The gcp:cloudrunv2/service:Service resource, part of the Pulumi GCP provider, defines a Cloud Run service: its container images, networking, scaling behavior, and revision templates. This guide focuses on four capabilities: container deployment with resource limits, VPC networking and private resource access, secrets and database connectivity, and health probes and multi-container patterns.
Cloud Run services reference container images, VPC infrastructure, Cloud SQL instances, Secret Manager secrets, and storage resources that must exist separately. The examples are intentionally small. Combine them with your own networking, IAM roles, and storage infrastructure.
Deploy a container with scaling and ingress controls
Most deployments start with a container image, ingress settings that control who can reach the service, and scaling limits that cap instance count.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.cloudrunv2.Service("default", {
name: "cloudrun-service",
location: "us-central1",
deletionProtection: false,
ingress: "INGRESS_TRAFFIC_ALL",
scaling: {
maxInstanceCount: 100,
},
template: {
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/hello",
}],
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.cloudrunv2.Service("default",
name="cloudrun-service",
location="us-central1",
deletion_protection=False,
ingress="INGRESS_TRAFFIC_ALL",
scaling={
"max_instance_count": 100,
},
template={
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/hello",
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewService(ctx, "default", &cloudrunv2.ServiceArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
Ingress: pulumi.String("INGRESS_TRAFFIC_ALL"),
Scaling: &cloudrunv2.ServiceScalingArgs{
MaxInstanceCount: pulumi.Int(100),
},
Template: &cloudrunv2.ServiceTemplateArgs{
Containers: cloudrunv2.ServiceTemplateContainerArray{
&cloudrunv2.ServiceTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CloudRunV2.Service("default", new()
{
Name = "cloudrun-service",
Location = "us-central1",
DeletionProtection = false,
Ingress = "INGRESS_TRAFFIC_ALL",
Scaling = new Gcp.CloudRunV2.Inputs.ServiceScalingArgs
{
MaxInstanceCount = 100,
},
Template = new Gcp.CloudRunV2.Inputs.ServiceTemplateArgs
{
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/hello",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.Service;
import com.pulumi.gcp.cloudrunv2.ServiceArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceScalingArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new Service("default", ServiceArgs.builder()
.name("cloudrun-service")
.location("us-central1")
.deletionProtection(false)
.ingress("INGRESS_TRAFFIC_ALL")
.scaling(ServiceScalingArgs.builder()
.maxInstanceCount(100)
.build())
.template(ServiceTemplateArgs.builder()
.containers(ServiceTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/hello")
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:Service
properties:
name: cloudrun-service
location: us-central1
deletionProtection: false
ingress: INGRESS_TRAFFIC_ALL
scaling:
maxInstanceCount: 100
template:
containers:
- image: us-docker.pkg.dev/cloudrun/container/hello
The image property points to your container in Artifact Registry or Container Registry. The ingress property controls network access: INGRESS_TRAFFIC_ALL allows public internet access, while INGRESS_TRAFFIC_INTERNAL_ONLY restricts to VPC and internal load balancers. The scaling block sets maxInstanceCount to prevent runaway costs.
Set CPU and memory resource limits
Applications with known resource requirements benefit from explicit CPU and memory limits, which control billing and prevent over-allocation.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.cloudrunv2.Service("default", {
name: "cloudrun-service",
location: "us-central1",
deletionProtection: false,
ingress: "INGRESS_TRAFFIC_ALL",
template: {
healthCheckDisabled: true,
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/hello",
resources: {
limits: {
cpu: "2",
memory: "1024Mi",
},
},
}],
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.cloudrunv2.Service("default",
name="cloudrun-service",
location="us-central1",
deletion_protection=False,
ingress="INGRESS_TRAFFIC_ALL",
template={
"health_check_disabled": True,
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/hello",
"resources": {
"limits": {
"cpu": "2",
"memory": "1024Mi",
},
},
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewService(ctx, "default", &cloudrunv2.ServiceArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
Ingress: pulumi.String("INGRESS_TRAFFIC_ALL"),
Template: &cloudrunv2.ServiceTemplateArgs{
HealthCheckDisabled: pulumi.Bool(true),
Containers: cloudrunv2.ServiceTemplateContainerArray{
&cloudrunv2.ServiceTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello"),
Resources: &cloudrunv2.ServiceTemplateContainerResourcesArgs{
Limits: pulumi.StringMap{
"cpu": pulumi.String("2"),
"memory": pulumi.String("1024Mi"),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CloudRunV2.Service("default", new()
{
Name = "cloudrun-service",
Location = "us-central1",
DeletionProtection = false,
Ingress = "INGRESS_TRAFFIC_ALL",
Template = new Gcp.CloudRunV2.Inputs.ServiceTemplateArgs
{
HealthCheckDisabled = true,
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/hello",
Resources = new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerResourcesArgs
{
Limits =
{
{ "cpu", "2" },
{ "memory", "1024Mi" },
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.Service;
import com.pulumi.gcp.cloudrunv2.ServiceArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new Service("default", ServiceArgs.builder()
.name("cloudrun-service")
.location("us-central1")
.deletionProtection(false)
.ingress("INGRESS_TRAFFIC_ALL")
.template(ServiceTemplateArgs.builder()
.healthCheckDisabled(true)
.containers(ServiceTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/hello")
.resources(ServiceTemplateContainerResourcesArgs.builder()
.limits(Map.ofEntries(
Map.entry("cpu", "2"),
Map.entry("memory", "1024Mi")
))
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:Service
properties:
name: cloudrun-service
location: us-central1
deletionProtection: false
ingress: INGRESS_TRAFFIC_ALL
template:
healthCheckDisabled: true
containers:
- image: us-docker.pkg.dev/cloudrun/container/hello
resources:
limits:
cpu: '2'
memory: 1024Mi
The resources.limits block specifies CPU cores and memory per container instance. Cloud Run bills based on allocated resources multiplied by request duration, so right-sizing these values directly affects costs. The healthCheckDisabled property skips default health checks when your application handles its own readiness signaling.
Connect to Cloud SQL with secrets and volumes
Services that need database access mount Cloud SQL instances as volumes and inject connection details via environment variables, often pulling credentials from Secret Manager.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const secret = new gcp.secretmanager.Secret("secret", {
secretId: "secret-1",
replication: {
auto: {},
},
});
const secret_version_data = new gcp.secretmanager.SecretVersion("secret-version-data", {
secret: secret.name,
secretData: "secret-data",
});
const instance = new gcp.sql.DatabaseInstance("instance", {
name: "cloudrun-sql",
region: "us-central1",
databaseVersion: "MYSQL_5_7",
settings: {
tier: "db-f1-micro",
},
deletionProtection: true,
});
const _default = new gcp.cloudrunv2.Service("default", {
name: "cloudrun-service",
location: "us-central1",
deletionProtection: false,
ingress: "INGRESS_TRAFFIC_ALL",
scaling: {
maxInstanceCount: 2,
},
template: {
volumes: [{
name: "cloudsql",
cloudSqlInstance: {
instances: [instance.connectionName],
},
}],
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/hello",
envs: [
{
name: "FOO",
value: "bar",
},
{
name: "SECRET_ENV_VAR",
valueSource: {
secretKeyRef: {
secret: secret.secretId,
version: "1",
},
},
},
],
volumeMounts: [{
name: "cloudsql",
mountPath: "/cloudsql",
}],
}],
},
traffics: [{
type: "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST",
percent: 100,
}],
}, {
dependsOn: [secret_version_data],
});
const project = gcp.organizations.getProject({});
const secret_access = new gcp.secretmanager.SecretIamMember("secret-access", {
secretId: secret.id,
role: "roles/secretmanager.secretAccessor",
member: project.then(project => `serviceAccount:${project.number}-compute@developer.gserviceaccount.com`),
}, {
dependsOn: [secret],
});
import pulumi
import pulumi_gcp as gcp
secret = gcp.secretmanager.Secret("secret",
secret_id="secret-1",
replication={
"auto": {},
})
secret_version_data = gcp.secretmanager.SecretVersion("secret-version-data",
secret=secret.name,
secret_data="secret-data")
instance = gcp.sql.DatabaseInstance("instance",
name="cloudrun-sql",
region="us-central1",
database_version="MYSQL_5_7",
settings={
"tier": "db-f1-micro",
},
deletion_protection=True)
default = gcp.cloudrunv2.Service("default",
name="cloudrun-service",
location="us-central1",
deletion_protection=False,
ingress="INGRESS_TRAFFIC_ALL",
