This tutorial shows how to deploy a containerized application using an authenticated Cloud Run service that receives events using Pub/Sub. Pub/Sub is a fully-managed real-time messaging service that allows you to send and receive messages between independent applications.
Objectives
In this tutorial, you will:
Deploy an event receiver service to Cloud Run that requires authenticated invocations.
Create an Eventarc trigger that connects a Pub/Sub topic to the Cloud Run service.
Publish a message to the Pub/Sub topic to generate an event.
View the event in the Cloud Run logs.
Costs
In this document, you use the following billable components of Google Cloud:
To generate a cost estimate based on your projected usage,
use the pricing calculator.
Before you begin
Some of the steps in this document might not work correctly if your organization applies constraints to your Google Cloud environment. In that case, you might not be able to complete tasks like creating public IP addresses or service account keys. If you make a request that returns an error about constraints, see how to Develop applications in a constrained Google Cloud environment.
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
Create or select a Google Cloud project.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
-
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
-
-
Make sure that billing is enabled for your Google Cloud project. Learn how to check if billing is enabled on a project.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
Create or select a Google Cloud project.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
-
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
-
-
Make sure that billing is enabled for your Google Cloud project. Learn how to check if billing is enabled on a project.
- Update gcloud components:
gcloud components update
- Log in using your account:
gcloud auth login
- Enable the APIs:
gcloud services enable run.googleapis.com \ eventarc.googleapis.com \ pubsub.googleapis.com \ cloudbuild.googleapis.com
- Set the configuration variables used in this tutorial:
export REGION=us-central1 gcloud config set run/region ${REGION} gcloud config set run/platform managed gcloud config set eventarc/location ${REGION}
-
If you are the project creator, you are granted the basic Owner role (
roles/owner
). By default, this Identity and Access Management (IAM) role includes the permissions necessary for full access to most Google Cloud resources and you can skip this step.If you are not the project creator, required permissions must be granted on the project to the appropriate principal. For example, a principal can be a Google Account (for end users) or a service account (for applications and compute workloads). For more information, see the Roles and permissions page for your event destination.
Required permissions
To get the permissions that you need to complete this tutorial, ask your administrator to grant you the following IAM roles on your project:
-
Cloud Build Editor (
roles/cloudbuild.builds.editor
) -
Cloud Run Admin (
roles/run.admin
) -
Eventarc Admin (
roles/eventarc.admin
) -
Logs View Accessor (
roles/logging.viewAccessor
) -
Project IAM Admin (
roles/resourcemanager.projectIamAdmin
) -
Pub/Sub Publisher (
roles/pubsub.publisher
) -
Service Account Admin (
roles/iam.serviceAccountAdmin
) -
Service Account User (
roles/iam.serviceAccountUser
) -
Service Usage Admin (
roles/serviceusage.serviceUsageAdmin
) -
Storage Admin (
roles/storage.admin
)
For more information about granting roles, see Manage access.
You might also be able to get the required permissions through custom roles or other predefined roles.
-
Cloud Build Editor (
The Compute Engine default service account is automatically created after enabling or using a Google Cloud service that uses Compute Engine.
For test purposes, you can attach this service account to an Eventarc trigger to represent the identity of the trigger. Note the email format to use when creating a trigger:
PROJECT_NUMBER-compute@developer.gserviceaccount.com
Replace
PROJECT_NUMBER
with your Google Cloud project number. You can find your project number on the Dashboard page of the Google Cloud console or by running the following command:gcloud projects describe PROJECT_ID --format='value(projectNumber)'
The Compute Engine service account is automatically granted the basic Editor role (
roles/editor
) on your project. However, if automatic role grants have been disabled, refer to the applicable Roles and permissions instructions on to create a new service account and grant it the required roles.- By default, Cloud Run services are only callable by Project
Owners, Project Editors, and Cloud Run Admins and Invokers.
You can
control
access on a per-service basis; however, for testing purposes, grant the
Cloud Run
Invoker role (
run.invoker
) on the Google Cloud project to the Compute Engine service account. This grants the role on all Cloud Run services and jobs in a project.gcloud projects add-iam-policy-binding PROJECT_ID \ --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com \ --role=roles/run.invoker
Note that if you create a trigger for an authenticated Cloud Run service without granting the Cloud Run Invoker role, the trigger is created successfully and is active. However, the trigger will not work as expected and a message similar to the following appears in the logs:
The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header.
- If you enabled the Cloud Pub/Sub service agent on or before April
8, 2021, to support authenticated Pub/Sub push requests, grant
the Service
Account Token Creator role (
roles/iam.serviceAccountTokenCreator
) to the Google-managed service account. Otherwise, this role is granted by default:gcloud projects add-iam-policy-binding PROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com \ --role=roles/iam.serviceAccountTokenCreator
Deploy an event receiver to Cloud Run
Deploy a Cloud Run service that logs the contents of an event.
