Deploy a Cloud Run function

This page describes how to deploy and modify aCloud Run function. For an example walkthrough of deploying aHello World function, seeDeploy a sample function.

Cloud Run function deployments automatically useGoogle Cloud's buildpacks and Cloud Build to build container images from yourfunction's source code. You don't need to install Docker on your machine or setup buildpacks or Cloud Build.

Cloud Run function deployments also use Artifact Registry to storeartifacts and manage container images. Artifact Registry automatically creates theArtifact Registry repository calledcloud-run-source-deploy, if your project hasn'talready created one with this name.

If you have existing functions and need to use thegcloud functions deploy command, the Cloud Functions v2 API, or thegoogle_cloudfunctions2_function Terraform configuration for backwardcompatibility, seeDeploy functions with thegcloud functions deploy command.

Before you begin

  1. Make sure you have set up a new project for Cloud Run, as describedin thesetup page.

  2. Enable the Artifact Registry, Cloud Build, Cloud Run Admin API, andCloud Logging APIs:

      gcloud services enable artifactregistry.googleapis.com \      cloudbuild.googleapis.com \      run.googleapis.com \      logging.googleapis.com

    Optionally, enable the Eventarc API to use event triggers:

      gcloud services enable eventarc.googleapis.com

  3. If you are under a domain restriction organization policyrestricting unauthenticated invocations for your project, you will need to access your deployed service as described underTesting private services.

Required roles

To deploy Cloud Run functions, you or your administrator mustgrant the following IAM roles to the deployer account andthe service account:

Click to view required roles for the deployer account

To get the permissions that you need to build and deploy from source, ask your administrator to grant you the following IAM roles:

Click to view required roles for the Cloud Build service account

Cloud Build automatically uses theCompute Engine default service account as the default Cloud Build service account to build your source code and Cloud Run resource, unless you override this behavior. For Cloud Build to build your sources, ask your administrator to grantCloud Run Builder (roles/run.builder) to the Compute Engine default service account on your project:

gcloudprojectsadd-iam-policy-bindingPROJECT_ID\--member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com\--role=roles/run.builder

ReplacePROJECT_NUMBER with your Google Cloud project number, andPROJECT_ID with your Google Cloud project ID. For detailed instructions on how to find your project ID, and project number, seeCreating and managing projects.

Granting the Cloud Run builder role to the Compute Engine default service account takes a couple of minutes topropagate.

Note:

Theiam.automaticIamGrantsForDefaultServiceAccounts organization policy constraint prevents the Editor role from being automatically granted to default service accounts. If you created your organization after May 3, 2024, this constraint is enforced by default.

We strongly recommend that you enforce this constraint to disable the automatic role grant. If you disable the automatic role grant, you must decide which roles to grant to the default service accounts, and thengrant these roles yourself.

If the default service account already has the Editor role, we recommend that you replace the Editor role with less permissive roles.To safely modify the service account's roles, usePolicy Simulator to see the impact of the change, and thengrant and revoke the appropriate roles.

Click to view required roles for the service account if using Eventarc

Optionally, if you are using Eventarc, grant the following roles to your service account:

For more information about granting specific roles for your Eventarc triggers, seeRoles and permissions for Cloud Run targets.

For a list of IAM roles and permissions that are associated withCloud Run, seeCloud Run IAM rolesandCloud Run IAM permissions.If your Cloud Run service interfaces withGoogle Cloud APIs, such as Cloud Client Libraries, see theservice identity configuration guide.For more information about granting roles, seedeployment permissionsandmanage access.

Create and deploy a function

You can deploy a Cloud Run function using the Google Cloud console,or the gcloud CLI. Click the tab for instructions on using the toolof your choice.

Console

  1. In the Google Cloud console, go to the Cloud Run page:

    Go to Cloud Run

  2. ClickWrite a function.

  3. In theService name field, enter a name to describe yourfunction. Service names must only begin with a letter,and contain up to 49 characters or less, including letters, numbers, orhyphens. Service names can't end with hyphens, and must be unique perregion and project.A service name cannot be changed later and is publicly visible.

