This page shows you how to create an Eventarc trigger so that a Cloud Run service can receive events from another Google Cloud service.
Eventarc is a Google Cloud service that lets you build event-driven architectures without having to implement, customize, or maintain the underlying infrastructure.
You can create an Eventarc trigger by specifying filters for the trigger and configuring the routing of the event, including the event source and the target Cloud Run service. When the specified event or set of events match the filters, this causes your Cloud Run service to be invoked automatically, in response to the events. A service that uses Eventarc triggers is called an event-driven service. Events sent to your Cloud Run service are received in the form of HTTP requests.
The following event types trigger requests to your service:
- An audit log is created that matches the trigger's filter criteria
- Direct events such as an update to a Cloud Storage bucket
- Direct messages published to a Pub/Sub topic
You can also create an Eventarc trigger using the Google Cloud CLI or through the Eventarc console page. For instructions on creating a trigger for a specific provider, event type, and destination, filter the list to learn more about Eventarc's Event providers and destinations.
Trigger location
When you create an Eventarc trigger, you specify a location for it. This should match the location of the Google Cloud resource that you want to monitor for events. In most scenarios, you should also deploy your event-driven Cloud Run service in the same region. For more information, see Understand Eventarc locations.
Trigger identity
Your Eventarc trigger's service account must have permission to invoke your service. You may need to verify that the Default compute service account has the correct permissions to invoke your service. For more information, see Required roles.
Before you begin
Make sure you have set up a new project for Cloud Run as described in the setup page.
Enable the Artifact Registry, Cloud Build, Cloud Run Admin API, and Eventarc APIs:
Required roles
-
If you are the project creator, you are granted the basic Owner role (
roles/owner
). By default, this Identity and Access Management (IAM) role includes the permissions necessary for full access to most Google Cloud resources and you can skip this step.If you are not the project creator, required permissions must be granted on the project to the appropriate principal. For example, a principal can be a Google Account (for end users) or a service account (for applications and compute workloads). For more information, see the Roles and permissions page for your event destination.
Note that by default, Cloud Build permissions include permissions to upload and download Artifact Registry artifacts.
Required permissions
To get the permissions that you need to configure Eventarc triggers, ask your administrator to grant you the following IAM roles on your project:
-
Cloud Build Editor (
roles/cloudbuild.builds.editor
) -
Cloud Run Admin (
roles/run.admin
) -
Eventarc Admin (
roles/eventarc.admin
) -
Logs View Accessor (
roles/logging.viewAccessor
) -
Project IAM Admin (
roles/resourcemanager.projectIamAdmin
) -
Service Account Admin (
roles/iam.serviceAccountAdmin
) -
Service Account User (
roles/iam.serviceAccountUser
) -
Service Usage Admin (
roles/serviceusage.serviceUsageAdmin
)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
-
Cloud Build Editor (
Make note of the Compute Engine default service account as you will you attach it to an Eventarc trigger to represent the identity of the trigger for testing purposes. This service account is automatically created after enabling or using a Google Cloud service that uses Compute Engine, and with the following email format:
PROJECT_NUMBER-compute@developer.gserviceaccount.com
Replace
PROJECT_NUMBER
with your Google Cloud project number. You can find your project number on the Welcome page of the Google Cloud console or by running the following command:gcloud projects describe PROJECT_ID --format='value(projectNumber)'
For production environments, we strongly recommend creating a new service account and granting it one or more IAM roles that contain the minimum permissions required and follow the principle of least privilege.
- By default, Cloud Run services are only callable by Project
Owners, Project Editors, and Cloud Run Admins and Invokers.
You can
control
access on a per-service basis; however, for testing purposes, grant the
Cloud Run
Invoker role (
run.invoker
) on the Google Cloud project to the Compute Engine service account. This grants the role on all Cloud Run services and jobs in a project.gcloud projects add-iam-policy-binding PROJECT_ID \ --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com \ --role=roles/run.invoker
Note that if you create a trigger for an authenticated Cloud Run service without granting the Cloud Run Invoker role, the trigger is created successfully and is active. However, the trigger will not work as expected and a message similar to the following appears in the logs:
The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header.
