Cloud Build can notify you of build updates by sending you notifications to selected channels, such as Slack or your SMTP server. This page explains how to configure notifications using the SMTP notifier.
Before you begin
- 
  
  
    
      Enable the Cloud Build, Compute Engine, Cloud Run, Pub/Sub, and Secret Manager APIs. Roles required to enable APIs To enable APIs, you need the Service Usage Admin IAM role ( roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.
- Install the Google Cloud CLI.
Configuring email notifications
To send email notifications, you will need a running SMTP server and access to
an account on that server, including the account's username and password that
will be used to send notifications. You can use any existing SMTP server, but
will need access to the server name and port. For example, the server name for
Gmail is smtp.gmail.com and the port is 587. Make sure that your SMTP
server's delivery quotas can handle the volume of email you expect to generate.
The following section explains how you can manually configure email notifications using the SMTP notifier. If you would like to automate the configuration instead, see Automating configuration for notifications.
To configure email notifications:
- Store the sender's email account password in Secret Manager. Note that for gmail, you will need to use the app password instead of the account sign-in password. - Open the Secret Manager page in the Google Cloud console: 
- Click Create secret. 
- Enter a name for your secret. 
- Under Secret value, add the sender's email account password. 
- To save your secret, click Create secret. 
 
- While your Cloud Run service account may have the Editor role for your project, the Editor role isn't sufficient to access your secret in Secret Manager. To give your Cloud Run service account access to your secret, do the following: - Go to the IAM page in the Google Cloud console: 
- Locate the Compute Engine default service account associated with with your project: - Your Compute Engine default service account will look similar to the following: - project-number-compute@developer.gserviceaccount.com- Take note of your Compute Engine default service account. 
- Open the Secret Manager page in the Google Cloud console: 
- Click the secret name that contains the secret for your sender's email account password. 
- In the Permissions tab, click Add member. 
- Add the Compute Engine default service account associated with your project as a member. 
- Select Secret Manager Secret Accessor permission as the role. 
- Click Save. 
 
- Give your Cloud Run service account permission to read from Cloud Storage buckets: - Go to the IAM page in the Google Cloud console: 
- Locate the Compute Engine default service account associated with with your project: - Your Compute Engine default service account will look similar to the following: - project-number-compute@developer.gserviceaccount.com
- Click the pencil icon in the row containing your Compute Engine default service account. You will see the Edit access tab. 
- Click Add another role. 
- Add the following role: - Storage Object Viewer
 
- Click Save. 
 
- Write a notifier configuration file to configure your SMTP notifier and filter on build events: - In the following example notifier configuration file, the - filterfield uses Common Expression Language with the available variable,- build, to filter build events with a- SUCCESSstatus:- apiVersion: cloud-build-notifiers/v1 kind: SMTPNotifier metadata: name: example-smtp-notifier spec: notification: filter: build.status == Build.Status.SUCCESS params: buildStatus: $(build.status) delivery: server: server-host-name port: "port" sender: sender-email from: from-email recipients: - recipient-email # optional: more emails here password: secretRef: smtp-password template: type: golang uri: gs://bucket_name/smtp.html secrets: - name: smtp-password value: projects/project-id/secrets/secret-name/versions/latest- Where: - buildStatusis a user-defined parameter. This parameter takes on the value of $(build.status), the status of the build.
- bucket-nameis the name of your bucket.
- server-host-nameis the address of your SMTP server.
- portis the port that will handle SMTP requests. This value should be specified as a string.
- sender-emailis the email address of the sender account that is seen by the specified server-host-name.
- from-emailis the email address that is seen by recipients.
- recipient-emailis a list of one or more email addresses to receive messages from the sender.
- smtp-passwordis the configuration variable used in this example to reference the sender's email account password stored in Secret Manager. The variable name you specify here should match the- namefield under- secrets.
- project-idis the ID of your Google Cloud project.
- secret-nameis the name of your secret that contains the password to the sender's email account.
- The - urifield references the- smtp.htmlfile. This files refers to a html template hosted on Cloud Storage and represents your notification email.
 - To view the example, see the notifier configuration file for the SMTP notifier. - For additional fields you can filter by, see the Build resource. For additional filtering examples, see the Using CEL to filter build events. 
- Upload your notifier configuration file to a Cloud Storage bucket: - If you don't have a Cloud Storage bucket, run the following command to create a bucket, where - bucket-nameis the name you want to give your bucket, subject to naming requirements.- gcloud storage buckets create gs://bucket-name/
- Upload the notifier configuration file to your bucket: - gcloud storage cp config-file-name gs://bucket-name/config-file-name- Where: - bucket-nameis the name of your bucket.
- config-file-nameis the name of your configuration file.
 
