, it should match the location of the Google Cloud service that is generating events. Alternatively, you can set the eventarc/location property; for example, gcloud config set eventarc/location us-central1. For more information, see Eventarc locations.
- DESTINATION_GKE_CLUSTER: the name of the GKE cluster in which the target GKE service that receives events is running.
- DESTINATION_GKE_LOCATION: the location in which the destination GKE service can be found. If not specified, it is assumed that the service is in the same region as the trigger. For more information, see Cloud Run for Anthos on Google Cloud locations.
- DESTINATION_GKE_NAMESPACE: the namespace in which the destination GKE service is running. If not specified, the default namespace is used.
- DESTINATION_GKE_SERVICE: the name of the GKE service that receives the events for the trigger. The service must be in the same region as the trigger, unless the trigger's location is global. The service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
- (Optional) DESTINATION_GKE_PATH: the relative path you specify on the destination GKE service to which the events for the trigger should be sent. For example: /, /route, route, route/subroute.
- SERVICE_NAME: the identifier of the Google Cloud service.
- METHOD_NAME: the identifier of the operation.
- TRIGGER_SERVICE_ACCOUNT: the IAM service account email associated with the trigger and to which you previously granted specific roles required by Eventarc. For example, $TRIGGER_SA@PROJECT_ID.iam.gserviceaccount.com
- PROJECT_ID: your Google Cloud project ID.
Notes:
- These flags are required:
  - --event-filters="type=google.cloud.audit.log.v1.written"
  - --event-filters="serviceName=VALUE"
  - --event-filters="methodName=VALUE"
- For a list of the audit log events supported by Eventarc, including serviceName and methodName values, see Events supported by Eventarc.
- Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported. See Determining event filters for Cloud Audit Logs.
- Optionally, you can filter events for a specific resource by using the --event-filters="resourceName=VALUE" flag and specifying the complete path to the resource. Omit the flag for dynamically created resources that have identifiers generated at creation time. Or, you can filter events for a set of resources by using the --event-filters-path-pattern="resourceName=VALUE" flag and specifying the resource path pattern.
Example:
gcloud eventarc triggers create cal-gke-trigger \
--location=us-central1 \
--destination-gke-cluster=gke-events-cluster \
--destination-gke-location=us-central1-a \
--destination-gke-namespace=default \
--destination-gke-service=helloworld-events \
--destination-gke-path=/ \
--event-filters="type=google.cloud.audit.log.v1.written" \
--event-filters="serviceName=storage.googleapis.com" \
--event-filters="methodName=storage.buckets.update" \
--event-filters="resourceName=projects/_/buckets/eventarc-bucket/objects/random.txt" \
--service-account=${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com
This creates a trigger called cal-gke-trigger for audit logs that are written by storage.googleapis.com and for the operation identified as storage.buckets.update.
Direct events
Cloud Storage
gcloud eventarc triggers create TRIGGER \
--location=LOCATION \
--destination-gke-cluster=DESTINATION_GKE_CLUSTER \
--destination-gke-location=DESTINATION_GKE_LOCATION \
--destination-gke-namespace=DESTINATION_GKE_NAMESPACE \
--destination-gke-service=DESTINATION_GKE_SERVICE \
--destination-gke-path=DESTINATION_GKE_PATH \
--event-filters="type=EVENT_FILTER_TYPE" \
--event-filters="bucket=BUCKET" \
--service-account=TRIGGER_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com
Replace the following:
- TRIGGER: the ID of the trigger or a fully qualified identifier.
- LOCATION: the location of the Eventarc trigger. The Cloud Storage bucket must reside in the same Google Cloud project and region or multi-region as the Eventarc trigger. Alternatively, you can set the eventarc/location property; for example, gcloud config set eventarc/location us-central1. For more information, see Eventarc locations.
- DESTINATION_GKE_CLUSTER: the name of the GKE cluster in which the target GKE service that receives events is running.
- DESTINATION_GKE_LOCATION: the location in which the destination GKE service can be found. If not specified, it is assumed that the service is in the same region as the trigger. For more information, see Cloud Run for Anthos on Google Cloud locations.
- DESTINATION_GKE_NAMESPACE: the namespace in which the destination GKE service is running. If not specified, the default namespace is used.
- DESTINATION_GKE_SERVICE: the name of the GKE service that receives the events for the trigger. The service must be in the same region as the trigger, unless the trigger's location is global. The service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
- (Optional) DESTINATION_GKE_PATH: the relative path you specify on the destination GKE service to which the events for the trigger should be sent. For example: /, /route, route, route/subroute.
- EVENT_FILTER_TYPE: the identifier of the Cloud Storage event and can be one of the following:
  - google.cloud.storage.object.v1.finalized: Event is sent when a new object is created (or an existing object is overwritten, and a new generation of that object is created) in the bucket.
  - google.cloud.storage.object.v1.archived: Event is sent when a live version of an object is archived or deleted. This event is only sent for versioning buckets.
  - google.cloud.storage.object.v1.deleted: Event is sent when an object is permanently deleted. Depending on the object versioning setting for a bucket this means:
    - For versioning buckets, this is only sent when a version is permanently deleted (but not when an object is archived).
    - For non-versioning buckets, this is sent when an object is deleted or overwritten.
  - google.cloud.storage.object.v1.metadataUpdated: Event is sent when the metadata of an existing object changes.
- BUCKET is the globally unique identifier of the Cloud Storage bucket.
- TRIGGER_SERVICE_ACCOUNT: the IAM service account email associated with the trigger and to which you previously granted specific roles required by Eventarc. For example, $TRIGGER_SA@PROJECT_ID.iam.gserviceaccount.com
- PROJECT_ID: your Google Cloud project ID.
Notes:
- These flags are required:
  - --event-filters="type=EVENT_FILTER_TYPE"
  - --event-filters="bucket=BUCKET"
- Once a trigger is created, EVENT_FILTER_TYPE cannot be modified. Instead, create a new trigger and delete the old one.
- Events are delivered using Pub/Sub notifications from Cloud Storage. Setting up too many notifications registered against the same bucket might exhaust the notification limit for the bucket as indicated by the error Cloud Storage bucket ...: Pub/Sub notification limit reached. The bucket can have up to 10 notification configurations set to trigger for a specific event. See more quotas and limitations in the Cloud Storage quotas and limits page.
- Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported.
- The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.
- (Optional) DESTINATION_GKE_PATH: the relative path you specify on the destination GKE service to which the events for the trigger should be sent. For example: /, /route, route, route/subroute.
Example:
gcloud eventarc triggers create storage-gke-trigger \
--location=us-central1 \
--destination-gke-cluster=gke-events-cluster \
--destination-gke-location=us-central1-a \
--destination-gke-namespace=default \
--destination-gke-service=helloworld-events \
--destination-gke-path=/ \
--event-filters="type=google.cloud.storage.object.v1.finalized" \
--event-filters="bucket=my-project-bucket" \
--service-account=${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com
This command creates a trigger called storage-gke-trigger for the Cloud Storage bucket my-project-bucket and the event identified as google.cloud.storage.object.v1.finalized.
Firebase Alerts
gcloud eventarc triggers create TRIGGER \
--location=global \
--destination-gke-cluster=DESTINATION_GKE_CLUSTER \
--destination-gke-location=DESTINATION_GKE_LOCATION \
--destination-gke-namespace=DESTINATION_GKE_NAMESPACE \
--destination-gke-service=DESTINATION_GKE_SERVICE \
--destination-gke-path=DESTINATION_GKE_PATH \
--event-filters="type=google.firebase.firebasealerts.alerts.v1.published" \
--event-filters="alerttype=ALERT_TYPE" \
--service-account=TRIGGER_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com
Replace the following:
- TRIGGER: the ID of the trigger or a fully qualified identifier.
- DESTINATION_GKE_CLUSTER: the name of the GKE cluster in which the target GKE service that receives events is running.
- DESTINATION_GKE_LOCATION: the location in which the destination GKE service can be found. If not specified, it is assumed that the service is in the same region as the trigger. For more information, see Cloud Run for Anthos on Google Cloud locations.
- DESTINATION_GKE_NAMESPACE: the namespace in which the destination GKE service is running. If not specified, the default namespace is used.
- DESTINATION_GKE_SERVICE: the name of the GKE service that receives the events for the trigger. The service must be in the same region as the trigger, unless the trigger's location is global. The service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
- (Optional) DESTINATION_GKE_PATH: the relative path you specify on the destination GKE service to which the events for the trigger should be sent. For example: /, /route, route, route/subroute.
- ALERT_TYPE is the type of Firebase alert and can be one of the following:
  - appDistribution.newTesterIosDevice: event is sent when a new iOS device is registered from a given app
  - billing.planAutomatedUpdate: event is sent when the billing plan for a Firebase project is automatically updated; for example, when a plan is downgraded due to payment issues
  - billing.planUpdate: event is sent when the billing plan for a Firebase project is modified by a user; for example, when a billing account is attached to or detached from a project
  - crashlytics.newAnrIssue: event is sent when an app experiences a new application not responding (ANR) error (not for any subsequent, identical events)
  - crashlytics.newFatalIssue: event is sent when an app experiences a new fatal crash (not for any subsequent, identical events)
  - crashlytics.newNonfatalIssue: event is sent when an app experiences a new non-fatal error (not for any subsequent, identical events)
  - crashlytics.regression: event is sent when an app experiences a crash for an issue marked as closed for a previous app version
  - crashlytics.stabilityDigest: event is sent when there is a notification of the top trending issues in Crashlytics
  - crashlytics.velocity: event is sent when a single issue is responsible for causing a significant number of app sessions to crash
- TRIGGER_SERVICE_ACCOUNT: the IAM service account email associated with the trigger and to which you previously granted specific roles required by Eventarc. For example, $TRIGGER_SA@PROJECT_ID.iam.gserviceaccount.com
- PROJECT_ID: your Google Cloud project ID.
Notes:
- The --location flag must be global. For more information, see Eventarc locations.
- The --event-filters="type=google.firebase.firebasealerts.alerts.v1.published" and --event-filters="alerttype=ALERT_TYPE" flags are required.
- Optionally, you can filter events for a specific Firebase App ID by using the --event-filters="appid=APP_ID" flag and by specifying an exact match.
- Once a trigger is created, the event filter type cannot be modified. Instead, create a new trigger and delete the old one.
- The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.
Example:
gcloud eventarc triggers create firealert-gke-trigger \
--location=global \
--destination-gke-cluster=gke-events-cluster \
--destination-gke-location=us-central1-a \
--destination-gke-namespace=default \
--destination-gke-service=helloworld-events \
--destination-gke-path=/ \
--event-filters="type=google.firebase.firebasealerts.alerts.v1.published" \
--event-filters="alerttype=crashlytics.velocity" \
--service-account="${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com"
This command creates a trigger called firealert-gke-trigger for the event identified as google.firebase.firebasealerts.alerts.v1.published, and for a crashlytics.velocity alert type.
Firebase Remote Config
gcloud eventarc triggers create TRIGGER \
--location=global \
--destination-gke-cluster=DESTINATION_GKE_CLUSTER \
--destination-gke-location=DESTINATION_GKE_LOCATION \
--destination-gke-namespace=DESTINATION_GKE_NAMESPACE \
--destination-gke-service=DESTINATION_GKE_SERVICE \
--destination-gke-path=DESTINATION_GKE_PATH \
--event-filters="type=google.firebase.remoteconfig.remoteConfig.v1.updated" \
--service-account=TRIGGER_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com
Replace the following:
- TRIGGER: the ID of the trigger or a fully qualified identifier.
- DESTINATION_GKE_CLUSTER: the name of the GKE cluster in which the target GKE service that receives events is running.
- DESTINATION_GKE_LOCATION: the location in which the destination GKE service can be found. If not specified, it is assumed that the service is in the same region as the trigger. For more information, see Cloud Run for Anthos on Google Cloud locations.
- DESTINATION_GKE_NAMESPACE: the namespace in which the destination GKE service is running. If not specified, the default namespace is used.
- DESTINATION_GKE_SERVICE: the name of the GKE service that receives the events for the trigger. The service must be in the same region as the trigger, unless the trigger's location is global. The service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
- (Optional) DESTINATION_GKE_PATH: the relative path you specify on the destination GKE service to which the events for the trigger should be sent. For example: /, /route, route, route/subroute.
- TRIGGER_SERVICE_ACCOUNT: the IAM service account email associated with the trigger and to which you previously granted specific roles required by Eventarc. For example, $TRIGGER_SA@PROJECT_ID.iam.gserviceaccount.com
- PROJECT_ID: your Google Cloud project ID.
Notes:
- The --location flag must be global. For more information, see Eventarc locations.
- The --event-filters flag is required and the type must be google.firebase.remoteconfig.remoteConfig.v1.updated. An event is sent when a Remote Config template is updated.
- Once a trigger is created, the event filter type cannot be modified. Instead, create a new trigger and delete the old one.
- The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.
Example:
gcloud eventarc triggers create rc-gke-trigger \
--location=global \
--destination-gke-cluster=gke-events-cluster \
--destination-gke-location=us-central1-a \
--destination-gke-namespace=default \
--destination-gke-service=helloworld-events \
--destination-gke-path=/ \
--event-filters="type=google.firebase.remoteconfig.remoteConfig.v1.updated" \
--service-account=${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com
This command creates a trigger called rc-gke-trigger for the event identified as google.firebase.remoteconfig.remoteConfig.v1.updated.
Firebase Test Lab
gcloud eventarc triggers create TRIGGER \
--location=global \
--destination-gke-cluster=DESTINATION_GKE_CLUSTER \
--destination-gke-location=DESTINATION_GKE_LOCATION \
--destination-gke-namespace=DESTINATION_GKE_NAMESPACE \
--destination-gke-service=DESTINATION_GKE_SERVICE \
--destination-gke-path=DESTINATION_GKE_PATH \
--event-filters="type=google.firebase.testlab.testMatrix.v1.completed" \
--service-account=TRIGGER_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com
Replace the following:
- TRIGGER: the ID of the trigger or a fully qualified identifier.
- DESTINATION_GKE_CLUSTER: the name of the GKE cluster in which the target GKE service that receives events is running.
- DESTINATION_GKE_LOCATION: the location in which the destination GKE service can be found. If not specified, it is assumed that the service is in the same region as the trigger. For more information, see Cloud Run for Anthos on Google Cloud locations.
- DESTINATION_GKE_NAMESPACE: the namespace in which the destination GKE service is running. If not specified, the default namespace is used.
- DESTINATION_GKE_SERVICE: the name of the GKE service that receives the events for the trigger. The service must be in the same region as the trigger, unless the trigger's location is global. The service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
- (Optional) DESTINATION_GKE_PATH: the relative path you specify on the destination GKE service to which the events for the trigger should be sent. For example: /, /route, route, route/subroute.
- TRIGGER_SERVICE_ACCOUNT: the IAM service account email associated with the trigger and to which you previously granted specific roles required by Eventarc. For example, $TRIGGER_SA@PROJECT_ID.iam.gserviceaccount.com
- PROJECT_ID: your Google Cloud project ID.
Notes:
- The --location flag must be global. For more information, see Eventarc locations.
- The --event-filters flag is required and the type must be google.firebase.testlab.testMatrix.v1.completed. An event is sent when a TestMatrix has completed.
- Once a trigger is created, the event filter type cannot be modified. Instead, create a new trigger and delete the old one.
- The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.
Example:
gcloud eventarc triggers create tl-gke-trigger \
--location=global \
--destination-gke-cluster=gke-events-cluster \
--destination-gke-location=us-central1-a \
--destination-gke-namespace=default \
--destination-gke-service=helloworld-events \
--destination-gke-path=/ \
--event-filters="type=google.firebase.testlab.testMatrix.v1.completed" \
--service-account=${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com
This command creates a trigger called tl-gke-trigger for the event identified as google.firebase.testlab.testMatrix.v1.completed.
Pub/Sub messages (existing topic)
gcloud eventarc triggers create TRIGGER \
--location=LOCATION \
--destination-gke-cluster=DESTINATION_GKE_CLUSTER \
--destination-gke-location=DESTINATION_GKE_LOCATION \
--destination-gke-namespace=DESTINATION_GKE_NAMESPACE \
--destination-gke-service=DESTINATION_GKE_SERVICE \
--destination-gke-path=DESTINATION_GKE_PATH \
--event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
--transport-topic=projects/PROJECT_ID/topics/TOPIC_ID \
--service-account=TRIGGER_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com
Replace the following:
- TRIGGER: the ID of the trigger or a fully qualified identifier.
- LOCATION: the location of the Eventarc trigger. To avoid any performance and data residency issues caused by a global trigger, it should match the location of the Google Cloud service that is generating events. Alternatively, you can set the eventarc/location property; for example, gcloud config set eventarc/location us-central1. For more information, see Eventarc locations.
- DESTINATION_GKE_CLUSTER: the name of the GKE cluster in which the target GKE service that receives events is running.
- DESTINATION_GKE_LOCATION: the location in which the destination GKE service can be found. If not specified, it is assumed that the service is in the same region as the trigger. For more information, see Cloud Run for Anthos on Google Cloud locations.
- DESTINATION_GKE_NAMESPACE: the namespace in which the destination GKE service is running. If not specified, the default namespace is used.
- DESTINATION_GKE_SERVICE: the name of the GKE service that receives the events for the trigger. The service must be in the same region as the trigger, unless the trigger's location is global. The service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
- (Optional) DESTINATION_GKE_PATH: the relative path you specify on the destination GKE service to which the events for the trigger should be sent. For example: /, /route, route, route/subroute.
- PROJECT_ID: your Google Cloud project ID.
- TOPIC_ID: the ID of the existing Pub/Sub topic. The topic must be in the same project as the trigger.
- TRIGGER_SERVICE_ACCOUNT: the IAM service account email associated with the trigger and to which you previously granted specific roles required by Eventarc. For example, $TRIGGER_SA@PROJECT_ID.iam.gserviceaccount.com
Notes:
- The --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" flag is required.
- Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported.
- The --transport-topic flag is used to specify the ID of the existing Pub/Sub topic or its fully qualified identifier.
- By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Managing subscriptions.
Example:
gcloud eventarc triggers create pubsub-gke-trigger-existing \
--destination-gke-cluster=gke-events-cluster \
--destination-gke-location=us-central1-a \
--destination-gke-namespace=default \
--destination-gke-service=helloworld \
--destination-gke-path=/ \
--event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
--transport-topic=projects/${PROJECT_ID}/topics/${TOPIC_ID} \
--service-account=${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com
This creates a trigger called pubsub-gke-trigger-existing for the Pub/Sub topic identified by projects/${PROJECT_ID}/topics/${TOPIC_ID}.
Pub/Sub messages (new topic)
gcloud eventarc triggers create TRIGGER \
--location=LOCATION \
--destination-gke-cluster=DESTINATION_GKE_CLUSTER \
--destination-gke-location=DESTINATION_GKE_LOCATION \
--destination-gke-namespace=DESTINATION_GKE_NAMESPACE \
--destination-gke-service=DESTINATION_GKE_SERVICE \
--destination-gke-path=DESTINATION_GKE_PATH \
--event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
--service-account=TRIGGER_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com
Replace the following:
- TRIGGER: the ID of the trigger or a fully qualified identifier.
- LOCATION: the location of the Eventarc trigger. To avoid any performance and data residency issues caused by a global trigger, it should match the location of the Google Cloud service that is generating events. Alternatively, you can set the eventarc/location property; for example, gcloud config set eventarc/location us-central1. For more information, see Eventarc locations.
- DESTINATION_GKE_CLUSTER: the name of the GKE cluster in which the target GKE service that receives events is running.
- DESTINATION_GKE_LOCATION: the location in which the destination GKE service can be found. If not specified, it is assumed that the service is in the same region as the trigger. For more information, see Cloud Run for Anthos on Google Cloud locations.
- DESTINATION_GKE_NAMESPACE: the namespace in which the destination GKE service is running. If not specified, the default namespace is used.
- DESTINATION_GKE_SERVICE: the name of the GKE service that receives the events for the trigger. The service must be in the same region as the trigger, unless the trigger's location is global. The service must be in the same project as the trigger and will receive events as HTTP POST requests sent to its root URL path (/), whenever the event is generated.
- (Optional) DESTINATION_GKE_PATH: the relative path you specify on the destination GKE service to which the events for the trigger should be sent. For example: /, /route, route, route/subroute.
- TRIGGER_SERVICE_ACCOUNT: the IAM service account email associated with the trigger and to which you previously granted specific roles required by Eventarc. For example, $TRIGGER_SA@PROJECT_ID.iam.gserviceaccount.com
- PROJECT_ID: your Google Cloud project ID.
Notes:
- The --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" flag is required.
- Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported.
- By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Managing subscriptions.
Example:
gcloud eventarc triggers create pubsub-gke-trigger-new \
--location=us-central1 \
--destination-gke-cluster=gke-events-cluster \
--destination-gke-location=us-central1-a \
--destination-gke-namespace=default \
--destination-gke-service=helloworld \
--destination-gke-path=/ \
--event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
--service-account=${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com
This creates a new Pub/Sub topic and a trigger for it called pubsub-gke-trigger-new.
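The filter rules stated in the Notes of each trigger type above (repeated or comma-delimited --event-filters values, required attributes per event type, --location=global for Firebase events, all filters must match, no wildcards) can be checked before a trigger is created. The following is an added example, not part of the original page or of gcloud; the function names are hypothetical, and it assumes an event's attributes are available as a dict keyed by the same attribute names the filters use.

```python
AUDIT_LOG = "google.cloud.audit.log.v1.written"
STORAGE_TYPES = {
    "google.cloud.storage.object.v1.finalized",
    "google.cloud.storage.object.v1.archived",
    "google.cloud.storage.object.v1.deleted",
    "google.cloud.storage.object.v1.metadataUpdated",
}
FIREBASE_ALERTS = "google.firebase.firebasealerts.alerts.v1.published"
# Event types whose Notes on this page say --location must be global.
GLOBAL_ONLY = {
    FIREBASE_ALERTS,
    "google.firebase.remoteconfig.remoteConfig.v1.updated",
    "google.firebase.testlab.testMatrix.v1.completed",
}


def parse_event_filters(flag_values):
    """Merge --event-filters values: the flag may repeat, each value may be
    a comma-delimited list of ATTRIBUTE=VALUE pairs."""
    filters = {}
    for value in flag_values:
        for pair in value.split(","):
            attr, sep, val = pair.partition("=")
            if not sep or not attr or not val:
                raise ValueError(f"malformed filter: {pair!r}")
            # This example's own rule: one attribute given two different
            # values is ambiguous, so reject it rather than pick one.
            if filters.get(attr, val) != val:
                raise ValueError(f"conflicting values for {attr!r}")
            filters[attr] = val
    return filters


def required_attributes(event_type):
    """Filters the page lists as required in addition to `type`."""
    if event_type == AUDIT_LOG:
        return {"serviceName", "methodName"}
    if event_type in STORAGE_TYPES:
        return {"bucket"}
    if event_type == FIREBASE_ALERTS:
        return {"alerttype"}
    return set()


def lint_trigger(location, flag_values):
    """Return a list of problems; an empty list means the filters agree
    with the rules stated on this page."""
    filters = parse_event_filters(flag_values)
    event_type = filters.get("type")
    if event_type is None:
        return ["missing required filter: type"]
    problems = []
    for attr in sorted(required_attributes(event_type) - set(filters)):
        problems.append(f"missing required filter: {attr}")
    if event_type in GLOBAL_ONLY and location != "global":
        problems.append(f"{event_type} requires --location=global")
    for attr, val in sorted(filters.items()):
        if "*" in val:
            problems.append(
                f"{attr}={val}: wildcards are not supported in --event-filters")
    return problems


def event_matches(filters, attributes):
    """An event is delivered only if every filter matches exactly."""
    return all(attributes.get(a) == v for a, v in filters.items())


if __name__ == "__main__":
    # Filters from the cal-gke-trigger example, written both ways.
    flags = [
        "type=google.cloud.audit.log.v1.written,serviceName=storage.googleapis.com",
        "methodName=storage.buckets.update",
    ]
    print(lint_trigger("us-central1", flags))
    # Constructed event attributes: same service, different method.
    event = {"type": AUDIT_LOG, "serviceName": "storage.googleapis.com",
             "methodName": "storage.buckets.get"}
    print(event_matches(parse_event_filters(flags), event))
```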
List a trigger using the Google Cloud CLI
You can confirm the creation of a trigger by listing Eventarc triggers:
gcloud eventarc triggers list --location=LOCATION
Replace LOCATION with the ID or fully qualified identifier of the Eventarc trigger location; for example, us-central1.
For more information on managing Eventarc triggers, see Manage triggers.
What's next
To get started using Eventarc for GKE, see the quickstarts.