Definir grupos de trabajadores de compilación (despliegue de origen)
Organízate con las colecciones
Guarda y clasifica el contenido según tus preferencias.
Cuando despliegas el código fuente en Cloud Run, este se almacena en un segmento de Cloud Storage. A continuación, Cloud Build compila automáticamente el código en una imagen de contenedor y envía esa imagen a un registro de imágenes. Cada compilación se ejecuta en su propio trabajador. Cloud Run importa la imagen creada al hacer el despliegue.
Si quieres personalizar el grupo de trabajadores de compilación que Cloud Build usa en un contexto de compilación protegido por Controles de Servicio de VPC, debes personalizar el grupo de trabajadores. Esta página está dirigida a desarrolladores de plataformas que despliegan servicios o funciones de Cloud Run desde una fuente mediante la CLI de Google Cloud y configuran grupos privados que usa Cloud Build. Las marcas de la CLI de gcloud de los grupos de trabajadores de compilación se admiten en las implementaciones de origen (--source), pero no en las implementaciones de imágenes de contenedor (--image).
Antes de empezar
Habilita las APIs Admin de Cloud Run y Cloud Build:
Una vez que se haya habilitado la API Cloud Run Admin, se creará automáticamente la cuenta de servicio predeterminada de Compute Engine.
Roles obligatorios
Tú o tu administrador debéis conceder los siguientes roles de gestión de identidades y accesos a la cuenta de implementación y a la cuenta de servicio de Cloud Build.
Haz clic para ver los roles necesarios de la cuenta de implementación
Para obtener los permisos que necesitas para compilar e implementar desde la fuente, pide a tu administrador que te conceda los siguientes roles de gestión de identidades y accesos:
Haz clic para ver los roles necesarios de la cuenta de servicio de Cloud Build
Cloud Build usa automáticamente la cuenta de servicio predeterminada de Compute Engine como cuenta de servicio predeterminada de Cloud Build para compilar tu código fuente y tu recurso de Cloud Run, a menos que anules este comportamiento. Para que Cloud Build compile tus fuentes, pide a tu administrador que conceda el rol Compilador de Cloud Run (roles/run.builder) a la cuenta de servicio predeterminada de Compute Engine de tu proyecto:
Sustituye PROJECT_NUMBER por el número de tu proyecto Google Cloud
y PROJECT_ID por el ID de tu proyecto Google Cloud. Para obtener instrucciones detalladas sobre cómo encontrar el ID y el número de tu proyecto, consulta el artículo Crear y gestionar proyectos.
La concesión del rol de compilador de Cloud Run a la cuenta de servicio predeterminada de Compute Engine tarda un par de minutos en propagarse.
De forma predeterminada, Cloud Build tiene acceso ilimitado a Internet durante el proceso de compilación. Si has configurado un perímetro de Controles de Servicio de VPC (VPC SC) y quieres limitar el acceso de la compilación solo a las dependencias almacenadas dentro del perímetro (por ejemplo, paquetes npm), puedes usar la función grupos de trabajadores privados de Cloud Build.
En general, sigue estos pasos para configurar tu grupo privado:
Si tu grupo de trabajadores privado está en un proyecto diferente al de tu servicio de Cloud Run, debes conceder el rol Usuario de WorkerPool de Cloud Build (cloudbuild.workerPoolUser) al agente de servicio (service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com) de Cloud Run para que el servicio de Cloud Build pueda acceder al grupo de trabajadores.
PROJECT_NUMBER con el número del proyecto en el que se ejecuta el servicio.
PRIVATE_POOL_PROJECT_ID por el ID del proyecto en el que se encuentra el grupo de trabajadores. Consulta más información en el artículo sobre cómo ejecutar compilaciones en un grupo privado.