- Grant the
Eventarc
Event Receiver role (
roles/eventarc.eventReceiver
) on the project to the Compute Engine default service account so that the Eventarc trigger can receive events from event providers.gcloud projects add-iam-policy-binding PROJECT_ID \ --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com \ --role=roles/eventarc.eventReceiver
- If you enabled the Cloud Pub/Sub service agent on or before April
8, 2021, to support authenticated Pub/Sub push requests, grant
the Service
Account Token Creator role (
roles/iam.serviceAccountTokenCreator
) to the service agent. Otherwise, this role is granted by default:gcloud projects add-iam-policy-binding PROJECT_ID \ --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com \ --role=roles/iam.serviceAccountTokenCreator
Create a trigger for services
You can specify a trigger after you deploy a service.
Click the tab for instructions using the tool of your choice.
Console
Deploy your Cloud Run service using containers or from source.
In the Google Cloud console, go to Cloud Run:
From the list of services, click an existing service.
On the Service details page, navigate to the Triggers tab.
Click Add trigger, and select an option.
In the Eventarc trigger pane, modify the trigger details as follows:
In the Trigger name filed, enter a name for the trigger, or use the default name.
Select a Trigger type from the list to specify one of the following trigger types:
Google Sources to specify triggers for Pub/Sub, Cloud Storage, Firestore, and other Google event providers.
Third-party to integrate with non-Google providers that offer an Eventarc source. For more information, see Third-party events in Eventarc.
Select an event provider from the Event provider list, to select a product that provides the type of event for triggering your service. For the list of event providers, see Event providers and destinations.
Select an event type from the Event type list. Your trigger configuration varies depending on the supported event type. For more information, see Event types.
If the Region field is enabled, select a location for the Eventarc trigger. In general, the location of an Eventarc trigger should match the location of the Google Cloud resource that you want to monitor for events. In most scenarios, you should also deploy your service in the same region. See Understand Eventarc locations for more details about Eventarc trigger locations.
In the Service account field, select a service account. Eventarc triggers are linked to service accounts to use as an identity when invoking your service. Your Eventarc trigger's service account must have the permission to invoke your service. By default, Cloud Run uses the Compute Engine default service account.
Optionally, specify the Service URL path to send the incoming request to. This is the relative path on the destination service to which the events for the trigger should be sent. For example:
/
,/route
,route
, androute/subroute
.Once you've completed the required fields, click Save trigger.
After creating the trigger, verify its health by ensuring that there is a checkmark check_circle on the Triggers tab.
gcloud
Deploy your Cloud Run service using containers or from source.
Run the following command to create a trigger that filters events:
gcloud eventarc triggers create TRIGGER_NAME \ --location=REGION \ --destination-run-service=SERVICE \ --destination-run-region=REGION \ --event-filters="EVENT_FILTER" \ --service-account=PROJECT_NUMBER-compute@developer.gserviceaccount.com
Replace:
TRIGGER_NAME with the name for your trigger.
EVENTARC_TRIGGER_LOCATION with the location for the Eventarc trigger. In general, the location of an Eventarc trigger should match the location of the Google Cloud resource that you want to monitor for events. In most scenarios, you should also deploy your service in the same region. For more information, see Eventarc locations.
SERVICE with the name of the service you are deploying.
REGION with the Cloud Run region of the service.
PROJECT_NUMBER with your Google Cloud project number. Eventarc triggers are linked to service accounts to use as an identity when invoking your service. Your Eventarc trigger's service account must have the permission to invoke your service. By default, Cloud Run uses the Default compute service account.
The
event-filters
flag specifies the event filters that the trigger monitors. An event that matches all theevent-filters
, filters triggers calls to your service. Each trigger must have a supported event type. You can't change the event filter type after creation. To change the event filter type, you must create a new trigger and delete the old one. Optionally, you can repeat the--event-filters
flag with a supported filter in the formATTRIBUTE=VALUE
to add more filters.
Create a trigger for functions
Click the tab for instructions using the tool of your choice.