  4. In theRegion list, use the default value, or selecttheregion where youwant to deploy your function.

  5. In theRuntime list, use the default value, or select aruntime version.

  6. Optionally, in theTrigger section, clickAdd trigger and selectan option.TheEventarc trigger pane opens, where you can modify thefollowing details for the trigger:

    1. In theTrigger name filed, enter a name for the trigger, or usethe default name.

    2. Select aTrigger type from the list to specify one ofthe following trigger types:

      • Google Sources to specify triggers forPub/Sub, Cloud Storage, Firestore,and other Google event providers.

      • Custom to produce and consume events from yourapplication code. Follow the prompts in theEventarc trigger paneto create achannel.A channel is a resource used as a pipeline to deliver customevents from producers to consumers. Custom events are published to achannel, and an Eventarc trigger subscribes to thoseevents.

      • Third-party to integrate with non-Google providersthat offer an Eventarc source. For more information,seeThird-party events in Eventarc.

    3. Select anEvent provider from the list, to select a productthat provides the type of event for triggering your function. Forthe list of event providers, seeEvent providers and destinations.

    4. Select anEvent type from the list. Yourtrigger configuration varies depending on the supported event type.For more information, seeEvent types.

    5. In theRegion field, select alocationfor the Eventarctrigger. In general, the location of an Eventarctrigger should match the location of the Google Cloud resource thatyou want to monitor for events. In most scenarios, you should alsodeploy your function in the same region. SeeUnderstand Eventarc locationsfor more details about Eventarc trigger locations.

    6. In theService account field, select a service account.Eventarc triggers are linked to service accounts touse as an identity when invoking your function. YourEventarc trigger's service account must have the permissionto invoke your function. By default, Cloud Runuses theCompute Engine default service account.

    7. Optionally, specify theService URL path to send the incomingrequest to. This is the relative path on the destination service towhich the events for the trigger should be sent. For example:/,/route,route, androute/subroute.

    8. Once you've completed the required fields, clickSave trigger.

  7. UnderAuthentication, configure the following:

    • If you are creating a public HTTP function, for example a webhook, selectAllow unauthenticated invocations. Selecting this assigns theIAM Invoker role to the special identifierallUser. You canuse IAM to edit this settinglater after you create the service. If you don't have permissions(Cloud Run Admin role) to select this, the service will deployand require authentication.

    • If you are creating an event-triggered function, selectRequire authentication.

  8. Optionally, update the following additional configurations for your functions:

    1. SetBilling as needed.

    2. UnderService scaling, if you use the default Cloud Runautoscaling, optionally specifytheminimum instances.If you usemanual scaling,specify the number of instances for the service.

    3. Set theIngress control settings as needed.

    4. Expand theContainer(s), Volumes, Networking, Security section, to setother optional settings in the appropriate tabs:

  9. ClickCreate, and wait for Cloud Run to create the serviceusing a placeholder revision.

  10. The console will redirect you to theSourcetab where you can see the source code of your function. ClickSave and redeploy.

  11. In theSource tab, you can optionally clickShow Payload to seean example payload of incoming events.

  12. After deployment, test the created function by clicking theTest button.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Updategcloud components to the latest version:

    gcloudcomponentsupdate

  3. Run the following command in the directory thatcontains the sample code:

    gcloud run deployFUNCTION \       --source . \       --functionFUNCTION_ENTRYPOINT \       --base-imageBASE_IMAGE \       --regionREGION

    Replace:

    • FUNCTION with the name of the function you aredeploying. You can omit this parameter entirely,but you will be prompted for the name if you omit it.

    • FUNCTION_ENTRYPOINT with the entry point to your function inyour source code. This is the code Cloud Run executes when yourfunction runs. The value of this flag must be a function name orfully-qualified class name that exists in your source code.

    • BASE_IMAGE with the base image environment for yourfunction, likenodejs22,python313,go123,java21,dotnet8,ruby34, orphp84.For more details about base images and the packages included in eachimage, seeRuntimes base images.

    • REGION with the Google Cloudregion where you want to deployyour function. For example,europe-west1.

    Optional:

    • If you are creating a public HTTP function, for example a webhook,specify the--allow-unauthenticated flag. This flag assigns theCloud Run IAM Invoker role to the special identifierallUser. You canuse IAM to edit this settinglater after you create the service. If you are creating anevent-triggered function or authenticated service, you can omit thisflag.