Despliega tu servicio desde el origen para compilarlo con un grupo privado:
gcloud
Para especificar un grupo privado que se va a compilar al implementar desde el código fuente, usa la marca --build-worker-pool:
[[["Es fácil de entender","easyToUnderstand","thumb-up"],["Me ofreció una solución al problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Es difícil de entender","hardToUnderstand","thumb-down"],["La información o el código de muestra no son correctos","incorrectInformationOrSampleCode","thumb-down"],["Me faltan las muestras o la información que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-08-21 (UTC)."],[],[],null,["# Set build worker pools (source deploy)\n\nWhen you deploy your source code to Cloud Run, that source\nis stored in a Cloud Storage bucket. Cloud Build then\nautomatically builds your code into a container image and pushes that image to\nan image registry. Each build runs on its own worker. Cloud Run\nimports the built image when deploying.\n\nIf you wanted to customize the build worker pool that Cloud Build\nuses for a VPC Service Controls secured build context, you would customize the\nworker pool. This page is relevant for platform developers who are deploying\nCloud Run [services](/run/docs/deploying-source-code) or\n[functions](/run/docs/deploy-functions) from source using the Google Cloud CLI,\nand configuring private pools that are used by Cloud Build. The build\nworker pools gcloud CLI flags are supported for\n[source deployments](/run/docs/deploying-source-code) (`--source`), and not\nsupported for [container image deployments](/run/docs/deploying) (`--image`).\n\nBefore you begin\n----------------\n\n- Enable the Cloud Run Admin API and the Cloud Build API:\n\n ```bash\n gcloud services enable run.googleapis.com \\\n cloudbuild.googleapis.com\n ```\n\n After the Cloud Run Admin API is enabled, the Compute Engine default service account is\n automatically created.\n\n### Required roles\n\nYou or your administrator must grant the deployer account and the\nCloud Build service account the following IAM roles. \n\n#### Click to view required roles for the deployer account\n\nTo get the permissions that you need to build and deploy from source,\nask your administrator to grant you the following IAM\nroles:\n\n- [Cloud Run Source Developer](/iam/docs/understanding-roles#run.sourceDeveloper) (`roles/run.sourceDeveloper`) on your project\n- [Service Usage Consumer](/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) (`roles/serviceusage.serviceUsageConsumer`) on your project\n- [Service Account User](/iam/docs/understanding-roles#iam.serviceAccountUser) (`roles/iam.serviceAccountUser`) on the Cloud Run service identity \n\n#### Click to view required roles for the Cloud Build service account\n\nCloud Build automatically uses the\n[Compute Engine default service\naccount](/build/docs/cloud-build-service-account) as the default Cloud Build service account to build your source code and\nCloud Run resource, unless you override this behavior. For\nCloud Build to build your sources, ask your administrator to grant\n[Cloud Run Builder](/iam/docs/understanding-roles#run.builder)\n(`roles/run.builder`) to the Compute Engine default\nservice account on your project: \n\n```bash\n gcloud projects add-iam-policy-binding PROJECT_ID \\\n --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com \\\n --role=roles/run.builder\n \n```\n\nReplace \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e with your Google Cloud\nproject number, and \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud\nproject ID. For detailed instructions on how to find your project ID, and project number,\nsee [Creating\nand managing projects](/resource-manager/docs/creating-managing-projects#identifying_projects).\n\nGranting the Cloud Run builder role to the Compute Engine default service account\ntakes a couple of minutes to [propagate](/iam/docs/access-change-propagation).\n| **Note:**\n|\n|\n| The [`iam.automaticIamGrantsForDefaultServiceAccounts` organization policy constraint](/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_default_grants)\n| prevents the Editor role from being automatically granted to default service accounts. If you\n| created your organization after May 3, 2024, this constraint is enforced by\n| default.