Deploying container images to Cloud Run

This page describes how to deploy container images to a new Cloud Runservice or to a new revision of an existing Cloud Run service.

The container image is imported by Cloud Run when deployed.Cloud Run keeps this copy of the container image as long as it is usedby a serving revision. Container images are not pulled from their containerrepository when a new Cloud Run instance is started.

For an example walkthrough of deploying a new service, seeDeploy a sample container quickstart.

Before you start

If you are under a domain restriction organization policyrestricting unauthenticated invocations for your project, you will need to access your deployed service as described underTesting private services.

Required roles

To get the permissions that you need to deploy Cloud Run services, ask your administrator to grant you the following IAM roles:

Cloud Run Developer (roles/run.developer) on the Cloud Run service
Service Account User (roles/iam.serviceAccountUser) on the service identity
Artifact Registry Reader (roles/artifactregistry.reader) on the Artifact Registry repository of the deployed container image
If you are using a cross-project service account to deploy a service:Service Account Token Creator (roles/iam.serviceAccountTokenCreator) on the service identity

For a list of IAM roles and permissions that are associated withCloud Run, seeCloud Run IAM rolesandCloud Run IAM permissions.If your Cloud Run service interfaces withGoogle Cloud APIs, such as Cloud Client Libraries, see theservice identity configuration guide.For more information about granting roles, seedeployment permissionsandmanage access.

Supported container registries and images

You can directly use container images stored inArtifact Registry,orDocker Hub.Google recommends the use of Artifact Registry.Docker Hub images arecachedfor up to one hour.

You can use container images from other public or private registries (like JFrogArtifactory, Nexus, or GitHub Container Registry), by setting up anArtifact Registry remote repository.

You should only considerDocker Hub for deploying popular container images such asDocker Official Images orDocker Sponsored OSS images.For higher availability, Google recommends deploying these Docker Hub images using anArtifact Registry remote repository.

Cloud Run does not support container image layers larger than9.9 GBwhen deploying from Docker Hub or an Artifact Registry remote repository with anexternal registry.

Deploying a new service

You can specify a container image with a tag(for example,us-docker.pkg.dev/my-project/container/my-image:latest) or with an exact digest(for example,us-docker.pkg.dev/my-project/container/my-image@sha256:41f34ab970ee...).

Deploying to a service for the first time creates its first revision. Note thatrevisions are immutable. If you deploy from a container image tag, it will beresolved to a digest and the revision will always serve this particular digest.

Click the tab for instructions using the tool of your choice.

Console

To deploy a container image:

In the Google Cloud console, go to the Cloud Run page:
Go to Cloud Run
ClickDeploy container to display theCreate service form.
1. In the form, select the deployment option:
  1. If you want to manually deploy a container, selectDeploy one revision from an existing container image and specifythe container image.
  2. If you want to automate for continuous deployment, selectContinuously deploy new revisions from a source repository andfollow theinstructions for continuous deployments.
2. Enter the needed service name. Service names must be 49 charactersor less and must be unique per region and project. Aservice name cannot be changed later and is publicly visible.
3. Select theregion where you want your service located.The region selector indicatesprice tier,availability ofdomain mappingsand highlights regions with thelowest carbon impact.
4. Setbilling as needed.
5. UnderService scaling, if you use the default Cloud Runautoscaling, optionally specifytheminimum instances.If you usemanual scaling,specify the number of instances for the service.
6. Set theIngress settings in theform as needed.
7. UnderAuthentication, configure the following:
  - If you are creating a public API or website, selectAllow public access. Selecting this assigns theIAM Invoker role to the special identifierallUser. You canuse IAM to edit this settinglater after you create the service.
  - If you want a secure service protected by authentication, selectRequire authentication.
ClickContainer(s), Volumes, Networking, Security to set other optional settings in theappropriate tabs:
When you are finished configuring your service, clickCreate todeploy the image to Cloud Run and wait for the deployment to finish.
Click the displayed URL link to open the unique and stable endpoint of your deployed service.

