Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Saat Anda men-deploy kode sumber ke Cloud Run, sumber tersebut disimpan di bucket Cloud Storage. Cloud Build kemudian secara otomatis membangun kode Anda ke dalam image container dan mengirimkan image tersebut ke registry image. Setiap build berjalan di pekerjanya sendiri. Cloud Run
mengimpor image yang di-build saat men-deploy.
Jika ingin menyesuaikan kumpulan pekerja build yang digunakan Cloud Build untuk konteks build yang diamankan Kontrol Layanan VPC, Anda harus menyesuaikan kumpulan pekerja. Halaman ini relevan bagi developer platform yang men-deploy
layanan atau
fungsi Cloud Run dari sumber menggunakan Google Cloud CLI,
dan mengonfigurasi kumpulan pribadi yang digunakan oleh Cloud Build. Flag gcloud CLI untuk build
worker pool didukung untuk
deployment sumber (--source), dan tidak
didukung untuk deployment image penampung (--image).
Service Account User (roles/iam.serviceAccountUser) di identitas layanan Cloud Run
Klik untuk melihat peran yang diperlukan untuk akun layanan Cloud Build
Cloud Build secara otomatis menggunakan akun layanan default Compute Engine sebagai akun layanan Cloud Build default untuk mem-build kode sumber dan resource Cloud Run, kecuali jika Anda mengganti perilaku ini. Agar
Cloud Build dapat mem-build sumber, minta administrator untuk memberikan
Cloud Run Builder
(roles/run.builder) ke akun layanan default Compute Engine
di project Anda:
Ganti PROJECT_NUMBER dengan nomor project Google Cloud, dan PROJECT_ID dengan project ID Google Cloud. Untuk mengetahui petunjuk mendetail tentang cara menemukan project ID dan nomor project,
lihat Membuat
dan mengelola project.
Pemberian peran builder Cloud Run ke akun layanan default Compute Engine memerlukan waktu beberapa menit untuk disebarkan.
Secara default, Cloud Build memiliki akses internet tak terbatas selama proses build. Jika Anda telah menyiapkan perimeter Kontrol Layanan VPC (VPC SC) dan ingin
membatasi akses build hanya ke dependensi yang disimpan di dalam perimeter (misalnya, paket npm), Anda dapat menggunakan
fitur kumpulan pekerja pribadi Cloud Build.
Secara umum, ikuti langkah-langkah berikut untuk menyiapkan pool pribadi:
Jika pool pekerja pribadi Anda berada dalam project yang berbeda dengan layanan Cloud Run, Anda perlu memberikan peran Cloud Build WorkerPool User (cloudbuild.workerPoolUser) kepada Agen Layanan Cloud Run (service-PROJECT_NUMBER@serverless-robot-prod.) agar layanan Cloud Build dapat mengakses pool pekerja.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-09-04 UTC."],[],[],null,["# Set build worker pools (source deploy)\n\nWhen you deploy your source code to Cloud Run, that source\nis stored in a Cloud Storage bucket. Cloud Build then\nautomatically builds your code into a container image and pushes that image to\nan image registry. Each build runs on its own worker. Cloud Run\nimports the built image when deploying.\n\nIf you wanted to customize the build worker pool that Cloud Build\nuses for a VPC Service Controls secured build context, you would customize the\nworker pool. This page is relevant for platform developers who are deploying\nCloud Run [services](/run/docs/deploying-source-code) or\n[functions](/run/docs/deploy-functions) from source using the Google Cloud CLI,\nand configuring private pools that are used by Cloud Build. The build\nworker pools gcloud CLI flags are supported for\n[source deployments](/run/docs/deploying-source-code) (`--source`), and not\nsupported for [container image deployments](/run/docs/deploying) (`--image`).\n\nBefore you begin\n----------------\n\n- Enable the Cloud Run Admin API and the Cloud Build API:\n\n ```bash\n gcloud services enable run.googleapis.com \\\n cloudbuild.googleapis.com\n ```\n\n After the Cloud Run Admin API is enabled, the Compute Engine default service account is\n automatically created.\n\n### Required roles\n\nYou or your administrator must grant the deployer account and the\nCloud Build service account the following IAM roles. \n\n#### Click to view required roles for the deployer account\n\nTo get the permissions that you need to build and deploy from source,\nask your administrator to grant you the following IAM\nroles:\n\n- [Cloud Run Source Developer](/iam/docs/understanding-roles#run.sourceDeveloper) (`roles/run.sourceDeveloper`) on your project\n- [Service Usage Consumer](/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) (`roles/serviceusage.serviceUsageConsumer`) on your project\n- [Service Account User](/iam/docs/understanding-roles#iam.serviceAccountUser) (`roles/iam.serviceAccountUser`) on the Cloud Run service identity \n\n#### Click to view required roles for the Cloud Build service account\n\nCloud Build automatically uses the\n[Compute Engine default service\naccount](/build/docs/cloud-build-service-account) as the default Cloud Build service account to build your source code and\nCloud Run resource, unless you override this behavior. For\nCloud Build to build your sources, ask your administrator to grant\n[Cloud Run Builder](/iam/docs/understanding-roles#run.builder)\n(`roles/run.builder`) to the Compute Engine default\nservice account on your project: \n\n```bash\n gcloud projects add-iam-policy-binding PROJECT_ID \\\n --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com \\\n --role=roles/run.builder\n \n```\n\nReplace \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e with your Google Cloud\nproject number, and \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud\nproject ID. For detailed instructions on how to find your project ID, and project number,\nsee [Creating\nand managing projects](/resource-manager/docs/creating-managing-projects#identifying_projects).