\n|\n|\n| We strongly recommend that you enforce this constraint to disable the automatic role grant. If you\n| disable the automatic role grant, you must decide which roles to grant to the default service\n| accounts, and then [grant these roles](/iam/docs/granting-changing-revoking-access)\n| yourself.\n|\n|\n| If the default service account already has the Editor role, we recommend that you replace the\n| Editor role with less permissive roles.To safely modify the service account's roles, use [Policy Simulator](/policy-intelligence/docs/simulate-iam-policies) to see the impact of\n| the change, and then [grant and revoke the\n| appropriate roles](/iam/docs/granting-changing-revoking-access).\n\nFor a list of IAM roles and permissions that are associated with\nCloud Run, see\n[Cloud Run IAM roles](/run/docs/reference/iam/roles)\nand [Cloud Run IAM permissions](/run/docs/reference/iam/permissions).\nIf your Cloud Run service interfaces with\nGoogle Cloud APIs, such as Cloud Client Libraries, see the\n[service identity configuration guide](/run/docs/configuring/services/service-identity).\nFor more information about granting roles, see\n[deployment permissions](/run/docs/reference/iam/roles#additional-configuration)\nand [manage access](/iam/docs/granting-changing-revoking-access).\n\nSecure your build with private pools\n------------------------------------\n\nBy default, Cloud Build has unlimited internet access during the build\nprocess. If you have set up a VPC Service Controls (VPC SC) perimeter and want to\nlimit the build's access only to dependencies stored inside the perimeter (for\nexample, npm packages), you can use the\n[Cloud Build private worker pools](/build/docs/private-pools/private-pools-overview)\nfeature.\n\nIn general, follow these steps to set up your private pool:\n\n1. Create your private worker pool. See [Creating and managing private pools](/build/docs/private-pools/create-manage-private-pools).\n2. Configure your VPC Service Controls perimeter. See\n [Using VPC Service Controls](/build/docs/private-pools/using-vpc-service-controls).\n\n3. If your private worker pool is in a different project than your\n Cloud Run service, you need to grant the Cloud Run\n [Service Agent](/iam/docs/service-agents)\n (`service-`\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e`@serverless-robot-prod.iam.gserviceaccount.com`)\n the [Cloud Build WorkerPool User](/iam/docs/understanding-roles#cloudbuild.workerPoolUser)\n (`cloudbuild.workerPoolUser`) role so that the Cloud Build service can\n access the worker pool.\n\n ```bash\n gcloud projects add-iam-policy-binding PRIVATE_POOL_PROJECT_ID \\\n --member serviceAccount:service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com \\\n --role roles/cloudbuild.workerPoolUser\n ```\n\n Replace:\n - \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e with the project number where the service runs.\n - \u003cvar translate=\"no\"\u003ePRIVATE_POOL_PROJECT_ID\u003c/var\u003e with the *ID* of the project in which the worker pool is located. See [Running builds in a private pool](/build/docs/private-pools/run-builds-in-private-pool#permissions) for more information.\n4. Deploy your service from source to build using a private pool:\n\n ### gcloud\n\n To specify a private pool to build when deploying from source\n code, use the `--build-worker-pool` flag: \n\n ```bash\n gcloud run deploy SERVICE \\\n --source . \\\n --build-worker-pool WORKER_POOL\n ```\n\n Replace:\n - \u003cvar translate=\"no\"\u003eSERVICE\u003c/var\u003e with name of your service.\n - \u003cvar translate=\"no\"\u003eWORKER_POOL\u003c/var\u003e with the name of the private pool.\n\n If you are deploying a function, add the `--function` flag with the\n function entry point from your source code.\n\nDelete build worker pools\n-------------------------\n\nYou can delete build worker pools for existing services. \n\n### gcloud\n\nTo clear the Cloud Build worker pool for source deployments, use\nthe `--clear-build-worker-pool` flag: \n\n```bash\ngcloud run deploy SERVICE \\\n --source . \\\n --clear-build-worker-pool WORKER_POOL\n```\n\nReplace:\n\n- \u003cvar translate=\"no\"\u003eSERVICE\u003c/var\u003e with name of your service.\n- \u003cvar translate=\"no\"\u003eWORKER_POOL\u003c/var\u003e with the name of the private pool you would like to delete.\n\nIf you are deploying a function, add the `--function` flag with the\nfunction entry point from your source code."]]
