Receive direct events from Cloud Storage (gcloud CLI)

Standard

This quickstart shows you how to receive direct events from Cloud Storage (without using Cloud Audit Logs) in an unauthenticated Cloud Run service using Eventarc.

You can configure the triggering of notifications in response to various events inside a Cloud Storage bucket—object creation, deletion, archiving, and metadata updates. For more information, see Create a trigger to route Cloud Storage events to Cloud Run.

In this quickstart, you:

Create a Cloud Storage bucket to be the event source.
Deploy an event receiver service to Cloud Run.
Create an Eventarc trigger.
Generate an event by uploading a file to the Cloud Storage bucket, and view it in the Cloud Run logs.

Before you begin

Security constraints defined by your organization might prevent you from completing the following steps. For troubleshooting information, see Develop applications in a constrained Google Cloud environment.

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Install the Google Cloud CLI.

To initialize the gcloud CLI, run the following command:

gcloud init

Create or select a Google Cloud project.

Create a Google Cloud project:
```
gcloud projects create PROJECT_ID
```
Replace PROJECT_ID with a name for the Google Cloud project you are creating.
Select the Google Cloud project that you created:
```
gcloud config set project PROJECT_ID
```
Replace PROJECT_ID with your Google Cloud project name.

Make sure that billing is enabled for your Google Cloud project.

Install the Google Cloud CLI.

To initialize the gcloud CLI, run the following command:

gcloud init

Create or select a Google Cloud project.

Create a Google Cloud project:
```
gcloud projects create PROJECT_ID
```
Replace PROJECT_ID with a name for the Google Cloud project you are creating.
Select the Google Cloud project that you created:
```
gcloud config set project PROJECT_ID
```
Replace PROJECT_ID with your Google Cloud project name.

Make sure that billing is enabled for your Google Cloud project.

Enable the Cloud Run, Cloud Storage, Eventarc, and Pub/Sub APIs.

gcloud services enable \
eventarc.googleapis.com \
pubsub.googleapis.com \
run.googleapis.com \
storage.googleapis.com

Update gcloud components:
```
gcloud components update
```
Sign in using your account:
```
gcloud auth login
```

Set the configuration variables used in this quickstart:

gcloud config set run/region us-central1
gcloud config set run/platform managed
gcloud config set eventarc/location us-central1

If you are the project creator, you are granted the basic Owner role (roles/owner). By default, this Identity and Access Management (IAM) role includes the permissions necessary for full access to most Google Cloud resources and you can skip this step.

If you are not the project creator, required permissions must be granted on the project to the appropriate principal. For example, a principal can be a Google Account (for end users) or a service account (for applications and compute workloads). For more information, see the Roles and permissions page for your event destination.
Required permissions

To get the permissions that you need to complete this tutorial, ask your administrator to grant you the following IAM roles on your project:
- Cloud Run Admin (roles/run.admin)
- Eventarc Admin (roles/eventarc.admin)
- Logs View Accessor (roles/logging.viewAccessor)
- Project IAM Admin (roles/resourcemanager.projectIamAdmin)
- Service Account Admin (roles/iam.serviceAccountAdmin)
- Service Account User (roles/iam.serviceAccountUser)
- Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
- Storage Admin (roles/storage.admin)
For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.
Make note of the Compute Engine default service account as you will you attach it to an Eventarc trigger to represent the identity of the trigger for testing purposes. This service account is automatically created after enabling or using a Google Cloud service that uses Compute Engine, and with the following email format:
```
PROJECT_NUMBER-compute@developer.gserviceaccount.com
```
Replace PROJECT_NUMBER with your Google Cloud project number. You can find your project number on the Welcome page of the Google Cloud console or by running the following command:
```
gcloud projects describe PROJECT_ID --format='value(projectNumber)'
```
For production environments, we strongly recommend creating a new service account and granting it one or more IAM roles that contain the minimum permissions required and follow the principle of least privilege.

Note:
The iam.automaticIamGrantsForDefaultServiceAccounts organization policy constraint prevents the Editor role from being automatically granted to default service accounts. If you created your organization after May 3, 2024, this constraint is enforced by default.

We strongly recommend that you enforce this constraint to disable the automatic role grant. If you disable the automatic role grant, you must decide which roles to grant to the default service accounts, and then grant these roles yourself.