Optionally, after deploying your function, you can add Eventarctriggers to your function. To add a trigger, run the following command:

  gcloud eventarc triggers createEVENTARC_TRIGGER_NAME \      --location=EVENTARC_TRIGGER_LOCATION \      --destination-run-service=FUNCTION \      --destination-run-region=REGION \      --event-filters="type=EVENTARC_FILTER_TYPE" \      --event-filters="EVENTARC_EVENT_FILTER" \      --service-account=EVENTARC_TRIGGER_SERVICE_ACCOUNT

Replace:

  • EVENTARC_TRIGGER_NAME with the name of the Eventarctrigger.

  • EVENTARC_TRIGGER_LOCATION with the location for theEventarc trigger. In general, the location of an Eventarctrigger should match the location of the Google Cloud resource thatyou want to monitor for events. In most scenarios, you should alsodeploy your function in the same region. SeeUnderstand Eventarc locationsfor more details about Eventarc trigger locations.

  • FUNCTION with the name of your deployed function.

  • REGION with the Cloud Runregionof the function.

  • EVENTARC_FILTER_TYPE with the event filters that the triggermonitors. An event that matches all the--event-filters filterstriggers calls to your function. Each trigger must have a supportedevent type in the form--event-filters="type=EVENTARC_FILTER_TYPE".This event type can't be changed after creation. To changeEVENT_FILTER_TYPE, create a new trigger and delete the old one.Optionally, you can repeat the--event-filters flag with a supportedfilter in the formATTRIBUTE=VALUE to add more filters.

  • EVENTARC_TRIGGER_SERVICE_ACCOUNT with a service account.Eventarc triggers are linked to service accounts touse as an identity when invoking your function. YourEventarc trigger's service account must have the permissionto invoke your function. By default, Cloud Runuses theDefault compute service account.

Terraform

To manage functions usingTerraform,you must build your function code into a container image, then define yourCloud Run service in a Terraform configuration using thegoogle_cloud_run_v2_serviceresource from theGoogle Cloud Platform Provider.

  1. Follow the instructions forbuilding a function on scratchto create a container image that is compatible withautomatic security updates.Copy the full path of the container image for theIMAGE_URLvariable used in the next step.

  2. Create a newmain.tf file with this content:

    provider"google"{project="PROJECT-ID"}resource"google_cloud_run_v2_service""default"{name="SERVICE"location="REGION"client="terraform"template{containers{name="SERVICE"image="IMAGE_URL" # Container image built from your function in the previous step.base_image_uri="BASE_IMAGE"}}build_config{function_target="FUNCTION_TARGET"image_uri="IMAGE_URL"base_image="BASE_IMAGE"enable_automatic_updates=true}}resource"google_cloud_run_v2_service_iam_member""noauth"{location=google_cloud_run_v2_service.default.locationname=google_cloud_run_v2_service.default.namerole="roles/run.invoker"member="allUsers"}

    Replace:

    • PROJECT-ID with the Google Cloud project ID.
    • REGION with the Google Cloud region. For example,europe-west1.
    • SERVICE with the name of your Cloud Run service.Service names must be 49 characters or less and must be unique per region and project.
    • IMAGE_URL with a reference to thecontainer image containing only your built function
    • BASE_IMAGE with the base image environment for yourfunction, likenodejs22,python313,go123,java21,dotnet8,ruby34, orphp84.For more details about base images and the packages included in eachimage, seeRuntimes base images.
    • FUNCTION_TARGET with the function name you want to use as theentrypoint.

    This configuration allows public access (the equivalent of--allow-unauthenticated).To make the service private, remove thegoogle_cloud_run_v2_service_iam_member stanza.

  3. Initialize Terraform:

    terraform init

  4. Apply the Terraform configuration:

    terraform apply

    Confirm you want to apply the actions described by enteringyes.

Cloud Run locations

Cloud Run is regional, which means the infrastructure thatruns your Cloud Run services is located in a specific region and ismanaged by Google to be redundantly available acrossall the zones within that region.

Meeting your latency, availability, or durability requirements are primaryfactors for selecting the region where your Cloud Run services are run.You can generally select the region nearest to your users but you should considerthe location of theother Google Cloudproducts that are used by your Cloud Run service.Using Google Cloud products together across multiple locations can affectyour service's latency as well as cost.

