Triggering Cloud Run with Pub/Sub

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

In this lab, we will create a Cloud Run service that renders some 3D text and stores the image in a Cloud Storage bucket. The Cloud Run service will not be publicly available. Instead, we will create a Cloud Pub/Sub topic with an authenticated push subscription to send messages to our rendering service. You should be familiar with the GCP console, Cloud Shell, and service accounts to perform this hands-on lab. Some familiarity with Cloud Pub/Sub would be helpful but is not essential.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Deploy the Rendering Service

The code for the render service can be found at this GitHub repo:

Note: Before you create the container, you will need to create a Cloud Storage bucket to hold rendered images. Then, you will need to update the code of the render service with the name of your bucket (line 35 of

Build the container and push it to Google Container Registry, replacing <YOUR_PROJECT> with your project ID:

gcloud builds submit --tag<YOUR_PROJECT>/render .

The deployed service should not allow unauthenticated invocations.

Configure Pub/Sub
  1. Create a service account with the Cloud Run Invoker role.
  2. Create a Cloud Pub/Sub topic.
  3. Create a subscription for the topic:
    • The subscription should be Push.
    • It should use the endpoint of the render service.
    • It should use the service account you just created.

Note: When you enable authentication for the Push subscription, Pub/Sub will prompt you to add the iam.serviceAccountTokenCreator role and then reset the Add subscription form. This appears to be a normal (if somewhat quirky) behavior of the Cloud Console. Just re-enter the information to create the subscription, and it will work.

Test the Service
  1. Publish some test messages to your Pub/Sub topic.
  2. View the rendered images in the Cloud Storage bucket.

Images may take a minute or two to render before you can see them in the bucket. If you have any problems, check the logs of your Cloud Run service.

Additional Resources

Log in to Google Cloud Platform by right-clicking Open Google Console and selecting the option to open it in a new private browser window. Then, sign in using the credentials provided on the lab page.

The code for the render service can be found at this GitHub repo:

You can build the container image from this code with Cloud Build (be sure to replace <YOUR_PROJECT> with your project ID):

gcloud builds submit --tag<YOUR_PROJECT>/rende​r . In the absence of a cloudbuild.yaml file, Cloud Build will use the Dockerfile it finds in the directory with the code (which is why we add the . at the end to specify the local directory).

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?