scaling={
"max_instance_count": 2,
},
template={
"volumes": [{
"name": "cloudsql",
"cloud_sql_instance": {
"instances": [instance.connection_name],
},
}],
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/hello",
"envs": [
{
"name": "FOO",
"value": "bar",
},
{
"name": "SECRET_ENV_VAR",
"value_source": {
"secret_key_ref": {
"secret": secret.secret_id,
"version": "1",
},
},
},
],
"volume_mounts": [{
"name": "cloudsql",
"mount_path": "/cloudsql",
}],
}],
},
traffics=[{
"type": "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST",
"percent": 100,
}],
opts = pulumi.ResourceOptions(depends_on=[secret_version_data]))
project = gcp.organizations.get_project()
secret_access = gcp.secretmanager.SecretIamMember("secret-access",
secret_id=secret.id,
role="roles/secretmanager.secretAccessor",
member=f"serviceAccount:{project.number}-compute@developer.gserviceaccount.com",
opts = pulumi.ResourceOptions(depends_on=[secret]))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/secretmanager"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/sql"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
secret, err := secretmanager.NewSecret(ctx, "secret", &secretmanager.SecretArgs{
SecretId: pulumi.String("secret-1"),
Replication: &secretmanager.SecretReplicationArgs{
Auto: &secretmanager.SecretReplicationAutoArgs{},
},
})
if err != nil {
return err
}
secret_version_data, err := secretmanager.NewSecretVersion(ctx, "secret-version-data", &secretmanager.SecretVersionArgs{
Secret: secret.Name,
SecretData: pulumi.String("secret-data"),
})
if err != nil {
return err
}
instance, err := sql.NewDatabaseInstance(ctx, "instance", &sql.DatabaseInstanceArgs{
Name: pulumi.String("cloudrun-sql"),
Region: pulumi.String("us-central1"),
DatabaseVersion: pulumi.String("MYSQL_5_7"),
Settings: &sql.DatabaseInstanceSettingsArgs{
Tier: pulumi.String("db-f1-micro"),
},
DeletionProtection: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = cloudrunv2.NewService(ctx, "default", &cloudrunv2.ServiceArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
Ingress: pulumi.String("INGRESS_TRAFFIC_ALL"),
Scaling: &cloudrunv2.ServiceScalingArgs{
MaxInstanceCount: pulumi.Int(2),
},
Template: &cloudrunv2.ServiceTemplateArgs{
Volumes: cloudrunv2.ServiceTemplateVolumeArray{
&cloudrunv2.ServiceTemplateVolumeArgs{
Name: pulumi.String("cloudsql"),
CloudSqlInstance: &cloudrunv2.ServiceTemplateVolumeCloudSqlInstanceArgs{
Instances: pulumi.StringArray{
instance.ConnectionName,
},
},
},
},
Containers: cloudrunv2.ServiceTemplateContainerArray{
&cloudrunv2.ServiceTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello"),
Envs: cloudrunv2.ServiceTemplateContainerEnvArray{
&cloudrunv2.ServiceTemplateContainerEnvArgs{
Name: pulumi.String("FOO"),
Value: pulumi.String("bar"),
},
&cloudrunv2.ServiceTemplateContainerEnvArgs{
Name: pulumi.String("SECRET_ENV_VAR"),
ValueSource: &cloudrunv2.ServiceTemplateContainerEnvValueSourceArgs{
SecretKeyRef: &cloudrunv2.ServiceTemplateContainerEnvValueSourceSecretKeyRefArgs{
Secret: secret.SecretId,
Version: pulumi.String("1"),
},
},
},
},
VolumeMounts: cloudrunv2.ServiceTemplateContainerVolumeMountArray{
&cloudrunv2.ServiceTemplateContainerVolumeMountArgs{
Name: pulumi.String("cloudsql"),
MountPath: pulumi.String("/cloudsql"),
},
},
},
},
},
Traffics: cloudrunv2.ServiceTrafficArray{
&cloudrunv2.ServiceTrafficArgs{
Type: pulumi.String("TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"),
Percent: pulumi.Int(100),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
secret_version_data,
}))
if err != nil {
return err
}
project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
if err != nil {
return err
}
_, err = secretmanager.NewSecretIamMember(ctx, "secret-access", &secretmanager.SecretIamMemberArgs{
SecretId: secret.ID(),
Role: pulumi.String("roles/secretmanager.secretAccessor"),
Member: pulumi.Sprintf("serviceAccount:%v-compute@developer.gserviceaccount.com", project.Number),
}, pulumi.DependsOn([]pulumi.Resource{
secret,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var secret = new Gcp.SecretManager.Secret("secret", new()
{
SecretId = "secret-1",
Replication = new Gcp.SecretManager.Inputs.SecretReplicationArgs
{
Auto = null,
},
});
var secret_version_data = new Gcp.SecretManager.SecretVersion("secret-version-data", new()
{
Secret = secret.Name,
SecretData = "secret-data",
});
var instance = new Gcp.Sql.DatabaseInstance("instance", new()
{
Name = "cloudrun-sql",
Region = "us-central1",
DatabaseVersion = "MYSQL_5_7",
Settings = new Gcp.Sql.Inputs.DatabaseInstanceSettingsArgs
{
Tier = "db-f1-micro",
},
DeletionProtection = true,
});
var @default = new Gcp.CloudRunV2.Service("default", new()
{
Name = "cloudrun-service",
Location = "us-central1",
DeletionProtection = false,
Ingress = "INGRESS_TRAFFIC_ALL",
Scaling = new Gcp.CloudRunV2.Inputs.ServiceScalingArgs
{
MaxInstanceCount = 2,
},
Template = new Gcp.CloudRunV2.Inputs.ServiceTemplateArgs
{
Volumes = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateVolumeArgs
{
Name = "cloudsql",
CloudSqlInstance = new Gcp.CloudRunV2.Inputs.ServiceTemplateVolumeCloudSqlInstanceArgs
{
Instances = new[]
{
instance.ConnectionName,
},
},
},
},
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/hello",
Envs = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerEnvArgs
{
Name = "FOO",
Value = "bar",
},
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerEnvArgs
{
Name = "SECRET_ENV_VAR",
ValueSource = new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerEnvValueSourceArgs
{
SecretKeyRef = new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerEnvValueSourceSecretKeyRefArgs
{
Secret = secret.SecretId,
Version = "1",
},
},
},
},
VolumeMounts = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerVolumeMountArgs
{
Name = "cloudsql",
MountPath = "/cloudsql",
},
},
},
},
},
Traffics = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTrafficArgs
{
Type = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST",
Percent = 100,
},
},
}, new CustomResourceOptions
{
DependsOn =
{
secret_version_data,
},
});
var project = Gcp.Organizations.GetProject.Invoke();
var secret_access = new Gcp.SecretManager.SecretIamMember("secret-access", new()
{
SecretId = secret.Id,
Role = "roles/secretmanager.secretAccessor",
Member = $"serviceAccount:{project.Apply(getProjectResult => getProjectResult.Number)}-compute@developer.gserviceaccount.com",
}, new CustomResourceOptions
{
DependsOn =
{
secret,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.secretmanager.Secret;
import com.pulumi.gcp.secretmanager.SecretArgs;
import com.pulumi.gcp.secretmanager.inputs.SecretReplicationArgs;
import com.pulumi.gcp.secretmanager.inputs.SecretReplicationAutoArgs;
import com.pulumi.gcp.secretmanager.SecretVersion;
import com.pulumi.gcp.secretmanager.SecretVersionArgs;
import com.pulumi.gcp.sql.DatabaseInstance;
import com.pulumi.gcp.sql.DatabaseInstanceArgs;
import com.pulumi.gcp.sql.inputs.DatabaseInstanceSettingsArgs;
import com.pulumi.gcp.cloudrunv2.Service;
import com.pulumi.gcp.cloudrunv2.ServiceArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceScalingArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTrafficArgs;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.secretmanager.SecretIamMember;
import com.pulumi.gcp.secretmanager.SecretIamMemberArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var secret = new Secret("secret", SecretArgs.builder()
.secretId("secret-1")
.replication(SecretReplicationArgs.builder()
.auto(SecretReplicationAutoArgs.builder()
.build())
.build())
.build());
var secret_version_data = new SecretVersion("secret-version-data", SecretVersionArgs.builder()
.secret(secret.name())
.secretData("secret-data")
.build());
var instance = new DatabaseInstance("instance", DatabaseInstanceArgs.builder()
.name("cloudrun-sql")
.region("us-central1")
.databaseVersion("MYSQL_5_7")
.settings(DatabaseInstanceSettingsArgs.builder()
.tier("db-f1-micro")
.build())
.deletionProtection(true)
.build());
var default_ = new Service("default", ServiceArgs.builder()
.name("cloudrun-service")
.location("us-central1")
.deletionProtection(false)
.ingress("INGRESS_TRAFFIC_ALL")
.scaling(ServiceScalingArgs.builder()
.maxInstanceCount(2)
.build())
.template(ServiceTemplateArgs.builder()
.volumes(ServiceTemplateVolumeArgs.builder()
.name("cloudsql")
.cloudSqlInstance(ServiceTemplateVolumeCloudSqlInstanceArgs.builder()
.instances(instance.connectionName())
.build())
.build())
.containers(ServiceTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/hello")
.envs(
ServiceTemplateContainerEnvArgs.builder()
.name("FOO")
.value("bar")
.build(),
ServiceTemplateContainerEnvArgs.builder()
.name("SECRET_ENV_VAR")
.valueSource(ServiceTemplateContainerEnvValueSourceArgs.builder()
.secretKeyRef(ServiceTemplateContainerEnvValueSourceSecretKeyRefArgs.builder()
.secret(secret.secretId())
.version("1")
.build())
.build())
.build())
.volumeMounts(ServiceTemplateContainerVolumeMountArgs.builder()
.name("cloudsql")
.mountPath("/cloudsql")
.build())
.build())
.build())