gcloud

In the Google Cloud console, activate Cloud Shell.
Activate Cloud Shell
At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To deploy a container image:
1. Run the following command:
```
gcloud run deploySERVICE --imageIMAGE_URL
```
  Replace the following:
  - SERVICE: the name of the service you want todeploy to. Service names must be 49 charactersor less and must be unique per region and project. If the service doesnot exist yet, this command creates theservice during the deployment. You can omit this parameter entirely,but you will be prompted for the service name if you omit it.
  - IMAGE_URL: a reference to the container image, forexample,us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry,therepositoryREPO_NAME mustalready be created. The URL follows the format ofLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG. Note that if you don't supply the--imageflag, the deploy command will attempt todeploy from source code.
  If you are creating apublic API or website, allow public access ofyour service using the--allow-unauthenticated flag. Thisassigns theCloud Run Invoker IAM roletoallUsers. You can also specify--no-allow-unauthenticated todisallow public access. If you omit either of theseflags, you are prompted to confirm when thedeploy command runs.
2. Wait for the deployment to finish. Upon successful completion, a successmessage is displayed along with the URL of the deployed service.
Note that to deploy to a different location from the one you set using therun/regiongcloud properties, use:
```
gcloud run deploySERVICE --regionREGION
```

YAML

You can store your service specification in aYAML file and thendeploy it using the gcloud CLI.

Create a newservice.yaml file with the following content:
```
apiVersion:serving.knative.dev/v1kind:Servicemetadata:name:SERVICEspec:template:spec:containers:-image:IMAGE
```
Replace the following:
- SERVICE: the name of your Cloud Run service.Service names must be 49 charactersor less and must be unique per region and project.
- IMAGE: the URL of your container image.
You can also specify more configuration such as environment variables or
Deploy the new service using the following command:
```
gcloud run services replace service.yaml
```
Optionally,make your service publicif you want to allow unauthenticated access to the service.

Terraform

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

Add the following to agoogle_cloud_run_v2_service resource in your Terraform configuration:

provider"google"{project="PROJECT-ID"}resource"google_cloud_run_v2_service""default"{name="SERVICE"location="REGION"client="terraform"template{containers{image="IMAGE_URL"}}}resource"google_cloud_run_v2_service_iam_member""noauth"{location=google_cloud_run_v2_service.default.locationname=google_cloud_run_v2_service.default.namerole="roles/run.invoker"member="allUsers"}

Replace the following:

PROJECT-ID: the Google Cloud project ID
REGION: the Google Cloud region
SERVICE: the name of your Cloud Run service. Servicenames must be 49 characters or less and must be unique per regionand project.
IMAGE_URL: a reference to the container image, forexample,us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry,therepositoryREPO_NAME mustalready be created. The URL follows the format ofLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG

This configuration allows public access (the equivalent of--allow-unauthenticated).To make the service private, remove thegoogle_cloud_run_v2_service_iam_memberstanza.

Compose

Preview — Cloud Run Compose deploy

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

You can store yourCompose Specification inaYAML file and then deploy it as a Cloud Run service using asingle gcloud command.

To deploy acompose.yaml file as a Cloud Run service, followthese steps:

In your project directory, create acompose.yaml file with yourservice definitions.
```
services:web:image:IMAGEports:-"8080:8080"
```
ReplaceIMAGE with the URL of your container image.
You can also specify more configuration options such as environmentvariables, secrets, and volume mounts.
To deploy the services, run thegcloud beta run compose up command:
```
gcloud beta run compose up compose.yaml
```
Respondy to any prompts to install required components or to enableAPIs.
Optional:Make your service publicif you want to allow unauthenticated access to the service.

After deployment, the Cloud Run service URL is displayed. Copythis URL and paste it into your browser to view the running container. You candisable the default authentication from the Google Cloud console.

Client libraries

To deploy a new service from code:

REST API

To deploy a new service, send aPOST HTTP request tothe Cloud Run Admin APIservice endpoint.