Console
When you use the Google Cloud console to create a function, you can also add a trigger to your function. Follow these steps to create a trigger for your function:
In the Google Cloud console, go to Cloud Run:
Click Write a function, and enter the function details. For more information about configuring functions during deployment, see Deploy functions.
In the Trigger section, click Add trigger.
Select an option.
In the Eventarc trigger pane, modify the trigger details as follows:
Enter a name for the trigger in the Trigger name field, or use the default name.
Select a Trigger type from the list to specify one of the following trigger types:
Google Sources to specify triggers for Pub/Sub, Cloud Storage, Firestore, and other Google event providers.
Third-party to integrate with non-Google providers that offer an Eventarc source. For more information, see Third-party events in Eventarc.
Select an event provider from the Event provider list, to select a product that provides the type of event for triggering your function. For the list of event providers, see Event providers and destinations.
Select an event type from the Event type list. Your trigger configuration varies depending on the supported event type. For more information, see Event types.
If the Region field is enabled, select a location for the Eventarc trigger. In general, the location of an Eventarc trigger should match the location of the Google Cloud resource that you want to monitor for events. In most scenarios, you should also deploy your function in the same region. See Understand Eventarc locations for more details about Eventarc trigger locations.
In the Service account field, select a service account. Eventarc triggers are linked to service accounts to use as an identity when invoking your function. Your Eventarc trigger's service account must have the permission to invoke your function. By default, Cloud Run uses the Compute Engine default service account.
Optionally, specify the Service URL path to send the incoming request to. This is the relative path on the destination service to which the events for the trigger should be sent. For example:
/
,/route
,route
, androute/subroute
.
Once you've completed the required fields, click Save trigger.
gcloud
When you create a function using the gcloud CLI, you must first deploy your function, and then create a trigger. Follow these steps to create a trigger for your function:
Run the following command in the directory that contains the sample code to deploy your function:
gcloud beta run deploy FUNCTION \ --source . \ --function FUNCTION_ENTRYPOINT \ --base-image BASE_IMAGE_ID \ --region REGION
Replace:
FUNCTION with the name of the function you are deploying. You can omit this parameter entirely, but you will be prompted for the name if you omit it.
FUNCTION_ENTRYPOINT with the entry point to your function in your source code. This is the code Cloud Run executes when your function runs. The value of this flag must be a function name or fully-qualified class name that exists in your source code.
BASE_IMAGE_ID with the base image environment for your function. For more details about base images and the packages included in each image, see Runtimes base images.
REGION with the Google Cloud region where you want to deploy your function. For example,
us-central1
.
Run the following command to create a trigger that filters events:
gcloud eventarc triggers create TRIGGER_NAME \ --location=REGION \ --destination-run-service=FUNCTION \ --destination-run-region=REGION \ --event-filters="EVENT_FILTER" \ --service-account=PROJECT_NUMBER-compute@developer.gserviceaccount.com
Replace:
TRIGGER_NAME with the name for your trigger.
EVENTARC_TRIGGER_LOCATION with the location for the Eventarc trigger. In general, the location of an Eventarc trigger should match the location of the Google Cloud resource that you want to monitor for events. In most scenarios, you should also deploy your function in the same region. For more information, see Eventarc locations.
FUNCTION with the name of the function you are deploying.
REGION with the Cloud Run region of the function.
PROJECT_NUMBER with your Google Cloud project number. Eventarc triggers are linked to service accounts to use as an identity when invoking your function. Your Eventarc trigger's service account must have the permission to invoke your function. By default, Cloud Run uses the Default compute service account.
The
event-filters
flag specifies the event filters that the trigger monitors. An event that matches all theevent-filters
, filters triggers calls to your function. Each trigger must have a supported event type. You can't change the event filter type after creation. To change the event filter type, you must create a new trigger and delete the old one. Optionally, you can repeat the--event-filters
flag with a supported filter in the formATTRIBUTE=VALUE
to add more filters.
What's next
- Learn more about Eventarc
- Understand the billable components of Eventarc
- Create triggers for functions deployed in Cloud Run
- Google event types supported by Eventarc.
- Enable event retries in Eventarc