.traffics(ServiceTrafficArgs.builder()
.type("TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST")
.percent(100)
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(secret_version_data)
.build());
final var project = OrganizationsFunctions.getProject(GetProjectArgs.builder()
.build());
var secret_access = new SecretIamMember("secret-access", SecretIamMemberArgs.builder()
.secretId(secret.id())
.role("roles/secretmanager.secretAccessor")
.member(String.format("serviceAccount:%s-compute@developer.gserviceaccount.com", project.number()))
.build(), CustomResourceOptions.builder()
.dependsOn(secret)
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:Service
properties:
name: cloudrun-service
location: us-central1
deletionProtection: false
ingress: INGRESS_TRAFFIC_ALL
scaling:
maxInstanceCount: 2
template:
volumes:
- name: cloudsql
cloudSqlInstance:
instances:
- ${instance.connectionName}
containers:
- image: us-docker.pkg.dev/cloudrun/container/hello
envs:
- name: FOO
value: bar
- name: SECRET_ENV_VAR
valueSource:
secretKeyRef:
secret: ${secret.secretId}
version: '1'
volumeMounts:
- name: cloudsql
mountPath: /cloudsql
traffics:
- type: TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST
percent: 100
options:
dependsOn:
- ${["secret-version-data"]}
secret:
type: gcp:secretmanager:Secret
properties:
secretId: secret-1
replication:
auto: {}
secret-version-data:
type: gcp:secretmanager:SecretVersion
properties:
secret: ${secret.name}
secretData: secret-data
secret-access:
type: gcp:secretmanager:SecretIamMember
properties:
secretId: ${secret.id}
role: roles/secretmanager.secretAccessor
member: serviceAccount:${project.number}-compute@developer.gserviceaccount.com
options:
dependsOn:
- ${secret}
instance:
type: gcp:sql:DatabaseInstance
properties:
name: cloudrun-sql
region: us-central1
databaseVersion: MYSQL_5_7
settings:
tier: db-f1-micro
deletionProtection: true
variables:
project:
fn::invoke:
function: gcp:organizations:getProject
arguments: {}
The cloudSqlInstance volume type creates a Unix socket at the specified mountPath, enabling your application to connect to Cloud SQL without managing IP addresses or SSL certificates. The envs array injects configuration: plain values for non-sensitive data, and valueSource.secretKeyRef for credentials stored in Secret Manager. The service account needs the secretmanager.secretAccessor role to read secrets at runtime.
Route traffic through a VPC Access connector
Services that need to reach private VPC resources use Serverless VPC Access connectors to route egress traffic through a specified network.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const customTestNetwork = new gcp.compute.Network("custom_test", {
name: "run-network",
autoCreateSubnetworks: false,
});
const customTest = new gcp.compute.Subnetwork("custom_test", {
name: "run-subnetwork",
ipCidrRange: "10.2.0.0/28",
region: "us-central1",
network: customTestNetwork.id,
});
const connector = new gcp.vpcaccess.Connector("connector", {
name: "run-vpc",
subnet: {
name: customTest.name,
},
machineType: "e2-standard-4",
minInstances: 2,
maxInstances: 3,
region: "us-central1",
});
const _default = new gcp.cloudrunv2.Service("default", {
name: "cloudrun-service",
location: "us-central1",
deletionProtection: false,
template: {
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/hello",
}],
vpcAccess: {
connector: connector.id,
egress: "ALL_TRAFFIC",
},
},
});
import pulumi
import pulumi_gcp as gcp
custom_test_network = gcp.compute.Network("custom_test",
name="run-network",
auto_create_subnetworks=False)
custom_test = gcp.compute.Subnetwork("custom_test",
name="run-subnetwork",
ip_cidr_range="10.2.0.0/28",
region="us-central1",
network=custom_test_network.id)
connector = gcp.vpcaccess.Connector("connector",
name="run-vpc",
subnet={
"name": custom_test.name,
},
machine_type="e2-standard-4",
min_instances=2,
max_instances=3,
region="us-central1")
default = gcp.cloudrunv2.Service("default",
name="cloudrun-service",
location="us-central1",
deletion_protection=False,
template={
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/hello",
}],
"vpc_access": {
"connector": connector.id,
"egress": "ALL_TRAFFIC",
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/vpcaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
customTestNetwork, err := compute.NewNetwork(ctx, "custom_test", &compute.NetworkArgs{
Name: pulumi.String("run-network"),
AutoCreateSubnetworks: pulumi.Bool(false),
})
if err != nil {
return err
}
customTest, err := compute.NewSubnetwork(ctx, "custom_test", &compute.SubnetworkArgs{
Name: pulumi.String("run-subnetwork"),
IpCidrRange: pulumi.String("10.2.0.0/28"),
Region: pulumi.String("us-central1"),
Network: customTestNetwork.ID(),
})
if err != nil {
return err
}
connector, err := vpcaccess.NewConnector(ctx, "connector", &vpcaccess.ConnectorArgs{
Name: pulumi.String("run-vpc"),
Subnet: &vpcaccess.ConnectorSubnetArgs{
Name: customTest.Name,
},
MachineType: pulumi.String("e2-standard-4"),
MinInstances: pulumi.Int(2),
MaxInstances: pulumi.Int(3),
Region: pulumi.String("us-central1"),
})
if err != nil {
return err
}
_, err = cloudrunv2.NewService(ctx, "default", &cloudrunv2.ServiceArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
Template: &cloudrunv2.ServiceTemplateArgs{
Containers: cloudrunv2.ServiceTemplateContainerArray{
&cloudrunv2.ServiceTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello"),
},
},
VpcAccess: &cloudrunv2.ServiceTemplateVpcAccessArgs{
Connector: connector.ID(),
Egress: pulumi.String("ALL_TRAFFIC"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var customTestNetwork = new Gcp.Compute.Network("custom_test", new()
{
Name = "run-network",
AutoCreateSubnetworks = false,
});
var customTest = new Gcp.Compute.Subnetwork("custom_test", new()
{
Name = "run-subnetwork",
IpCidrRange = "10.2.0.0/28",
Region = "us-central1",
Network = customTestNetwork.Id,
});
var connector = new Gcp.VpcAccess.Connector("connector", new()
{
Name = "run-vpc",
Subnet = new Gcp.VpcAccess.Inputs.ConnectorSubnetArgs
{
Name = customTest.Name,
},
MachineType = "e2-standard-4",
MinInstances = 2,
MaxInstances = 3,
Region = "us-central1",
});
var @default = new Gcp.CloudRunV2.Service("default", new()
{
Name = "cloudrun-service",
Location = "us-central1",
DeletionProtection = false,
Template = new Gcp.CloudRunV2.Inputs.ServiceTemplateArgs
{
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/hello",
},
},
VpcAccess = new Gcp.CloudRunV2.Inputs.ServiceTemplateVpcAccessArgs
{
Connector = connector.Id,
Egress = "ALL_TRAFFIC",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.Subnetwork;
import com.pulumi.gcp.compute.SubnetworkArgs;
import com.pulumi.gcp.vpcaccess.Connector;
import com.pulumi.gcp.vpcaccess.ConnectorArgs;
import com.pulumi.gcp.vpcaccess.inputs.ConnectorSubnetArgs;
import com.pulumi.gcp.cloudrunv2.Service;
import com.pulumi.gcp.cloudrunv2.ServiceArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateVpcAccessArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var customTestNetwork = new Network("customTestNetwork", NetworkArgs.builder()
.name("run-network")
.autoCreateSubnetworks(false)
.build());
var customTest = new Subnetwork("customTest", SubnetworkArgs.builder()
.name("run-subnetwork")
.ipCidrRange("10.2.0.0/28")
.region("us-central1")
.network(customTestNetwork.id())
.build());
var connector = new Connector("connector", ConnectorArgs.builder()
.name("run-vpc")
.subnet(ConnectorSubnetArgs.builder()
.name(customTest.name())
.build())
.machineType("e2-standard-4")
.minInstances(2)
.maxInstances(3)
.region("us-central1")
.build());
var default_ = new Service("default", ServiceArgs.builder()
.name("cloudrun-service")
.location("us-central1")
.deletionProtection(false)
.template(ServiceTemplateArgs.builder()
.containers(ServiceTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/hello")
.build())
.vpcAccess(ServiceTemplateVpcAccessArgs.builder()
.connector(connector.id())
.egress("ALL_TRAFFIC")
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:Service
properties:
name: cloudrun-service
location: us-central1
deletionProtection: false
template:
containers:
- image: us-docker.pkg.dev/cloudrun/container/hello
vpcAccess:
connector: ${connector.id}
egress: ALL_TRAFFIC
connector:
type: gcp:vpcaccess:Connector
properties:
name: run-vpc
subnet:
name: ${customTest.name}
machineType: e2-standard-4
minInstances: 2
maxInstances: 3
region: us-central1
customTest:
type: gcp:compute:Subnetwork
name: custom_test
properties:
name: run-subnetwork
ipCidrRange: 10.2.0.0/28
region: us-central1
network: ${customTestNetwork.id}
customTestNetwork:
type: gcp:compute:Network
name: custom_test
properties:
name: run-network
autoCreateSubnetworks: false
The vpcAccess.connector property references a VPC Access connector that bridges Cloud Run to your VPC. The egress property controls which traffic uses the connector: ALL_TRAFFIC routes everything through the VPC, while PRIVATE_RANGES_ONLY sends only RFC 1918 addresses through the connector and routes public traffic directly.