Cloud Run is available in the following regions:

Subject toTier 1 pricing

  • asia-east1 (Taiwan)
  • asia-northeast1 (Tokyo)
  • asia-northeast2 (Osaka)
  • asia-south1 (Mumbai, India)
  • europe-north1 (Finland)leaf iconLow CO2
  • europe-north2 (Stockholm)leaf iconLow CO2
  • europe-southwest1 (Madrid)leaf iconLow CO2
  • europe-west1 (Belgium)leaf iconLow CO2
  • europe-west4 (Netherlands)leaf iconLow CO2
  • europe-west8 (Milan)
  • europe-west9 (Paris)leaf iconLow CO2
  • me-west1 (Tel Aviv)
  • northamerica-south1 (Mexico)
  • us-central1 (Iowa)leaf iconLow CO2
  • us-east1 (South Carolina)
  • us-east4 (Northern Virginia)
  • us-east5 (Columbus)
  • us-south1 (Dallas)leaf iconLow CO2
  • us-west1 (Oregon)leaf iconLow CO2

Subject toTier 2 pricing

  • africa-south1 (Johannesburg)
  • asia-east2 (Hong Kong)
  • asia-northeast3 (Seoul, South Korea)
  • asia-southeast1 (Singapore)
  • asia-southeast2 (Jakarta)
  • asia-south2 (Delhi, India)
  • australia-southeast1 (Sydney)
  • australia-southeast2 (Melbourne)
  • europe-central2 (Warsaw, Poland)
  • europe-west10 (Berlin)leaf iconLow CO2
  • europe-west12 (Turin)
  • europe-west2 (London, UK)leaf iconLow CO2
  • europe-west3 (Frankfurt, Germany)leaf iconLow CO2
  • europe-west6 (Zurich, Switzerland)leaf iconLow CO2
  • me-central1 (Doha)
  • me-central2 (Dammam)
  • northamerica-northeast1 (Montreal)leaf iconLow CO2
  • northamerica-northeast2 (Toronto)leaf iconLow CO2
  • southamerica-east1 (Sao Paulo, Brazil)leaf iconLow CO2
  • southamerica-west1 (Santiago, Chile)leaf iconLow CO2
  • us-west2 (Los Angeles)
  • us-west3 (Salt Lake City)
  • us-west4 (Las Vegas)

If you already created a Cloud Run service, you can view theregion in the Cloud Run dashboard in theGoogle Cloud console.

Enable event retries

Eventarc uses Pub/Sub as its transport layer and has adefault retry policy that might not work well for your function.

After creating an Eventarc trigger, we strongly recommendupdating theretry policy inEventarc and configuringdead-letter topic inPub/Sub.

Specify an image repository

Cloud Run function deployments use Artifact Registry to store artifactsand manage container images. Artifact Registry automatically creates the Artifact RegistryrepositoryREGION-docker.pkg.dev/PROJECT_ID/cloud-run-source-deployif your project hasn't already created one with this name.

To specify a self-created Artifact Registry repository, use the following command:

gcloud

gcloudrundeployFUNCTION\--source.\--functionFUNCTION_ENTRYPOINT\--base-imageBASE_IMAGE\--regionREGION\--imageIMAGE_URL

Replace the following:

  • FUNCTION with the name of the function you aredeploying. You can omit this parameter entirely,but you will be prompted for the name if you omit it.

  • FUNCTION_ENTRYPOINT with the entry point to your function inyour source code. This is the code Cloud Run executes when yourfunction runs. The value of this flag must be a function name orfully-qualified class name that exists in your source code.

  • BASE_IMAGE with the base image environment for yourfunction, likenodejs22,python313,go123,java21,dotnet8,ruby34, orphp84.For more details about base images and the packages included in eachimage, seeRuntimes base images.

  • REGION with the Google Cloudregion where you want to deployyour function. For example,europe-west1.

  • IMAGE_URL with a reference to the image path using the Artifact Registryimage repository of your choice, for exampleprojects/PROJECT_NAME/locations/LOCATION/repositories/REPOSITORY_NAME/FUNCTION.The image name must match the name of the function you care creating. Ifonly the repository path is provided, the image will be created using thefunction nameFUNCTION.

When specifying an Artifact Registry repository located in a differentproject or region, you must consider the following:

IAM configurations:

  • Ensure that you have configured IAM permissions to deployimages fromother Google Cloud projects
  • Additionally, ensure that the build service account has authorized accessto read and write to theREPOSITORY.

Network configurations:

  • Ensure that the targetREPOSITORY is reachable from the currentproject configuration.

