The following stages occur in an automated deployment:
- Build the Docker Image
- Push the image to the Container Registry
- Deploy a new revision to the Cloud Run service
Setting up continuous deployment with Cloud Build
You can automate a deployment to Cloud Run using Cloud Build when new commits are pushed to a given branch of a git repository. This includes Cloud Source Repositories, GitHub, or any other repository supported by Cloud Build. For more information, see Automating Builds using Build Triggers.
To automate deployment with Cloud Build:
In your repository root, add a file named
cloudbuild.yamlthat has these entries:
steps: # build the container image - name: 'gcr.io/cloud-builders/docker' args: ['build', '-t', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]', '.'] # push the container image to Container Registry - name: 'gcr.io/cloud-builders/docker' args: ['push', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]'] # Deploy container image to Cloud Run - name: 'gcr.io/cloud-builders/gcloud' args: ['beta', 'run', 'deploy', '[SERVICE-NAME]', '--image', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]', '--region', '[REGION]','--platform', '[PLATFORM]'] images: - gcr.io/$PROJECT_ID/[SERVICE-NAME]
- [PLATFORM] with
managedif deploying to fully managed Cloud Run, or with
gkeif deploying to Cloud Run on GKE.
- [SERVICE-NAME] with the of the Cloud Run service
- [REGION] with the region of the Cloud Run service
you are deploying to. If you are using Cloud Run on GKE, use
--cluster-locationinstead of the
- [PLATFORM] with
Grant the "Cloud Run Admin" and "Service Account User" roles to the Cloud Build service account:
Visit the IAM and Admin page in the GCP Console.
Select the service account that has the suffix
Click the service account's edit icon and add to it the following roles:
Cloud Run > Cloud Run Admin to allow Cloud Build to manipulate Cloud Run resources.
Service Accounts > Service Account User to allow Cloud Build to act as other service accounts, which include your Cloud Run services.
Click Save to save your changes.
Create a build trigger in the Cloud Build triggers page.
- Click Create Trigger.
- From the displayed repository list, select your repository and click Continue. For more information on specifying which branches to autobuild, see Creating a build trigger
cloudbuild.yamlin Build Configuration.
- Click Create.
You are finished! From this point on, anytime you push to your repository, you automatically trigger a build and a deployment to your Cloud Run service.
Continuous deployment with minimal IAM permissions
When a container is deployed to a Cloud Run service, it runs with the identity of the Runtime Service Account of this Cloud Run service. Because Cloud Build can deploy new containers automatically, Cloud Build needs to be able to act as the Runtime Service Account of your Cloud Run service.
Instead of allowing Cloud Build to act as any service account, you can allow it to only "act as" your Cloud Run Runtime Service account. Follow the instructions to deploy artifacts to Cloud Build to set up least-privilege deployment.