Attach directly to VPC networks with network interfaces
Direct VPC integration places containers on VPC network interfaces without requiring a connector, enabling lower-latency access to private resources.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.cloudrunv2.Service("default", {
name: "cloudrun-service",
location: "us-central1",
deletionProtection: false,
launchStage: "GA",
template: {
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/hello",
}],
vpcAccess: {
networkInterfaces: [{
network: "default",
subnetwork: "default",
tags: [
"tag1",
"tag2",
"tag3",
],
}],
},
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.cloudrunv2.Service("default",
name="cloudrun-service",
location="us-central1",
deletion_protection=False,
launch_stage="GA",
template={
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/hello",
}],
"vpc_access": {
"network_interfaces": [{
"network": "default",
"subnetwork": "default",
"tags": [
"tag1",
"tag2",
"tag3",
],
}],
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewService(ctx, "default", &cloudrunv2.ServiceArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
LaunchStage: pulumi.String("GA"),
Template: &cloudrunv2.ServiceTemplateArgs{
Containers: cloudrunv2.ServiceTemplateContainerArray{
&cloudrunv2.ServiceTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello"),
},
},
VpcAccess: &cloudrunv2.ServiceTemplateVpcAccessArgs{
NetworkInterfaces: cloudrunv2.ServiceTemplateVpcAccessNetworkInterfaceArray{
&cloudrunv2.ServiceTemplateVpcAccessNetworkInterfaceArgs{
Network: pulumi.String("default"),
Subnetwork: pulumi.String("default"),
Tags: pulumi.StringArray{
pulumi.String("tag1"),
pulumi.String("tag2"),
pulumi.String("tag3"),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CloudRunV2.Service("default", new()
{
Name = "cloudrun-service",
Location = "us-central1",
DeletionProtection = false,
LaunchStage = "GA",
Template = new Gcp.CloudRunV2.Inputs.ServiceTemplateArgs
{
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/hello",
},
},
VpcAccess = new Gcp.CloudRunV2.Inputs.ServiceTemplateVpcAccessArgs
{
NetworkInterfaces = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateVpcAccessNetworkInterfaceArgs
{
Network = "default",
Subnetwork = "default",
Tags = new[]
{
"tag1",
"tag2",
"tag3",
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.Service;
import com.pulumi.gcp.cloudrunv2.ServiceArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateVpcAccessArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new Service("default", ServiceArgs.builder()
.name("cloudrun-service")
.location("us-central1")
.deletionProtection(false)
.launchStage("GA")
.template(ServiceTemplateArgs.builder()
.containers(ServiceTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/hello")
.build())
.vpcAccess(ServiceTemplateVpcAccessArgs.builder()
.networkInterfaces(ServiceTemplateVpcAccessNetworkInterfaceArgs.builder()
.network("default")
.subnetwork("default")
.tags(
"tag1",
"tag2",
"tag3")
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:Service
properties:
name: cloudrun-service
location: us-central1
deletionProtection: false
launchStage: GA
template:
containers:
- image: us-docker.pkg.dev/cloudrun/container/hello
vpcAccess:
networkInterfaces:
- network: default
subnetwork: default
tags:
- tag1
- tag2
- tag3
The networkInterfaces property attaches containers directly to VPC subnets, bypassing the need for a VPC Access connector. The tags array applies network tags to the container’s network interface, enabling firewall rules to target Cloud Run traffic. This approach provides lower latency than connectors but requires careful firewall configuration.
Configure startup and liveness health checks
Applications with slow initialization or specific health requirements use probes to signal readiness and detect failures during runtime.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.cloudrunv2.Service("default", {
name: "cloudrun-service",
location: "us-central1",
deletionProtection: false,
template: {
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/hello",
startupProbe: {
initialDelaySeconds: 0,
timeoutSeconds: 1,
periodSeconds: 3,
failureThreshold: 1,
tcpSocket: {
port: 8080,
},
},
livenessProbe: {
httpGet: {
path: "/",
},
},
}],
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.cloudrunv2.Service("default",
name="cloudrun-service",
location="us-central1",
deletion_protection=False,
template={
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/hello",
"startup_probe": {
"initial_delay_seconds": 0,
"timeout_seconds": 1,
"period_seconds": 3,
"failure_threshold": 1,
"tcp_socket": {
"port": 8080,
},
},
"liveness_probe": {
"http_get": {
"path": "/",
},
},
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewService(ctx, "default", &cloudrunv2.ServiceArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
Template: &cloudrunv2.ServiceTemplateArgs{
Containers: cloudrunv2.ServiceTemplateContainerArray{
&cloudrunv2.ServiceTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello"),
StartupProbe: &cloudrunv2.ServiceTemplateContainerStartupProbeArgs{
InitialDelaySeconds: pulumi.Int(0),
TimeoutSeconds: pulumi.Int(1),
PeriodSeconds: pulumi.Int(3),
FailureThreshold: pulumi.Int(1),
TcpSocket: &cloudrunv2.ServiceTemplateContainerStartupProbeTcpSocketArgs{
Port: pulumi.Int(8080),
},
},
LivenessProbe: &cloudrunv2.ServiceTemplateContainerLivenessProbeArgs{
HttpGet: &cloudrunv2.ServiceTemplateContainerLivenessProbeHttpGetArgs{
Path: pulumi.String("/"),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CloudRunV2.Service("default", new()
{
Name = "cloudrun-service",
Location = "us-central1",
DeletionProtection = false,
Template = new Gcp.CloudRunV2.Inputs.ServiceTemplateArgs
{
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/hello",
StartupProbe = new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerStartupProbeArgs
{
InitialDelaySeconds = 0,
TimeoutSeconds = 1,
PeriodSeconds = 3,
FailureThreshold = 1,
TcpSocket = new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerStartupProbeTcpSocketArgs
{
Port = 8080,
},
},
LivenessProbe = new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerLivenessProbeArgs
{
HttpGet = new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerLivenessProbeHttpGetArgs
{
Path = "/",
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.Service;
import com.pulumi.gcp.cloudrunv2.ServiceArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new Service("default", ServiceArgs.builder()
.name("cloudrun-service")
.location("us-central1")
.deletionProtection(false)
.template(ServiceTemplateArgs.builder()
.containers(ServiceTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/hello")
.startupProbe(ServiceTemplateContainerStartupProbeArgs.builder()
.initialDelaySeconds(0)
.timeoutSeconds(1)
.periodSeconds(3)
.failureThreshold(1)
.tcpSocket(ServiceTemplateContainerStartupProbeTcpSocketArgs.builder()
.port(8080)
.build())
.build())
.livenessProbe(ServiceTemplateContainerLivenessProbeArgs.builder()
.httpGet(ServiceTemplateContainerLivenessProbeHttpGetArgs.builder()
.path("/")
.build())
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:Service
properties:
name: cloudrun-service
location: us-central1
deletionProtection: false
template:
containers:
- image: us-docker.pkg.dev/cloudrun/container/hello
startupProbe:
initialDelaySeconds: 0
timeoutSeconds: 1
periodSeconds: 3
failureThreshold: 1
tcpSocket:
port: 8080
livenessProbe:
httpGet:
path: /
The startupProbe runs during container initialization, delaying traffic until the application is ready. The tcpSocket check attempts a connection to the specified port. The livenessProbe runs continuously after startup, restarting the container if checks fail. The httpGet check sends HTTP requests to the specified path, expecting 2xx or 3xx responses.