If the default service account already has the Editor role, we recommend that you replace the Editor role with less permissive roles. To safely modify the service account's roles, use Policy Simulator to see the impact of the change, and then grant and revoke the appropriate roles.
Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) on the project to the Compute Engine default service account so that the Eventarc trigger can receive events from event providers.
```
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com \
    --role=roles/eventarc.eventReceiver
```

Before creating a trigger for direct events from Cloud Storage, grant the Pub/Sub Publisher role (roles/pubsub.publisher) to the Cloud Storage service agent:

SERVICE_ACCOUNT="$(gcloud storage service-agent --project=PROJECT_ID)"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:${SERVICE_ACCOUNT}" \
    --role='roles/pubsub.publisher'

If you enabled the Cloud Pub/Sub service agent on or before April 8, 2021, to support authenticated Pub/Sub push requests, grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to the service agent. Otherwise, this role is granted by default:
```
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com \
    --role=roles/iam.serviceAccountTokenCreator
```

Create a Cloud Storage bucket

Create a Cloud Storage bucket to use as the event source:

gsutil mb -l us-central1 gs://PROJECT_ID-bucket/

After the event source is created, you can deploy the event receiver service on Cloud Run.

Deploy the event receiver service to Cloud Run

Deploy a Cloud Run service that will receive and log events using a prebuilt image, us-docker.pkg.dev/cloudrun/container/hello:

gcloud run deploy helloworld-events \
    --image=us-docker.pkg.dev/cloudrun/container/hello \
    --allow-unauthenticated

When the deployment succeeds, the command line displays the service URL.

Now that you have deployed a event receiver service called helloworld-events to Cloud Run, you can set up your trigger.

Create an Eventarc trigger

The Eventarc trigger sends events from the Cloud Storage bucket to the helloworld-events Cloud Run service.

Create a trigger that filters Cloud Storage events and that uses the Compute Engine default service account.
```
  gcloud eventarc triggers create storage-events-trigger \
      --destination-run-service=helloworld-events \
      --destination-run-region=us-central1 \
      --event-filters="type=google.cloud.storage.object.v1.finalized" \
      --event-filters="bucket=PROJECT_ID-bucket" \
      --service-account=PROJECT_NUMBER-compute@developer.gserviceaccount.com
```
This creates a trigger called storage-events-trigger.

Note that when creating an Eventarc trigger for the first time in a Google Cloud project, there might be a delay in provisioning the Eventarc service agent. This issue can usually be resolved by attempting to create the trigger again. For more information, see Permission denied errors.

To confirm storage-events-trigger was successfully created, run:

  gcloud eventarc triggers list --location=us-central1

The output is similar to the following:

 NAME                    TYPE                                      DESTINATION_RUN_SERVICE  DESTINATION_RUN_PATH  ACTIVE
 storage-events-trigger  google.cloud.storage.object.v1.finalized  helloworld-events                              Yes

Generate and view an event

To generate an event, upload a text file to Cloud Storage:
```
 echo "Hello World" > random.txt
 gsutil cp random.txt gs://PROJECT_ID-bucket/random.txt
```
The upload generates an event and the Cloud Run service logs the event's message.

To view the log entry, filter the log entries, and return the output in JSON format:

gcloud logging read 'jsonPayload.message: "Received event of type google.cloud.storage.object.v1.finalized."'

Look for a log entry similar to the following:

jsonPayload:
  event:
  ...
  eventType: google.cloud.storage.object.v1.finalized
  message: |
    Received event of type google.cloud.storage.object.v1.finalized. Event data: {
      "kind": "storage#object",
      "id": "PROJECT_ID-bucket/random.txt/1713970683868432",
      "selfLink": "https://www.googleapis.com/storage/v1/b/PROJECT_ID-bucket/o/random.txt",
      "name": "random.txt",
      "bucket": "PROJECT_ID-bucket",
      ...
    }

Congratulations! You have successfully deployed an event receiver service to Cloud Run, created an Eventarc trigger, generated an event from Cloud Storage, and viewed it in the Cloud Run logs.

Clean up

When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created.

You can:

Alternatively, you can delete your Google Cloud project to avoid incurring charges. Deleting your Google Cloud project stops billing for all the resources used within that project.

Delete a Google Cloud project:

gcloud projects delete PROJECT_ID

If you plan to explore multiple tutorials and quickstarts, reusing projects can help you avoid exceeding project quota limits.