For example, usingcurl:

curl-H"Content-Type: application/json"\-H"Authorization: BearerACCESS_TOKEN"\-XPOST\-d'{template: {containers: [{image: "IMAGE_URL"}]}}'\https://run.googleapis.com/v2/projects/PROJECT_ID/locations/REGION/services?serviceId=SERVICE

Replace the following:

ACCESS_TOKEN: a valid access token for an account thathas theIAM permissions to deploy services.For example, if you are logged into gcloud, you can retrieve anaccess token usinggcloud auth print-access-token.From within a Cloud Run container instance, you can retrievean access token using thecontainer instance metadata server.
IMAGE_URL: a reference to the container image, forexample,us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry,therepositoryREPO_NAME mustalready be created. The URL follows the format ofLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.
SERVICE: the name of the service you want to deploy to.Service names must be 49 characters or less and must be unique per regionand project.
REGION: the Google Cloud region of the service.
PROJECT-ID: the Google Cloud project ID.

Cloud Run locations

Cloud Run is regional, which means the infrastructure thatruns your Cloud Run services is located in a specific region and ismanaged by Google to be redundantly available acrossall the zones within that region.

Meeting your latency, availability, or durability requirements are primaryfactors for selecting the region where your Cloud Run services are run.You can generally select the region nearest to your users but you should considerthe location of theother Google Cloudproducts that are used by your Cloud Run service.Using Google Cloud products together across multiple locations can affectyour service's latency as well as cost.

Cloud Run is available in the following regions:

Subject toTier 1 pricing

asia-east1 (Taiwan)
asia-northeast1 (Tokyo)
asia-northeast2 (Osaka)
asia-south1 (Mumbai, India)
asia-southeast3 (Bangkok)
europe-north1 (Finland)Low CO₂
europe-north2 (Stockholm)Low CO₂
europe-southwest1 (Madrid)Low CO₂
europe-west1 (Belgium)Low CO₂
europe-west4 (Netherlands)Low CO₂
europe-west8 (Milan)
europe-west9 (Paris)Low CO₂
me-west1 (Tel Aviv)
northamerica-south1 (Mexico)
us-central1 (Iowa)Low CO₂
us-east1 (South Carolina)
us-east4 (Northern Virginia)
us-east5 (Columbus)
us-south1 (Dallas)Low CO₂
us-west1 (Oregon)Low CO₂

Subject toTier 2 pricing

africa-south1 (Johannesburg)
asia-east2 (Hong Kong)
asia-northeast3 (Seoul, South Korea)
asia-southeast1 (Singapore)
asia-southeast2 (Jakarta)
asia-south2 (Delhi, India)
australia-southeast1 (Sydney)
australia-southeast2 (Melbourne)
europe-central2 (Warsaw, Poland)
europe-west10 (Berlin)
europe-west12 (Turin)
europe-west2 (London, UK)Low CO₂
europe-west3 (Frankfurt, Germany)
europe-west6 (Zurich, Switzerland)Low CO₂
me-central1 (Doha)
me-central2 (Dammam)
northamerica-northeast1 (Montreal)Low CO₂
northamerica-northeast2 (Toronto)Low CO₂
southamerica-east1 (Sao Paulo, Brazil)Low CO₂
southamerica-west1 (Santiago, Chile)Low CO₂
us-west2 (Los Angeles)
us-west3 (Salt Lake City)
us-west4 (Las Vegas)

If you already created a Cloud Run service, you can view theregion in the Cloud Run dashboard in theGoogle Cloud console.

Deploying a new revision of an existing service

You can deploy a new revision using the Google Cloud console, thegcloudcommand line, or a YAML configuration file.

Note that changing any configuration settings results in the creation of a newrevision, even if there is no change to the container image. Each revisioncreated is immutable.

The container image is imported by Cloud Run when deployed.Cloud Run keeps this copy of the container image as long as it is usedby a serving revision.

Click the tab for instructions using the tool of your choice.