Mount secrets as files in the container filesystem
Applications that read configuration from files rather than environment variables mount Secret Manager secrets as volumes at specified paths.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const secret = new gcp.secretmanager.Secret("secret", {
secretId: "secret-1",
replication: {
auto: {},
},
});
const secret_version_data = new gcp.secretmanager.SecretVersion("secret-version-data", {
secret: secret.name,
secretData: "secret-data",
});
const _default = new gcp.cloudrunv2.Service("default", {
name: "cloudrun-service",
location: "us-central1",
deletionProtection: false,
ingress: "INGRESS_TRAFFIC_ALL",
template: {
volumes: [{
name: "a-volume",
secret: {
secret: secret.secretId,
defaultMode: 292,
items: [{
version: "1",
path: "my-secret",
}],
},
}],
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/hello",
volumeMounts: [{
name: "a-volume",
mountPath: "/secrets",
}],
}],
},
}, {
dependsOn: [secret_version_data],
});
const project = gcp.organizations.getProject({});
const secret_access = new gcp.secretmanager.SecretIamMember("secret-access", {
secretId: secret.id,
role: "roles/secretmanager.secretAccessor",
member: project.then(project => `serviceAccount:${project.number}-compute@developer.gserviceaccount.com`),
}, {
dependsOn: [secret],
});
import pulumi
import pulumi_gcp as gcp
secret = gcp.secretmanager.Secret("secret",
secret_id="secret-1",
replication={
"auto": {},
})
secret_version_data = gcp.secretmanager.SecretVersion("secret-version-data",
secret=secret.name,
secret_data="secret-data")
default = gcp.cloudrunv2.Service("default",
name="cloudrun-service",
location="us-central1",
deletion_protection=False,
ingress="INGRESS_TRAFFIC_ALL",
template={
"volumes": [{
"name": "a-volume",
"secret": {
"secret": secret.secret_id,
"default_mode": 292,
"items": [{
"version": "1",
"path": "my-secret",
}],
},
}],
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/hello",
"volume_mounts": [{
"name": "a-volume",
"mount_path": "/secrets",
}],
}],
},
opts = pulumi.ResourceOptions(depends_on=[secret_version_data]))
project = gcp.organizations.get_project()
secret_access = gcp.secretmanager.SecretIamMember("secret-access",
secret_id=secret.id,
role="roles/secretmanager.secretAccessor",
member=f"serviceAccount:{project.number}-compute@developer.gserviceaccount.com",
opts = pulumi.ResourceOptions(depends_on=[secret]))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/secretmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
secret, err := secretmanager.NewSecret(ctx, "secret", &secretmanager.SecretArgs{
SecretId: pulumi.String("secret-1"),
Replication: &secretmanager.SecretReplicationArgs{
Auto: &secretmanager.SecretReplicationAutoArgs{},
},
})
if err != nil {
return err
}
secret_version_data, err := secretmanager.NewSecretVersion(ctx, "secret-version-data", &secretmanager.SecretVersionArgs{
Secret: secret.Name,
SecretData: pulumi.String("secret-data"),
})
if err != nil {
return err
}
_, err = cloudrunv2.NewService(ctx, "default", &cloudrunv2.ServiceArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
Ingress: pulumi.String("INGRESS_TRAFFIC_ALL"),
Template: &cloudrunv2.ServiceTemplateArgs{
Volumes: cloudrunv2.ServiceTemplateVolumeArray{
&cloudrunv2.ServiceTemplateVolumeArgs{
Name: pulumi.String("a-volume"),
Secret: &cloudrunv2.ServiceTemplateVolumeSecretArgs{
Secret: secret.SecretId,
DefaultMode: pulumi.Int(292),
Items: cloudrunv2.ServiceTemplateVolumeSecretItemArray{
&cloudrunv2.ServiceTemplateVolumeSecretItemArgs{
Version: pulumi.String("1"),
Path: pulumi.String("my-secret"),
},
},
},
},
},
Containers: cloudrunv2.ServiceTemplateContainerArray{
&cloudrunv2.ServiceTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello"),
VolumeMounts: cloudrunv2.ServiceTemplateContainerVolumeMountArray{
&cloudrunv2.ServiceTemplateContainerVolumeMountArgs{
Name: pulumi.String("a-volume"),
MountPath: pulumi.String("/secrets"),
},
},
},
},
},
}, pulumi.DependsOn([]pulumi.Resource{
secret_version_data,
}))
if err != nil {
return err
}
project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
if err != nil {
return err
}
_, err = secretmanager.NewSecretIamMember(ctx, "secret-access", &secretmanager.SecretIamMemberArgs{
SecretId: secret.ID(),
Role: pulumi.String("roles/secretmanager.secretAccessor"),
Member: pulumi.Sprintf("serviceAccount:%v-compute@developer.gserviceaccount.com", project.Number),
}, pulumi.DependsOn([]pulumi.Resource{
secret,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var secret = new Gcp.SecretManager.Secret("secret", new()
{
SecretId = "secret-1",
Replication = new Gcp.SecretManager.Inputs.SecretReplicationArgs
{
Auto = null,
},
});
var secret_version_data = new Gcp.SecretManager.SecretVersion("secret-version-data", new()
{
Secret = secret.Name,
SecretData = "secret-data",
});
var @default = new Gcp.CloudRunV2.Service("default", new()
{
Name = "cloudrun-service",
Location = "us-central1",
DeletionProtection = false,
Ingress = "INGRESS_TRAFFIC_ALL",
Template = new Gcp.CloudRunV2.Inputs.ServiceTemplateArgs
{
Volumes = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateVolumeArgs
{
Name = "a-volume",
Secret = new Gcp.CloudRunV2.Inputs.ServiceTemplateVolumeSecretArgs
{
Secret = secret.SecretId,
DefaultMode = 292,
Items = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateVolumeSecretItemArgs
{
Version = "1",
Path = "my-secret",
},
},
},
},
},
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/hello",
VolumeMounts = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerVolumeMountArgs
{
Name = "a-volume",
MountPath = "/secrets",
},
},
},
},
},
}, new CustomResourceOptions
{
DependsOn =
{
secret_version_data,
},
});
var project = Gcp.Organizations.GetProject.Invoke();
var secret_access = new Gcp.SecretManager.SecretIamMember("secret-access", new()
{
SecretId = secret.Id,
Role = "roles/secretmanager.secretAccessor",
Member = $"serviceAccount:{project.Apply(getProjectResult => getProjectResult.Number)}-compute@developer.gserviceaccount.com",
}, new CustomResourceOptions
{
DependsOn =
{
secret,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.secretmanager.Secret;
import com.pulumi.gcp.secretmanager.SecretArgs;
import com.pulumi.gcp.secretmanager.inputs.SecretReplicationArgs;
import com.pulumi.gcp.secretmanager.inputs.SecretReplicationAutoArgs;
import com.pulumi.gcp.secretmanager.SecretVersion;
import com.pulumi.gcp.secretmanager.SecretVersionArgs;
import com.pulumi.gcp.cloudrunv2.Service;
import com.pulumi.gcp.cloudrunv2.ServiceArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateArgs;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.secretmanager.SecretIamMember;
import com.pulumi.gcp.secretmanager.SecretIamMemberArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var secret = new Secret("secret", SecretArgs.builder()
.secretId("secret-1")
.replication(SecretReplicationArgs.builder()
.auto(SecretReplicationAutoArgs.builder()
.build())
.build())
.build());
var secret_version_data = new SecretVersion("secret-version-data", SecretVersionArgs.builder()
.secret(secret.name())
.secretData("secret-data")
.build());
var default_ = new Service("default", ServiceArgs.builder()
.name("cloudrun-service")
.location("us-central1")
.deletionProtection(false)
.ingress("INGRESS_TRAFFIC_ALL")
.template(ServiceTemplateArgs.builder()
.volumes(ServiceTemplateVolumeArgs.builder()
.name("a-volume")
.secret(ServiceTemplateVolumeSecretArgs.builder()
.secret(secret.secretId())
.defaultMode(292)
.items(ServiceTemplateVolumeSecretItemArgs.builder()
.version("1")
.path("my-secret")
.build())
.build())
.build())
.containers(ServiceTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/hello")
.volumeMounts(ServiceTemplateContainerVolumeMountArgs.builder()
.name("a-volume")
.mountPath("/secrets")
.build())
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(secret_version_data)
.build());
final var project = OrganizationsFunctions.getProject(GetProjectArgs.builder()
.build());
var secret_access = new SecretIamMember("secret-access", SecretIamMemberArgs.builder()
.secretId(secret.id())
.role("roles/secretmanager.secretAccessor")
.member(String.format("serviceAccount:%s-compute@developer.gserviceaccount.com", project.number()))
.build(), CustomResourceOptions.builder()
.dependsOn(secret)
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:Service
properties:
name: cloudrun-service
location: us-central1
deletionProtection: false
ingress: INGRESS_TRAFFIC_ALL
template:
volumes:
- name: a-volume
secret:
secret: ${secret.secretId}
defaultMode: 292
items:
- version: '1'
path: my-secret
containers:
- image: us-docker.pkg.dev/cloudrun/container/hello
volumeMounts:
- name: a-volume
mountPath: /secrets
options:
dependsOn:
- ${["secret-version-data"]}
secret:
type: gcp:secretmanager:Secret
properties:
secretId: secret-1
replication:
auto: {}
secret-version-data:
type: gcp:secretmanager:SecretVersion
properties:
secret: ${secret.name}
secretData: secret-data
secret-access:
type: gcp:secretmanager:SecretIamMember
properties:
secretId: ${secret.id}
role: roles/secretmanager.secretAccessor
member: serviceAccount:${project.number}-compute@developer.gserviceaccount.com
options:
dependsOn:
- ${secret}
variables:
project:
fn::invoke:
function: gcp:organizations:getProject
arguments: {}
The volumes.secret block mounts a Secret Manager secret as files in the container. The defaultMode sets Unix file permissions (292 is octal 0444, read-only). The items array maps secret versions to filenames: version “1” appears as “my-secret” at /secrets/my-secret. The service account needs secretmanager.secretAccessor to read the secret.
