# Set build worker pools (source deploy)

Last updated 2025-09-04 UTC.

When you deploy your source code to Cloud Run, that source is stored in a Cloud Storage bucket. Cloud Build then automatically builds your code into a container image and pushes that image to an image registry. Each build runs on its own worker. Cloud Run imports the built image when deploying.

If you need a VPC Service Controls secured build context, you can customize the build worker pool that Cloud Build uses. This page is relevant for platform developers who are deploying Cloud Run [services](/run/docs/deploying-source-code) or [functions](/run/docs/deploy-functions) from source using the Google Cloud CLI, and configuring private pools that are used by Cloud Build. The gcloud CLI build worker pool flags are supported for [source deployments](/run/docs/deploying-source-code) (`--source`), and are not supported for [container image deployments](/run/docs/deploying) (`--image`).

Before you begin
----------------

- Enable the Cloud Run Admin API and the Cloud Build API:

    ```bash
    gcloud services enable run.googleapis.com \
        cloudbuild.googleapis.com
    ```

    After the Cloud Run Admin API is enabled, the Compute Engine default service account is automatically created.

### Required roles

You or your administrator must grant the deployer account and the Cloud Build service account the following IAM roles.

#### Required roles for the deployer account

To get the permissions that you need to build and deploy from source, ask your administrator to grant you the following IAM roles:

- [Cloud Run Source Developer](/iam/docs/understanding-roles#run.sourceDeveloper) (`roles/run.sourceDeveloper`) on your project
- [Service Usage Consumer](/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) (`roles/serviceusage.serviceUsageConsumer`) on your project
- [Service Account User](/iam/docs/understanding-roles#iam.serviceAccountUser) (`roles/iam.serviceAccountUser`) on the Cloud Run service identity

#### Required roles for the Cloud Build service account

Cloud Build automatically uses the [Compute Engine default service account](/build/docs/cloud-build-service-account) as the default Cloud Build service account to build your source code and Cloud Run resource, unless you override this behavior. For Cloud Build to build your sources, ask your administrator to grant [Cloud Run Builder](/iam/docs/understanding-roles#run.builder) (`roles/run.builder`) to the Compute Engine default service account on your project:

```bash
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com \
    --role=roles/run.builder
```

Replace `PROJECT_NUMBER` with your Google Cloud project number, and `PROJECT_ID` with your Google Cloud project ID. For detailed instructions on how to find your project ID and project number, see [Creating and managing projects](/resource-manager/docs/creating-managing-projects#identifying_projects).

Granting the Cloud Run Builder role to the Compute Engine default service account takes a couple of minutes to [propagate](/iam/docs/access-change-propagation).

> **Note:**
>
> The [`iam.automaticIamGrantsForDefaultServiceAccounts` organization policy constraint](/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_default_grants) prevents the Editor role from being automatically granted to default service accounts. If you created your organization after May 3, 2024, this constraint is enforced by default.
>
> We strongly recommend that you enforce this constraint to disable the automatic role grant. If you disable the automatic role grant, you must decide which roles to grant to the default service accounts, and then [grant these roles](/iam/docs/granting-changing-revoking-access) yourself.
>
> If the default service account already has the Editor role, we recommend that you replace the Editor role with less permissive roles. To safely modify the service account's roles, use [Policy Simulator](/policy-intelligence/docs/simulate-iam-policies) to see the impact of the change, and then [grant and revoke the appropriate roles](/iam/docs/granting-changing-revoking-access).

For a list of IAM roles and permissions that are associated with Cloud Run, see [Cloud Run IAM roles](/run/docs/reference/iam/roles) and [Cloud Run IAM permissions](/run/docs/reference/iam/permissions). If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the [service identity configuration guide](/run/docs/configuring/services/service-identity). For more information about granting roles, see [deployment permissions](/run/docs/reference/iam/roles#additional-configuration) and [manage access](/iam/docs/granting-changing-revoking-access).

Secure your build with private pools
------------------------------------

By default, Cloud Build has unlimited internet access during the build process. If you have set up a VPC Service Controls (VPC SC) perimeter and want to limit the build's access only to dependencies stored inside the perimeter (for example, npm packages), you can use the [Cloud Build private worker pools](/build/docs/private-pools/private-pools-overview) feature.

In general, follow these steps to set up your private pool:

1. Create your private worker pool. See [Creating and managing private pools](/build/docs/private-pools/create-manage-private-pools).
2. Configure your VPC Service Controls perimeter. See [Using VPC Service Controls](/build/docs/private-pools/using-vpc-service-controls).
3. If your private worker pool is in a different project than your Cloud Run service, you need to grant the Cloud Run [Service Agent](/iam/docs/service-agents) (`service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com`) the [Cloud Build WorkerPool User](/iam/docs/understanding-roles#cloudbuild.workerPoolUser) (`roles/cloudbuild.workerPoolUser`) role so that the Cloud Build service can access the worker pool.

    ```bash
    gcloud projects add-iam-policy-binding PRIVATE_POOL_PROJECT_ID \
        --member serviceAccount:service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com \
        --role roles/cloudbuild.workerPoolUser
    ```

    Replace:
    - `PROJECT_NUMBER` with the project number where the service runs.
    - `PRIVATE_POOL_PROJECT_ID` with the *ID* of the project in which the worker pool is located.

    See [Running builds in a private pool](/build/docs/private-pools/run-builds-in-private-pool#permissions) for more information.
4. Deploy your service from source to build using a private pool. To specify a private pool to build when deploying from source code, use the `--build-worker-pool` flag:

    ```bash
    gcloud run deploy SERVICE \
        --source . \
        --build-worker-pool WORKER_POOL
    ```

    Replace:
    - `SERVICE` with the name of your service.
    - `WORKER_POOL` with the name of the private pool.

    If you are deploying a function, add the `--function` flag with the function entry point from your source code.

Delete build worker pools
-------------------------

You can delete build worker pools for existing services.

To clear the Cloud Build worker pool for source deployments, use the `--clear-build-worker-pool` flag:

```bash
gcloud run deploy SERVICE \
    --source . \
    --clear-build-worker-pool WORKER_POOL
```

Replace:

- `SERVICE` with the name of your service.
- `WORKER_POOL` with the name of the private pool you would like to delete.

If you are deploying a function, add the `--function` flag with the function entry point from your source code.
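To check the grants described under "Required roles" and in step 3 of the private pool setup before deploying, the following added example (not part of the original page or of Google's tooling) audits IAM policy JSON in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The two policies, the project numbers and the `roles_of` and `audit` helpers are constructed for illustration; conditional bindings are not evaluated.

```python
import json

# Constructed sample: policy of the project where the Cloud Run service runs.
# 123456789012 is a placeholder project number, not a real project.
SERVICE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
  {"role": "roles/run.builder",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
]}
""")

# Constructed sample: policy of the private pool project. The grant names the
# service agent of a different project number, a common cross-project slip.
POOL_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudbuild.workerPoolUser",
   "members": ["serviceAccount:service-999999999999@serverless-robot-prod.iam.gserviceaccount.com"]}
]}
""")


def roles_of(policy, member):
    """Return the set of roles bound to `member` in a project IAM policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(service_policy, pool_policy, project_number):
    """Return findings for the grants this page requires (hypothetical helper)."""
    build_sa = f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com"
    agent = (f"serviceAccount:service-{project_number}"
             "@serverless-robot-prod.iam.gserviceaccount.com")
    findings = []
    build_roles = roles_of(service_policy, build_sa)
    if "roles/run.builder" not in build_roles:
        findings.append("build SA lacks roles/run.builder")
    if "roles/editor" in build_roles:
        findings.append("build SA still holds roles/editor")
    if "roles/cloudbuild.workerPoolUser" not in roles_of(pool_policy, agent):
        findings.append("service agent lacks roles/cloudbuild.workerPoolUser on pool project")
    return findings


if __name__ == "__main__":
    for finding in audit(SERVICE_POLICY, POOL_POLICY, "123456789012"):
        print("FINDING:", finding)
```

An empty result means the default build service account has only the builder grant the page asks for and the service project's own service agent can use the pool.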