Console

To deploy a new revision of an existing service:

In the Google Cloud console, go to the Cloud RunServices page:
Go to Cloud Run
Locate the service you want to update in the services list, and clickto open the details of that service.
ClickEdit and deploy new revision to display the revision deployment form.
1. If needed, supply the URL to the new container image you want to deploy.
2. Configure the container as needed.
3. Setbilling as needed.
4. Under Capacity, specifymemory limits.andCPU limits.
5. Specifyrequest timeout andconcurrency as needed.
6. Specifyexecution environmentas needed.
7. UnderAutoscaling, specifyminimum andmaximum instances.
8. Use the other tabs as needed to optionally configure:
To send all traffic to the new revision, selectServe this revisionimmediately. To gradually roll out a new revision,clear that checkbox. This results in a deployment where no trafficis sent to the new revision. Follow the instructions forgradual rolloutsafter you deploy.
ClickDeploy and wait for the deployment to finish.

gcloud

In the Google Cloud console, activate Cloud Shell.
Activate Cloud Shell
At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To deploy a container image:
1. Run the command:
```
gcloud run deploySERVICE --imageIMAGE_URL
```
  Replace the following:
  - SERVICE: the name of the service you aredeploying to. You can omit this parameter entirely, but you will beprompted for the service name if you omit it.
  - IMAGE_URL: a reference to the container image, forexample,us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry,therepositoryREPO_NAME mustalready be created. The URL follows the format ofLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.
  The revision suffix is assigned automatically for new revisions. If youwant to supply your own revision suffix, use the gcloud CLIparameter--revision-suffix.
2. Wait for the deployment to finish. Upon successful completion, a successmessage is displayed along with the URL of the deployed service.

YAML

Caution: The following instructions replaces your existing serviceconfiguration with the one specified in the YAML file. So if you use YAML tomake revision changes, you should avoid also using the Google Cloud consoleor gcloud CLI to make configuration changes because those can beoverwritten when you use YAML.

If you need to download or view the configuration of an existing service, usethe following command to save results to a YAML file:

gcloud run services describeSERVICE --format export > service.yaml

From a service configuration YAML file, modify anyspec.template childattributes as needed to update revision settings, then deploy the newrevision:

gcloud run services replace service.yaml

Cloud Code

To deploy a new revision of an existing service with Cloud Code, read theIntelliJ andVisual Studio Code guides.

Terraform

Make sure you have setup Terraform as described in theDeploying a new service example.

Make a change to the configuration file.
Apply the Terraform configuration:
```
terraform apply
```
Confirm you want to apply the actions described by enteringyes.
Note: Unless a configuration change is required, no new revision is created.

Compose

Preview — Cloud Run Compose deploy

You can store yourCompose Specification inaYAML file and then deploy it as a Cloud Run servicerevisionusing a single gcloud command.

To deploy acompose.yaml file as a Cloud Run servicerevision, follow these steps:

In your project directory, create acompose.yaml file with yourservice definitions.
```
services:web:image:IMAGEports:-"8080:8080"
```
ReplaceIMAGE with the URL of your container image.
You can also specify more configuration options such as environmentvariables, secrets, and volume mounts.
To deploy the services, run thegcloud beta run compose up command:
```
gcloud beta run compose up compose.yaml
```
Respondy to any prompts to install required components or to enableAPIs.
Optional:Make your service publicif you want to allow unauthenticated access to the service.

Client libraries

To deploy a new revision from code:

REST API

To deploy a new revision, send aPATCH HTTP request tothe Cloud Run Admin APIservice endpoint.

For example, usingcurl:

curl-H"Content-Type: application/json"\-H"Authorization: BearerACCESS_TOKEN"\-XPATCH\-d'{template: {containers: [{image: "IMAGE_URL"}]}}'\https://run.googleapis.com/v2/projects/PROJECT_ID/locations/REGION/services/SERVICE

Replace the following:

ACCESS_TOKEN: a valid access token for an account thathas theIAM permissions to deploy revisions.For example, if you are logged into gcloud, you can retrieve anaccess token usinggcloud auth print-access-token.From within a Cloud Run container instance, you can retrievean access token using thecontainer instance metadata server.
IMAGE_URL: a reference to the container image, forexample,us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry,therepositoryREPO_NAME mustalready be created. The URL follows the format ofLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.
SERVICE: the name of the service you aredeploying to.
REGION: the Google Cloud region of the service.
PROJECT-ID: the Google Cloud project ID.