Run multiple containers with shared volumes
Sidecar patterns and multi-process applications deploy multiple containers in a single service, sharing data through in-memory volumes.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.cloudrunv2.Service("default", {
name: "cloudrun-service",
location: "us-central1",
deletionProtection: false,
ingress: "INGRESS_TRAFFIC_ALL",
template: {
containers: [
{
name: "hello-1",
ports: {
containerPort: 8080,
},
image: "us-docker.pkg.dev/cloudrun/container/hello",
dependsOns: ["hello-2"],
volumeMounts: [{
name: "empty-dir-volume",
mountPath: "/mnt",
}],
},
{
name: "hello-2",
image: "us-docker.pkg.dev/cloudrun/container/hello",
envs: [{
name: "PORT",
value: "8081",
}],
startupProbe: {
httpGet: {
port: 8081,
},
},
},
],
volumes: [{
name: "empty-dir-volume",
emptyDir: {
medium: "MEMORY",
sizeLimit: "256Mi",
},
}],
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.cloudrunv2.Service("default",
name="cloudrun-service",
location="us-central1",
deletion_protection=False,
ingress="INGRESS_TRAFFIC_ALL",
template={
"containers": [
{
"name": "hello-1",
"ports": {
"container_port": 8080,
},
"image": "us-docker.pkg.dev/cloudrun/container/hello",
"depends_ons": ["hello-2"],
"volume_mounts": [{
"name": "empty-dir-volume",
"mount_path": "/mnt",
}],
},
{
"name": "hello-2",
"image": "us-docker.pkg.dev/cloudrun/container/hello",
"envs": [{
"name": "PORT",
"value": "8081",
}],
"startup_probe": {
"http_get": {
"port": 8081,
},
},
},
],
"volumes": [{
"name": "empty-dir-volume",
"empty_dir": {
"medium": "MEMORY",
"size_limit": "256Mi",
},
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewService(ctx, "default", &cloudrunv2.ServiceArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
Ingress: pulumi.String("INGRESS_TRAFFIC_ALL"),
Template: &cloudrunv2.ServiceTemplateArgs{
Containers: cloudrunv2.ServiceTemplateContainerArray{
&cloudrunv2.ServiceTemplateContainerArgs{
Name: pulumi.String("hello-1"),
Ports: &cloudrunv2.ServiceTemplateContainerPortsArgs{
ContainerPort: pulumi.Int(8080),
},
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello"),
DependsOns: pulumi.StringArray{
pulumi.String("hello-2"),
},
VolumeMounts: cloudrunv2.ServiceTemplateContainerVolumeMountArray{
&cloudrunv2.ServiceTemplateContainerVolumeMountArgs{
Name: pulumi.String("empty-dir-volume"),
MountPath: pulumi.String("/mnt"),
},
},
},
&cloudrunv2.ServiceTemplateContainerArgs{
Name: pulumi.String("hello-2"),
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello"),
Envs: cloudrunv2.ServiceTemplateContainerEnvArray{
&cloudrunv2.ServiceTemplateContainerEnvArgs{
Name: pulumi.String("PORT"),
Value: pulumi.String("8081"),
},
},
StartupProbe: &cloudrunv2.ServiceTemplateContainerStartupProbeArgs{
HttpGet: &cloudrunv2.ServiceTemplateContainerStartupProbeHttpGetArgs{
Port: pulumi.Int(8081),
},
},
},
},
Volumes: cloudrunv2.ServiceTemplateVolumeArray{
&cloudrunv2.ServiceTemplateVolumeArgs{
Name: pulumi.String("empty-dir-volume"),
EmptyDir: &cloudrunv2.ServiceTemplateVolumeEmptyDirArgs{
Medium: pulumi.String("MEMORY"),
SizeLimit: pulumi.String("256Mi"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CloudRunV2.Service("default", new()
{
Name = "cloudrun-service",
Location = "us-central1",
DeletionProtection = false,
Ingress = "INGRESS_TRAFFIC_ALL",
Template = new Gcp.CloudRunV2.Inputs.ServiceTemplateArgs
{
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerArgs
{
Name = "hello-1",
Ports = new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerPortsArgs
{
ContainerPort = 8080,
},
Image = "us-docker.pkg.dev/cloudrun/container/hello",
DependsOns = new[]
{
"hello-2",
},
VolumeMounts = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerVolumeMountArgs
{
Name = "empty-dir-volume",
MountPath = "/mnt",
},
},
},
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerArgs
{
Name = "hello-2",
Image = "us-docker.pkg.dev/cloudrun/container/hello",
Envs = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerEnvArgs
{
Name = "PORT",
Value = "8081",
},
},
StartupProbe = new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerStartupProbeArgs
{
HttpGet = new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerStartupProbeHttpGetArgs
{
Port = 8081,
},
},
},
},
Volumes = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateVolumeArgs
{
Name = "empty-dir-volume",
EmptyDir = new Gcp.CloudRunV2.Inputs.ServiceTemplateVolumeEmptyDirArgs
{
Medium = "MEMORY",
SizeLimit = "256Mi",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.Service;
import com.pulumi.gcp.cloudrunv2.ServiceArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new Service("default", ServiceArgs.builder()
.name("cloudrun-service")
.location("us-central1")
.deletionProtection(false)
.ingress("INGRESS_TRAFFIC_ALL")
.template(ServiceTemplateArgs.builder()
.containers(
ServiceTemplateContainerArgs.builder()
.name("hello-1")
.ports(ServiceTemplateContainerPortsArgs.builder()
.containerPort(8080)
.build())
.image("us-docker.pkg.dev/cloudrun/container/hello")
.dependsOns("hello-2")
.volumeMounts(ServiceTemplateContainerVolumeMountArgs.builder()
.name("empty-dir-volume")
.mountPath("/mnt")
.build())
.build(),
ServiceTemplateContainerArgs.builder()
.name("hello-2")
.image("us-docker.pkg.dev/cloudrun/container/hello")
.envs(ServiceTemplateContainerEnvArgs.builder()
.name("PORT")
.value("8081")
.build())
.startupProbe(ServiceTemplateContainerStartupProbeArgs.builder()
.httpGet(ServiceTemplateContainerStartupProbeHttpGetArgs.builder()
.port(8081)
.build())
.build())
.build())
.volumes(ServiceTemplateVolumeArgs.builder()
.name("empty-dir-volume")
.emptyDir(ServiceTemplateVolumeEmptyDirArgs.builder()
.medium("MEMORY")
.sizeLimit("256Mi")
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:Service
properties:
name: cloudrun-service
location: us-central1
deletionProtection: false
ingress: INGRESS_TRAFFIC_ALL
template:
containers:
- name: hello-1
ports:
containerPort: 8080
image: us-docker.pkg.dev/cloudrun/container/hello
dependsOns:
- hello-2
volumeMounts:
- name: empty-dir-volume
mountPath: /mnt
- name: hello-2
image: us-docker.pkg.dev/cloudrun/container/hello
envs:
- name: PORT
value: '8081'
startupProbe:
httpGet:
port: 8081
volumes:
- name: empty-dir-volume
emptyDir:
medium: MEMORY
sizeLimit: 256Mi
The containers array defines multiple containers in a single service. The dependsOns property controls startup order: “hello-1” waits for “hello-2” to start. The emptyDir volume creates in-memory storage shared between containers. The medium property set to “MEMORY” uses RAM instead of disk, and sizeLimit caps the volume size.
