Receive Pub/Sub events using an authenticated Cloud Run service

Stay organized with collections Save and categorize content based on your preferences.

This tutorial shows how to deploy a containerized application using an authenticated Cloud Run service that receives events using Pub/Sub. Pub/Sub is a fully-managed real-time messaging service that allows you to send and receive messages between independent applications.

Objectives

In this tutorial, you will:

  1. Deploy an event receiver service to Cloud Run that requires authenticated invocations.

  2. Create an Eventarc trigger that connects a Pub/Sub topic to the Cloud Run service.

  3. Publish a message to the Pub/Sub topic to generate an event.

  4. View the event in the Cloud Run logs.

Costs

This tutorial uses the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

Before you begin

    Some of the steps in this document might not work correctly if your organization applies constraints to your Google Cloud environment. In that case, you might not be able to complete tasks like creating public IP addresses or service account keys. If you make a request that returns an error about constraints, see how to Develop applications in a constrained Google Cloud environment.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install and initialize the Google Cloud CLI.
  3. Create or select a Google Cloud project.

    • Create a Cloud project:

      gcloud projects create PROJECT_ID
    • Select the Cloud project that you created:

      gcloud config set project PROJECT_ID
  4. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  5. Install and initialize the Google Cloud CLI.
  6. Create or select a Google Cloud project.

    • Create a Cloud project:

      gcloud projects create PROJECT_ID
    • Select the Cloud project that you created:

      gcloud config set project PROJECT_ID
  7. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  8. Update gcloud components:
    gcloud components update
  9. Log in using your account:
    gcloud auth login
  10. Enable the APIs:
    gcloud services enable run.googleapis.com \
      eventarc.googleapis.com \
      pubsub.googleapis.com \
      cloudbuild.googleapis.com
  11. Set the configuration variables used in this tutorial:
    export REGION=us-central1
    gcloud config set run/region ${REGION}
    gcloud config set run/platform managed
    gcloud config set eventarc/location ${REGION}
    
  12. Create a service account for the project. For example:
    gcloud iam service-accounts create sample-service-account \
      --description="A sample service account" \
      --display-name="Sample service account"
    After you create a service account, it can take up to 7 minutes before you can use the service account. If you try to use a service account immediately after you create it, and you receive an error, wait at least 60 seconds and try again.
  13. Confirm that sample-service-account has been created, run:
    gcloud iam service-accounts list
    The output should be similar to the following:
    DISPLAY NAME                     EMAIL                                                               DISABLED
    Default compute service account  PROJECT_NUMBER-compute@developer.gserviceaccount.com                False
    Sample service account           sample-service-account@PROJECT_ID.iam.gserviceaccount.com           False
  14. Grant the run.invoker role to the service account:
    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
      --role="roles/run.invoker"

    Replace the following:

    • PROJECT_ID: the project ID
    • SERVICE_ACCOUNT_EMAIL: the service account email address returned in the previous step
  15. Grant the eventarc.admin role to the principal:
    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="PRINCIPAL" \
      --role="roles/eventarc.admin"

    Replace the following values:

    • PROJECT_ID: the Google Cloud project ID
    • PRINCIPAL: a valid identity to which you want to grant the role.

        For example:

      • Google account email: user:test-user@gmail.com
      • Google group: group:admins@example.com
      • Service account: serviceAccount:test123@example.domain.com
      • Google Workspace or Cloud Identity domain: domain:example.domain.com
  16. Grant the iam.serviceAccountUser role to the principal:
    gcloud iam service-accounts add-iam-policy-binding \
      SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
      --member="PRINCIPAL" \
      --role="roles/iam.serviceAccountUser"

    Replace the following values:

    • PROJECT_ID: the Google Cloud project ID
    • SERVICE_ACCOUNT_ID: the service account ID; for example, sample-service-account.
    • PRINCIPAL: a valid identity to which you want to grant the role.

        For example:

      • Google account email: user:test-user@gmail.com
      • Google group: group:admins@example.com
      • Service account: serviceAccount:test123@example.domain.com
      • Google Workspace or Cloud Identity domain: domain:example.domain.com

Deploy an event receiver to Cloud Run

Deploy a Cloud Run service that logs the contents of an event.

  1. Clone the repository:

    Node.js

    git clone https://github.com/GoogleCloudPlatform/nodejs-docs-samples.git

    Alternatively, you can download the sample as a zip file and extract it.

    Python

    git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git

    Alternatively, you can download the sample as a zip file and extract it.

    Go

    git clone https://github.com/GoogleCloudPlatform/golang-samples.git

    Alternatively, you can download the sample as a zip file and extract it.

    Java

    git clone https://github.com/GoogleCloudPlatform/java-docs-samples.git

    Alternatively, you can download the sample as a zip file and extract it.

