Configure a Cloud Run service in Application Design Center

Cloud Run is a fully managed application platform that lets you run containers directly on top of Google's scalable infrastructure. For more information, see Cloud Run overview.

This document describes the connections and parameters you can configure when using App Design Center to create a Cloud Run service. The configuration parameters are based on the terraform-google-cloud-run Terraform module.

Component connections

The following table includes the components that you can connect to a Cloud Run service, and the resulting updates to your application and its generated Terraform code.

Connected component

Application updates

Background information
Secret Manager
  • The Cloud Run service can reference the secret data.
  • The Secret Manager Secret Data field is referenced by the Cloud Run env_secret_vars field.
  • The roles/secretmanager.secretAccessor role is added to the Cloud Run service account.
 Configure secrets for services

Service account
  • The Cloud Run service uses the service account as a service identity.
  • The roles/run.invoker role is added to the service account.
  • The service account email and IAM information are added to the Cloud Run environment variables.
 Authenticating service-to-service
AlloyDB for PostgreSQL
  • The Cloud Run service can connect to the AlloyDB for PostgreSQL instance.
  • The AlloyDB for PostgreSQL resource metadata is added to the Cloud Run environment variables.
  • The AlloyDB for PostgreSQL roles/alloydb.admin role is added to the Cloud Run service account.
 Connect from Cloud Run
BigQuery
  • The Cloud Run service can interact with the BigQuery dataset.
  • The BigQuery resource metadata is added to the Cloud Run environment variables.
  • The BigQuery roles/bigquery.dataEditor role is added to the Cloud Run service account.
 BigQuery overview

Bigtable
  • The Cloud Run service can perform administrative functions on the Bigtable instance.
  • The Bigtable resource metadata information is added to the Cloud Run environment variables.
  • The roles/bigtable.admin role is added to the Cloud Run service account.
 Bigtable overview

Another Cloud Run service
  • The source Cloud Run service can send traffic to the destination Cloud Run service.
  • The source Cloud Run service contains the destination Cloud Run service URI in its environment variables.
 What is Cloud Run

Cloud SQL (MySQL)
  • The Cloud Run service can read and write data to the Cloud SQL (MySQL) instance.
  • The Cloud SQL connection metadata is added to the Cloud Run service.
  • The roles/cloudsql.instanceUser and roles/cloudsql.client roles are added to the Cloud Run service account.
  • The Cloud Run service account is added as an IAM user to the Cloud SQL instance.
 Connect from Cloud Run

Cloud SQL (PostgreSQL)
  • The Cloud Run service can read and write data to the Cloud SQL (PostgreSQL) instance.
  • The Cloud SQL connection metadata is added to the Cloud Run service.
  • The roles/cloudsql.instanceUser and roles/cloudsql.client roles are added to the Cloud Run service account.
  • The Cloud Run service account is added as an IAM user to the Cloud SQL instance.
 Connect from Cloud Run

Cloud Storage
  • The Cloud Run service can manage objects in the Cloud Storage bucket.
  • The Cloud Run service account IAM information is added to the Cloud Storage bucket.
  • The roles/storage.objectAdmin role is assigned to the Cloud Run service account.
 Connect to Google Cloud services

Global Cloud Load Balancing backend
  • The load balancer can distribute incoming traffic to the Cloud Run service.
  • The Cloud Run service is added as a backend endpoint in the Cloud Load Balancing serverless NEG backends configuration.
 Set up a global external Application Load Balancer with Cloud Run

Memorystore for Redis
  • The Cloud Run service can cache data in the Memorystore for Redis instance.
  • The Memorystore for Redis connection information is added to the Cloud Run environment variables.
  • The roles/redis.editor role is added to the Cloud Run service account.
 Connecting to a Redis instance from a Cloud Run service

Pub/Sub
  • The Cloud Run service can receive messages or publish to the Pub/Sub topic.
  • The Pub/Sub topic ID is added to the Cloud Run environment variables.
  • The roles/pubsub.publisher and roles/pubsub.subscriber roles are added to the Cloud Run service account.
  • The Cloud Run service is added to the Pub/Sub push and pull subscription fields.
 Use Pub/Sub with Cloud Run tutorial

Regional Cloud Load Balancing backend
  • The load balancer can distribute incoming traffic to the Cloud Run service.
  • The Cloud Run service is added as a backend endpoint in the Cloud Load Balancing serverless NEG backends configuration.
 Set up a regional external Application Load Balancer with Cloud Run

Regional Cloud Load Balancing frontend
  • The HTTP and HTTPS IP addresses of the load balancer are available to the application running in the Cloud Run container.
  • The Cloud Load Balancing address metadata is added to the Cloud Run environment variables.
 Forwarding rules overview

Spanner
  • The Cloud Run service can manage the Spanner instance.
  • The Spanner connection details are added to the Cloud Run environment variables.
  • The roles/spanner.databaseAdmin role is added to the Cloud Run service account.
  • The Cloud Run service account IAM information is added to the Spanner instance.
 Connect to Google Cloud services

Vertex AI
  • The Cloud Run service can interact with Vertex AI services.
  • The roles/aiplatform.user role is added to the Cloud Run service account.
 Host AI apps and agents on Cloud Run

Required configuration parameters

If your template includes a Cloud Run component, you must configure the following parameters before you deploy.

Parameter name

Description and constraints

Background information

Project ID

The project where you want to deploy the Cloud Run resource.