Mount Cloud Storage buckets as filesystem paths
Applications that need to read or write large files use Cloud Storage bucket mounts, which appear as directories in the container filesystem.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const defaultBucket = new gcp.storage.Bucket("default", {
name: "cloudrun-service",
location: "US",
});
const _default = new gcp.cloudrunv2.Service("default", {
name: "cloudrun-service",
location: "us-central1",
deletionProtection: false,
template: {
executionEnvironment: "EXECUTION_ENVIRONMENT_GEN2",
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/hello",
volumeMounts: [{
name: "bucket",
mountPath: "/var/www",
}],
}],
volumes: [{
name: "bucket",
gcs: {
bucket: defaultBucket.name,
readOnly: false,
},
}],
},
});
import pulumi
import pulumi_gcp as gcp
default_bucket = gcp.storage.Bucket("default",
name="cloudrun-service",
location="US")
default = gcp.cloudrunv2.Service("default",
name="cloudrun-service",
location="us-central1",
deletion_protection=False,
template={
"execution_environment": "EXECUTION_ENVIRONMENT_GEN2",
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/hello",
"volume_mounts": [{
"name": "bucket",
"mount_path": "/var/www",
}],
}],
"volumes": [{
"name": "bucket",
"gcs": {
"bucket": default_bucket.name,
"read_only": False,
},
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/storage"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
defaultBucket, err := storage.NewBucket(ctx, "default", &storage.BucketArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("US"),
})
if err != nil {
return err
}
_, err = cloudrunv2.NewService(ctx, "default", &cloudrunv2.ServiceArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
Template: &cloudrunv2.ServiceTemplateArgs{
ExecutionEnvironment: pulumi.String("EXECUTION_ENVIRONMENT_GEN2"),
Containers: cloudrunv2.ServiceTemplateContainerArray{
&cloudrunv2.ServiceTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello"),
VolumeMounts: cloudrunv2.ServiceTemplateContainerVolumeMountArray{
&cloudrunv2.ServiceTemplateContainerVolumeMountArgs{
Name: pulumi.String("bucket"),
MountPath: pulumi.String("/var/www"),
},
},
},
},
Volumes: cloudrunv2.ServiceTemplateVolumeArray{
&cloudrunv2.ServiceTemplateVolumeArgs{
Name: pulumi.String("bucket"),
Gcs: &cloudrunv2.ServiceTemplateVolumeGcsArgs{
Bucket: defaultBucket.Name,
ReadOnly: pulumi.Bool(false),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var defaultBucket = new Gcp.Storage.Bucket("default", new()
{
Name = "cloudrun-service",
Location = "US",
});
var @default = new Gcp.CloudRunV2.Service("default", new()
{
Name = "cloudrun-service",
Location = "us-central1",
DeletionProtection = false,
Template = new Gcp.CloudRunV2.Inputs.ServiceTemplateArgs
{
ExecutionEnvironment = "EXECUTION_ENVIRONMENT_GEN2",
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/hello",
VolumeMounts = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerVolumeMountArgs
{
Name = "bucket",
MountPath = "/var/www",
},
},
},
},
Volumes = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateVolumeArgs
{
Name = "bucket",
Gcs = new Gcp.CloudRunV2.Inputs.ServiceTemplateVolumeGcsArgs
{
Bucket = defaultBucket.Name,
ReadOnly = false,
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.storage.Bucket;
import com.pulumi.gcp.storage.BucketArgs;
import com.pulumi.gcp.cloudrunv2.Service;
import com.pulumi.gcp.cloudrunv2.ServiceArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultBucket = new Bucket("defaultBucket", BucketArgs.builder()
.name("cloudrun-service")
.location("US")
.build());
var default_ = new Service("default", ServiceArgs.builder()
.name("cloudrun-service")
.location("us-central1")
.deletionProtection(false)
.template(ServiceTemplateArgs.builder()
.executionEnvironment("EXECUTION_ENVIRONMENT_GEN2")
.containers(ServiceTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/hello")
.volumeMounts(ServiceTemplateContainerVolumeMountArgs.builder()
.name("bucket")
.mountPath("/var/www")
.build())
.build())
.volumes(ServiceTemplateVolumeArgs.builder()
.name("bucket")
.gcs(ServiceTemplateVolumeGcsArgs.builder()
.bucket(defaultBucket.name())
.readOnly(false)
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:Service
properties:
name: cloudrun-service
location: us-central1
deletionProtection: false
template:
executionEnvironment: EXECUTION_ENVIRONMENT_GEN2
containers:
- image: us-docker.pkg.dev/cloudrun/container/hello
volumeMounts:
- name: bucket
mountPath: /var/www
volumes:
- name: bucket
gcs:
bucket: ${defaultBucket.name}
readOnly: false
defaultBucket:
type: gcp:storage:Bucket
name: default
properties:
name: cloudrun-service
location: US
The volumes.gcs block mounts a Cloud Storage bucket at the specified mountPath. The readOnly property controls write access: false allows the container to create and modify objects. GCS mounts require executionEnvironment set to EXECUTION_ENVIRONMENT_GEN2, which provides the FUSE filesystem support needed for bucket mounting.
Mount Filestore NFS shares for persistent storage
Stateful applications that need shared persistent storage mount Filestore NFS shares, which provide POSIX-compliant filesystem access across container instances.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const defaultInstance = new gcp.filestore.Instance("default", {
name: "cloudrun-service",
location: "us-central1-b",
tier: "BASIC_HDD",
fileShares: {
capacityGb: 1024,
name: "share1",
},
networks: [{
network: "default",
modes: ["MODE_IPV4"],
}],
});
const _default = new gcp.cloudrunv2.Service("default", {
name: "cloudrun-service",
location: "us-central1",
deletionProtection: false,
ingress: "INGRESS_TRAFFIC_ALL",
template: {
executionEnvironment: "EXECUTION_ENVIRONMENT_GEN2",
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/hello:latest",
volumeMounts: [{
name: "nfs",
mountPath: "/mnt/nfs/filestore",
}],
}],
vpcAccess: {
networkInterfaces: [{
network: "default",
subnetwork: "default",
}],
},
volumes: [{
name: "nfs",
nfs: {
server: defaultInstance.networks.apply(networks => networks[0].ipAddresses?.[0]),
path: "/share1",
readOnly: false,
},
}],
},
});
import pulumi
import pulumi_gcp as gcp
default_instance = gcp.filestore.Instance("default",
name="cloudrun-service",
location="us-central1-b",
tier="BASIC_HDD",
file_shares={
"capacity_gb": 1024,
"name": "share1",
},
networks=[{
"network": "default",
"modes": ["MODE_IPV4"],
}])
default = gcp.cloudrunv2.Service("default",
name="cloudrun-service",
location="us-central1",
deletion_protection=False,
ingress="INGRESS_TRAFFIC_ALL",
template={
"execution_environment": "EXECUTION_ENVIRONMENT_GEN2",
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/hello:latest",
"volume_mounts": [{
"name": "nfs",
"mount_path": "/mnt/nfs/filestore",
}],
}],
"vpc_access": {
"network_interfaces": [{
"network": "default",
"subnetwork": "default",
}],
},
"volumes": [{
"name": "nfs",
"nfs": {
"server": default_instance.networks[0].ip_addresses[0],
"path": "/share1",
"read_only": False,
},
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/filestore"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
defaultInstance, err := filestore.NewInstance(ctx, "default", &filestore.InstanceArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("us-central1-b"),
Tier: pulumi.String("BASIC_HDD"),
FileShares: &filestore.InstanceFileSharesArgs{
CapacityGb: pulumi.Int(1024),
Name: pulumi.String("share1"),
},
Networks: filestore.InstanceNetworkArray{
&filestore.InstanceNetworkArgs{
Network: pulumi.String("default"),
Modes: pulumi.StringArray{
pulumi.String("MODE_IPV4"),
},
},
},
})
if err != nil {
return err
}
_, err = cloudrunv2.NewService(ctx, "default", &cloudrunv2.ServiceArgs{
Name: pulumi.String("cloudrun-service"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
Ingress: pulumi.String("INGRESS_TRAFFIC_ALL"),
Template: &cloudrunv2.ServiceTemplateArgs{
ExecutionEnvironment: pulumi.String("EXECUTION_ENVIRONMENT_GEN2"),
Containers: cloudrunv2.ServiceTemplateContainerArray{
&cloudrunv2.ServiceTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello:latest"),
VolumeMounts: cloudrunv2.ServiceTemplateContainerVolumeMountArray{
&cloudrunv2.ServiceTemplateContainerVolumeMountArgs{
Name: pulumi.String("nfs"),
MountPath: pulumi.String("/mnt/nfs/filestore"),
},
},
},
},
VpcAccess: &cloudrunv2.ServiceTemplateVpcAccessArgs{
NetworkInterfaces: cloudrunv2.ServiceTemplateVpcAccessNetworkInterfaceArray{
&cloudrunv2.ServiceTemplateVpcAccessNetworkInterfaceArgs{
Network: pulumi.String("default"),
Subnetwork: pulumi.String("default"),
},
},
},
Volumes: cloudrunv2.ServiceTemplateVolumeArray{
&cloudrunv2.ServiceTemplateVolumeArgs{
Name: pulumi.String("nfs"),
Nfs: &cloudrunv2.ServiceTemplateVolumeNfsArgs{
Server: defaultInstance.Networks.ApplyT(func(networks []filestore.InstanceNetwork) (*string, error) {
return &networks[0].IpAddresses[0], nil