 
- Deploy your notifier to Cloud Run: - gcloud run deploy service-name \ --image=us-east1-docker.pkg.dev/gcb-release/cloud-build-notifiers/smtp:latest \ --no-allow-unauthenticated \ --update-env-vars=CONFIG_PATH=config-path,PROJECT_ID=project-id- Where: - service-nameis the name of the Cloud Run service to which you're deploying the image.
- config-pathis the path to the notifier config file for your SMTP notifier,- gs://bucket-name/config-file-name.
- project-idis the ID of your Google Cloud project.
 - The - gcloud run deploycommand pulls the latest version of the hosted image from the Cloud Build-owned Artifact Registry. Cloud Build supports notifier images for nine months. After nine months, Cloud Build deletes the image version. If you would like to use a prior image version, you will need to specify the full semantic version of the image tag in the- imageattribute of your- gcloud run deploycommand. Previous image versions and tags can be found in Artifact Registry.
- Grant Pub/Sub permissions to create authentication tokens in your Google Cloud project: - gcloud projects add-iam-policy-binding project-id \ --member=serviceAccount:service-project-number@gcp-sa-pubsub.iam.gserviceaccount.com \ --role=roles/iam.serviceAccountTokenCreator- Where: - project-idis the ID of your Google Cloud project.
- project-numberis your Google Cloud project number.
 
- Create a service account to represent your Pub/Sub subscription identity: - gcloud iam service-accounts create cloud-run-pubsub-invoker \ --display-name "Cloud Run Pub/Sub Invoker"- You can use - cloud-run-pubsub-invokeror use a name unique within your Google Cloud project.
- Give the - cloud-run-pubsub-invokerservice account the Cloud Run- Invokerpermission:- gcloud run services add-iam-policy-binding service-name \ --member=serviceAccount:cloud-run-pubsub-invoker@project-id.iam.gserviceaccount.com \ --role=roles/run.invoker- Where: - service-nameis the name of the Cloud Run service to which you're deploying the image.
- project-idis the ID of your Google Cloud project.
 
- Create the - cloud-buildstopic to receive build update messages for your notifier:- gcloud pubsub topics create cloud-builds- You can also define a custom topic name in your build config file so that messages are sent to the custom topic instead. In this case, you would create a topic with the same custom topic name: - gcloud pubsub topics create topic-name- For more information, see Pub/Sub topics for build notifications. 
- Create a Pub/Sub push subscriber for your notifier: - gcloud pubsub subscriptions create subscriber-id \ --topic=cloud-builds \ --push-endpoint=service-url \ --push-auth-service-account=cloud-run-pubsub-invoker@project-id.iam.gserviceaccount.com- Where: - subscriber-idis the name you want to give your subscription.
- service-urlis the Cloud Run-generated URL for your new service.
- project-idis the ID of your Google Cloud project.
 
