Create a trigger for Workflows


An Eventarc trigger declares your interest in a certain event or set of events. You can configure event routing by specifying filters for the trigger, including the event source, and the target workflow.

A new execution of your workflow is triggered by the following events:

Eventarc delivers triggered events from the sources over Cloud Pub/Sub. The delivered events are transformed and passed to Workflows as runtime arguments to execute the workflow. Make sure that the event size does not exceed 256 kilobytes. Events larger than the maximum Workflows arguments size will not trigger workflow executions.

You can create an Eventarc trigger with a deployed workflow as the event receiver by using the Google Cloud CLI.

Prepare to create a trigger

Before creating an Eventarc trigger for a target workflow, complete the following tasks.

Enable the APIs

To support routing events to a target workflow, enable the Eventarc and Workflows APIs for your project.

gcloud services enable eventarc.googleapis.com workflows.googleapis.com workflowexecutions.googleapis.com

Grant the required user role

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=PRINCIPAL \
    --role="roles/eventarc.admin"

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: the principal to add the binding for. It must be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Create a service account

If you don't already have one, create a user-managed service account, then grant it the roles and permissions necessary so that Eventarc can manage events for a target workflow.

  1. Set the project configuration variable:

    gcloud config set project PROJECT_ID
    

    Replace PROJECT_ID with your Google Cloud project ID. You can find your project ID on the Dashboard page of the Google Cloud console.

  2. Create a service account that is used when creating triggers:

    TRIGGER_SA=MY_SERVICE_ACCOUNT
    gcloud iam service-accounts create "${TRIGGER_SA}"

    Replace MY_SERVICE_ACCOUNT with the name of the service account. It must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes. After you create a service account, you cannot change its name.

  3. Grant the following roles to the service account:

    Cloud Audit Logs events

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/workflows.invoker"
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/eventarc.eventReceiver"
    

    Direct events

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/workflows.invoker"
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/eventarc.eventReceiver"
    

    Pub/Sub messages

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:${TRIGGER_SA}@PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/workflows.invoker"
    

    Replace PROJECT_ID with your Google Cloud project ID.

  4. If you are creating a trigger for a direct Cloud Storage event, grant the pubsub.publisher role to the Cloud Storage service account:

    SERVICE_ACCOUNT="$(gsutil kms serviceaccount -p PROJECT_ID)"
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:${SERVICE_ACCOUNT}" \
        --role="roles/pubsub.publisher"
    

    For more information about how to control access to Workflows resources, see Use IAM to control access.
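To verify that the trigger service account holds only the roles granted in step 3, the following added example (not part of the original documentation) compares the roles bound to it at the project level with the role set this page lists for each event category. The function names, the category labels audit-logs, direct and pubsub, and the sample role list are assumptions made for the example.

```shell
#!/bin/sh
# Added example: least-privilege check for the Eventarc trigger service account.
# Function names and category labels are hypothetical, not part of gcloud.

# Roles this page grants to the trigger service account, per event category.
expected_roles() {
  case "$1" in
    audit-logs|direct)
      printf '%s\n' roles/eventarc.eventReceiver roles/workflows.invoker ;;
    pubsub)
      printf '%s\n' roles/workflows.invoker ;;
    *)
      echo "unknown category: $1 (use audit-logs, direct or pubsub)" >&2
      return 2 ;;
  esac
}

# fetch_roles PROJECT_ID SA_EMAIL
# Lists the project-level roles bound to the service account, one per line.
# Needs gcloud and permission to read the project's IAM policy.
fetch_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# audit_roles CATEGORY
# Reads the roles actually bound to the account on stdin, one per line.
# Prints "EXTRA <role>" for roles beyond the documented set and
# "MISSING <role>" for documented roles that are absent.
# Returns 0 on an exact match, 1 on any finding, 2 on an unknown category.
audit_roles() (
  want="$(expected_roles "$1")" || exit 2
  # Normalise input: strip trailing whitespace, drop blank lines, de-duplicate.
  have="$(sed -e 's/[[:space:]]*$//' -e '/^$/d' | LC_ALL=C sort -u)"
  findings="$(
    printf '%s\n' "$have" | while IFS= read -r role; do
      [ -n "$role" ] || continue
      printf '%s\n' "$want" | grep -qxF -- "$role" || echo "EXTRA $role"
    done
    printf '%s\n' "$want" | while IFS= read -r role; do
      printf '%s\n' "$have" | grep -qxF -- "$role" || echo "MISSING $role"
    done
  )"
  [ -z "$findings" ] && exit 0
  printf '%s\n' "$findings"
  exit 1
)

# Constructed sample: what fetch_roles could print for an over-privileged account.
sample_roles='roles/workflows.invoker
roles/eventarc.eventReceiver
roles/editor'

# Live use (assumes PROJECT_ID and TRIGGER_SA are set in the shell):
#   fetch_roles "$PROJECT_ID" "${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com" \
#     | audit_roles direct
printf '%s\n' "$sample_roles" | audit_roles direct \
  || echo "trigger service account deviates from the documented role set"
```

The check reads only the project's IAM policy. Roles the account inherits from a folder or organization policy, or through group membership, do not appear there and need a separate review.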

Create a trigger using the Google Cloud CLI

You can create a trigger by running a gcloud eventarc triggers create command along with required and optional flags.

Cloud Audit Logs events

gcloud eventarc triggers create TRIGGER \
    --location=LOCATION \
    --destination-workflow=DESTINATION_WORKFLOW \
    --destination-workflow-location=DESTINATION_WORKFLOW_LOCATION \
    --event-filters="type=google.cloud.audit.log.v1.written" \
    --event-filters="serviceName=SERVICE_NAME" \
    --event-filters="methodName=METHOD_NAME" \
    --service-account="MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"

Replace the following:

  • TRIGGER: the ID of the trigger or a fully qualified identifier.
  • LOCATION: the location of the Eventarc trigger. Alternatively, you can set the eventarc/location property; for example, gcloud config set eventarc/location us-central1.

    Eventarc is available in specific locations and in the global location, but it is not available in dual-region and multi-region locations. To avoid any performance and data residency issues caused by a global trigger, we recommend that the location match that of the Google Cloud service that is generating events.

    If you specify the global location, you will receive events from all locations for which the event filters match. For example, by creating a global Eventarc trigger, you can receive events from resources such as Cloud Storage buckets in the EU and US multi-regions.

  • DESTINATION_WORKFLOW: the ID of the deployed workflow that receives the events from the trigger. The workflow can be in any of the Workflows supported locations and does not need to be in the same location as the trigger. However, the workflow must be in the same project as the trigger.
  • DESTINATION_WORKFLOW_LOCATION (optional): the location in which the destination workflow is deployed. If not specified, it is assumed that the workflow is in the same location as the trigger.
  • SERVICE_NAME: the identifier of the Google Cloud service
  • METHOD_NAME: the identifier of the operation
  • MY_SERVICE_ACCOUNT: the name of the IAM service account you created to which you granted specific roles required by Workflows.
  • PROJECT_ID: your Google Cloud project ID

Notes:

  • These flags are required:
    • --event-filters="type=google.cloud.audit.log.v1.written"
    • --event-filters="serviceName=VALUE"
    • --event-filters="methodName=VALUE"
  • After a trigger is created, --event-filters="type=google.cloud.audit.log.v1.written" can't be changed. For a different event type, you must create a new trigger.
  • --service-account: The IAM service account email that your Eventarc trigger will use to invoke the workflow executions and to receive Cloud Audit Logs events. We strongly recommend using a service account with the least privileges necessary to access the required resources. To learn more about service accounts, see Create and manage service accounts.
  • For a list of the audit log events supported by Eventarc, including serviceName and methodName values, see Events supported by Eventarc.
  • Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported. See Determine event filters for Cloud Audit Logs.
  • Optionally, you can filter events for a specific resource by using the --event-filters="resourceName=VALUE" flag and specifying the complete path to the resource. Omit the flag for dynamically created resources that have identifiers generated at creation time. Or, you can filter events for a set of resources by using the --event-filters-path-pattern="resourceName=VALUE" flag and specifying the resource path pattern.
  • By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Manage subscriptions.

Example:

  gcloud eventarc triggers create cal-workflows-trigger \
      --location=us-central1 \
      --destination-workflow=my-workflow \
      --destination-workflow-location=europe-west4 \
      --event-filters="type=google.cloud.audit.log.v1.written" \
      --event-filters="serviceName=bigquery.googleapis.com" \
      --event-filters="methodName=jobservice.jobcompleted" \
      --service-account="${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com"

This creates a trigger called cal-workflows-trigger for audit logs that are written by bigquery.googleapis.com and for the operation identified as jobservice.jobcompleted.

Direct events

Cloud Storage

gcloud eventarc triggers create TRIGGER \
  --location=LOCATION \
  --destination-workflow=DESTINATION_WORKFLOW  \
  --destination-workflow-location=DESTINATION_WORKFLOW_LOCATION \
  --event-filters="type=EVENT_FILTER_TYPE" \
  --event-filters="bucket=BUCKET" \
  --service-account="MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"

Replace the following:

  • TRIGGER: the ID of the trigger or a fully qualified identifier.
  • LOCATION: the location of the Eventarc trigger. Alternatively, you can set the eventarc/location property; for example, gcloud config set eventarc/location us-central1.

    Pub/Sub triggers for Eventarc are only available in single-region locations, and you cannot create a global Eventarc trigger.

  • DESTINATION_WORKFLOW: the ID of the deployed workflow that receives the events from the trigger. The workflow can be in any of the Workflows supported locations and does not need to be in the same location as the trigger. However, the workflow must be in the same project as the trigger.
  • DESTINATION_WORKFLOW_LOCATION (optional): the location in which the destination workflow is deployed. If not specified, it is assumed that the workflow is in the same location as the trigger.
  • EVENT_FILTER_TYPE: the identifier of the Cloud Storage event. It can be one of the following:
    • google.cloud.storage.object.v1.finalized: Event is sent when a new object is created (or an existing object is overwritten, and a new generation of that object is created) in the bucket
    • google.cloud.storage.object.v1.archived: Event is sent when a live version of an object is archived or deleted. This event is only sent for versioning buckets.
    • google.cloud.storage.object.v1.deleted: Event is sent when an object is permanently deleted. Depending on the object versioning setting for a bucket this means:
      • For versioning buckets, this is only sent when a version is permanently deleted (but not when an object is archived).
      • For non-versioning buckets, this is sent when an object is deleted or overwritten.
    • google.cloud.storage.object.v1.metadataUpdated: Event is sent when the metadata of an existing object changes.
  • BUCKET: the globally unique identifier of the Cloud Storage bucket.
  • MY_SERVICE_ACCOUNT: the name of the IAM service account you created to which you granted specific roles required by Workflows.
  • PROJECT_ID: your Google Cloud project ID

Notes:

  • These flags are required:
    • --event-filters="type=EVENT_FILTER_TYPE"
    • --event-filters="bucket=BUCKET"
  • After a trigger is created, EVENT_FILTER_TYPE can't be changed. For a different event type, you must create a new trigger.
  • --service-account: The IAM service account email your Eventarc trigger will use to invoke the workflow executions. We strongly recommend using a service account with the least privileges necessary to access the required resources. To learn more about service accounts, see Create and manage service accounts.
  • Events are delivered using Pub/Sub notifications from Cloud Storage. Setting up too many notifications registered against the same bucket might exhaust the notification limit for the bucket as indicated by the error Cloud Storage bucket ...: Pub/Sub notification limit reached. The bucket can have up to 10 notification configurations set to trigger for a specific event. See more quotas and limitations in the Cloud Storage quotas and limits page.
  • Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported.
  • The Cloud Storage bucket must reside in the same Google Cloud project and region or multi-region as the Eventarc trigger.
  • By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Manage subscriptions.

Example:

gcloud eventarc triggers create gcs-workflows-trigger \
    --location=us-central1 \
    --destination-workflow=my-workflow \
    --destination-workflow-location=europe-west4 \
    --event-filters="type=google.cloud.storage.object.v1.finalized" \
    --event-filters="bucket=my-project-bucket" \
    --service-account="${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com"

This command creates a trigger called gcs-workflows-trigger for the Cloud Storage bucket my-project-bucket and the event identified as google.cloud.storage.object.v1.finalized.

Firebase Alerts

gcloud eventarc triggers create TRIGGER \
  --location=global \
  --destination-workflow=DESTINATION_WORKFLOW  \
  --destination-workflow-location=DESTINATION_WORKFLOW_LOCATION \
  --event-filters="type=google.firebase.firebasealerts.alerts.v1.published" \
  --event-filters="alerttype=ALERT_TYPE" \
  --service-account="MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"

Replace the following:

  • TRIGGER: the ID of the trigger or a fully qualified identifier.
  • DESTINATION_WORKFLOW: the ID of the deployed workflow that receives the events from the trigger. The workflow can be in any of the Workflows supported locations and does not need to be in the same location as the trigger. However, the workflow must be in the same project as the trigger.
  • DESTINATION_WORKFLOW_LOCATION (optional): the location in which the destination workflow is deployed. If not specified, it is assumed that the workflow is in the same location as the trigger.
  • ALERT_TYPE: the type of Firebase alert. It can be one of the following:
    • appDistribution.inAppFeedback: event is sent when a tester submits in-app feedback for a given app
    • appDistribution.newTesterIosDevice: event is sent when a new iOS tester device is registered for a given app
    • billing.planAutomatedUpdate: event is sent when the billing plan for a Firebase project is automatically updated; for example, when a plan is downgraded due to payment issues
    • billing.planUpdate: event is sent when the billing plan for a Firebase project is modified by a user; for example, when a billing account is attached to or detached from a project
    • crashlytics.newAnrIssue: event is sent when an app experiences a new application not responding (ANR) error (not for any subsequent, identical events)
    • crashlytics.newFatalIssue: event is sent when an app experiences a new fatal crash (not for any subsequent, identical events)
    • crashlytics.newNonfatalIssue: event is sent when an app experiences a new non-fatal error (not for any subsequent, identical events)
    • crashlytics.regression: event is sent when an app experiences a crash for an issue marked as closed for a previous app version
    • crashlytics.stabilityDigest: event is sent when there is a notification of the top trending issues in Crashlytics
    • crashlytics.velocity: event is sent when a single issue is responsible for causing a significant number of app sessions to crash
    • performance.threshold: event is sent when the performance of a metric crosses the set threshold
  • MY_SERVICE_ACCOUNT: the name of the IAM service account you created to which you granted specific roles required by Workflows.
  • PROJECT_ID: your Google Cloud project ID

Notes:

  • The --location flag must be global. For more information, see Eventarc locations.
  • The --event-filters="type=google.firebase.firebasealerts.alerts.v1.published" and --event-filters="alerttype=ALERT_TYPE" flags are required.
  • After a trigger is created, the event filter type can't be changed. For a different event type, you must create a new trigger.
  • Optionally, you can filter events for a specific Firebase App ID by using the --event-filters="appid=APP_ID" flag and by specifying an exact match.
  • --service-account: The IAM service account email your Eventarc trigger will use to invoke the workflow executions. We strongly recommend using a service account with the least privileges necessary to access the required resources. To learn more about service accounts, see Create and manage service accounts.
  • By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Manage subscriptions.

Example:

gcloud eventarc triggers create firealert-workflows-trigger \
    --location=global \
    --destination-workflow=my-workflow \
    --destination-workflow-location=europe-west4 \
    --event-filters="type=google.firebase.firebasealerts.alerts.v1.published" \
    --event-filters="alerttype=crashlytics.velocity" \
    --service-account="${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com"

This command creates a trigger called firealert-workflows-trigger for the event identified as google.firebase.firebasealerts.alerts.v1.published, and for a crashlytics.velocity alert type.

Firebase Realtime Database

gcloud eventarc triggers create TRIGGER \
  --location=LOCATION \
  --destination-workflow=DESTINATION_WORKFLOW  \
  --destination-workflow-location=DESTINATION_WORKFLOW_LOCATION \
  --event-filters="type=EVENT_FILTER_TYPE" \
  --event-filters="instance=INSTANCE" \
  --event-filters-path-pattern="ref=REF" \
  --service-account="MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"

Replace the following:

  • TRIGGER: the ID of the trigger or a fully qualified identifier.
  • LOCATION: the location of the Eventarc trigger. Alternatively, set the eventarc/location property; for example, gcloud config set eventarc/location us-central1. Firebase Realtime Database triggers for Eventarc are only available in the following locations:

    • us-central1
    • europe-west1
    • asia-southeast1

    Note that the trigger must be in the same location as the Firebase Realtime Database instance. For more information, see Realtime Database locations.

  • DESTINATION_WORKFLOW: the ID of the deployed workflow that receives the events from the trigger. The workflow can be in any of the Workflows supported locations and does not need to be in the same location as the trigger. However, the workflow must be in the same project as the trigger.
  • DESTINATION_WORKFLOW_LOCATION (optional): the location in which the destination workflow is deployed. If not specified, it is assumed that the workflow is in the same location as the trigger.
  • EVENT_FILTER_TYPE: the identifier of the Firebase Realtime Database event. It can be one of the following:

    • google.firebase.database.ref.v1.created: event is sent when data is created in the database
    • google.firebase.database.ref.v1.updated: event is sent when data is updated in the database
    • google.firebase.database.ref.v1.deleted: event is sent when data is deleted in the database
    • google.firebase.database.ref.v1.written: event is sent when data is created, updated, or deleted in the database
  • INSTANCE: a single database instance. The filter operator can be one of the following:

    • Equal; for example, --event-filters="instance=INSTANCE"
    • Path pattern; for example, --event-filters-path-pattern="instance=INSTANCE". For more information, see Understand path patterns.
  • REF: the path within the database instance for which you want to receive events when data is created, updated, or deleted in that path or any of its children.

  • MY_SERVICE_ACCOUNT: the name of the IAM service account you created to which you granted specific roles required by Workflows.
  • PROJECT_ID: your Google Cloud project ID

Notes:

  • These flags are required:
    • --event-filters="type=EVENT_FILTER_TYPE"
    • --event-filters="instance=INSTANCE" or --event-filters-path-pattern="instance=INSTANCE"
    • --event-filters-path-pattern="ref=REF"
  • After a trigger is created, the event filter type can't be changed. For a different event type, you must create a new trigger.
  • --service-account: The IAM service account email your Eventarc trigger will use to invoke the workflow executions. We strongly recommend using a service account with the least privileges necessary to access the required resources. To learn more about service accounts, see Create and manage service accounts.
  • By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Manage subscriptions.

Example:

gcloud eventarc triggers create rd-workflows-trigger \
    --location=us-central1 \
    --destination-workflow=my-workflow \
    --destination-workflow-location=europe-west4 \
    --event-filters="type=google.firebase.database.ref.v1.created" \
    --event-filters="instance=test-instance" \
    --event-filters-path-pattern="ref=users/*" \
    --service-account="${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com"

This command creates a trigger called rd-workflows-trigger for the event identified as google.firebase.database.ref.v1.created.

Firebase Remote Config

gcloud eventarc triggers create TRIGGER \
  --location=global \
  --destination-workflow=DESTINATION_WORKFLOW  \
  --destination-workflow-location=DESTINATION_WORKFLOW_LOCATION \
  --event-filters="type=google.firebase.remoteconfig.remoteConfig.v1.updated" \
  --service-account="MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"

Replace the following:

  • TRIGGER: the ID of the trigger or a fully qualified identifier.
  • DESTINATION_WORKFLOW: the ID of the deployed workflow that receives the events from the trigger. The workflow can be in any of the Workflows supported locations and does not need to be in the same location as the trigger. However, the workflow must be in the same project as the trigger.
  • DESTINATION_WORKFLOW_LOCATION (optional): the location in which the destination workflow is deployed. If not specified, it is assumed that the workflow is in the same location as the trigger.
  • MY_SERVICE_ACCOUNT: the name of the IAM service account you created to which you granted specific roles required by Workflows.
  • PROJECT_ID: your Google Cloud project ID

Notes:

  • The --location flag must be global. For more information, see Eventarc locations.
  • The --event-filters flag is required and the type must be google.firebase.remoteconfig.remoteConfig.v1.updated. An event is sent when a Remote Config template is updated.
  • After a trigger is created, the event filter type can't be changed. For a different event type, you must create a new trigger.
  • --service-account: The IAM service account email your Eventarc trigger will use to invoke the workflow executions. We strongly recommend using a service account with the least privileges necessary to access the required resources. To learn more about service accounts, see Create and manage service accounts.
  • By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Manage subscriptions.

Example:

gcloud eventarc triggers create rc-workflows-trigger \
    --location=global \
    --destination-workflow=my-workflow \
    --destination-workflow-location=europe-west4 \
    --event-filters="type=google.firebase.remoteconfig.remoteConfig.v1.updated" \
    --service-account="${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com"

This command creates a trigger called rc-workflows-trigger for the event identified as google.firebase.remoteconfig.remoteConfig.v1.updated.

Firebase Test Lab

gcloud eventarc triggers create TRIGGER \
  --location=global \
  --destination-workflow=DESTINATION_WORKFLOW  \
  --destination-workflow-location=DESTINATION_WORKFLOW_LOCATION \
  --event-filters="type=google.firebase.testlab.testMatrix.v1.completed" \
  --service-account="MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"

Replace the following:

  • TRIGGER: the ID of the trigger or a fully qualified identifier.
  • DESTINATION_WORKFLOW: the ID of the deployed workflow that receives the events from the trigger. The workflow can be in any of the Workflows supported locations and does not need to be in the same location as the trigger. However, the workflow must be in the same project as the trigger.
  • DESTINATION_WORKFLOW_LOCATION (optional): the location in which the destination workflow is deployed. If not specified, it is assumed that the workflow is in the same location as the trigger.
  • MY_SERVICE_ACCOUNT: the name of the IAM service account you created to which you granted specific roles required by Workflows.
  • PROJECT_ID: your Google Cloud project ID

Notes:

  • The --location flag must be global. For more information, see Eventarc locations.
  • The --event-filters flag is required and the type must be google.firebase.testlab.testMatrix.v1.completed. An event is sent when a TestMatrix has completed.
  • After a trigger is created, the event filter type can't be changed. For a different event type, you must create a new trigger.
  • --service-account: The IAM service account email your Eventarc trigger will use to invoke the workflow executions. We strongly recommend using a service account with the least privileges necessary to access the required resources. To learn more about service accounts, see Create and manage service accounts.
  • By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Manage subscriptions.

Example:

gcloud eventarc triggers create tl-workflows-trigger \
    --location=global \
    --destination-workflow=my-workflow \
    --destination-workflow-location=europe-west4 \
    --event-filters="type=google.firebase.testlab.testMatrix.v1.completed" \
    --service-account="${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com"

This command creates a trigger called tl-workflows-trigger for the event identified as google.firebase.testlab.testMatrix.v1.completed.

Cloud IoT

gcloud eventarc triggers create TRIGGER \
  --location=LOCATION \
  --destination-workflow=DESTINATION_WORKFLOW  \
  --destination-workflow-location=DESTINATION_WORKFLOW_LOCATION \
  --event-filters="type=EVENT_FILTER_TYPE" \
  --event-filters="COLLECTION_ID=RESOURCE_ID" \
  --event-filters-path-pattern="COLLECTION_ID=PATH_PATTERN" \
  --service-account="MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"

Replace the following:

  • TRIGGER: the ID of the trigger or a fully qualified identifier.
  • LOCATION: the location of the Eventarc trigger. Alternatively, you can set the eventarc/location property; for example, gcloud config set eventarc/location us-central1.
  • DESTINATION_WORKFLOW: the ID of the deployed workflow that receives the events from the trigger. The workflow can be in any of the Workflows supported locations and does not need to be in the same location as the trigger. However, the workflow must be in the same project as the trigger.
  • DESTINATION_WORKFLOW_LOCATION (optional): the location in which the destination workflow is deployed. If not specified, it is assumed that the workflow is in the same location as the trigger.
  • EVENT_FILTER_TYPE: the identifier of the event. An event is emitted when an API call for the method succeeds. For long-running operations, the event is only emitted at the end of the operation, and only if the action is performed successfully. For example, for the type, google.cloud.iot.v1.DeviceManager.CreateDeviceRegistry, an event is emitted when a registry is created through the version v1 in Cloud IoT. For more information on event types, see Event types supported by Eventarc.
  • COLLECTION_ID (optional): the identifier of the event type. For example, for a Cloud IoT event, the COLLECTION_ID can be one of the following:
    • device
    • registry
  • RESOURCE_ID: the identifier of the resource for the associated collection. For more information, see Resource ID.
  • PATH_PATTERN: the path pattern to apply when filtering for the resource.
  • MY_SERVICE_ACCOUNT: the name of the IAM service account you created to which you granted specific roles required by Workflows.
  • PROJECT_ID: your Google Cloud project ID.

Notes:

  • The --event-filters="type=EVENT_FILTER_TYPE" flag is required. If no other event filter is set, events for all resources are matched.
  • EVENT_FILTER_TYPE cannot be changed after creation. To change EVENT_FILTER_TYPE, create a new trigger and delete the old one.
  • Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported; however, when using the --event-filters-path-pattern flag, you can define a resource path pattern.
  • The following are some path pattern examples:
    • --event-filters-path-pattern="registry=my-registry-*" (matches events for registries whose name starts with my-registry-)
    • --event-filters-path-pattern="device=my-device-*" and --event-filters-path-pattern="registry=my-registry" (matches events for all devices whose name starts with "my-device-" in a registry named my-registry)
    • --event-filters-path-pattern="device=my-device-*" (matches events for all devices whose name starts with my-device-, in any registry)
  • The --service-account flag is used to specify the Identity and Access Management (IAM) service account email associated with the trigger.

Example:

gcloud eventarc triggers create iot-workflows-trigger \
    --location=us-central1 \
    --destination-workflow=my-workflow \
    --destination-workflow-location=us-central1 \
    --event-filters="type=google.cloud.iot.v1.DeviceManager.CreateDeviceRegistry" \
    --event-filters-path-pattern="registry=my-registry-*" \
    --service-account="${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com"

This command creates a trigger called iot-workflows-trigger for the event identified as google.cloud.iot.v1.DeviceManager.CreateDeviceRegistry and matches events for registry names starting with my-registry-.

Pub/Sub messages (existing topic)

gcloud eventarc triggers create TRIGGER \
    --location=LOCATION \
    --destination-workflow=DESTINATION_WORKFLOW  \
    --destination-workflow-location=DESTINATION_WORKFLOW_LOCATION \
    --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
    --transport-topic=TOPIC_ID \
    --service-account="MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"

Replace the following:

  • TRIGGER: the ID of the trigger or a fully qualified identifier.
  • LOCATION: the location of the Eventarc trigger. Alternatively, you can set the eventarc/location property; for example, gcloud config set eventarc/location us-central1.

    Pub/Sub triggers for Eventarc are only available in single-region locations, and you cannot create a global Eventarc trigger.

  • DESTINATION_WORKFLOW: the ID of the deployed workflow that receives the events from the trigger. The workflow can be in any of the Workflows supported locations and does not need to be in the same location as the trigger. However, the workflow must be in the same project as the trigger.
  • DESTINATION_WORKFLOW_LOCATION (optional): the location in which the destination workflow is deployed. If not specified, it is assumed that the workflow is in the same location as the trigger.
  • TOPIC_ID: the ID of the existing Pub/Sub topic. The topic must be in the same project as the trigger.
  • MY_SERVICE_ACCOUNT: the name of the IAM service account that you created and granted the specific roles required by Workflows.
  • PROJECT_ID: your Google Cloud project ID.

Notes:

  • The --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" flag is required and can't be changed. For a different event type, you must create a new trigger.
  • --service-account: The IAM service account email your Eventarc trigger will use to invoke the workflow executions. We strongly recommend using a service account with the least privileges necessary to access the required resources. To learn more about service accounts, see Create and manage service accounts.
  • Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported.
  • The --transport-topic flag is used to specify the ID of the existing Pub/Sub topic or its fully qualified identifier.
  • By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Manage subscriptions.

Example:

gcloud eventarc triggers create pubsub-workflows-trigger-existing \
    --location=us-central1 \
    --destination-workflow=my-workflow \
    --destination-workflow-location=europe-west4 \
    --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
    --transport-topic="${TOPIC_ID}" \
    --service-account="${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com"

This creates a trigger called pubsub-workflows-trigger-existing for the Pub/Sub topic identified by ${TOPIC_ID}.

Pub/Sub messages (new topic)

gcloud eventarc triggers create TRIGGER \
    --location=LOCATION \
    --destination-workflow=DESTINATION_WORKFLOW \
    --destination-workflow-location=DESTINATION_WORKFLOW_LOCATION \
    --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
    --service-account="MY_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"

Replace the following:

  • TRIGGER: the ID of the trigger or a fully qualified identifier.
  • LOCATION: the location of the Eventarc trigger. Alternatively, you can set the eventarc/location property; for example, gcloud config set eventarc/location us-central1.

    Pub/Sub triggers for Eventarc are only available in single-region locations, and you cannot create a global Eventarc trigger.

  • DESTINATION_WORKFLOW: the ID of the deployed workflow that receives the events from the trigger. The workflow can be in any of the Workflows supported locations and does not need to be in the same location as the trigger. However, the workflow must be in the same project as the trigger.
  • DESTINATION_WORKFLOW_LOCATION (optional): the location in which the destination workflow is deployed. If not specified, it is assumed that the workflow is in the same location as the trigger.
  • MY_SERVICE_ACCOUNT: the name of the IAM service account that you created and granted the specific roles required by Workflows.
  • PROJECT_ID: your Google Cloud project ID.

Notes:

  • The --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" flag is required and can't be changed. For a different event type, you must create a new trigger.
  • --service-account: The IAM service account email your Eventarc trigger will use to invoke the workflow executions. We strongly recommend using a service account with the least privileges necessary to access the required resources. To learn more about service accounts, see Create and manage service accounts.
  • Each trigger can have multiple event filters, comma delimited in one --event-filters=[ATTRIBUTE=VALUE,...] flag, or you can repeat the flag to add more filters. Only events that match all the filters are sent to the destination. Wildcards and regular expressions are not supported.
  • By default, Pub/Sub subscriptions created for Eventarc persist regardless of activity and do not expire. To change the inactivity duration, see Manage subscriptions.

Example:

gcloud eventarc triggers create pubsub-workflows-trigger-new \
    --location=us-central1 \
    --destination-workflow=my-workflow \
    --destination-workflow-location=europe-west4 \
    --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished" \
    --service-account="${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com"

This creates a new Pub/Sub topic and a trigger for it called pubsub-workflows-trigger-new.

As a best practice, we recommend that you do not reuse the Pub/Sub topic created by a trigger because deleting an Eventarc trigger also deletes any Pub/Sub topics that were created by the trigger.

Create a trigger using the Google Cloud console

You can create a trigger through the Google Cloud console. For details, see Create an Eventarc trigger through the Google Cloud console.

Create a trigger using Terraform

You can create a trigger for a workflow using Terraform. For details, see Trigger a workflow using Eventarc and Terraform.

List a trigger using the gcloud CLI

You can confirm the creation of a trigger by listing Eventarc triggers:

gcloud eventarc triggers list --location=LOCATION

Replace LOCATION with the ID or fully qualified identifier of the Eventarc trigger location; for example, us-central1.

For more information on managing Eventarc triggers, see Manage triggers.
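One way to check listed triggers against the service-account and topic-reuse guidance above. This is an added example, not part of Google's documentation. It assumes the input is the output of gcloud eventarc triggers list --location=LOCATION --format=json; the sample triggers, project ID, and topic name are constructed.

```python
import json
import re
from collections import defaultdict

# Constructed sample shaped like `gcloud eventarc triggers list --format=json`
# output (Eventarc Trigger resource fields). All names are hypothetical.
SAMPLE_TRIGGERS = json.loads("""[
 {"name": "projects/demo-proj/locations/us-central1/triggers/pubsub-workflows-trigger-new",
  "serviceAccount": "trigger-sa@demo-proj.iam.gserviceaccount.com",
  "transport": {"pubsub": {"topic": "projects/demo-proj/topics/orders"}}},
 {"name": "projects/demo-proj/locations/us-central1/triggers/pubsub-workflows-trigger-existing",
  "serviceAccount": "123456789012-compute@developer.gserviceaccount.com",
  "transport": {"pubsub": {"topic": "projects/demo-proj/topics/orders"}}}
]""")

NAME_RE = re.compile(r"^projects/([^/]+)/locations/[^/]+/triggers/([^/]+)$")


def audit_triggers(triggers):
    """Return a sorted list of (trigger_id, finding) tuples."""
    findings = []
    by_topic = defaultdict(list)
    for trig in triggers:
        m = NAME_RE.match(trig.get("name", ""))
        if not m:
            findings.append((trig.get("name", "?"), "unparseable trigger name"))
            continue
        project, trigger_id = m.groups()
        sa = trig.get("serviceAccount", "")
        # A user-managed account created in the trigger's project has the
        # form NAME@PROJECT_ID.iam.gserviceaccount.com; flag anything else.
        if not sa.endswith(f"@{project}.iam.gserviceaccount.com"):
            findings.append(
                (trigger_id, f"not user-managed in {project}: {sa or 'unset'}"))
        topic = trig.get("transport", {}).get("pubsub", {}).get("topic")
        if topic:
            by_topic[topic].append(trigger_id)
    # A topic used by several triggers is at risk: if one of them created it,
    # deleting that trigger deletes the topic for the others too.
    for topic, ids in by_topic.items():
        if len(ids) > 1:
            for tid in ids:
                others = ", ".join(i for i in ids if i != tid)
                findings.append((tid, f"topic {topic} shared with {others}"))
    return sorted(findings)


if __name__ == "__main__":
    for trigger_id, finding in audit_triggers(SAMPLE_TRIGGERS):
        print(f"{trigger_id}: {finding}")
```

To audit a real project, replace SAMPLE_TRIGGERS with json.load() on the saved command output. A flagged shared topic needs a manual check of which trigger, if any, created it.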

What's next