Cloud Run locations

Cloud Run is available in the following regions:

Subject toTier 1 pricing

asia-east1 (Taiwan)
asia-northeast1 (Tokyo)
asia-northeast2 (Osaka)
asia-south1 (Mumbai, India)
asia-southeast3 (Bangkok)
europe-north1 (Finland)Low CO₂
europe-north2 (Stockholm)Low CO₂
europe-southwest1 (Madrid)Low CO₂
europe-west1 (Belgium)Low CO₂
europe-west4 (Netherlands)Low CO₂
europe-west8 (Milan)
europe-west9 (Paris)Low CO₂
me-west1 (Tel Aviv)
northamerica-south1 (Mexico)
us-central1 (Iowa)Low CO₂
us-east1 (South Carolina)
us-east4 (Northern Virginia)
us-east5 (Columbus)
us-south1 (Dallas)Low CO₂
us-west1 (Oregon)Low CO₂

Subject toTier 2 pricing

africa-south1 (Johannesburg)
asia-east2 (Hong Kong)
asia-northeast3 (Seoul, South Korea)
asia-southeast1 (Singapore)
asia-southeast2 (Jakarta)
asia-south2 (Delhi, India)
australia-southeast1 (Sydney)
australia-southeast2 (Melbourne)
europe-central2 (Warsaw, Poland)
europe-west10 (Berlin)
europe-west12 (Turin)
europe-west2 (London, UK)Low CO₂
europe-west3 (Frankfurt, Germany)
europe-west6 (Zurich, Switzerland)Low CO₂
me-central1 (Doha)
me-central2 (Dammam)
northamerica-northeast1 (Montreal)Low CO₂
northamerica-northeast2 (Toronto)Low CO₂
southamerica-east1 (Sao Paulo, Brazil)Low CO₂
southamerica-west1 (Santiago, Chile)Low CO₂
us-west2 (Los Angeles)
us-west3 (Salt Lake City)
us-west4 (Las Vegas)

If you already created a Cloud Run service, you can view theregion in the Cloud Run dashboard in theGoogle Cloud console.

Deploying images from other Google Cloud projects

To deploy images from other Google Cloud projects, you or youradministrator must grant the deployer account and the Cloud Runservice agent the required IAM roles.

For the required roles for the deployer account, seerequired roles.

To grant the Cloud Run service agent the required roles, see thefollowing instructions:

In the Google Cloud console, open the project for yourCloud Run service.
Go to the IAM page
SelectInclude Google-provided role grants.
Copy the email of the Cloud Runservice agent.It has the suffix@serverless-robot-prod.iam.gserviceaccount.com
Open the project that owns the container registry you want to use.
Go to the IAM page
ClickAdd to add a new principal.
In theNew principals field, paste in the email of the service accountthat you copied earlier.
In theSelect a role menu, clickArtifact Registry -> Artifact Registry Reader.
Deploy the container image to the project thatcontains your Cloud Run service.
Note: For stronger security,grant access to the Artifact Registry repository that contains your container images.

Deploying images from other registries

To deploy public or private container images that are not stored in Artifact Registryor Docker Hub,set upan Artifact Registryremote repository.

Artifact Registry remote repositories allow you to:

Deploy any public container image—for example, GitHub Container Registry (ghcr.io).
Deploy container images from private repositories that require authentication—for example,JFrog Artifactory or Nexus.

Alternatively, if using an Artifact Registry remote repository is not an option,you can temporarily pull and push container images toArtifact Registryusingdocker push in order to deploy them to Cloud Run.The container image is imported by Cloud Run whendeployed, so after the deployment, you candelete the image from Artifact Registry.

Deploying multiple containers to a service (sidecars)

In a Cloud Run deployment with sidecars, there is oneingress container that handlesall incoming HTTPS requests at the container PORT you specify, and there are oneor moresidecar containers. The sidecars cannot listen for the incoming HTTPrequests at the ingress container port, but they can communicate with each otherand with the ingress container using a localhost port. The localhost port usedvaries depending on the containers you are using.