Clone the repository:
Node.js
git clone https://github.com/GoogleCloudPlatform/nodejs-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Python
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Go
git clone https://github.com/GoogleCloudPlatform/golang-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Java
git clone https://github.com/GoogleCloudPlatform/java-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Ruby
git clone https://github.com/GoogleCloudPlatform/ruby-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
C#
git clone https://github.com/GoogleCloudPlatform/dotnet-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Change to the directory that contains the Cloud Run sample code:
Node.js
cd nodejs-docs-samples/eventarc/pubsub/
Python
cd python-docs-samples/eventarc/pubsub/
Go
cd golang-samples/eventarc/pubsub/
Java
cd java-docs-samples/eventarc/pubsub/
Ruby
cd ruby-docs-samples/eventarc/pubsub/
C#
cd dotnet-docs-samples/eventarc/pubsub/
Build the container for the Cloud Run service:
export PROJECT_ID=$(gcloud config get-value project) export SERVICE_NAME=trigger-pubsub gcloud builds submit --tag gcr.io/${PROJECT_ID}/${SERVICE_NAME}
Deploy the container image to Cloud Run:
gcloud run deploy ${SERVICE_NAME} \ --image gcr.io/${PROJECT_ID}/${SERVICE_NAME} \ --region=${REGION}
At the Allow unauthenticated invocations to trigger-pubsub (y/N)? prompt, respond
n
for "No".
When you see the Cloud Run service URL, the deployment is complete.
Create an Eventarc trigger
When a message is published to the Pub/Sub topic, the event triggers the Cloud Run service.
Create a trigger to listen for Pub/Sub messages:
New Pub/Sub topic
gcloud eventarc triggers create ${SERVICE_NAME} \ --destination-run-service=${SERVICE_NAME} \ --destination-run-region=${REGION} \ --location=${REGION} \ --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \ --service-account=PROJECT_NUMBER-compute@developer.gserviceaccount.com
This creates a new Pub/Sub topic and a trigger for it called
trigger-pubsub
.Existing Pub/Sub topic
gcloud eventarc triggers create ${SERVICE_NAME} \ --destination-run-service=${SERVICE_NAME} \ --destination-run-region=${REGION} \ --location=${REGION} \ --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \ --transport-topic=projects/PROJECT_ID/topics/TOPIC_ID \ --service-account=PROJECT_NUMBER-compute@developer.gserviceaccount.com
Replace the following:
PROJECT_ID
: your Google Cloud project IDTOPIC_ID
: the ID of the existing Pub/Sub topic
This creates a trigger called
trigger-pubsub
for the existing Pub/Sub topic.Note that when creating an Eventarc trigger for the first time in a Google Cloud project, there might be a delay in provisioning the Eventarc service agent. This issue can usually be resolved by attempting to create the trigger again. For more information, see Permission denied errors.
Confirm that the trigger was successfully created. Note that although your trigger is created immediately, it can take up to two minutes for a trigger to be fully functional.
gcloud eventarc triggers list --location=us-central1
The returned trigger status should be
ACTIVE: Yes
.
Generate and view an event
Publish a message to a Pub/Sub topic to generate an event and trigger the Cloud Run service. The Cloud Run service logs the messages on the service logs.
Find and set the Pub/Sub topic as an environment variable:
export TOPIC_ID=$(gcloud eventarc triggers describe ${SERVICE_NAME} \ --format='value(transport.pubsub.topic)')
Send a message to the Pub/Sub topic to generate an event:
gcloud pubsub topics publish $TOPIC_ID --message "Hello there"
The event is sent to the Cloud Run service, which logs the event message.
View the event-related log entries created by your service:
gcloud logging read 'textPayload: "Hello there!"'
The log entry should be similar to the following:
textPayload: 'Hello, Hello there!'
Logs might take a few moments to appear. If you don't see them immediately, check again after a minute.
Clean up
If you created a new project for this tutorial, delete the project. If you used an existing project and wish to keep it without the changes added in this tutorial, delete the resources created for the tutorial.
Delete the project
The easiest way to eliminate billing is to delete the project that you created for the tutorial.
To delete the project:
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Delete tutorial resources
Delete the Cloud Run service you deployed in this tutorial:
gcloud run services delete SERVICE_NAME
Where
SERVICE_NAME
is your chosen service name.You can also delete Cloud Run services from the Google Cloud console.
Remove any gcloud CLI default configurations you added during the tutorial setup.
For example:
gcloud config unset run/region
or
gcloud config unset project
Delete other Google Cloud resources created in this tutorial:
- Delete the Eventarc trigger:
gcloud eventarc triggers delete TRIGGER_NAME
ReplaceTRIGGER_NAME
with the name of your trigger.
- Delete the container image
named
gcr.io/PROJECT_ID/trigger-pubsub
from Container Registry.
- Delete the Eventarc trigger: