Continuous Deployment from git

The following stages occur in an automated deployment:

  • Build the Docker Image
  • Push the image to the Container Registry
  • Deploy a new revision to the Cloud Run service

Setting up continuous deployment with Cloud Build

You can automate a deployment to Cloud Run using Cloud Build when new commits are pushed to a given branch of a git repository. This includes Cloud Source Repositories, GitHub, or any other repository supported by Cloud Build. For more information, see Automating Builds using Build Triggers.

To automate deployment with Cloud Build:

  1. In your repository root, add a file named cloudbuild.yaml that has these entries:

    steps:
    # build the container image
    - name: 'gcr.io/cloud-builders/docker'
      args: ['build', '-t', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]', '.']
    # push the container image to Container Registry
    - name: 'gcr.io/cloud-builders/docker'
      args: ['push', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]']
    # deploy the container image to Cloud Run
    - name: 'gcr.io/cloud-builders/gcloud'
      args: ['beta', 'run', 'deploy', '[SERVICE-NAME]', '--image', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]', '--region', '[REGION]']
    images:
    - gcr.io/$PROJECT_ID/[SERVICE-NAME]

    Replace [SERVICE-NAME] and [REGION] with the name and region of the Cloud Run service you are deploying to.

    If you are using Cloud Run on GKE, use --cluster and --cluster-location instead of the --region parameter.

  2. Grant the "Cloud Run Admin" and "Service Account User" roles to the Cloud Build service account:

    1. Visit the IAM and Admin page in the GCP Console.

    2. Select the service account that has the suffix @cloudbuild.gserviceaccount.com.

    3. Click the service account's edit icon and add to it the following roles:

      1. Cloud Run > Cloud Run Admin to allow Cloud Build to manipulate Cloud Run resources.

      2. Service Accounts > Service Account User to allow Cloud Build to act as other service accounts, which include your Cloud Run services.

    4. Click Save to save your changes.

  3. Create a build trigger in the Cloud Build triggers page.

    1. Click Create Trigger.
    2. From the displayed repository list, select your repository and click Continue. For more information on specifying which branches to autobuild, see Creating a build trigger.
    3. Select cloudbuild.yaml in Build Configuration.
    4. Click Create.
  4. You are finished! From this point on, anytime you push to your repository, you automatically trigger a build and a deployment to your Cloud Run service.

Continuous deployment with minimal IAM permissions

When a container is deployed to a Cloud Run service, it runs with the identity of the Runtime Service Account of this Cloud Run service. Because Cloud Build can deploy new containers automatically, Cloud Build needs to be able to act as the Runtime Service Account of your Cloud Run service.

Instead of allowing Cloud Build to act as any service account in the project, you can allow it to "act as" only the Runtime Service Account of your Cloud Run service:

  1. Follow the instructions above but do not grant the Service Accounts > Service Account User role.

  2. Allow the Cloud Build service account to act as your Cloud Run service:

    1. Visit the IAM and Admin page in the GCP Console.

    2. Copy the email of the service account that has the suffix @cloudbuild.gserviceaccount.com.

    3. Visit the Service accounts page in the GCP Console.

    4. In the table, select the Runtime Service Account of your Cloud Run service. Its default name is PROJECT_NUMBER-compute@developer.gserviceaccount.com.

    5. Click Show Info Panel in the top right corner to show the Permissions tab.

    6. Click the Add member button.

    7. Paste the email of the Cloud Build service account (the one ending in @cloudbuild.gserviceaccount.com).

    8. In the Select a role dropdown, select the Service Accounts > Service Account User role.

    9. Click Save.
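The same two grants, the project-level Cloud Run Admin role from step 2 of the first section and the Service Account User role scoped to a single runtime service account from the steps just above, can be applied from a terminal. The script below is an added example and not part of this page; it assumes the gcloud CLI is installed and authenticated, and the project ID, project number and service-account addresses are placeholders you must replace (the Cloud Build account is assumed to follow the PROJECT_NUMBER@cloudbuild.gserviceaccount.com form). By default it only prints the commands it would run (DRY_RUN=1), so you can review the bindings before applying them.

```shell
#!/bin/sh
# Added example (not from the Cloud Run documentation): grant Cloud Build the
# roles it needs for continuous deployment, with Service Account User bound on
# ONE runtime service account rather than on the whole project.
# All values below are placeholders; replace them for your project.
PROJECT_ID="${PROJECT_ID:-my-project}"                     # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"           # placeholder
# Default Cloud Run runtime identity, as named on this page.
RUNTIME_SA="${RUNTIME_SA:-${PROJECT_NUMBER}-compute@developer.gserviceaccount.com}"
# Assumed form of the Cloud Build service account (suffix is given on the page).
BUILD_SA="${BUILD_SA:-${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands instead of running them

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Project-level Cloud Run Admin: required to create and update services.
grant_run_admin() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${BUILD_SA}" \
    --role="roles/run.admin"
}

# Service Account User bound on the runtime service account itself
# (a resource-level binding), so Cloud Build can act only as that identity.
grant_act_as_runtime_sa() {
  run gcloud iam service-accounts add-iam-policy-binding "$RUNTIME_SA" \
    --member="serviceAccount:${BUILD_SA}" \
    --role="roles/iam.serviceAccountUser"
}

# Audit helper (runs gcloud for real): returns 1 if the broad, project-wide
# Service Account User grant is present for the Cloud Build account, 0 otherwise.
check_no_project_wide_sa_user() {
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/iam.serviceAccountUser AND bindings.members:serviceAccount:${BUILD_SA}" \
    --format="value(bindings.role)" | grep -q . && return 1
  return 0
}

grant_run_admin
grant_act_as_runtime_sa
```

Run it with DRY_RUN=0 once the printed commands look right. The point of the resource-level binding is visible in the second command: the policy being edited belongs to the runtime service account, not the project, so compromising the build pipeline does not let it impersonate every service account you own. The audit helper is a quick way to confirm that the broader project-wide grant from the first section was not left in place.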