 Configure components

Region

The Cloud Run service deployment location.

 Cloud Run locations

Service Name

 name Cloud Run service

Optional configuration parameters

The following parameters are optional. To display advanced parameters, in the Configuration area, select Show advanced fields.

Feature

Subfeature

Parameter name

Description and constraint information

Background information
Containers

Container Name

 name Building containers

Container Image

 image Deploying container images to Cloud Run

Working Dir

The container's working directory. If not specified, the container runtime's default is used, which might be configured in the container image.

 workingDir

Depends on Container

 dependsOn[] Configure container start order for sidecar deployments

Container Args

 args[] Configure containers for services

Container Command

 command Configure containers for services
Env Vars

Key

 name Environment variables for services

Value

 value Environment variables for services
Env Secret Vars

Key

 EnvVarSource Manage secrets

Secret

 secret Manage secrets

Version

 version Manage secrets
Volume Mounts

Name

 name Connect from Cloud Run

Mount Path

 mountPath Connect from Cloud Run
Ports

Name

 name Use HTTP/2 for services

Container Port

 containerPort Use HTTP/2 for services
Resources

CPU

 limits Configure CPU limits for services

Memory

 limits Configure memory limits for services

CPU Idle

Whether CPU is only allocated during requests.

 cpuIdle

Startup CPU Boost

 startupCPUBoost Set startup CPU boost
Startup Probe

Failure Threshold

 failureThreshold Configure container health checks for services

Initial Delay Seconds

 initialDelaySeconds Configure probes

Timeout Seconds

 timeoutSeconds Configure probes

Period Seconds

 periodSeconds Configure probes

HTTP Get Path

 path Configure probes

HTTP Get Port

 port Configure probes

HTTP Headers Name

 name Configure probes

HTTP Headers Value

 value Configure probes

TCP Socket Port

 port The default TCP startup probe

GRPC Port

 port Configure probes

GRPC Service

 service Configure probes

Liveness Probe

 livenessProbe Use cases

Description

 description Set service descriptions

Create Service Account

Create a new service account for the Cloud Run service.

 Configure service identity for jobs

Service Account Project Roles

Roles to grant to the newly created service account. Enable Create Service Account and don't provide input for Service Account.

 Configure service identity for jobs

Ingress

 IngressTraffic Restrict network ingress for Cloud Run

Members

Users and service accounts that can invoke the service. For public access, enter allUsers. For access by logged-in Google users, enter allAuthenticatedUsers, or enter a list of specific users and service accounts. For more information, see members.

 Configure service identity for jobs

VPC Access

Connector

 connector VPC with connectors

Egress egress Control egress service traffic

Network Interfaces

 Network network Deploy a service
Subnetwork subnetwork Deploy a service
Tags tags Deploy a service

Cloud Run Deletion Protection

Prevents Terraform from destroying or recreating Cloud Run jobs and services.

 deletion_protection

Enable Prometheus Sidecar

Enable Promethus sidecar in the Cloud Run instance.

 Write Prometheus metrics by using the Prometheus sidecar

Volumes

Name

 name Configure an in-memory volume
Secret Secret secret Make a secret accessible to Cloud Run
Default Mode defaultMode
Path path Make a secret available to Cloud Run
Version version Make a secret available to Cloud Run
Mode mode Make a secret available to Cloud Run
Cloud SQL Instance Instances instances[] Connect from Cloud Run
Empty Dir Medium medium Configure in-memory volume mounts for services
Size Limit sizeLimit Configure in-memory volume mounts for services
GCS Bucket bucket Configure Cloud Storage volume mounts for services
Read Only readOnly Configure Cloud Storage volume mounts for services
NFS Server server Configure NFS volume mounts for services
Path path Configure NFS volume mounts for services
Read Only readOnly Configure NFS volume mounts for services

Service Scaling

Min Instance Count

 minInstanceCount Set minimum instances for services

Revision

 revision Cloud Run service revisions

Template Scaling

Min Instance Count

 minInstanceCount Set minimum instances for services
Max Instance Count maxInstanceCount About maximum instances

Encryption Key

 encryptionKey Using customer managed encryption keys

Max Instance Request Concurrency

 maxInstanceRequestConcurrency Maximum concurrent requests for services

Session Affinity

 sessionAffinity Set session affinity for services

Execution Environment

 executionEnvironment About service execution environments

Traffic

Type

 type Rollbacks, gradual rollouts, and traffic migration
Percent percent Rollbacks, gradual rollouts, and traffic migration
Revision revision Rollbacks, gradual rollouts, and traffic migration
Tag tag Rollbacks, gradual rollouts, and traffic migration

Service Labels

Key

 labels Configure labels for services
Value labels Configure labels for services

Service Annotations

Key

 annotations annotations
Value annotations annotations

Client

Name

Arbitrary identifier for the API client.

 client
Version

Arbitrary identifier for the version identifier.

 clientVersion

Launch Stage

 LaunchStage Product launch stages

Custom Audiences

 customAudience Set custom audiences for services

Binary Authorization

Breakglass Justification

 breakglassJustification Use breakglass
Use Default useDefault Use Binary Authorization

Template Labels

Key

 labels Configuring labels for services
Value labels Configuring labels for services

Template Annotations

Key

 annotations annotations
Value annotations annotations

Timeout

 timeout Set request timeout for services

Service Account

 serviceAccount Configure service identity for services