Notifications for your Cloud Build project are now set up. The next
time you invoke a build, specified recipients will receive an email with a
notification if the build matches the filter you've configured.
Using CEL to filter build events
Cloud Build uses CEL with the variable, build, on fields
listed in the Build
resource to access fields associated with your build event such as
your trigger ID, image list, or substitution values. You can use the filter
string to filter build events in your build config file using
any field listed in the Build
resource. To find the exact syntax associated with your field, see the
cloudbuild.proto 
file.
Filtering by trigger ID
To filter by trigger ID, specify the value of your trigger ID in the filter
field using build.build_trigger_id, where trigger-id is
your trigger ID as a string:
filter: build.build_trigger_id == trigger-id
Filtering by status
To filter by status, specify the build status you want to filter on
in the filter field using build.status.
The following example shows how to filter build events with a SUCCESS
status using the filter field:
filter: build.status == Build.Status.SUCCESS
You can also filter builds with varying statuses. The following example shows
how to filter build events that have a SUCCESS, FAILURE, or
TIMEOUT status using the filter field:
filter: build.status in [Build.Status.SUCCESS, Build.Status.FAILURE, Build.Status.TIMEOUT]
To see additional status values you can filter by, see Status under the Build resource reference.
Filtering by tag
To filter by tag, specify the value of your tag in the filter
field using build.tags, where tag-name is
the name of your tag:
filter: tag-name in build.tags
You can filter based on the number of tags specified in your build event
using size. In the following example, the filter field filters
build events that have exactly two tags specified with one tag specified as
v1:
filter: size(build.tags) == 2 && "v1" in build.tags
Filtering by images
To filter by images, specify the value of your image in the filter field
using build.images, where image-name is the full name
of your image as listed in Artifact Registry such as
us-east1-docker.pkg.dev/my-project/docker-repo/image-one:
filter: image-name in build.images
In the following example, the filter filters on build events that have
either us-east1-docker.pkg.dev/my-project/docker-repo/image-one or
us-east1-docker.pkg.dev/my-project/docker-repo/image-two specified as
image names:
filter: "us-east1-docker.pkg.dev/my-project/docker-repo/image-one" in build.images || "us-east1-docker.pkg.dev/my-project/docker-repo/image-one" in build.images
Filtering by time
You can filter build events based on a build's create time, start time, or
finish time by specifying one of the following options in your filter
field: build.create_time, build.start_time, or build.finish_time.
In the following example, the filter field uses timestamp to filter
build events with a request time to create the build at July 20, 2020 at 6:00 AM:
filter: build.create_time == timestamp("2020-07-20:T06:00:00Z")
You can also filter on build events by time comparisons. In the following example,
the filter field uses timestamp to filter build events with a start time
between July 20, 2020 at 6:00 AM and July 30, 2020 at 6:00 AM.
filter: timestamp("2020-07-20:T06:00:00Z") >= build.start_time && build.start_time <= timestamp("2020-07-30:T06:00:00Z")
To learn more about how timezones are expressed in CEL, see the language definition for timezones.
To filter by duration of a build, you can use duration to compare timestamps.
In the following example, the filter field uses duration to filter
build events with a builds that run for at least five minutes:
filter: build.finish_time - build.start_time >= duration("5m")
Filtering by substitution
You can filter by substitution by specifying the substitution variable
in the filter field using build.substitutions. In the following example,
the filter field lists builds that contain the substitution variable
substitution-variable and checks if the substitution-variable matches the specified substitution-value:
filter: build.substitutions[substitution-variable] == substitution-value
Where:
- substitution-variableis the name of your substitution variable.
- substitution-valueis the name of your substitution value.
You can also filter by default substitution variable values. In the following
example, the filter field lists builds that have the branch name master
and builds that have the repository name github.com/user/my-example-repo. The
default substitution variables BRANCH_NAME and REPO_NAME are passed in
as keys to the build.substitutions:
filter: build.substitutions["BRANCH_NAME"] ==&& "master"  build.substitutions["REPO_NAME"] == "github.com/user/my-example-repo"
If you want to filter on strings using regular expressions, you can use the
built-in matches function. In the example below, the filter field filters
for builds with a status of FAILURE or TIMEOUT and that also have a build
substitution variable TAG_NAME with a value that matches the regular expression
v{DIGIT}.{DIGIT}.{3 DIGITS}).
filter: build.status in [Build.Status.FAILURE, Build.Status.TIMEOUT] && build.substitutions["TAG_NAME"].matches("^v\\d{1}\\.\\d{1}\\.\\d{3}$")
To see a list of default substitution values, see Using default substitutions.
What's next
- Learn about Cloud Build notifiers.
- Learn how to subscribe to build notifications.
- Learn how to write a Cloud Build build configuration file.