    Ruby

    git clone https://github.com/GoogleCloudPlatform/ruby-docs-samples.git

    Alternatively, you can download the sample as a zip file and extract it.

    C#

    git clone https://github.com/GoogleCloudPlatform/dotnet-docs-samples.git

    Alternatively, you can download the sample as a zip file and extract it.

  2. Change to the directory that contains the Cloud Run sample code:

    Node.js

    cd nodejs-docs-samples/eventarc/pubsub/

    Python

    cd python-docs-samples/eventarc/pubsub/

    Go

    cd golang-samples/eventarc/pubsub/

    Java

    cd java-docs-samples/eventarc/pubsub/

    Ruby

    cd ruby-docs-samples/eventarc/pubsub/

    C#

    cd dotnet-docs-samples/eventarc/pubsub/
  3. Build the container for the Cloud Run service:

    export PROJECT_ID=$(gcloud config get-value project)
    export SERVICE_NAME=trigger-pubsub
    gcloud builds submit --tag gcr.io/${PROJECT_ID}/${SERVICE_NAME}
    
  4. Deploy the container image to Cloud Run:

    gcloud run deploy ${SERVICE_NAME} \
      --image gcr.io/${PROJECT_ID}/${SERVICE_NAME} \
      --region=${REGION}
    
  5. At the Allow unauthenticated invocations to trigger-pubsub (y/N)? prompt, respond n for "No".

When you see the Cloud Run service URL, the deployment is complete.

Create an Eventarc trigger

When a message is published to the Pub/Sub topic, the event triggers the Cloud Run service. The service requires authentication, and the event should be triggered by a caller that has a service account with the required IAM roles and permissions to use the resource.

  1. Create a trigger to listen for Pub/Sub messages:

    New Pub/Sub topic

      gcloud eventarc triggers create ${SERVICE_NAME} \
        --destination-run-service=${SERVICE_NAME} \
        --destination-run-region=${REGION} \
        --location=${REGION} \
        --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
        --service-account=SERVICE_ACCOUNT_EMAIL
    

    Replace SERVICE_ACCOUNT_EMAIL with the email address for the service account.
    This creates a new Pub/Sub topic and a trigger for it called trigger-pubsub.

    Existing Pub/Sub topic

      gcloud eventarc triggers create ${SERVICE_NAME} \
        --destination-run-service=${SERVICE_NAME} \
        --destination-run-region=${REGION} \
        --location=${REGION} \
        --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
        --transport-topic=projects/PROJECT_ID/topics/TOPIC_ID \
        --service-account=SERVICE_ACCOUNT_EMAIL
    

    Replace the following:

    • PROJECT_ID: your Google Cloud project ID
    • TOPIC_ID: the ID of the existing Pub/Sub topic
    • SERVICE_ACCOUNT_EMAIL: the email address for the service account

      This creates a trigger called trigger-pubsub for the existing Pub/Sub topic.

  2. Confirm that the trigger was successfully created. Note that although your trigger is created immediately, it can take up to two minutes for a trigger to be fully functional.

      gcloud eventarc triggers list --location=us-central1
    

    The returned trigger status should be ACTIVE: Yes.

Generate and view an event

Publish a message to a Pub/Sub topic to generate an event and trigger the Cloud Run service. The Cloud Run service logs the messages on the service logs.

  1. Find and set the Pub/Sub topic as an environment variable:

    export TOPIC_ID=$(basename $(gcloud eventarc triggers describe ${SERVICE_NAME} \
      --format='value(transport.pubsub.topic)'))
    
  2. Send a message to the Pub/Sub topic to generate an event:

    gcloud pubsub topics publish $TOPIC_ID --message "Hello there"
    

    The event is sent to the Cloud Run service, which logs the event message.

  3. View the event-related log entries created by your service:

    gcloud logging read 'textPayload: "Hello there!"'

    The log entry should be similar to the following:

    textPayload: 'Hello, Hello there!'

Logs might take a few moments to appear. If you don't see them immediately, check again after a minute.

Clean up

If you created a new project for this tutorial, delete the project. If you used an existing project and wish to keep it without the changes added in this tutorial, delete the resources created for the tutorial.

Delete the project

The easiest way to eliminate billing is to delete the project that you created for the tutorial.

To delete the project:

  1. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete tutorial resources

  1. Delete the Cloud Run service you deployed in this tutorial:

    gcloud run services delete SERVICE_NAME

    Where SERVICE_NAME is your chosen service name.

    You can also delete Cloud Run services from the Google Cloud console.

  2. Remove any gcloud CLI default configurations you added during the tutorial setup.

    For example:

    gcloud config unset run/region

    or

    gcloud config unset project

  3. Delete other Google Cloud resources created in this tutorial:

    • Delete the Eventarc trigger:
      gcloud eventarc triggers delete TRIGGER_NAME
      
      Replace TRIGGER_NAME with the name of your trigger.

What's next