Optimizing with Recommender

Recommender is a service that automatically provides recommendations and insights for using resources on Google Cloud, based on heuristic methods, machine learning, and current resource usage. Each recommendation includes a link you can click to put the recommendation into effect for your service.

This guide shows how to use Recommender to optimize Cloud Run services for security and costs.

Optimize cost

Recommender optimizes costs for CPU allocation.

Optimize CPU allocation

Recommender automatically looks at traffic received by your Cloud Run service over the past month, and will recommend switching from CPU allocated during requests to CPU always allocated, if this is cheaper. For more details, see CPU allocation.

Optimize security

Recommender increases security by optimizing:

  • Service accounts for a Cloud Run service so the service account has the minimal set of required permissions.
  • Security of the following items in environment variables:

    • Passwords
    • API keys
    • Google Application Credentials

Google does not examine the values contained in those environment variables. Rather, we do a case-insensitive check on the variable key names, as shown in the following patterns:

  • The environment variable key is a case-insensitive variant of API KEY, such as API_KEY, api_key, APIKEY, or apikey
  • The environment variable ends in a case-insensitive variant of PASSWORD, such as PASSWORD or password
  • The environment variable is GOOGLE_APPLICATION_CREDENTIALS

Security issues addressed by Recommender

The following table shows what Recommender detects and helps you address:

Recommendation | Actions
Service account might have more permissions than are required. | Recommender leads you to configure a new service account that has the minimal set of required permissions.
Environment variable might contain a password. | Recommender leads you to move the password to Secret Manager.
Environment variable might contain an API key. | Recommender leads you to move the API key to Secret Manager.
Environment variable might contain Google Application Credentials. | Recommender leads you to replace this with service identity instead.
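
The key-name patterns and the actions in the table above can also be checked locally before a deployment. The following Python is an added example, not Google's code or Recommender's implementation: the regular expressions are one reading of the patterns described on this page, the function names are hypothetical, and the sample service description is constructed in the shape of `gcloud run services describe --format=json` output.

```python
import re

# One reading of the key-name patterns on this page (assumption, not Recommender's rules).
RULES = [
    (re.compile(r"api_?key", re.IGNORECASE), "API key",
     "move the API key to Secret Manager"),
    (re.compile(r".*password", re.IGNORECASE), "password",
     "move the password to Secret Manager"),
    (re.compile(r"GOOGLE_APPLICATION_CREDENTIALS"), "Google Application Credentials",
     "replace with service identity"),
]

def classify(key):
    """Return (kind, action) when the whole key name matches a rule, else None."""
    for pattern, kind, action in RULES:
        if pattern.fullmatch(key):
            return kind, action
    return None

def audit_service(service):
    """List (key, kind, action) for literal env vars in a service description dict."""
    findings = []
    pod_spec = service.get("spec", {}).get("template", {}).get("spec", {})
    for container in pod_spec.get("containers", []):
        for env in container.get("env", []):
            hit = classify(env.get("name", ""))
            # Assumption of this example: a variable filled from a secret
            # reference (valueFrom) is already remediated, so it is skipped.
            if hit and "valueFrom" not in env:
                findings.append((env["name"], *hit))
    return findings

# Constructed sample; values are placeholders and are never inspected.
SAMPLE_SERVICE = {"spec": {"template": {"spec": {"containers": [{"env": [
    {"name": "Api_Key", "value": "placeholder"},
    {"name": "DB_PASSWORD", "value": "placeholder"},
    {"name": "PASSWORD_HINT", "value": "placeholder"},   # does not end in PASSWORD
    {"name": "MY_API_KEY", "value": "placeholder"},      # not a bare API KEY variant
    {"name": "GOOGLE_APPLICATION_CREDENTIALS", "value": "/placeholder/key.json"},
    {"name": "SMTP_PASSWORD",
     "valueFrom": {"secretKeyRef": {"name": "smtp-password", "key": "latest"}}},
]}]}}}}

if __name__ == "__main__":
    for name, kind, action in audit_service(SAMPLE_SERVICE):
        print(f"{name}: might contain {kind}; {action}")
```

Under this reading, a name such as MY_API_KEY is not flagged, so a name-based check complements a review of what each variable actually holds.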

Recommendation availability after deployment

Recommender automatically provides recommendations for a service once a period of time, typically one day, has elapsed after the service was deployed. After this period, recommendations for the service are displayed with the service in the Cloud Run service list in the Google Cloud console and in the Recommendation Hub.

Alternate ways of using recommendations

In addition to the use of recommendations covered on this page inside the Cloud Run UI, recommendations are also available through the following:

View and accept recommendations for Cloud Run

To view and accept a recommendation in the Cloud Run user interface:

  1. Go to Cloud Run

  2. Locate services in the list that have something in the Recommendations column.

  3. Click the Security icon for your service under the column heading Recommendations, to display the recommendation pane for your service.

  4. In the pane, read the insight about your service and the recommendation.

  5. If you accept the recommendation, click the button at the bottom of the pane to make the changes suggested by the recommendation.

  6. Follow the instructions and documentation to change your Cloud Run service as needed.

View recommendations in Recommendation Hub

To view recommendations in Recommendation Hub:

Go to Recommendation Hub

For more information, see the Recommendation Hub Getting started page.

Dismissing a recommendation

Click Dismiss if you want to dismiss the recommendation without applying it. This prevents the recommendation for that function from appearing again for 30 days.