In the following diagram, the ingress container is communicating with the sidecar usinglocalhost:5000.

Cloud Run multi-container

You can deploy up to 10 containers per instance including the ingress container.All containers within an instance share the same network namespace and can alsoshare files using an in-memory shared volume, as shown in the diagram.

You can deploy multiple containers in either thefirst or second generationexecution environment.

If you userequest-based billing(the Cloud Run default), sidecars are allocated CPU in only thesescenarios:

The instance is processing at least one request.
The ingress container is starting up.

If your sidecar must use CPU outside ofrequest processing (for example, for metrics collection), configure your billingsetting to instance-based billing for your service. For more information seeBilling settings (services).

If you use request-based billing, configure astartup probeto ensure your sidecar is not CPU throttled on startup.

You can require all deployments to use a specific sidecar by creatingcustom organization policies.

Use cases

Use cases for sidecars in a Cloud Run service include:

Application monitoring, logging and tracing
UsingNginx, Envoy or Apache2 as aproxy in front of your application container
Adding authentication and authorization filters (for example, Open Policy Agent)
Running outbound connection proxies such as the Alloy DB Auth proxy

Deploying a service with sidecar containers

You can deploy multiple sidecars to a Cloud Run service using theGoogle Cloud console, the Google Cloud CLI, YAML, or Terraform.

Click the tab for instructions using the tool of your choice.

Console

In the Google Cloud console, go to the Cloud RunServices page:
Go to Cloud Run
- To deploy to an existing service, locate it in the services list, and clickto open, then clickEdit and deploy a new revision to display the revision deploymentform.
- To deploy a new service, clickDeploy container to display theCreate service form.
For a new service,
1. Supply the service name and the URL to the ingress container imageyou want to deploy.
2. ClickContainer(s), Volumes, Networking, Security
In theEdit container card, configure the ingress container as needed.
ClickAdd container and configure a sidecar container you want toadd alongside the ingress container. If the sidecar depends on anothercontainer in the service, indicate this in theContainer start-up ordermenu. Repeat this step for each sidecar container you are deploying.
To send all traffic to the new revision, selectServe this revisionimmediately. For a gradual rollout, clear that checkbox. This results in adeployment where no traffic is sent to the new revision. Follow theinstructions forgradual rolloutsafter you deploy.
ClickCreate for a new service orDeploy for an existing service,then wait for the deployment to finish.

gcloud

In the Google Cloud console, activate Cloud Shell.
Activate Cloud Shell
At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To deploy multiple containers to a service, run the following command:
```
gcloudrundeploySERVICE\--containerINGRESS_CONTAINER_NAME\--image='INGRESS_IMAGE'\--port='CONTAINER_PORT'\--containerSIDECAR_CONTAINER_NAME\--image='SIDECAR_IMAGE'
```
Replace the following:
- SERVICE: the name of the service you aredeploying to. You can omit this parameter entirely, but you will beprompted for the service name if you omit it.
- INGRESS_CONTAINER_NAME: a name for the containerreceiving requests—for exampleapp.
- INGRESS_IMAGE: a reference to the container image thatshould receive requests—for example,us-docker.pkg.dev/cloudrun/container/hello:latest.
- CONTAINER_PORT: the port where the ingress containerlistens for incoming requests. Unlike a single-container service, for aservice containing sidecars, there is no default port for the ingresscontainer. You must explicitly configure the container port for theingress container and only one container can have the port exposed.
- SIDECAR_CONTAINER_NAME: a name for the sidecarcontainer—for examplesidecar.
- SIDECAR_IMAGE: a reference to the sidecar container image
If you want to configure each container in the deploy command, supply eachcontainer's configuration after thecontainer parameters, for example:
```
gcloudrundeploySERVICE\--containerCONTAINER_1_NAME\--image='INGRESS_IMAGE'\--set-env-vars=KEY=VALUE\--port='CONTAINER_PORT'\--containerSIDECAR_CONTAINER_NAME\--image='SIDECAR_IMAGE'\--set-env-vars=KEY_N=VALUE_N
```
Important: When you use the--container flag, you must specify all non-container-level flags before the container-level flags, otherwise the deploy command fails with an error message to that effect. For example, in the command "gcloud run services deploy service --execution-environment=gen2 --container app --memory=1G", the--execution-environment flag must be passed before--container flag.
Wait for the deployment to finish. Upon successful completion, a success message is displayed along with the URL of the deployed service.