\n\nGranting the Cloud Run builder role to the Compute Engine default service account\ntakes a couple of minutes to [propagate](/iam/docs/access-change-propagation).\n| **Note:**\n|\n|\n| The [`iam.automaticIamGrantsForDefaultServiceAccounts` organization policy constraint](/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_default_grants)\n| prevents the Editor role from being automatically granted to default service accounts. If you\n| created your organization after May 3, 2024, this constraint is enforced by\n| default.\n|\n|\n| We strongly recommend that you enforce this constraint to disable the automatic role grant. If you\n| disable the automatic role grant, you must decide which roles to grant to the default service\n| accounts, and then [grant these roles](/iam/docs/granting-changing-revoking-access)\n| yourself.\n|\n|\n| If the default service account already has the Editor role, we recommend that you replace the\n| Editor role with less permissive roles.To safely modify the service account's roles, use [Policy Simulator](/policy-intelligence/docs/simulate-iam-policies) to see the impact of\n| the change, and then [grant and revoke the\n| appropriate roles](/iam/docs/granting-changing-revoking-access).\n\nFor a list of IAM roles and permissions that are associated with\nCloud Run, see\n[Cloud Run IAM roles](/run/docs/reference/iam/roles)\nand [Cloud Run IAM permissions](/run/docs/reference/iam/permissions).\nIf your Cloud Run service interfaces with\nGoogle Cloud APIs, such as Cloud Client Libraries, see the\n[service identity configuration guide](/run/docs/configuring/services/service-identity).\nFor more information about granting roles, see\n[deployment permissions](/run/docs/reference/iam/roles#additional-configuration)\nand [manage access](/iam/docs/granting-changing-revoking-access).\n\nSecure your build with private pools\n------------------------------------\n\nBy default, Cloud Build has unlimited internet access during the build\nprocess. If you have set up a VPC Service Controls (VPC SC) perimeter and want to\nlimit the build's access only to dependencies stored inside the perimeter (for\nexample, npm packages), you can use the\n[Cloud Build private worker pools](/build/docs/private-pools/private-pools-overview)\nfeature.\n\nIn general, follow these steps to set up your private pool:\n\n1. Create your private worker pool. See [Creating and managing private pools](/build/docs/private-pools/create-manage-private-pools).\n2. Configure your VPC Service Controls perimeter. See\n [Using VPC Service Controls](/build/docs/private-pools/using-vpc-service-controls).\n\n3. If your private worker pool is in a different project than your\n Cloud Run service, you need to grant the Cloud Run\n [Service Agent](/iam/docs/service-agents)\n (`service-`\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e`@serverless-robot-prod.iam.gserviceaccount.com`)\n the [Cloud Build WorkerPool User](/iam/docs/understanding-roles#cloudbuild.workerPoolUser)\n (`cloudbuild.workerPoolUser`) role so that the Cloud Build service can\n access the worker pool.\n\n ```bash\n gcloud projects add-iam-policy-binding PRIVATE_POOL_PROJECT_ID \\\n --member serviceAccount:service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com \\\n --role roles/cloudbuild.workerPoolUser\n ```\n\n Replace:\n - \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e with the project number where the service runs.\n - \u003cvar translate=\"no\"\u003ePRIVATE_POOL_PROJECT_ID\u003c/var\u003e with the *ID* of the project in which the worker pool is located. See [Running builds in a private pool](/build/docs/private-pools/run-builds-in-private-pool#permissions) for more information.\n4. Deploy your service from source to build using a private pool:\n\n ### gcloud\n\n To specify a private pool to build when deploying from source\n code, use the `--build-worker-pool` flag: \n\n ```bash\n gcloud run deploy SERVICE \\\n --source . \\\n --build-worker-pool WORKER_POOL\n ```\n\n Replace:\n - \u003cvar translate=\"no\"\u003eSERVICE\u003c/var\u003e with name of your service.\n - \u003cvar translate=\"no\"\u003eWORKER_POOL\u003c/var\u003e with the name of the private pool.\n\n If you are deploying a function, add the `--function` flag with the\n function entry point from your source code.\n\nDelete build worker pools\n-------------------------\n\nYou can delete build worker pools for existing services. \n\n### gcloud\n\nTo clear the Cloud Build worker pool for source deployments, use\nthe `--clear-build-worker-pool` flag: \n\n```bash\ngcloud run deploy SERVICE \\\n --source . \\\n --clear-build-worker-pool WORKER_POOL\n```\n\nReplace:\n\n- \u003cvar translate=\"no\"\u003eSERVICE\u003c/var\u003e with name of your service.\n- \u003cvar translate=\"no\"\u003eWORKER_POOL\u003c/var\u003e with the name of the private pool you would like to delete.\n\nIf you are deploying a function, add the `--function` flag with the\nfunction entry point from your source code."]]