Optimizing with Recommender

Recommender is a service that automatically provides recommendations and insights for using resources on Google Cloud, based on heuristic methods, machine learning, and current resource usage. Each recommendation includes a link you can click to put the recommendation into effect for your service.

This topic shows how to use Recommender to optimize Cloud Run services for security and costs.

Optimize cost

Recommender optimizes costs for:

  • CPU allocation
  • Committed use discounts

Optimize CPU allocation

Recommender automatically looks at the traffic your Cloud Run service received over the past month and recommends switching from CPU allocated during requests to CPU always allocated if this is cheaper. For more details, see CPU allocation.

Optimize committed use discounts

The committed use discount (CUD) recommender helps you optimize Cloud Run costs for the projects in your Cloud Billing account by automatically generating recommendations based on historical Cloud Run usage gathered by Cloud Billing. You can use these recommendations to purchase additional commitments and further optimize your Cloud Run costs.

You can view available committed use discount (CUD) recommendations in the Cloud Run UI or the Recommender UI.

Optimize security

Recommender increases security by optimizing:

  • Service accounts for a Cloud Run service so the service account has the minimal set of required permissions.
  • Security of the following items in environment variables:

    • Passwords
    • API keys
    • Google Application Credentials

Google does not examine the values contained in those environment variables. Rather, the variable key names are checked, as shown in the following patterns:

  • The environment variable key in capital letters is API_KEY or APIKEY
  • The environment variable key in capital letters ends with PASSWORD
  • The environment variable key is GOOGLE_APPLICATION_CREDENTIALS
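The key-name patterns above can be checked against your own services before Recommender reports them. The following is an added example, not Google's code or Recommender's implementation: it reads "in capital letters" as a case-insensitive comparison, assumes the service description has the shape returned by `gcloud run services describe SERVICE --format=json`, and assumes that variables already sourced through a `secretKeyRef` need no finding. The function names and the sample service are constructed for illustration.

```python
import json

# Constructed sample shaped like `gcloud run services describe SERVICE --format=json`.
# Values are placeholders; the audit below never reads them.
SAMPLE_SERVICE = json.loads("""
{"metadata": {"name": "orders-api"},
 "spec": {"template": {"spec": {"containers": [{"env": [
   {"name": "Api_Key", "value": "placeholder"},
   {"name": "db_password", "value": "placeholder"},
   {"name": "GOOGLE_APPLICATION_CREDENTIALS", "value": "/placeholder/sa.json"},
   {"name": "SMTP_PASSWORD",
    "valueFrom": {"secretKeyRef": {"name": "smtp-password", "key": "latest"}}},
   {"name": "PASSWORD_MIN_LENGTH", "value": "12"}
 ]}]}}}}
""")


def classify_key(name):
    """Return the finding type for an environment variable key, or None.

    Only the key name is inspected, mirroring the patterns on this page.
    """
    upper = name.upper()
    if upper in ("API_KEY", "APIKEY"):
        return "api_key"
    if upper.endswith("PASSWORD"):
        return "password"
    if name == "GOOGLE_APPLICATION_CREDENTIALS":
        return "google_application_credentials"
    return None


def audit_service(service):
    """List (key, finding) pairs for literal env vars whose key matches a pattern."""
    containers = (service.get("spec", {}).get("template", {})
                  .get("spec", {}).get("containers", []))
    findings = []
    for container in containers:
        for env in container.get("env", []):
            kind = classify_key(env.get("name", ""))
            # Assumption: a secretKeyRef entry is already backed by Secret Manager.
            if kind and "valueFrom" not in env:
                findings.append((env["name"], kind))
    return findings


if __name__ == "__main__":
    for key, kind in audit_service(SAMPLE_SERVICE):
        print(f"{SAMPLE_SERVICE['metadata']['name']}: {key} -> {kind}")
```
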

Security issues addressed by Recommender

The following table shows what Recommender detects and helps you address:

| Recommendation | Actions |
| --- | --- |
| Service account might have more permissions than are required. | Recommender leads you to configure a new service account that has the minimal set of required permissions. |
| Environment variable might contain a password. | Recommender leads you to move the password to Secret Manager. |
| Environment variable might contain an API key. | Recommender leads you to move the API key to Secret Manager. |
| Environment variable might contain Google Application Credentials. | Recommender leads you to replace this with service identity instead. |

Recommendation availability after deployment

Recommender automatically provides recommendations for a service once a period of time, typically one day, has elapsed after deployment. After this period, recommendations for the service are displayed with the service in the Cloud Run service list in the Google Cloud console and in the Recommendation Hub.

Alternate ways of using recommendations

In addition to the use of recommendations covered on this page inside the Cloud Run UI, recommendations are also available through the following:

View and accept recommendations for Cloud Run

To view and accept a recommendation in the Cloud Run user interface:

  1. Go to Cloud Run

  2. Locate services in the list that have something in the Recommendations column.

  3. Click the Security icon for your service under the column heading Recommendations, to display the recommendation pane for your service.

  4. In the pane, read the insight about your service and the recommendation.

  5. If you accept the recommendation, click the button at the bottom of the pane to make the changes suggested by the recommendation.

  6. Follow the instructions and documentation to change your Cloud Run service as needed.

View recommendations in Recommendation Hub

To view recommendations in Recommendation Hub:

Go to Recommendation Hub

For more information, see the Recommendation Hub Getting started page.