YAML

These instructions show a basic YAML file for your Cloud Runservice with sidecars. Create a file namedservice.yaml and add thefollowing to it:

apiVersion:serving.knative.dev/v1kind:Servicemetadata:annotations:name:SERVICEspec:template:spec:containers:-image:INGRESS_IMAGEports:-containerPort:CONTAINER_PORT-image:SIDECAR_IMAGE

Replace the following:

SERVICE: the name of your Cloud Run service.Service names must be 49 characters or less.
CONTAINER_PORT: the port where the ingress containerlistens for incoming requests. Unlike a single-container service, for aservice containing sidecars, there is no default port for the ingresscontainer. You must explicitly configure the container port for theingress container and only one container can have the port exposed.
INGRESS_IMAGE: a reference to the container image thatshould receive requests—for example,us-docker.pkg.dev/cloudrun/container/hello:latest.
SIDECAR_IMAGE: a reference to the sidecar container image. You can specify multiple sidecars by adding moreelements to thecontainers array in the YAML.

After you update the YAML to include the ingress and sidecar containers,deploy to Cloud Run using the command:

gcloud run services replace service.yaml

Terraform

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Add the following to agoogle_cloud_run_v2_service resource in your Terraform configuration:

resource"google_cloud_run_v2_service""default"{name="SERVICE"location="REGION"ingress="INGRESS_TRAFFIC_ALL"template{containers{name="INGRESS_CONTAINER_NAME"ports{container_port=CONTAINER_PORT}image="INGRESS_IMAGE"depends_on=["SIDECAR_CONTAINER_NAME"]}containers{name="SIDECAR_CONTAINER_NAME"image="SIDECAR_IMAGE"}}}

TheCONTAINER_PORT represents the port where the ingresscontainer listens for incoming requests. Unlike a single-container service,for a service containing sidecars, there is no default port for the ingresscontainer. You must explicitly configure the container port for theingress container and only one container can have the port exposed.

Notable features available to deployments with sidecars

Start up order

You can specify thecontainer start up orderwithin a deployment with multiple containers, if you have dependencies that requiresome containers to start up before other containers in the deployment.

If you have containers that depend on other containers, you must usehealthchecksin your deployment. If you use healthchecks, Cloud Run follows thecontainer startup order and inspects the health of each container, making sureeach passes successfully before Cloud Run starts up the next containerin the order. If you don't use healthchecks, healthy containers will start upeven if the containers they depend on are not running.

Exchanging file data between sidecars

Multiple containers within a single instance can access a sharedin-memory volume, which is accessibleto each container using mount points that you create.This is commonly used to share files between containers, for example a telemetrysidecar container can collect logs from an application container.

Communicating between sidecars

Two containers of the same instance can communicate with each other on thelocal network.

Consider this example service:

apiVersion:serving.knative.dev/v1kind:Servicemetadata:name:examplespec:template:spec:containers:-name:ingressimage:...ports:-containerPort:8080-name:sidecarimage:...

Each instance of this service will run two containers: one namedingress andanother namedsidecar.

Requests reaching the service are sent to theingress container on port8080.In a service with multiple containers, only one container can be configured asthe ingress container that handles all incoming requests, and this must be thecontainer for which acontainerPort is configured.

Containersingress andsidecar can communicate with each other onhttp://localhost. For example, if the containersidecar listens forrequests on port5000, then the containeringress can communicate with itonhttp://localhost:5000.

Because the containers are named, the containers can even communicate witheach other using the name of the container. For example, if the containersidecar listens for requests on port5000, then the containeringress cancommunicate withsidecar using onhttp://sidecar:5000.

Adapt your containers for Cloud Run

Most containers you will build or find will be compatible with the Cloud Runcontainer runtime contract. However, you mightneed to alter some containers built to ease local development or expect fullmachine control to make them compatible with Cloud Runexecution environments.