}).(pulumi.StringPtrOutput),
Path: pulumi.String("/share1"),
ReadOnly: pulumi.Bool(false),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var defaultInstance = new Gcp.Filestore.Instance("default", new()
{
Name = "cloudrun-service",
Location = "us-central1-b",
Tier = "BASIC_HDD",
FileShares = new Gcp.Filestore.Inputs.InstanceFileSharesArgs
{
CapacityGb = 1024,
Name = "share1",
},
Networks = new[]
{
new Gcp.Filestore.Inputs.InstanceNetworkArgs
{
Network = "default",
Modes = new[]
{
"MODE_IPV4",
},
},
},
});
var @default = new Gcp.CloudRunV2.Service("default", new()
{
Name = "cloudrun-service",
Location = "us-central1",
DeletionProtection = false,
Ingress = "INGRESS_TRAFFIC_ALL",
Template = new Gcp.CloudRunV2.Inputs.ServiceTemplateArgs
{
ExecutionEnvironment = "EXECUTION_ENVIRONMENT_GEN2",
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/hello:latest",
VolumeMounts = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateContainerVolumeMountArgs
{
Name = "nfs",
MountPath = "/mnt/nfs/filestore",
},
},
},
},
VpcAccess = new Gcp.CloudRunV2.Inputs.ServiceTemplateVpcAccessArgs
{
NetworkInterfaces = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateVpcAccessNetworkInterfaceArgs
{
Network = "default",
Subnetwork = "default",
},
},
},
Volumes = new[]
{
new Gcp.CloudRunV2.Inputs.ServiceTemplateVolumeArgs
{
Name = "nfs",
Nfs = new Gcp.CloudRunV2.Inputs.ServiceTemplateVolumeNfsArgs
{
Server = defaultInstance.Networks.Apply(networks => networks[0].IpAddresses[0]),
Path = "/share1",
ReadOnly = false,
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.filestore.Instance;
import com.pulumi.gcp.filestore.InstanceArgs;
import com.pulumi.gcp.filestore.inputs.InstanceFileSharesArgs;
import com.pulumi.gcp.filestore.inputs.InstanceNetworkArgs;
import com.pulumi.gcp.cloudrunv2.Service;
import com.pulumi.gcp.cloudrunv2.ServiceArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateArgs;
import com.pulumi.gcp.cloudrunv2.inputs.ServiceTemplateVpcAccessArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultInstance = new Instance("defaultInstance", InstanceArgs.builder()
.name("cloudrun-service")
.location("us-central1-b")
.tier("BASIC_HDD")
.fileShares(InstanceFileSharesArgs.builder()
.capacityGb(1024)
.name("share1")
.build())
.networks(InstanceNetworkArgs.builder()
.network("default")
.modes("MODE_IPV4")
.build())
.build());
var default_ = new Service("default", ServiceArgs.builder()
.name("cloudrun-service")
.location("us-central1")
.deletionProtection(false)
.ingress("INGRESS_TRAFFIC_ALL")
.template(ServiceTemplateArgs.builder()
.executionEnvironment("EXECUTION_ENVIRONMENT_GEN2")
.containers(ServiceTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/hello:latest")
.volumeMounts(ServiceTemplateContainerVolumeMountArgs.builder()
.name("nfs")
.mountPath("/mnt/nfs/filestore")
.build())
.build())
.vpcAccess(ServiceTemplateVpcAccessArgs.builder()
.networkInterfaces(ServiceTemplateVpcAccessNetworkInterfaceArgs.builder()
.network("default")
.subnetwork("default")
.build())
.build())
.volumes(ServiceTemplateVolumeArgs.builder()
.name("nfs")
.nfs(ServiceTemplateVolumeNfsArgs.builder()
.server(defaultInstance.networks().applyValue(_networks -> _networks[0].ipAddresses()[0]))
.path("/share1")
.readOnly(false)
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:Service
properties:
name: cloudrun-service
location: us-central1
deletionProtection: false
ingress: INGRESS_TRAFFIC_ALL
template:
executionEnvironment: EXECUTION_ENVIRONMENT_GEN2
containers:
- image: us-docker.pkg.dev/cloudrun/container/hello:latest
volumeMounts:
- name: nfs
mountPath: /mnt/nfs/filestore
vpcAccess:
networkInterfaces:
- network: default
subnetwork: default
volumes:
- name: nfs
nfs:
server: ${defaultInstance.networks[0].ipAddresses[0]}
path: /share1
readOnly: false
defaultInstance:
type: gcp:filestore:Instance
name: default
properties:
name: cloudrun-service
location: us-central1-b
tier: BASIC_HDD
fileShares:
capacityGb: 1024
name: share1
networks:
- network: default
modes:
- MODE_IPV4
The volumes.nfs block mounts a Filestore NFS share using the instance’s IP address and export path. The server property references the Filestore instance’s IP, which you extract from the instance’s networks array. NFS mounts require both EXECUTION_ENVIRONMENT_GEN2 and VPC network interfaces, since Filestore is only accessible from within your VPC.
Beyond these examples
These snippets focus on specific service-level features: container deployment and resource limits, VPC networking (connectors and direct attachment), secrets and database connectivity, and health probes and multi-container patterns. They’re intentionally minimal rather than full application deployments.
The examples may reference pre-existing infrastructure such as VPC networks, subnets, and VPC Access connectors, Cloud SQL instances and Filestore NFS shares, Secret Manager secrets with IAM bindings, and Cloud Storage buckets and container images. They focus on configuring the service rather than provisioning everything around it.
To keep things focused, common service patterns are omitted, including:
- Traffic splitting and revision management (traffics property)
- GPU configuration (nodeSelector, GPU limits)
- Service mesh integration (serviceMesh property)
- IAP and invoker IAM controls
- Binary Authorization and build configuration
- Zip-based source code deployment
These omissions are intentional: the goal is to illustrate how each service feature is wired, not provide drop-in application modules. See the Cloud Run Service resource reference for all available configuration options.
Let's deploy GCP Cloud Run Services
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Lifecycle & Immutability
How do I delete my Cloud Run service if it's protected?
deletionProtection defaults to true, blocking deletion. Set it to false in your configuration before running pulumi up or terraform destroy.What properties can't I change after creating my service?
location, name, and project are immutable. Changing any of these forces resource replacement.Networking & VPC Access
What's the difference between connector-based and direct VPC access?
Connector-based uses
vpcAccess.connector with a Serverless VPC Access connector. Direct VPC uses vpcAccess.networkInterfaces with network, subnetwork, and optional tags (requires launchStage: GA).What ingress options are available?
Three options:
INGRESS_TRAFFIC_ALL (public), INGRESS_TRAFFIC_INTERNAL_ONLY (VPC only), or INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER (internal load balancer).Storage & Volumes
How do I mount GCS buckets or NFS shares in my service?
Set
template.executionEnvironment to EXECUTION_ENVIRONMENT_GEN2, then configure a gcs volume (with bucket name) or nfs volume (with server IP and path). NFS also requires vpcAccess.networkInterfaces.How do I connect my service to Cloud SQL?
Add a
cloudSqlInstance volume with the instance connection name, then mount it in your container. The service account automatically gets access.Security & IAM
How do I use Secret Manager secrets in my service?
Mount secrets as volumes or reference them in environment variables using
valueSource.secretKeyRef. Grant roles/secretmanager.secretAccessor to the compute service account, and use dependsOn to ensure the secret version exists before deployment.Can I disable IAM checks for my service URL?
Yes, set
invokerIamDisabled: true to allow unauthenticated access without IAM permission checks.Configuration & Metadata
Why aren't my annotations or labels being removed?
These fields are non-authoritative and only manage values in your configuration. They won’t remove annotations or labels set by other tools. Use
effectiveAnnotations or effectiveLabels to see all values on the resource.Can I use run.googleapis.com annotations in Cloud Run v2?
No, Cloud Run v2 rejects annotations and labels with
run.googleapis.com, cloud.googleapis.com, serving.knative.dev, or autoscaling.knative.dev namespaces. Use custom namespaces or corresponding v2 Service fields instead.Deployment & Revisions
What launch stage do I need for preview features?
Set
launchStage to BETA for readinessProbe with gRPC, or GA for direct VPC access with networkInterfaces. If not specified, GA is assumed.How is traffic distributed if I don't specify it?
Traffic defaults to 100% to the latest Ready Revision if
traffics is empty or not provided.What does the reconciling field indicate?
It shows Cloud Run is asynchronously updating the service to match your desired state. During reconciliation, fields like
observedGeneration and latestReadyRevision may have transient values.How do I control startup order for multiple containers?
Use the
dependsOns field in each container to specify which containers must start first.Using a different cloud?
Explore containers guides for other cloud providers: