Under Event, select the repository event to start your trigger.
Under Source, select your repository and the branch or tag name
that will start your trigger.
For more information on specifying which branches to autobuild, see
Creating a build trigger.
Under Cloud Build configuration file (yaml or json), select Cloud Build
configuration file.
In the Cloud Build configuration file location field,
type cloudbuild.yaml after the /.
Click Create to save your build trigger.
You are finished! From now on, whenever you push to your repository, a build
and a deployment to your Cloud Run service is automatically invoked.
Continuous deployment with minimal IAM permissions
When a container is deployed to a Cloud Run service, it runs with the
identity of the Runtime Service Account of this Cloud Run service.
Because Cloud Build can deploy new containers automatically, Cloud Build
needs to be able to act as the Runtime Service Account of your
Cloud Run service.
To grant limited access to Cloud Build to deploy to a Cloud Run service:
Console UI
Go to the Service accounts page of the Google Cloud console:
Click the email address of your Cloud Run service's Runtime
Service Account of your Cloud Run (by default, it is
PROJECT_NUMBER-compute@developer.gserviceaccount.com).
Click the Permissions tab.
Click person_addGrant access.
Enter the Cloud Build Service Account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com)
In the Select a role dropdown, select the Service
Accounts>Service Account User role.
Click Save.
gcloud
Use the gcloud iam service-accounts add-iam-policy-binding command:
Replace PROJECT_NUMBER with the numeric ID of your project.
If using Cloud Run using a customized service identity,
replace PROJECT_NUMBER-compute@developer.gserviceaccount.com with your service
account address.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Manual setup continuous deployment using Cloud Build\n\nThe following instructions assume you have a git repository with a `Dockerfile` at its root.\n\n\u003cbr /\u003e\n\nTo automate deployment from Git with Cloud Build:\n\n1. Construct a Cloud Build configuration that:\n\n - Builds the container image\n - Pushes the image to the Container Registry [(Deprecated)](/container-registry/docs/deprecations/container-registry-deprecation)\n - Deploys a new revision to the Cloud Run service\n\n To do this, add a file named `cloudbuild.yaml` *at the root of your repository*\n with this content: \n\n steps:\n # build the container image\n - name: 'gcr.io/cloud-builders/docker'\n args: ['build', '-t', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA', '.']\n # push the container image to Container Registry\n - name: 'gcr.io/cloud-builders/docker'\n args: ['push', 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA']\n # Deploy container image to Cloud Run\n - name: 'gcr.io/cloud-builders/gcloud'\n args:\n - 'run'\n - 'deploy'\n - '[SERVICE-NAME]'\n - '--image'\n - 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA'\n - '--region'\n - '[REGION]'\n images:\n - 'gcr.io/$PROJECT_ID/[SERVICE-NAME]:$COMMIT_SHA'\n\n Replace\n - \u003cvar translate=\"no\"\u003e[SERVICE-NAME]\u003c/var\u003e with the name of the Cloud Run service.\n - \u003cvar translate=\"no\"\u003e[REGION]\u003c/var\u003e with the region of the Cloud Run service you are deploying.\n\n The use of the `$COMMIT_SHA` substitution variable is populated by Cloud Build\n when triggered from a Git repository.\n2. Grant the *Cloud Run Admin* and *Service Account User* roles to the\n Cloud Build service account:\n\n 1. Open the Cloud Build settings page in the Google Cloud console:\n\n [Visit the Cloud Build settings page](https://console.cloud.google.com/cloud-build/settings)\n 2. In the Service account permissions panel, set the status of the\n *Cloud Run Admin* role to **Enable**:\n\n 3. Select **GRANT ACCESS TO ALL SERVICE ACCOUNTS** to grant the\n **Service Account User** role on all service accounts in the project on\n your page.\n\n | **Note:** For stronger security, only allow Cloud Build to [act as a specific Cloud Run service](#continuous-iam).\n3. Click **Triggers** in the left navigation panel to open the *Triggers* page:\n\n [Visit the Triggers page](https://console.cloud.google.com/cloud-build/triggers)\n 1. Click **Create Trigger**.\n 2. In the **Name** field, enter a name for your trigger.\n 3. Under **Event**, select the repository event to start your trigger.\n 4. Under **Source** , select your repository and the branch or tag name that will start your trigger. For more information on specifying which branches to autobuild, see [Creating a build trigger](/build/docs/running-builds/automate-builds#build_trigger).\n 5. Under **Cloud Build configuration file (yaml or json)** , select **Cloud Build\n configuration file**.\n 6. In the **Cloud Build configuration file location** field, type `cloudbuild.yaml` after the `/`.\n 7. Click **Create** to save your build trigger.\n4. You are finished! From now on, whenever you push to your repository, a build\n and a deployment to your Cloud Run service is automatically invoked.\n\n| **Note:** To make the deployed service public, make a one-time change to the [service IAM settings](/run/docs/securing/managing-access#making_a_service_public).\n\nContinuous deployment with minimal IAM permissions\n--------------------------------------------------\n\nWhen a container is deployed to a Cloud Run service, it runs with the\nidentity of the Runtime Service Account of this Cloud Run service.\nBecause Cloud Build can deploy new containers automatically, Cloud Build\nneeds to be able to *act as* the [Runtime Service Account of your\nCloud Run service](/run/docs/securing/service-identity).\n\nTo grant limited access to Cloud Build to deploy to a Cloud Run service: \n\n### Console UI\n\n1. Go to the **Service accounts** page of the Google Cloud console:\n\n [Go to Service accounts](https://console.cloud.google.com/iam-admin/serviceaccounts)\n\n \u003cbr /\u003e\n\n2. Click the email address of your Cloud Run service's Runtime\n Service Account of your Cloud Run (by default, it is\n \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e`-compute@developer.gserviceaccount.com`).\n\n3. Click the **Permissions** tab.\n\n4. Click person_add **Grant access**.\n\n5. Enter the Cloud Build Service Account (\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e`@cloudbuild.gserviceaccount.com`)\n\n6. In the **Select a role** dropdown, select the **Service\n Accounts** \\\u003e **Service Account User** role.\n\n7. Click **Save**.\n\n### gcloud\n\nUse the `gcloud iam service-accounts add-iam-policy-binding` command: \n\n```bash\ngcloud iam service-accounts add-iam-policy-binding \\\n PROJECT_NUMBER-compute@developer.gserviceaccount.com \\\n --member=\"serviceAccount:\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e@cloudbuild.gserviceaccount.com\" \\\n --role=\"roles/iam.serviceAccountUser\"\n```\n\nReplace \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e with the numeric ID of your project.\n\nIf using Cloud Run using a [customized service identity](/run/docs/securing/service-identity#per-service-identity),\nreplace `PROJECT_NUMBER-compute@developer.gserviceaccount.com` with your service\naccount address.\n\nSee [Deployment permissions](/run/docs/reference/iam/roles#additional-configuration)\nfor more information.\n\nWhat's Next\n-----------\n\n- Learn how deploy or publish a container image to a private registry in another project in [Setting service account permissions](/build/docs/securing-builds/set-service-account-permissions)"]]
