This tutorial shows how to deploy a containerized application using an authenticated Cloud Run service that receives events using Pub/Sub. Pub/Sub is a fully-managed real-time messaging service that allows you to send and receive messages between independent applications.
Objectives
In this tutorial, you will:
Deploy an event receiver service to Cloud Run that requires authenticated invocations.
Create an Eventarc trigger that connects a Pub/Sub topic to the Cloud Run service.
Publish a message to the Pub/Sub topic to generate an event.
View the event in the Cloud Run logs.
Costs
This tutorial uses the following billable components of Google Cloud:
To generate a cost estimate based on your projected usage,
use the pricing calculator.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
- Install and initialize the Google Cloud CLI.
- Update gcloud components:
gcloud components update
- Log in using your account:
gcloud auth login
- Enable the APIs:
gcloud services enable run.googleapis.com \ eventarc.googleapis.com \ pubsub.googleapis.com \ cloudbuild.googleapis.com
- Set the configuration variables used in this tutorial:
export REGION=us-central1 gcloud config set project PROJECT_ID gcloud config set run/region ${REGION} gcloud config set run/platform managed gcloud config set eventarc/location ${REGION}
ReplacePROJECT_ID
with your Google Cloud project ID. - Create a service account for the project. For example:
gcloud iam service-accounts create sample-service-account \ --description="A sample service account" \ --display-name="Sample service account"
After you create a service account, it can take up to 7 minutes before you can use the service account. If you try to use a service account immediately after you create it, and you receive an error, wait at least 60 seconds and try again. - Confirm that
sample-service-account
has been created, run:gcloud iam service-accounts list
The output should be similar to the following:DISPLAY NAME EMAIL DISABLED Default compute service account PROJECT_NUMBER-compute@developer.gserviceaccount.com False Sample service account sample-service-account@PROJECT_ID.iam.gserviceaccount.com False
- Grant the
run.invoker
role to the service account:gcloud projects add-iam-policy-binding PROJECT_ID \ --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \ --role="roles/run.invoker"
Replace the following:
-
PROJECT_ID
: the project ID. -
SERVICE_ACCOUNT_EMAIL
: the service account email address returned in the previous step.
-
- Grant the
eventarc.admin
role to the user account:gcloud projects add-iam-policy-binding PROJECT_ID \ --member="user:USER_EMAIL" \ --role='roles/eventarc.admin'
Replace the following values:
PROJECT_ID
: the Google Cloud project ID.USER_EMAIL
: the email address for the user.Examples:
user:test-user@gmail.com
,group:admins@example.com
,serviceAccount:test123@example.domain.com
, ordomain:example.domain.com
- Grant the
iam.serviceAccountUser
role to the user account:gcloud iam service-accounts add-iam-policy-binding \ SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \ --member="user:USER_EMAIL" \ --role="roles/iam.serviceAccountUser"
Replace the following values:
PROJECT_ID
: the Google Cloud project ID.SERVICE_ACCOUNT_ID
: the service account ID; for example,sample-service-account
.USER_EMAIL
: the email address for the user.Examples:
user:test-user@gmail.com
,group:admins@example.com
,serviceAccount:test123@example.domain.com
, ordomain:example.domain.com
Some of the steps in this document might not work correctly if your organization applies constraints to your Google Cloud environment. In that case, you might not be able to complete tasks like creating public IP addresses or service account keys. If you make a request that returns an error about constraints, see how to Develop applications in a constrained Google Cloud environment.
Deploy an event receiver to Cloud Run
Deploy a Cloud Run service that logs the contents of an event.
