This tutorial shows how to write, deploy, and call a Cloud Run service from a Pub/Sub push subscription.
Objectives
- Write, build, and deploy a service to Cloud Run
- Call the service by publishing a message to a Pub/Sub topic.
Costs
In this document, you use the following billable components of Google Cloud:
To generate a cost estimate based on your projected usage, use the pricing calculator.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Artifact Registry, Cloud Build, Pub/Sub and Cloud Run APIs.
- Install and initialize the gcloud CLI.
- Update components:
gcloud components update
Required roles
To get the permissions that you need to complete the tutorial, ask your administrator to grant you the following IAM roles on your project:
- Cloud Build Editor (roles/cloudbuild.builds.editor)
- Cloud Run Admin (roles/run.admin)
- Create Service Accounts (roles/iam.serviceAccountCreator)
- Project IAM Admin (roles/resourcemanager.projectIamAdmin)
- Pub/Sub Editor (roles/pubsub.editor)
- Service Account User (roles/iam.serviceAccountUser)
- Service Usage Consumer (roles/serviceusage.serviceUsageConsumer)
- Storage Admin (roles/storage.admin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Set up gcloud defaults
To configure gcloud with defaults for your Cloud Run service:
Set your default project:
gcloud config set project PROJECT_ID
Replace PROJECT_ID with the name of the project you created for this tutorial.
Configure gcloud for your chosen region:
gcloud config set run/region REGION
Replace REGION with the supported Cloud Run region of your choice.
Cloud Run locations
Cloud Run is regional, which means the infrastructure that
runs your Cloud Run services is located in a specific region and is
managed by Google to be redundantly available across
all the zones within that region.
Meeting your latency, availability, or durability requirements are primary
factors for selecting the region where your Cloud Run services are run.
You can generally select the region nearest to your users but you should consider
the location of the other Google Cloud
products that are used by your Cloud Run service.
Using Google Cloud products together across multiple locations can affect
your service's latency as well as cost.
Cloud Run is available in the following regions:
Subject to Tier 1 pricing
- asia-east1 (Taiwan)
- asia-northeast1 (Tokyo)
- asia-northeast2 (Osaka)
- europe-north1 (Finland) Low CO2
- europe-southwest1 (Madrid) Low CO2
- europe-west1 (Belgium) Low CO2
- europe-west4 (Netherlands) Low CO2
- europe-west8 (Milan)
- europe-west9 (Paris) Low CO2
- me-west1 (Tel Aviv)
- us-central1 (Iowa) Low CO2
- us-east1 (South Carolina)
- us-east4 (Northern Virginia)
- us-east5 (Columbus)
- us-south1 (Dallas) Low CO2
- us-west1 (Oregon) Low CO2
Subject to Tier 2 pricing
- africa-south1 (Johannesburg)
- asia-east2 (Hong Kong)
- asia-northeast3 (Seoul, South Korea)
- asia-southeast1 (Singapore)
- asia-southeast2 (Jakarta)
- asia-south1 (Mumbai, India)
- asia-south2 (Delhi, India)
- australia-southeast1 (Sydney)
- australia-southeast2 (Melbourne)
- europe-central2 (Warsaw, Poland)
- europe-west10 (Berlin) Low CO2
- europe-west12 (Turin)
- europe-west2 (London, UK) Low CO2
- europe-west3 (Frankfurt, Germany) Low CO2
- europe-west6 (Zurich, Switzerland) Low CO2
- me-central1 (Doha)
- me-central2 (Dammam)
- northamerica-northeast1 (Montreal) Low CO2
- northamerica-northeast2 (Toronto) Low CO2
- southamerica-east1 (Sao Paulo, Brazil) Low CO2
- southamerica-west1 (Santiago, Chile) Low CO2
- us-west2 (Los Angeles)
- us-west3 (Salt Lake City)
- us-west4 (Las Vegas)
If you already created a Cloud Run service, you can view the region in the Cloud Run dashboard in the Google Cloud console.
Create an Artifact Registry standard repository
Create an Artifact Registry standard repository to store your container image:
gcloud artifacts repositories create REPOSITORY \
    --repository-format=docker \
    --location=REGION
Replace:
- REPOSITORY with a unique name for the repository.
- REGION with the Google Cloud region to be used for the Artifact Registry repository.
Create a Pub/Sub topic
The sample service is triggered by messages published to a Pub/Sub topic, so you'll need to create a topic in Pub/Sub.
gcloud
To create a new Pub/Sub topic, use the command:
gcloud pubsub topics create myRunTopic
You can use myRunTopic or replace with a topic name unique within your Google Cloud project.
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
To create a Pub/Sub topic, add the following to your existing main.tf file:
You can use a topic name unique within your Cloud project.
Retrieve the code sample
To retrieve the code sample for use:
Clone the sample app repository to your local machine:
Node.js
git clone https://github.com/GoogleCloudPlatform/nodejs-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Python
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Go
git clone https://github.com/GoogleCloudPlatform/golang-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Java
git clone https://github.com/GoogleCloudPlatform/java-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
C#
git clone https://github.com/GoogleCloudPlatform/dotnet-docs-samples.git
Alternatively, you can download the sample as a zip file and extract it.
Change to the directory that contains the Cloud Run sample code:
Node.js
cd nodejs-docs-samples/run/pubsub/
Python
cd python-docs-samples/run/pubsub/
Go
cd golang-samples/run/pubsub/
Java
cd java-docs-samples/run/pubsub/
C#
cd dotnet-docs-samples/run/Run.Samples.Pubsub.MinimalApi/
Review the code
The code for this tutorial consists of the following:
A server that handles incoming requests.
Node.js
To keep the Node.js service easy to test, the server configuration is separate from the server startup.
The Node.js web server is set up in app.js.
The web server is started in index.js:
Python
Go
Java
C#
A handler that processes the Pub/Sub message and logs a greeting.
Node.js
Python
Go
Java
C#
You must code the service to return an accurate HTTP response code. Success codes, such as HTTP 200 or 204, acknowledge complete processing of the Pub/Sub message. Error codes, such as HTTP 400 or 500, indicate the message will be retried, as described in the Receiving messages using Push guide.
A Dockerfile that defines the operating environment for the service. The contents of the Dockerfile vary by language.
Node.js
Python
Go
Java
This sample uses Jib to build Docker images using common Java tools. Jib optimizes container builds without the need for a Dockerfile or having Docker installed. Learn more about building Java containers with Jib.
C#
For details on how to authenticate the origin of Pub/Sub requests, see Integrate with Pub/Sub.
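The handler behaviour described above (decode the pushed message, log a greeting, answer with an accurate status code), written out as an added example; it is not the code from the sample repositories. The function name handle_push, the "World" default, the length cap and the control-character filter are assumptions of this example.

```python
import base64
import binascii
import json

MAX_NAME_LEN = 256  # assumed cap so a single message cannot flood the log


def handle_push(body: bytes) -> tuple[int, str]:
    """Handle one Pub/Sub push delivery.

    Returns (HTTP status, text): 204 plus the greeting to log on success,
    400 plus an error for a malformed envelope (an error code means retry).
    """
    try:
        envelope = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return 400, "Bad Request: body is not valid JSON"
    message = envelope.get("message") if isinstance(envelope, dict) else None
    if not isinstance(message, dict):
        return 400, "Bad Request: invalid Pub/Sub message format"

    name = ""
    data = message.get("data")
    if data is not None:
        if not isinstance(data, str):
            return 400, "Bad Request: message.data is not a string"
        try:
            # The push envelope carries the payload base64-encoded.
            name = base64.b64decode(data, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return 400, "Bad Request: message.data is not base64 UTF-8 text"

    # The payload is publisher-controlled: drop control characters (CR/LF
    # included) and cap the length before the value reaches the log.
    name = "".join(ch for ch in name if ch.isprintable()).strip()[:MAX_NAME_LEN]
    return 204, f"Hello {name or 'World'}!"


# Constructed sample: the envelope pushed for a message published as "Runner".
SAMPLE_BODY = json.dumps({
    "message": {
        "data": base64.b64encode(b"Runner").decode("ascii"),
        "messageId": "1",  # constructed value
    },
    "subscription": "projects/PROJECT_ID/subscriptions/myRunSubscription",
}).encode("utf-8")

if __name__ == "__main__":
    print(handle_push(SAMPLE_BODY))
```

A web framework route would pass the raw request body to handle_push, log the returned text, and send the returned status.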
Ship the code
Shipping code consists of three steps: building a container image with Cloud Build, uploading the container image to Artifact Registry, and deploying the container image to Cloud Run.
To ship your code:
- Build your container and publish on Artifact Registry:
Node.js
gcloud builds submit --tag REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/pubsub
Replace:
- PROJECT_ID with your Google Cloud project ID.
- REPOSITORY with the name of the Artifact Registry repository.
- REGION with the Google Cloud region to be used for the Artifact Registry repository.
pubsub is the image name.
Upon success, you should see a SUCCESS message containing the ID, creation time, and image name. The image is stored in Artifact Registry and can be re-used if required.
Python
gcloud builds submit --tag REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/pubsub
Replace:
- PROJECT_ID with your Google Cloud project ID.
- REPOSITORY with the name of the Artifact Registry repository.
- REGION with the Google Cloud region to be used for the Artifact Registry repository.
pubsub is the image name.
Upon success, you should see a SUCCESS message containing the ID, creation time, and image name. The image is stored in Artifact Registry and can be re-used if required.
Go
gcloud builds submit --tag REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/pubsub
Replace:
- PROJECT_ID with your Google Cloud project ID.
- REPOSITORY with the name of the Artifact Registry repository.
- REGION with the Google Cloud region to be used for the Artifact Registry repository.
pubsub is the image name.
Upon success, you should see a SUCCESS message containing the ID, creation time, and image name. The image is stored in Artifact Registry and can be re-used if required.
Java
- Use the gcloud CLI credential helper to authorize Docker to push to your Artifact Registry.
gcloud auth configure-docker
- Use the Jib Maven Plugin to build and push the container to Artifact Registry.
mvn compile jib:build -D image=REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/pubsub
Replace:
- PROJECT_ID with your Google Cloud project ID.
- REPOSITORY with the name of the Artifact Registry repository.
- REGION with the Google Cloud region to be used for the Artifact Registry repository.
pubsub is the image name.
Upon success, you should see a BUILD SUCCESS message. The image is stored in Artifact Registry and can be re-used if required.
C#
gcloud builds submit --tag REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/pubsub
Replace:
- PROJECT_ID with your Google Cloud project ID.
- REPOSITORY with the name of the Artifact Registry repository.
- REGION with the Google Cloud region to be used for the Artifact Registry repository.
pubsub is the image name.
Upon success, you should see a SUCCESS message containing the ID, creation time, and image name. The image is stored in Artifact Registry and can be re-used if required.
- Deploy your application:
Command line
- Run the following command to deploy your app:
gcloud run deploy pubsub-tutorial --image REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/pubsub --no-allow-unauthenticated
Replace:
- PROJECT_ID with your Google Cloud project ID.
- REPOSITORY with the name of the Artifact Registry repository.
- REGION with the Google Cloud region to be used for the Artifact Registry repository.
pubsub is the image name and pubsub-tutorial is the name of the service. Notice that the container image is deployed to the service and region that you configured previously under Setting up gcloud.
The --no-allow-unauthenticated flag restricts unauthenticated access to the service. By keeping the service private you can rely on Cloud Run's automatic Pub/Sub integration to authenticate requests. See Integrate with Pub/Sub for more details on how this is configured. For more details about authentication that is based on Identity and Access Management (IAM), see Managing access using IAM.
Wait until the deployment is complete: this can take about half a minute. On success, the command line displays the service URL. This URL is used to configure a Pub/Sub subscription.
- If you want to deploy a code update to the service, repeat the previous steps. Each deployment to a service creates a new revision and automatically starts serving traffic when ready.
Terraform
To create a Cloud Run service, add the following to your existing .tf file.
Replace the value for image with your image URL: REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/pubsub.
Integrate with Pub/Sub
To integrate the service with Pub/Sub:
gcloud
Create or select a service account to represent the Pub/Sub subscription identity.
gcloud iam service-accounts create cloud-run-pubsub-invoker \
    --display-name "Cloud Run Pub/Sub Invoker"
You can use cloud-run-pubsub-invoker or replace with a name unique within your Google Cloud project.
Create a Pub/Sub subscription with the service account:
Give the invoker service account permission to invoke your pubsub-tutorial service:
gcloud run services add-iam-policy-binding pubsub-tutorial \
    --member=serviceAccount:cloud-run-pubsub-invoker@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/run.invoker
It can take several minutes for the IAM changes to propagate. In the meantime, you might see HTTP 403 errors in the service logs.
Allow Pub/Sub to create authentication tokens in your project:
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com \
    --role=roles/iam.serviceAccountTokenCreator
Replace:
- PROJECT_ID with your Google Cloud project ID.
- PROJECT_NUMBER with your Google Cloud project number.
Project ID and project number are listed in the Project info panel in the Google Cloud console for your project.
Create a Pub/Sub subscription with the service account:
gcloud pubsub subscriptions create myRunSubscription --topic myRunTopic \
    --ack-deadline=600 \
    --push-endpoint=SERVICE-URL/ \
    --push-auth-service-account=cloud-run-pubsub-invoker@PROJECT_ID.iam.gserviceaccount.com
Replace:
- myRunTopic with the topic you previously created.
- SERVICE-URL with the HTTPS URL provided on deploying the service. This URL works even if you have also added a domain mapping.
- PROJECT_ID with your Google Cloud project ID.
The --push-auth-service-account flag activates the Pub/Sub push functionality for Authentication and authorization.
Your Cloud Run service domain is automatically registered for use with Pub/Sub subscriptions.
For Cloud Run only, there is a built-in authentication check that the token is valid and an authorization check that the service account has permission to invoke the Cloud Run service.
Your service is now fully integrated with Pub/Sub.
Terraform
Create or select a service account to represent the Pub/Sub subscription identity.
Create a Pub/Sub subscription with the service account:
Give the invoker service account permission to invoke your pubsub-tutorial service:
Allow Pub/Sub to create authentication tokens in your project:
Create a Pub/Sub subscription with the service account:
Your service is now fully integrated with Pub/Sub.
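A check on the outcome of the integration steps, as an added example that is not part of the original tutorial or of Google's samples: it reads a service IAM policy in the JSON shape printed by `gcloud run services get-iam-policy pubsub-tutorial --format=json` and reports whether anything other than the invoker service account holds roles/run.invoker. The function name audit_invoker_policy and the two sample policies are constructed for this example.

```python
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/run.invoker"


def audit_invoker_policy(policy_json: str, expected_invoker: str) -> list[str]:
    """Compare a service's IAM policy with the setup in this tutorial.

    Only direct roles/run.invoker bindings on the service are examined;
    access inherited from the project or granted by broader roles is not.
    An empty result means the expected invoker is the only direct invoker.
    """
    policy = json.loads(policy_json)
    invokers = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            invokers.update(binding.get("members", []))

    findings = []
    for member in sorted(invokers & PUBLIC_MEMBERS):
        findings.append(f"public: {member} can invoke the service")
    if expected_invoker not in invokers:
        findings.append(f"missing: {expected_invoker} lacks {INVOKER_ROLE}")
    for member in sorted(invokers - PUBLIC_MEMBERS - {expected_invoker}):
        findings.append(f"extra: {member} can also invoke the service")
    return findings


# Constructed sample policies (not captured from a real project).
INVOKER = "serviceAccount:cloud-run-pubsub-invoker@PROJECT_ID.iam.gserviceaccount.com"
PRIVATE_POLICY = json.dumps({
    "bindings": [{"role": INVOKER_ROLE, "members": [INVOKER]}],
    "etag": "constructed", "version": 1,
})
PUBLIC_POLICY = json.dumps({
    "bindings": [{"role": INVOKER_ROLE, "members": ["allUsers"]}],
    "etag": "constructed", "version": 1,
})

if __name__ == "__main__":
    print(audit_invoker_policy(PRIVATE_POLICY, INVOKER))
    print(audit_invoker_policy(PUBLIC_POLICY, INVOKER))
```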
Try it out
To test the end-to-end solution:
Send a Pub/Sub message to the topic:
gcloud pubsub topics publish myRunTopic --message "Runner"
You can also publish messages programmatically instead of using the command-line as shown in this tutorial. For more information, see Publishing messages.
Navigate to the service logs:
- Navigate to the Google Cloud console
- Click the pubsub-tutorial service.
- Select the Logs tab.
Logs might take a few moments to appear. If you don't see them immediately, check again after a few moments.
Look for the "Hello Runner!" message.
Clean up
To walk through a more in-depth use case of using Cloud Run with Pub/Sub, skip cleanup for now and continue with the Image Processing with Cloud Run tutorial.
If you created a new project for this tutorial, delete the project. If you used an existing project and wish to keep it without the changes added in this tutorial, delete resources created for the tutorial.
Deleting the project
The easiest way to eliminate billing is to delete the project that you created for the tutorial.
To delete the project:
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Deleting tutorial resources
Delete the Cloud Run service you deployed in this tutorial:
gcloud run services delete SERVICE-NAME
Where SERVICE-NAME is your chosen service name.
You can also delete Cloud Run services from the Google Cloud console.
Remove the gcloud default region configuration you added during tutorial setup:
gcloud config unset run/region
Remove the project configuration:
gcloud config unset project
Delete other Google Cloud resources created in this tutorial:
- Delete the Pub/Sub topic myRunTopic
- Delete the Pub/Sub subscription myRunSubscription
- Delete your container image named REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/pubsub from Artifact Registry.
- Delete the invoker service account cloud-run-pubsub-invoker@PROJECT_ID.iam.gserviceaccount.com
What's next
- See Restricting ingress for information on increasing production security by using internal ingress controls to limit ingress.
- Expand the sample service deployed in this tutorial to add image processing functionality that modifies images uploaded to Cloud Storage.
- Learn more about how topics fit into Pub/Sub architecture and how to manage topics.
- Learn more about Pub/Sub subscriptions in managing subscriptions.
- Explore reference architectures, diagrams, and best practices about Google Cloud. Take a look at our Cloud Architecture Center.