Dockerfile at its root.
To automate deployment from Git with Cloud Build:
Construct a Cloud Build configuration that:
- Builds the container image
- Pushes the image to the Container Registry (Deprecated)
- Deploys a new revision to the Cloud Run service
To do this, add a file named cloudbuild.yaml at the root of your repository with this content:

```yaml
steps:
# build the container image
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA', '.']
# push the container image to Container Registry
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA']
# Deploy container image to Cloud Run
- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - 'run'
  - 'deploy'
  - '[SERVICE-NAME]'
  - '--image'
  - 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA'
  - '--region'
  - '[REGION]'
images:
- 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA'
```
Replace:
- [SERVICE-NAME] with the name of the Cloud Run service.
- [REGION] with the region of the Cloud Run service you are deploying.
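A consistency check for a build/push/deploy config of the shape shown above, added here as an example and not part of the Cloud Run documentation: it confirms that the image the deploy step rolls out is the same reference that was built, pushed and listed under images, and that the deploy pins an immutable tag such as $COMMIT_SHA rather than a mutable one like :latest (which a later push could silently re-point). The config is a constructed inline dict with assumed service and region values; loading a real file with yaml.safe_load would give the same structure.

```python
from typing import Dict, List
# Constructed sample mirroring the page's cloudbuild.yaml with the placeholders
# filled in (service "my-svc" and region "us-central1" are assumed values).
IMG = "gcr.io/$PROJECT_ID/my-svc:$COMMIT_SHA"
SAMPLE_CONFIG = {
    "steps": [
        {"name": "gcr.io/cloud-builders/docker", "args": ["build", "-t", IMG, "."]},
        {"name": "gcr.io/cloud-builders/docker", "args": ["push", IMG]},
        {"name": "gcr.io/cloud-builders/gcloud",
         "args": ["run", "deploy", "my-svc", "--image", IMG, "--region", "us-central1"]},
    ],
    "images": [IMG],
}

# Tags that can be silently re-pointed; an untagged reference means :latest.
MUTABLE_TAGS = {"latest", "stable", ""}

def _arg_after(args: List[str], flag: str) -> str:
    """Return the value following `flag` in an argv list, or '' if absent."""
    if flag in args and args.index(flag) + 1 < len(args):
        return args[args.index(flag) + 1]
    return ""

def _tag(image: str) -> str:
    # Look only at the last path component so a registry port is not mistaken for a tag.
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else ""

def lint_cloudbuild(cfg: Dict) -> List[str]:
    """Return findings for a build/push/deploy config; an empty list means consistent."""
    findings, built, pushed, deployed = [], set(), set(), set()
    for step in cfg.get("steps", []):
        name, args = step.get("name", ""), step.get("args", [])
        if name.endswith("/docker") and args[:1] == ["build"]:
            built.add(_arg_after(args, "-t"))
        elif name.endswith("/docker") and args[:1] == ["push"] and len(args) > 1:
            pushed.add(args[1])
        elif name.endswith("/gcloud") and args[:2] == ["run", "deploy"]:
            deployed.add(_arg_after(args, "--image"))
    for img in sorted(deployed):
        if img not in built:
            findings.append(f"deployed image is not built in this config: {img}")
        if img not in pushed:
            findings.append(f"deployed image is not pushed in this config: {img}")
        if img not in cfg.get("images", []):
            findings.append(f"deployed image is missing from top-level 'images': {img}")
        if _tag(img) in MUTABLE_TAGS:
            findings.append(f"deploy uses a mutable tag; pin $COMMIT_SHA instead: {img}")
    return findings
```

Running `lint_cloudbuild(SAMPLE_CONFIG)` returns an empty list; a config whose deploy step points at `:latest` or at an image no earlier step produced returns one finding per problem.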
The $COMMIT_SHA substitution variable is populated by Cloud Build when the build is triggered from a Git repository.

Grant the Cloud Run Admin and Service Account User roles to the Cloud Build service account:
Open the Cloud Build settings page in the Google Cloud console:
In the Service account permissions panel, set the status of the Cloud Run Admin role to Enable:
Select GRANT ACCESS TO ALL SERVICE ACCOUNTS to grant the Service Account User role on all service accounts in the project.
Click Triggers in the left navigation panel to open the Triggers page:
- Click Create Trigger.
- In the Name field, enter a name for your trigger.
- Under Event, select the repository event to start your trigger.
- Under Source, select your repository and the branch or tag name that will start your trigger. For more information on specifying which branches to autobuild, see Creating a build trigger.
- Under Cloud Build configuration file (yaml or json), select Cloud Build configuration file.
- In the Cloud Build configuration file location field, type cloudbuild.yaml after the /.
- Click Create to save your build trigger.
You are finished! From now on, whenever you push to your repository, a build and a deployment to your Cloud Run service are automatically invoked.
Continuous deployment with minimal IAM permissions
When a container is deployed to a Cloud Run service, it runs with the identity of the Runtime Service Account of this Cloud Run service. Because Cloud Build can deploy new containers automatically, Cloud Build needs to be able to act as the Runtime Service Account of your Cloud Run service.
To grant limited access to Cloud Build to deploy to a Cloud Run service:
Console UI
- Go to the Service accounts page of the Google Cloud console.
- Click the email address of your Cloud Run service's Runtime Service Account (by default, it is PROJECT_NUMBER-compute@developer.gserviceaccount.com).
- Click the Permissions tab.
- Click Grant access.
- Enter the Cloud Build Service Account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com).
- In the Select a role dropdown, select the Service Accounts > Service Account User role.
- Click Save.
gcloud
Use the gcloud iam service-accounts add-iam-policy-binding command:

```shell
gcloud iam service-accounts add-iam-policy-binding \
  PROJECT_NUMBER-compute@developer.gserviceaccount.com \
  --member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
  --role="roles/iam.serviceAccountUser"
```
Replace PROJECT_NUMBER with the numeric ID of your project. If your Cloud Run service uses a customized service identity, replace PROJECT_NUMBER-compute@developer.gserviceaccount.com with your service account address.
See Deployment permissions for more information.
What's Next
- Learn how to deploy or publish a container image to a private registry in another project in Setting service account permissions