Move mounts to your Cloud Run configuration

Your container's initialization scripts must assume that mounts are alreadycomplete before calling your container. You must move any mount operations intoyourCloud Run resource configuration.

Switch to a non-root user when possible

Prefer containers that don't use or rely on the root user. Thispractice reduces your Cloud Run service's vulnerability risk,decreases the container's attack surface, limits attacker access to your filesystems, and adheres to the principle of least privilege.

Use theUSER instruction in your Dockerfile to switch to a less privilegedidentity, as the default is to run as root. Cloud Run uses theuser specified in your Dockerfile to run your container.

Audit for use of`setuid` binaries

Execution ofsetuid binaries will fail when run from your containers in Cloud Run.

If you're using Docker or Podman locally, use the--cap-drop=setuid argument.Alternatively, validate that the binaries you depend on don't have thesetuidbit set.

Verify that root containers are compatible with user namespaces

Test your changes locally or in a VM by evaluating your code when running underuser namespaces, such as when usingDocker'suserns-remapfeature, running your container inrootless Podman,or deploying those changes to VMs running the Container-Optimized OS from Googlewith the--userns-remap=default argument in thedocker run command.

Disabling the deployment health check

By default, Cloud Run checks that your deployment is healthy bystarting an instance and waiting for its startup probe to pass.If the health check fails, the revision will be marked as unhealthy andthe traffic won't be routed to it.

If it is not needed or to increase deployment speed, the deployment health checkcan be disabled:

gcloud

To disable the deployment health check, use the--no-deploy-health-check flag:

gcloudrundeploy--imageIMAGE_URL--no-deploy-health-check

Replace the following:

IMAGE_URL: a reference to the container image, forexample,us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry,therepositoryREPO_NAME mustalready be created. The URL follows the format ofLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.

Use--deploy-health-check to re-enable the deployment health check if itwas previous disabled.

YAML

To disable the deployment health check, add therun.googleapis.com/health-check-disabled annotation with value'true'tospec.template.metadata.annotations.

apiVersion:serving.knative.dev/v1kind:Servicemetadata:name:SERVICEspec:template:metadata:annotations:run.googleapis.com/health-check-disabled:'true'

Terraform

To disable the deployment health check, set thehealth_check_disabledargument totrue in thetemplate block.

resource"google_cloud_run_v2_service""default"{name="SERVICE"...template{health_check_disabled=true...}}

What's next

After you deploy a new service, you can do the following:

You can automate the builds and deployments of your Cloud Run servicesusing Cloud Build Triggers:

Set up Continuous Deployment

You can also use Cloud Deploy to set up a continuous-delivery pipeline todeploy Cloud Run services to multiple environments:

Deploy an app to Cloud Run using Cloud Deploy

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.

Movatterモバイル変換

Deploying container images to Cloud Run Stay organized with collections Save and categorize content based on your preferences.

Before you start

Required roles

Supported container registries and images

Deploying a new service

Console

gcloud

YAML

Terraform

Compose

Client libraries

REST API

Cloud Run locations

Subject toTier 1 pricing

Subject toTier 2 pricing

Deploying a new revision of an existing service

Console

gcloud

YAML

Cloud Code

Terraform

Compose

Client libraries

REST API

Cloud Run locations

Subject toTier 1 pricing

Subject toTier 2 pricing

Deploying images from other Google Cloud projects

Deploying images from other registries

Deploying multiple containers to a service (sidecars)

Use cases

Deploying a service with sidecar containers

Console

gcloud

YAML

Terraform

Notable features available to deployments with sidecars

Start up order

Exchanging file data between sidecars

Communicating between sidecars

Adapt your containers for Cloud Run

Move mounts to your Cloud Run configuration

Switch to a non-root user when possible

Audit for use ofsetuid binaries

Verify that root containers are compatible with user namespaces

Disabling the deployment health check

gcloud

YAML

Terraform

What's next

Deploying container images to Cloud Run

Audit for use of`setuid` binaries