VPC Service Controls configurations:

  • Ensure that the build service account can reach the targetREPOSITORY within the VPC-SC perimeter.

Data residency constraints:

  • Note that specifying aREPOSITORY in a different region fromwhere your function is located will lead to data transfer across regions.

Modify an existing function

You can either modify the configuration or the code of your function:

Modify configuration

To modify configuration parameters, such as billing options, memory, and VPCconnectivity, follow the instructions in the appropriate tab:

Console

  1. In the Google Cloud console, go to the Cloud Run page:

    Go to Cloud Run

  2. Locate the service you want to update in the services list, and clickto open the details of that service.

  3. ClickEdit and deploy new revision to display the revision deployment form.

  4. Modify any configuration setting.

  5. ClickDeploy and wait for the deployment to finish.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. To update one or more service configuration setting, use thegcloud run services updateSERVICEcommand with the command line flags of the configuration you want toupdate. ReplaceSERVICE with the name of the service.

Re-deploy new source code

You can modify your function's base image, runtime, and source code using eitherthe Google Cloud console or the gcloud CLI.

Click the tab for instructions using the tool of your choice.

Console

  1. In the Google Cloud console, go to the Cloud Run page:

    Go to Cloud Run

  2. Locate the function you want to update in theServices list, andclick to open the details of that function.

  3. Navigate to theSource tab, and clickEdit Source.

  4. ClickEdit runtime and security updatesnext toBase image, and select a differentRuntime orEnvironment from the list as needed, and clickSave.

  5. Modify theFunction entry point as needed.

  6. In theFiles section, selectAdd file to create a new file,Rename file to rename a file,orDelete file to delete a file.

  7. In theCode section, modify your source code as needed.

  8. ClickSave and Redeploy, and wait for the deployment to finish.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Run the following command in the directory thatcontains the function's source code:

    gcloud run deployFUNCTION \       --source . \       --functionFUNCTION_ENTRYPOINT \       --base-imageBASE_IMAGE \       --regionREGION

    Replace:

    • FUNCTION with the name of the function you want to modify.

    • FUNCTION_ENTRYPOINT with the entry point to your functionin your source code.

    • BASE_IMAGE with the base image environment for yourfunction, likenodejs22,python313,go123,java21,dotnet8,ruby34, orphp84.

      Alternatively, if you want to use a specific system package in thestack or specify the region where the base image is downloaded from,you can specify one of the following:

      • The full base image path, such asus-central1-docker.pkg.dev/serverless-runtimes/google-22-full/runtimes/nodejs22.This option lets you specify the base image, a specific systempackage in the stack, and the region where the base image isdownloaded from.
      • The alias of the full base image path, such asgoogle-22/nodejs22orgoogle-22-full/nodejs22. This shorter alias option lets youspecify the base image and a specific system package in the stack.

      For more details about base images and the packages includedin each image, seeRuntime base images.

    • REGION with the Google Cloudregion where you want to deployyour function. For example,europe-west1.

    Optional flags

    You can configure the following optional flags while modifying yourfunction:

    • Build environment variablesflags for specifying environment variablesduring the build step, such as for configuring build-time specificcertificates, or parameters.

    • Worker pool flagsfor specifying which worker pool to use in VPC Service Controlssecured build context.

    • Custom build service accountsflags for specifying an alternative to thedefault build service account for increased security.

    • Automatic base image updatesflag to disable automatic updates. By default, functions have automaticsecurity updates enabled.

Source bucket

Your source code must be accessible to the build process and theGoogle Cloud console source editor. This is accomplished by uploading your sourcecode to aCloud Storage bucket.

When you deploy using the gcloud CLI or the Google Cloud console, aCloud Storage bucket is automatically provisioned, and your source code isuploaded for you. By default, your code is stored in a bucket namedrun-sources-PROJECT_ID-REGION. You areresponsible for managing theAccess Control Lists (ACLs) and sourceobjects within this bucket.

If you need to use a specific bucket, such as to useCustomer-managed encryption keys (CMEK),you must first package your local source files into an archive (such as a ZIPfile). Then, upload this archive to your bucket. To deploy from this customlocation, use the gcloud CLI with the flag--source=gs://BUCKET_NAME/OBJECT_PATH.

What's next

After you deploy a new Cloud Run function, you can do thefollowing:

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-16 UTC.