Continuous deployment from git using Cloud Build

You can use Cloud Build to automate builds and deployments to Cloud Run.

You can accomplish this using a Cloud Build trigger to automatically build and deploy your code whenever new commits are pushed to a given branch of a git repository. This includes Cloud Source Repositories, GitHub, or any other repository supported by Cloud Build.

The build trigger does the following:

  • Builds the Docker Image
  • Pushes the image to the Container Registry
  • Deploys a new revision to the Cloud Run service

Setting up continuous deployment with Cloud Build

To automate deployment with Cloud Build:

  1. In your repository root, add a file named cloudbuild.yaml that has these entries:

    Fully Managed

     steps:
     # build the container image
     - name: 'gcr.io/cloud-builders/docker'
       args: ['build', '-t', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA', '.']
     # push the container image to Container Registry
     - name: 'gcr.io/cloud-builders/docker'
       args: ['push', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA']
     # Deploy container image to Cloud Run
     - name: 'gcr.io/cloud-builders/gcloud'
       args:
       - 'run'
       - 'deploy'
       - '[SERVICE-NAME]'
       - '--image'
       - 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA'
       - '--region'
       - '[REGION]'
       - '--platform'
       - 'managed'
     images:
     - 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA'
    

    Replace

    • [SERVICE-NAME] with the name of the Cloud Run service.
    • [REGION] with the region of the Cloud Run service you are deploying.

    Anthos on Google Cloud

     steps:
     # build the container image
     - name: 'gcr.io/cloud-builders/docker'
       args: ['build', '-t', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA', '.']
     # push the container image to Container Registry
     - name: 'gcr.io/cloud-builders/docker'
       args: ['push', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA']
     # Deploy container image to Cloud Run
     - name: 'gcr.io/cloud-builders/gcloud'
       args:
       - 'run'
       - 'deploy'
       - '[SERVICE-NAME]'
       - '--image'
       - 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA'
       - '--cluster'
       - '[CLUSTER]'
       - '--cluster-location'
       - '[CLUSTER_LOCATION]'
       - '--platform'
       - 'gke'
     images:
     - 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA'
    

    Replace

    • [SERVICE-NAME] with the name of the Cloud Run service.
    • [CLUSTER] with the name of your Cloud Run for Anthos on Google Cloud cluster.
    • [CLUSTER_LOCATION] with the location of your Cloud Run for Anthos on Google Cloud cluster.

    The $COMMIT_SHA substitution variable is populated by Cloud Build when the build is triggered from a git repository. To test this configuration manually, override the variable:

    gcloud builds submit --substitutions COMMIT_SHA=manual
    
  2. Grant access for the Cloud Build service account to deploy the service:

    Fully Managed

    Grant the Cloud Run Admin and Service Account User roles to the Cloud Build service account:

    1. Open the Cloud Build settings page in the Cloud Console.

    2. In the Service account permissions panel, set the status of the Cloud Run Admin role to Enable.

    3. Select GRANT ACCESS TO ALL SERVICE ACCOUNTS to grant the Service Account User role on all service accounts in the project.

    Anthos on Google Cloud

    Grant the Kubernetes Engine Developer role to the Cloud Build service account:

    1. Open the Cloud Build settings page in the Cloud Console.

    2. In the Service account permissions panel, set the status of the Kubernetes Engine Developer role to Enable.

  3. Click Triggers in the left navigation panel to open the Triggers page:


    1. Click Create Trigger.
    2. In the Name field, enter a name for your trigger.
    3. Under Event, select the repository event to start your trigger.
    4. Under Source, select your repository and the branch or tag name that will start your trigger. For more information on specifying which branches to autobuild, see Creating a build trigger.
    5. Under Build configuration, select Cloud Build configuration file.
    6. In the Cloud Build configuration file location field, type cloudbuild.yaml after the /.
    7. Click Create to save your build trigger.
  4. You are finished! From now on, whenever you push to your repository, a build and a deployment to your Cloud Run service are automatically invoked.
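The pipeline above deploys whatever the trigger builds, so the cloudbuild.yaml itself is worth checking before it is committed: placeholders such as [SERVICE-NAME] must be replaced, every image reference should be tagged with $COMMIT_SHA rather than a mutable tag like :latest (so a running revision can be traced back to one commit), and the images: section must list the built image so Cloud Build records its digest. The following linter is an added example, not code from the page or from Google; it works on the raw file text with regular expressions so it needs no YAML library, and it assumes image references are quoted scalars as in the template above. The two sample configurations embedded in it are constructed (service name hello, region us-central1).

```python
"""Lint a cloudbuild.yaml for the properties the Cloud Run template relies on.
Added example, not Google's code. Assumes quoted YAML scalars as in the page's
template; the sample configs below are constructed."""
import re
import sys

# Builder images are tools Cloud Build runs, not the artefact being deployed.
BUILDER_PREFIX = "gcr.io/cloud-builders/"
# Unreplaced template placeholders such as [SERVICE-NAME] or [REGION].
PLACEHOLDER = re.compile(r"\[[A-Z][A-Z0-9_-]*\]")
# Image references inside quoted YAML scalars ('gcr.io/...:tag').
IMAGE_REF = re.compile(r"gcr\.io/[^\s'\"]+")


def lint_cloudbuild(text: str) -> list:
    """Return findings for one cloudbuild.yaml; an empty list means it passed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for ph in PLACEHOLDER.findall(line):
            findings.append(f"line {lineno}: placeholder {ph} not replaced")

    images = sorted({img for img in IMAGE_REF.findall(text)
                     if not img.startswith(BUILDER_PREFIX)})
    if not images:
        findings.append("no application image reference found")
        return findings

    for img in images:
        name = img.rsplit("/", 1)[-1]          # '<image>:<tag>' or '<image>@sha256:...'
        if "@sha256:" in name:
            continue                            # pinned by digest, stronger than a tag
        if ":" not in name:
            findings.append(f"{img}: untagged, Docker will use the mutable :latest tag")
        elif not img.endswith(":$COMMIT_SHA"):
            findings.append(f"{img}: tag is not $COMMIT_SHA, so the deployed revision "
                            "cannot be traced to one commit")
    if len(images) > 1:
        findings.append(f"build, push and deploy do not agree on one image: {images}")

    # `images:` tells Cloud Build which pushed image (and digest) to record in
    # the build results, which is what a later audit of a revision relies on.
    section = re.search(r"^images:[ \t]*$", text, re.MULTILINE)
    if section is None:
        findings.append("missing images: section, pushed digest will not be recorded")
    elif not IMAGE_REF.search(text[section.end():]):
        findings.append("images: section does not list the built image")
    return findings


# Constructed sample: the page's template with placeholders filled in.
GOOD_CONFIG = """\
steps:
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'gcr.io/$PROJECT_ID/hello:$COMMIT_SHA', '.']
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/$PROJECT_ID/hello:$COMMIT_SHA']
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['run', 'deploy', 'hello', '--image', 'gcr.io/$PROJECT_ID/hello:$COMMIT_SHA',
         '--region', 'us-central1', '--platform', 'managed']
images:
- 'gcr.io/$PROJECT_ID/hello:$COMMIT_SHA'
"""

# Constructed sample: placeholders left in, mutable tag, no images: section.
BAD_CONFIG = """\
steps:
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:latest', '.']
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:latest']
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['run', 'deploy', '[SERVICE-NAME]', '--image',
         'gcr.io/$PROJECT_ID/[SERVICE-NAME]:latest', '--region', '[REGION]']
"""

if __name__ == "__main__":
    # Usage: python lint_cloudbuild.py cloudbuild.yaml  (no argument: lint the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"GOOD_CONFIG": GOOD_CONFIG, "BAD_CONFIG": BAD_CONFIG}
    for label, text in samples.items():
        print(f"{label}: {lint_cloudbuild(text) or 'OK'}")
```

Run it as a pre-commit hook or as an early Cloud Build step so a misconfigured pipeline fails before anything is built or deployed.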

Continuous deployment with minimal IAM permissions

When a container is deployed to a Cloud Run (fully managed) service, it runs with the identity of the Runtime Service Account of this Cloud Run (fully managed) service. Because Cloud Build can deploy new containers automatically, Cloud Build needs to be able to act as the Runtime Service Account of your Cloud Run service.

To grant limited access to Cloud Build to deploy to a Cloud Run service running as the default compute identity:

Console UI

  1. Go to the Service accounts page of the Google Cloud Console.

  2. Select the Runtime Service Account (PROJECT_NUMBER-compute@developer.gserviceaccount.com) from the table.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. Click the Add member button.

  5. Enter the Cloud Build Service Account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com).

  6. In the Select a role dropdown, select the Service Accounts > Service Account User role.

  7. Click Save.

gcloud

Use the gcloud iam service-accounts add-iam-policy-binding command:

gcloud iam service-accounts add-iam-policy-binding \
  PROJECT_NUMBER-compute@developer.gserviceaccount.com \
  --member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
  --role="roles/iam.serviceAccountUser"

Replace PROJECT_NUMBER with the numeric ID of your project.

If your Cloud Run (fully managed) service runs as a customized compute identity rather than the default one, replace PROJECT_NUMBER-compute@developer.gserviceaccount.com with the address of that service account.

See Deployment permissions for more information.
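The difference between the two setups on this page is where roles/iam.serviceAccountUser is bound: GRANT ACCESS TO ALL SERVICE ACCOUNTS binds it at project level, which lets Cloud Build act as every service account in the project, while the command above binds it on the one runtime service account. The audit below is an added example, not code from the page or from Google: it takes the JSON that gcloud projects get-iam-policy and gcloud iam service-accounts get-iam-policy print (the policies embedded here are constructed, with a hypothetical project number 123456789012) and reports whether the Cloud Build service account holds the minimal set, is missing something a deploy needs, or is over-granted.

```python
"""Audit the Cloud Build service account's deploy grants against the minimal
pattern described on this page. Added example, not Google's code; the IAM
policy documents below are constructed samples in getIamPolicy JSON shape."""
import json

SA_USER = "roles/iam.serviceAccountUser"
RUN_ADMIN = "roles/run.admin"
BROAD_ROLES = {"roles/owner", "roles/editor"}


def cloud_build_member(project_number: str) -> str:
    """IAM member string of the Cloud Build service account for a project."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def roles_granted(policy: dict, member: str) -> set:
    """Roles a member holds in one IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_deploy_permissions(project_policy: dict, runtime_sa_policy: dict,
                             project_number: str) -> list:
    """Return findings; an empty list means the grants match the minimal pattern."""
    member = cloud_build_member(project_number)
    at_project = roles_granted(project_policy, member)
    on_runtime_sa = roles_granted(runtime_sa_policy, member)
    findings = []
    for role in sorted(at_project & BROAD_ROLES):
        findings.append(f"{role} at project level: far more than deploying needs")
    if SA_USER in at_project:
        findings.append(f"{SA_USER} at project level: Cloud Build can act as every "
                        "service account in the project; bind it on the runtime "
                        "service account only")
    if RUN_ADMIN not in at_project:
        findings.append(f"{RUN_ADMIN} missing at project level: gcloud run deploy will fail")
    if SA_USER not in at_project and SA_USER not in on_runtime_sa:
        findings.append(f"{SA_USER} missing on the runtime service account: Cloud Build "
                        "cannot deploy a revision that runs as it")
    return findings


def remediation_command(project_number: str, runtime_sa: str = None) -> str:
    """The page's gcloud command for the per-service-account binding."""
    runtime_sa = runtime_sa or f"{project_number}-compute@developer.gserviceaccount.com"
    return (f"gcloud iam service-accounts add-iam-policy-binding {runtime_sa} "
            f'--member="{cloud_build_member(project_number)}" --role="{SA_USER}"')


PROJECT_NUMBER = "123456789012"  # hypothetical
CB_SA = f"serviceAccount:{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"

# Constructed: project policy after enabling only the Cloud Run Admin role.
MINIMAL_PROJECT_POLICY = json.loads(f"""{{
  "bindings": [
    {{"role": "roles/owner", "members": ["user:alice@example.com"]}},
    {{"role": "roles/cloudbuild.builds.builder", "members": ["{CB_SA}"]}},
    {{"role": "roles/run.admin", "members": ["{CB_SA}"]}}
  ], "etag": "BwXconstructed=", "version": 1}}""")

# Constructed: runtime service account policy after the page's gcloud command.
MINIMAL_RUNTIME_SA_POLICY = json.loads(f"""{{
  "bindings": [{{"role": "{SA_USER}", "members": ["{CB_SA}"]}}],
  "etag": "BwXconstructed=", "version": 1}}""")

# Constructed: project policy after GRANT ACCESS TO ALL SERVICE ACCOUNTS.
BROAD_PROJECT_POLICY = json.loads(f"""{{
  "bindings": [
    {{"role": "roles/cloudbuild.builds.builder", "members": ["{CB_SA}"]}},
    {{"role": "roles/run.admin", "members": ["{CB_SA}"]}},
    {{"role": "{SA_USER}", "members": ["{CB_SA}"]}}
  ], "etag": "BwXconstructed=", "version": 1}}""")

EMPTY_POLICY = {"etag": "BwXconstructed=", "version": 1}  # no bindings at all

if __name__ == "__main__":
    for label, proj, sa in [("minimal", MINIMAL_PROJECT_POLICY, MINIMAL_RUNTIME_SA_POLICY),
                            ("broad", BROAD_PROJECT_POLICY, EMPTY_POLICY),
                            ("unconfigured", EMPTY_POLICY, EMPTY_POLICY)]:
        print(label, audit_deploy_permissions(proj, sa, PROJECT_NUMBER) or "OK")
    print(remediation_command(PROJECT_NUMBER))
```

To run it against a real project, save the output of gcloud projects get-iam-policy PROJECT_ID --format=json and gcloud iam service-accounts get-iam-policy RUNTIME_SA --format=json and pass the two parsed documents to audit_deploy_permissions.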

What's Next