Invoking with gRPC

This page shows Cloud Run-specific details for developers who want to use gRPC to connect a Cloud Run service with other services, for example, to provide simple, high performance communication between internal microservices. Note that Cloud Run (fully managed) only supports unary gRPC calls.

gRPC Unary

In a unary RPC call, the client sends a single request to the server and gets a single response back, similar to a normal function call:
rpc SayHello(HelloRequest) returns (HelloResponse);

Possible use cases include:

  • Communication between internal microservices.
  • High loads of data (gRPC uses protocol buffers, which are up to seven times faster than REST calls).
  • Only a simple service definition is needed, you don't want to write a full client library.

To integrate your service with gRPC,

  • Define the request messages and responses in a proto file and compile them.
  • Create a gRPC server to handle requests and return responses: it should listen to the PORT environment variable.
  • Create a client that sends requests and handles responses from the gRPC server.
  • Optionally, add authentication.
  • Build and deploy your service.

Defining and compiling messages in a proto file

There are no extra or Cloud Run specific things to add to your proto definitions. Just as with any other use of gRPC, you use gRPC protocol buffers for service definitions and data serialization.

Creating a gRPC client

There are no extra or Cloud Run specific things to add to a client that uses gRPC: follow the gRPC docs on using service definitions in client code, and the sample clients provided in the language-specific gRPC tutorials.

Listening for gRPC requests in a Cloud Run service

The only special requirement for a gRPC server running in Cloud Run is to listen at the port specified by the PORT environment variable as shown in the code:

Go

func main() {
	log.Printf("grpc-ping: starting server...")

	port := os.Getenv("PORT")
	if port == "" {
		port = "8080"
		log.Printf("Defaulting to port %s", port)
	}

	listener, err := net.Listen("tcp", ":"+port)
	if err != nil {
		log.Fatalf("net.Listen: %v", err)
	}

	grpcServer := grpc.NewServer()
	pb.RegisterPingServiceServer(grpcServer, &pingService{})
	if err = grpcServer.Serve(listener); err != nil {
		log.Fatal(err)
	}
}

Opening a gRPC connection to a service

To open a gRPC connection to a service so you can send gRPC messages, you need to specify the host domain, which is the URL of the Cloud Run service or the custom domain mapped to that service, along with the port 443, which is the port expected to be used by gRPC.

Go


import (
	"crypto/tls"
	"crypto/x509"

	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
)

// NewConn creates a new gRPC connection.
// host should be of the form domain:port, e.g., example.com:443
func NewConn(host string, insecure bool) (*grpc.ClientConn, error) {
	var opts []grpc.DialOption
	if host != "" {
		opts = append(opts, grpc.WithAuthority(host))
	}

	if insecure {
		opts = append(opts, grpc.WithInsecure())
	} else {
		systemRoots, err := x509.SystemCertPool()
		if err != nil {
			return nil, err
		}
		cred := credentials.NewTLS(&tls.Config{
			RootCAs: systemRoots,
		})
		opts = append(opts, grpc.WithTransportCredentials(cred))
	}

	return grpc.Dial(host, opts...)
}

Sending gRPC requests without authentication

The following sample shows how to send a request without authentication, using a gRPC connection configured as mentioned previously.

Go


import (
	"context"
	"time"

	pb "github.com/GoogleCloudPlatform/golang-samples/run/grpc-ping/pkg/api/v1"
	"google.golang.org/grpc"
)

// pingRequest sends a new gRPC ping request to the server configured in the connection.
func pingRequest(conn *grpc.ClientConn, p *pb.Request) (*pb.Response, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()

	client := pb.NewPingServiceClient(conn)
	return client.Send(ctx, p)
}

Sending gRPC requests with authentication

The following sample shows how to use authentication between services, if the calling service has invoker permission to the receiving service. Notice that this code creates an authorization header that has the proper identity token: this is required. The required permissions and the authorization header are described in detail in service to service authentication.

Go


import (
	"context"
	"fmt"
	"time"

	"google.golang.org/api/idtoken"
	"google.golang.org/grpc"
	grpcMetadata "google.golang.org/grpc/metadata"

	pb "github.com/GoogleCloudPlatform/golang-samples/run/grpc-ping/pkg/api/v1"
)

// pingRequestWithAuth mints a new Identity Token for each request.
// This token has a 1 hour expiry and should be reused.
// audience must be the auto-assigned URL of a Cloud Run service or HTTP Cloud Function without port number.
func pingRequestWithAuth(conn *grpc.ClientConn, p *pb.Request, audience string) (*pb.Response, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()

	// Create an identity token.
	// With a global TokenSource tokens would be reused and auto-refreshed at need.
	// A given TokenSource is specific to the audience.
	tokenSource, err := idtoken.NewTokenSource(ctx, audience)
	if err != nil {
		return nil, fmt.Errorf("idtoken.NewTokenSource: %v", err)
	}
	token, err := tokenSource.Token()
	if err != nil {
		return nil, fmt.Errorf("TokenSource.Token: %v", err)
	}

	// Add token to gRPC Request.
	ctx = grpcMetadata.AppendToOutgoingContext(ctx, "authorization", "Bearer "+token.AccessToken)

	// Send the request.
	client := pb.NewPingServiceClient(conn)
	return client.Send(ctx, p)
}