Set build worker pools (source deploy)

When you deploy your source code to Cloud Run, that source is stored in a Cloud Storage bucket. Cloud Build then automatically builds your code into a container image and pushes that image to an image registry. Each build runs on its own worker. Cloud Run imports the built image when deploying.

To run the build inside a VPC Service Controls secured context, you customize the build worker pool that Cloud Build uses. This page is for platform developers who deploy from source to Cloud Run (including when deploying a function) and who configure the private pools that Cloud Build uses.

Before you begin

Enable the Cloud Build API:

gcloud services enable cloudbuild.googleapis.com

Required roles

To get the permissions that you need to deploy from source, ask your administrator to grant you the following IAM roles on your project:

For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.

Secure your build with private pools

By default, Cloud Build has unlimited internet access during the build process. If you have set up a VPC Service Controls (VPC SC) perimeter and want to limit the build's access to only dependencies stored inside the perimeter (for example, npm packages), you can use the Cloud Build private worker pools feature.

In general, follow these steps to set up your private pool:

  1. Create your private worker pool. See Creating and managing private pools.
  2. Configure your VPC Service Controls perimeter. See Using VPC Service Controls.
  3. If your private worker pool is in a different project than your Cloud Run service, you need to grant the Cloud Run Service Agent (service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com) the Cloud Build WorkerPool User (cloudbuild.workerPoolUser) role so that the Cloud Build service can access the worker pool.

    gcloud projects add-iam-policy-binding PRIVATE_POOL_PROJECT_ID \
        --member serviceAccount:service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com \
        --role roles/cloudbuild.workerPoolUser

    Replace:

    • PROJECT_NUMBER with the project number of the project where the service runs.
    • PRIVATE_POOL_PROJECT_ID with the ID of the project in which the worker pool is located. See Running builds in a private pool for more information.
  4. Deploy your service from source, building with the private pool:

To specify a private pool to build when deploying from source code:

gcloud beta run deploy SERVICE \
  --source . \
  --build-worker-pool WORKER_POOL

Replace:

  • SERVICE with the name of your service.
  • WORKER_POOL with the name of the private pool.

If you are deploying a function, add the --function flag with the entry point to your function from your source code.
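The cross-project setup in steps 3 and 4 scripted end to end, as an added example that is not part of the Cloud Run documentation: it looks up the service project's number (the service agent is named after it), grants the binding only when the pool really lives in another project, and passes the pool to the deploy as a full resource name (the projects/.../locations/.../workerPools/... format comes from the gcloud reference, not this page). All project, region, pool and service names are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example: grant the Cloud Run service agent access to a private pool in
# another project, then deploy from source using that pool. Placeholders:
# SERVICE_PROJECT_ID, POOL_PROJECT_ID, REGION, POOL_NAME, SERVICE.
set -euo pipefail

# Cloud Run service agent member string for the project whose number is $1.
service_agent_member() {
  printf 'serviceAccount:service-%s@serverless-robot-prod.iam.gserviceaccount.com' "$1"
}

# Full worker pool resource name for --build-worker-pool:
# $1 = project that owns the pool, $2 = region, $3 = short pool name.
worker_pool_resource() {
  printf 'projects/%s/locations/%s/workerPools/%s' "$1" "$2" "$3"
}

# The workerPoolUser binding is only required when the pool is in a
# different project than the service ($1 = service project, $2 = pool project).
needs_pool_binding() {
  [ "$1" != "$2" ]
}

# Resolve a project ID to its project number (requires authenticated gcloud).
project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

deploy_with_private_pool() {
  local service_project="$1" pool_project="$2" region="$3" pool="$4" service="$5"
  if needs_pool_binding "$service_project" "$pool_project"; then
    local member
    member="$(service_agent_member "$(project_number "$service_project")")"
    gcloud projects add-iam-policy-binding "$pool_project" \
      --member "$member" \
      --role roles/cloudbuild.workerPoolUser
  fi
  gcloud beta run deploy "$service" \
    --source . \
    --region "$region" \
    --build-worker-pool "$(worker_pool_resource "$pool_project" "$region" "$pool")"
}

# Run only when all five placeholders are passed on the command line, e.g.
#   ./deploy.sh SERVICE_PROJECT_ID POOL_PROJECT_ID REGION POOL_NAME SERVICE
if [ "$#" -eq 5 ]; then
  deploy_with_private_pool "$@"
fi
```

Grant the binding with an account that holds IAM admin rights on the pool project; the service agent itself only needs roles/cloudbuild.workerPoolUser there.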

Delete build worker pools

You can delete build worker pools for existing services.

To clear the Cloud Build worker pool for source deployments:

gcloud beta run deploy SERVICE \
  --source . \
  --clear-build-worker-pool

Replace:

  • SERVICE with the name of your service.

The --clear-build-worker-pool flag takes no value: it removes the worker pool setting from the service so that later source deploys no longer build on the private pool. The private pool itself is not deleted by this command.