Recommender is a service that automatically provides recommendations and insights for using resources on Google Cloud, based on heuristic methods, machine learning, and current resource usage. Each recommendation includes a link you can click to put the recommendation into effect for your service.
This guide shows how to use Recommender to optimize Cloud Run services for security and costs.
Optimize cost
Recommender optimizes costs for CPU allocation.
Optimize CPU allocation
Recommender automatically looks at traffic received by your Cloud Run service over the past month, and will recommend switching from CPU allocated during requests to CPU always allocated, if this is cheaper. For more details, see CPU allocation.
Optimize security
Recommender increases security by optimizing:
- Service accounts for a Cloud Run service so the service account has the minimal set of required permissions.
- Security of the following items in environment variables:
  - Passwords
  - API keys
  - Google Application Credentials
Google does not examine the values contained in those environment variables. Rather, we do a case-insensitive check on the variable key names, as shown in the following patterns:
- The environment variable key is a case-insensitive variant of `API KEY`, such as `API_KEY`, `api_key`, `APIKEY`, or `apikey`
- The environment variable ends in a case-insensitive variant of `PASSWORD`, such as `PASSWORD` or `password`
- The environment variable is `GOOGLE_APPLICATION_CREDENTIALS`
Security issues addressed by Recommender
The following table shows what Recommender detects and helps you address:
Recommendation | Actions |
---|---|
Service account might have more permissions than are required. | Recommender leads you to configure a new service account that has the minimal set of required permissions. |
Environment variable might contain a password. | Recommender leads you to move the password to Secret Manager. |
Environment variable might contain an API key. | Recommender leads you to move the API key to Secret Manager. |
Environment variable might contain Google Application Credentials. | Recommender leads you to replace this with service identity instead. |
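The key-name check and the actions in the table can be reproduced locally as a pre-deployment audit. The following is an added example, not Recommender's own code: the regular expressions are one reading of the patterns listed above, the `spec.template.spec.containers[].env` layout is assumed to match an exported Cloud Run service definition, and the sample service and the `audit_env_names` helper are constructed for illustration.

```python
import re

# Key-name rules written from the patterns listed above; the regex form is this
# example's reading of them, not Recommender's implementation. Actions are the
# ones given in the table.
RULES = [
    ("API key", re.compile(r"^api_?key$", re.IGNORECASE),
     "move the API key to Secret Manager"),
    ("password", re.compile(r"password$", re.IGNORECASE),
     "move the password to Secret Manager"),
    ("Google Application Credentials",
     re.compile(r"^GOOGLE_APPLICATION_CREDENTIALS$"),
     "replace with service identity"),
]

def audit_env_names(service):
    """Return (container, key, finding, action) for every literal env var whose
    key name matches a rule. Values are never inspected, only key names."""
    findings = []
    for container in service["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            # Entries using valueFrom (e.g. secretKeyRef) hold a reference, not
            # a literal; skipping them is a choice made by this example.
            if "valueFrom" in env:
                continue
            for label, pattern, action in RULES:
                if pattern.search(env["name"]):
                    findings.append(
                        (container.get("name", "?"), env["name"], label, action))
                    break
    return findings

# Constructed sample service spec (not from a real deployment).
SAMPLE_SERVICE = {"spec": {"template": {"spec": {"containers": [{
    "name": "app",
    "env": [
        {"name": "LOG_LEVEL", "value": "info"},
        {"name": "API_KEY", "value": "constructed-value"},
        {"name": "STRIPE_API_KEY", "value": "constructed-value"},
        {"name": "DB_PASSWORD", "value": "constructed-value"},
        {"name": "PASSWORD_HINT", "value": "constructed-value"},
        {"name": "SMTP_PASSWORD", "valueFrom": {"secretKeyRef": {
            "name": "smtp-password", "key": "latest"}}},
        {"name": "GOOGLE_APPLICATION_CREDENTIALS", "value": "/secrets/sa.json"},
    ],
}]}}}}

if __name__ == "__main__":
    for finding in audit_env_names(SAMPLE_SERVICE):
        print(" | ".join(finding))
```

Under this reading of the patterns, `STRIPE_API_KEY` and `PASSWORD_HINT` are not flagged, so a key-name check of this kind should not be the only control for secrets placed in environment variables.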
Recommendation availability after deployment
Recommender automatically provides recommendations for a service after it has been deployed and a period of time has elapsed, typically one day. After this period, recommendations for the service are displayed with the service in the Cloud Run service list in the Google Cloud console and in the Recommendation Hub.
Alternate ways of using recommendations
In addition to the use of recommendations covered on this page inside the Cloud Run UI, recommendations are also available through the following:
View and accept recommendations for Cloud Run
To view and accept a recommendation in the Cloud Run user interface:
Locate services in the list that have something in the Recommendations column.
Click the Security icon for your service under the column heading Recommendations, to display the recommendation pane for your service.
In the pane, read the insight about your service and the recommendation.
If you accept the recommendation, click the button at the bottom of the pane to make the changes suggested by the recommendation.
Follow the instructions and documentation to change your Cloud Run service as needed.
View recommendations in Recommendation Hub
To view recommendations in Recommendation Hub:
For more information, see the Recommendation Hub Getting started page.