Clone the repository:
Node.js
git clone https://github.com/GoogleCloudPlatform/nodejs-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Python
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Go
git clone https://github.com/GoogleCloudPlatform/golang-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Java
git clone https://github.com/GoogleCloudPlatform/java-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Ruby
git clone https://github.com/GoogleCloudPlatform/ruby-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
C#
git clone https://github.com/GoogleCloudPlatform/dotnet-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Change to the directory that contains the Cloud Run sample code:
Node.js
cd nodejs-docs-samples/eventarc/pubsub/
Python
cd python-docs-samples/eventarc/pubsub/
Go
cd golang-samples/eventarc/pubsub/
Java
cd java-docs-samples/eventarc/pubsub/
Ruby
cd ruby-docs-samples/eventarc/pubsub/
C#
cd dotnet-docs-samples/eventarc/pubsub/
Build the container for the Cloud Run service:
export PROJECT_ID=$(gcloud config get-value project) export SERVICE_NAME=trigger-pubsub gcloud builds submit --tag gcr.io/${PROJECT_ID}/${SERVICE_NAME}
Deploy the container image to Cloud Run:
gcloud run deploy ${SERVICE_NAME} \ --image gcr.io/${PROJECT_ID}/${SERVICE_NAME} \ --region=${REGION}
At the Allow unauthenticated invocations to trigger-pubsub (y/N)? prompt, respond
n
for "No".
When you see the Cloud Run service URL, the deployment is complete.
Create an Eventarc trigger
When a message is published to the Pub/Sub topic, the event triggers the Cloud Run service. The service requires authentication, and the event should be triggered by a caller that has a service account with the required IAM roles and permissions to use the resource.
Create a trigger to listen for Pub/Sub messages:
New Pub/Sub topic
gcloud eventarc triggers create ${SERVICE_NAME} \ --destination-run-service=${SERVICE_NAME} \ --destination-run-region=${REGION} \ --location=${REGION} \ --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \ --service-account=SERVICE_ACCOUNT_USER_EMAIL
Replace
SERVICE_ACCOUNT_EMAIL
with the email address for the service account. This creates a new Pub/Sub topic and a trigger for it calledtrigger-pubsub
.Existing Pub/Sub topic
gcloud eventarc triggers create ${SERVICE_NAME} \ --destination-run-service=${SERVICE_NAME} \ --destination-run-region=${REGION} \ --location=${REGION} \ --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \ --transport-topic=projects/PROJECT_ID/topics/TOPIC_ID \ --service-account=SERVICE_ACCOUNT_EMAIL
Replace the following:
PROJECT_ID
is your Google Cloud project ID.TOPIC_ID
is the ID of the existing Pub/Sub topic.SERVICE_ACCOUNT_EMAIL
is the email address for the service account.This creates a trigger called
trigger-pubsub
for the existing Pub/Sub topic.
Confirm that the trigger was successfully created:
gcloud eventarc triggers list --location=us-central1
The returned trigger status should be
ACTIVE: Yes
.
Generate and view an event
Publish a message to a Pub/Sub topic to generate an event and trigger the Cloud Run service. The Cloud Run service logs the messages on the service logs.
Find and set the Pub/Sub topic as an environment variable:
export TOPIC_ID=$(basename $(gcloud eventarc triggers describe ${SERVICE_NAME} \ --format='value(transport.pubsub.topic)'))
Send a message to the Pub/Sub topic to generate an event:
gcloud pubsub topics publish $TOPIC_ID --message "Hello there"
The event is sent to the Cloud Run service, which logs the event message.
View the event-related log entries created by your service:
gcloud logging read 'textPayload: "Hello there!"'
The log entry should be similar to the following:
textPayload: 'Hello, Hello there!'
Logs might take a few moments to appear. If you don't see them immediately, check again after a minute.
Clean up
If you created a new project for this tutorial, delete the project. If you used an existing project and wish to keep it without the changes added in this tutorial, delete the resources created for the tutorial.
Delete the project
The easiest way to eliminate billing is to delete the project that you created for the tutorial.
To delete the project:
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Delete tutorial resources
Delete the Cloud Run service you deployed in this tutorial:
gcloud run services delete SERVICE_NAME
Where
SERVICE_NAME
is your chosen service name.You can also delete Cloud Run services from the Google Cloud console.
Remove any gcloud CLI default configurations you added during the tutorial setup.
For example:
gcloud config unset run/region
or
gcloud config unset project
Delete other Google Cloud resources created in this tutorial:
- Delete the Eventarc trigger:
gcloud eventarc triggers delete TRIGGER_NAME
ReplaceTRIGGER_NAME
with the name of your trigger.
- Delete the container image
named
gcr.io/PROJECT_ID/trigger-pubsub
from Container Registry.
- Delete the Eventarc trigger: