The gcp:cloudrunv2/workerPool:WorkerPool resource, part of the Pulumi GCP provider, manages Cloud Run worker pools that execute pull-based workloads: background processing, queue consumers, and stream processors that don’t expose HTTP endpoints. This guide focuses on four capabilities: container deployment with resource limits, VPC networking for private resource access, storage mounts (Cloud SQL, Secret Manager, Cloud Storage, NFS), and GPU acceleration and health monitoring.
Worker pools require container images in Artifact Registry or Container Registry, and may reference VPC networks, Cloud SQL instances, secrets, or storage buckets. The examples are intentionally small. Combine them with your own infrastructure and IAM permissions.
Deploy a worker pool with a container image
Most deployments start with a container image and basic configuration for background processing workloads.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.cloudrunv2.WorkerPool("default", {
name: "cloudrun-worker-pool",
location: "us-central1",
deletionProtection: false,
launchStage: "BETA",
template: {
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/worker-pool",
}],
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.cloudrunv2.WorkerPool("default",
name="cloudrun-worker-pool",
location="us-central1",
deletion_protection=False,
launch_stage="BETA",
template={
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/worker-pool",
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewWorkerPool(ctx, "default", &cloudrunv2.WorkerPoolArgs{
Name: pulumi.String("cloudrun-worker-pool"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
LaunchStage: pulumi.String("BETA"),
Template: &cloudrunv2.WorkerPoolTemplateArgs{
Containers: cloudrunv2.WorkerPoolTemplateContainerArray{
&cloudrunv2.WorkerPoolTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/worker-pool"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CloudRunV2.WorkerPool("default", new()
{
Name = "cloudrun-worker-pool",
Location = "us-central1",
DeletionProtection = false,
LaunchStage = "BETA",
Template = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateArgs
{
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/worker-pool",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.WorkerPool;
import com.pulumi.gcp.cloudrunv2.WorkerPoolArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new WorkerPool("default", WorkerPoolArgs.builder()
.name("cloudrun-worker-pool")
.location("us-central1")
.deletionProtection(false)
.launchStage("BETA")
.template(WorkerPoolTemplateArgs.builder()
.containers(WorkerPoolTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/worker-pool")
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:WorkerPool
properties:
name: cloudrun-worker-pool
location: us-central1
deletionProtection: false
launchStage: BETA
template:
containers:
- image: us-docker.pkg.dev/cloudrun/container/worker-pool
The template property defines the container specification. The containers array lists one or more container images to run. The launchStage property set to BETA enables preview features. Without additional configuration, the worker pool uses default resource limits and runs in the default network.
Set CPU and memory resource limits
Workloads with known requirements benefit from explicit CPU and memory limits for cost control and predictable performance.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.cloudrunv2.WorkerPool("default", {
name: "cloudrun-worker-pool",
location: "us-central1",
deletionProtection: false,
launchStage: "BETA",
template: {
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/worker-pool",
resources: {
limits: {
cpu: "2",
memory: "1024Mi",
},
},
}],
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.cloudrunv2.WorkerPool("default",
name="cloudrun-worker-pool",
location="us-central1",
deletion_protection=False,
launch_stage="BETA",
template={
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/worker-pool",
"resources": {
"limits": {
"cpu": "2",
"memory": "1024Mi",
},
},
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewWorkerPool(ctx, "default", &cloudrunv2.WorkerPoolArgs{
Name: pulumi.String("cloudrun-worker-pool"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
LaunchStage: pulumi.String("BETA"),
Template: &cloudrunv2.WorkerPoolTemplateArgs{
Containers: cloudrunv2.WorkerPoolTemplateContainerArray{
&cloudrunv2.WorkerPoolTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/worker-pool"),
Resources: &cloudrunv2.WorkerPoolTemplateContainerResourcesArgs{
Limits: pulumi.StringMap{
"cpu": pulumi.String("2"),
"memory": pulumi.String("1024Mi"),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CloudRunV2.WorkerPool("default", new()
{
Name = "cloudrun-worker-pool",
Location = "us-central1",
DeletionProtection = false,
LaunchStage = "BETA",
Template = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateArgs
{
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/worker-pool",
Resources = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerResourcesArgs
{
Limits =
{
{ "cpu", "2" },
{ "memory", "1024Mi" },
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.WorkerPool;
import com.pulumi.gcp.cloudrunv2.WorkerPoolArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new WorkerPool("default", WorkerPoolArgs.builder()
.name("cloudrun-worker-pool")
.location("us-central1")
.deletionProtection(false)
.launchStage("BETA")
.template(WorkerPoolTemplateArgs.builder()
.containers(WorkerPoolTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/worker-pool")
.resources(WorkerPoolTemplateContainerResourcesArgs.builder()
.limits(Map.ofEntries(
Map.entry("cpu", "2"),
Map.entry("memory", "1024Mi")
))
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:WorkerPool
properties:
name: cloudrun-worker-pool
location: us-central1
deletionProtection: false
launchStage: BETA
template:
containers:
- image: us-docker.pkg.dev/cloudrun/container/worker-pool
resources:
limits:
cpu: '2'
memory: 1024Mi
The resources.limits property sets maximum CPU and memory allocation. CPU is specified as a string (e.g., “2” for 2 vCPUs), and memory uses units like “1024Mi” for mebibytes. These limits determine the instance size and billing rate.
Connect to private VPC resources
Worker pools that access Cloud SQL, Memorystore, or internal services need VPC networking.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.cloudrunv2.WorkerPool("default", {
name: "cloudrun-worker-pool",
location: "us-central1",
deletionProtection: false,
launchStage: "BETA",
template: {
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/worker-pool",
}],
vpcAccess: {
networkInterfaces: [{
network: "default",
subnetwork: "default",
tags: [
"tag1",
"tag2",
"tag3",
],
}],
},
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.cloudrunv2.WorkerPool("default",
name="cloudrun-worker-pool",
location="us-central1",
deletion_protection=False,
launch_stage="BETA",
template={
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/worker-pool",
}],
"vpc_access": {
"network_interfaces": [{
"network": "default",
"subnetwork": "default",
"tags": [
"tag1",
"tag2",
"tag3",
],
}],
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewWorkerPool(ctx, "default", &cloudrunv2.WorkerPoolArgs{
Name: pulumi.String("cloudrun-worker-pool"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
LaunchStage: pulumi.String("BETA"),
Template: &cloudrunv2.WorkerPoolTemplateArgs{
Containers: cloudrunv2.WorkerPoolTemplateContainerArray{
&cloudrunv2.WorkerPoolTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/worker-pool"),
},
},
VpcAccess: &cloudrunv2.WorkerPoolTemplateVpcAccessArgs{
NetworkInterfaces: cloudrunv2.WorkerPoolTemplateVpcAccessNetworkInterfaceArray{
&cloudrunv2.WorkerPoolTemplateVpcAccessNetworkInterfaceArgs{
Network: pulumi.String("default"),
Subnetwork: pulumi.String("default"),
Tags: pulumi.StringArray{
pulumi.String("tag1"),
pulumi.String("tag2"),
pulumi.String("tag3"),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CloudRunV2.WorkerPool("default", new()
{
Name = "cloudrun-worker-pool",
Location = "us-central1",
DeletionProtection = false,
LaunchStage = "BETA",
Template = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateArgs
{
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/worker-pool",
},
},
VpcAccess = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateVpcAccessArgs
{
NetworkInterfaces = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateVpcAccessNetworkInterfaceArgs
{
Network = "default",
Subnetwork = "default",
Tags = new[]
{
"tag1",
"tag2",
"tag3",
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.WorkerPool;
import com.pulumi.gcp.cloudrunv2.WorkerPoolArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolTemplateArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolTemplateVpcAccessArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new WorkerPool("default", WorkerPoolArgs.builder()
.name("cloudrun-worker-pool")
.location("us-central1")
.deletionProtection(false)
.launchStage("BETA")
.template(WorkerPoolTemplateArgs.builder()
.containers(WorkerPoolTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/worker-pool")
.build())
.vpcAccess(WorkerPoolTemplateVpcAccessArgs.builder()
.networkInterfaces(WorkerPoolTemplateVpcAccessNetworkInterfaceArgs.builder()
.network("default")
.subnetwork("default")
.tags(
"tag1",
"tag2",
"tag3")
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:WorkerPool
properties:
name: cloudrun-worker-pool
location: us-central1
deletionProtection: false
launchStage: BETA
template:
containers:
- image: us-docker.pkg.dev/cloudrun/container/worker-pool
vpcAccess:
networkInterfaces:
- network: default
subnetwork: default
tags:
- tag1
- tag2
- tag3
The vpcAccess.networkInterfaces property connects the worker pool to your VPC. The network and subnetwork properties specify where instances run. The tags property applies network tags for firewall rules. This configuration enables access to private databases and internal APIs.
Mount Cloud SQL instances and inject secrets
Applications connecting to Cloud SQL need both the Unix socket mount and database credentials.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const secret = new gcp.secretmanager.Secret("secret", {
secretId: "secret-1",
replication: {
auto: {},
},
});
const secret_version_data = new gcp.secretmanager.SecretVersion("secret-version-data", {
secret: secret.name,
secretData: "secret-data",
});
const instance = new gcp.sql.DatabaseInstance("instance", {
name: "cloudrun-sql",
region: "us-central1",
databaseVersion: "MYSQL_5_7",
settings: {
tier: "db-f1-micro",
},
deletionProtection: true,
});
const _default = new gcp.cloudrunv2.WorkerPool("default", {
name: "cloudrun-worker-pool",
location: "us-central1",
deletionProtection: false,
launchStage: "BETA",
template: {
volumes: [{
name: "cloudsql",
cloudSqlInstance: {
instances: [instance.connectionName],
},
}],
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/worker-pool",
envs: [
{
name: "FOO",
value: "bar",
},
{
name: "SECRET_ENV_VAR",
valueSource: {
secretKeyRef: {
secret: secret.secretId,
version: "1",
},
},
},
],
volumeMounts: [{
name: "cloudsql",
mountPath: "/cloudsql",
}],
}],
},
instanceSplits: [{
type: "INSTANCE_SPLIT_ALLOCATION_TYPE_LATEST",
percent: 100,
}],
}, {
dependsOn: [secret_version_data],
});
const project = gcp.organizations.getProject({});
const secret_access = new gcp.secretmanager.SecretIamMember("secret-access", {
secretId: secret.id,
role: "roles/secretmanager.secretAccessor",
member: project.then(project => `serviceAccount:${project.number}-compute@developer.gserviceaccount.com`),
}, {
dependsOn: [secret],
});
import pulumi
import pulumi_gcp as gcp
secret = gcp.secretmanager.Secret("secret",
secret_id="secret-1",
replication={
"auto": {},
})
secret_version_data = gcp.secretmanager.SecretVersion("secret-version-data",
secret=secret.name,
secret_data="secret-data")
instance = gcp.sql.DatabaseInstance("instance",
name="cloudrun-sql",
region="us-central1",
database_version="MYSQL_5_7",
settings={
"tier": "db-f1-micro",
},
deletion_protection=True)
default = gcp.cloudrunv2.WorkerPool("default",
name="cloudrun-worker-pool",
location="us-central1",
deletion_protection=False,
launch_stage="BETA",
template={
"volumes": [{
"name": "cloudsql",
"cloud_sql_instance": {
"instances": [instance.connection_name],
},
}],
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/worker-pool",
"envs": [
{
"name": "FOO",
"value": "bar",
},
{
"name": "SECRET_ENV_VAR",
"value_source": {
"secret_key_ref": {
"secret": secret.secret_id,
"version": "1",
},
},
},
],
"volume_mounts": [{
"name": "cloudsql",
"mount_path": "/cloudsql",
}],
}],
},
instance_splits=[{
"type": "INSTANCE_SPLIT_ALLOCATION_TYPE_LATEST",
"percent": 100,
}],
opts = pulumi.ResourceOptions(depends_on=[secret_version_data]))
project = gcp.organizations.get_project()
secret_access = gcp.secretmanager.SecretIamMember("secret-access",
secret_id=secret.id,
role="roles/secretmanager.secretAccessor",
member=f"serviceAccount:{project.number}-compute@developer.gserviceaccount.com",
opts = pulumi.ResourceOptions(depends_on=[secret]))
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/secretmanager"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/sql"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
secret, err := secretmanager.NewSecret(ctx, "secret", &secretmanager.SecretArgs{
SecretId: pulumi.String("secret-1"),
Replication: &secretmanager.SecretReplicationArgs{
Auto: &secretmanager.SecretReplicationAutoArgs{},
},
})
if err != nil {
return err
}
secret_version_data, err := secretmanager.NewSecretVersion(ctx, "secret-version-data", &secretmanager.SecretVersionArgs{
Secret: secret.Name,
SecretData: pulumi.String("secret-data"),
})
if err != nil {
return err
}
instance, err := sql.NewDatabaseInstance(ctx, "instance", &sql.DatabaseInstanceArgs{
Name: pulumi.String("cloudrun-sql"),
Region: pulumi.String("us-central1"),
DatabaseVersion: pulumi.String("MYSQL_5_7"),
Settings: &sql.DatabaseInstanceSettingsArgs{
Tier: pulumi.String("db-f1-micro"),
},
DeletionProtection: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = cloudrunv2.NewWorkerPool(ctx, "default", &cloudrunv2.WorkerPoolArgs{
Name: pulumi.String("cloudrun-worker-pool"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
LaunchStage: pulumi.String("BETA"),
Template: &cloudrunv2.WorkerPoolTemplateArgs{
Volumes: cloudrunv2.WorkerPoolTemplateVolumeArray{
&cloudrunv2.WorkerPoolTemplateVolumeArgs{
Name: pulumi.String("cloudsql"),
CloudSqlInstance: &cloudrunv2.WorkerPoolTemplateVolumeCloudSqlInstanceArgs{
Instances: pulumi.StringArray{
instance.ConnectionName,
},
},
},
},
Containers: cloudrunv2.WorkerPoolTemplateContainerArray{
&cloudrunv2.WorkerPoolTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/worker-pool"),
Envs: cloudrunv2.WorkerPoolTemplateContainerEnvArray{
&cloudrunv2.WorkerPoolTemplateContainerEnvArgs{
Name: pulumi.String("FOO"),
Value: pulumi.String("bar"),
},
&cloudrunv2.WorkerPoolTemplateContainerEnvArgs{
Name: pulumi.String("SECRET_ENV_VAR"),
ValueSource: &cloudrunv2.WorkerPoolTemplateContainerEnvValueSourceArgs{
SecretKeyRef: &cloudrunv2.WorkerPoolTemplateContainerEnvValueSourceSecretKeyRefArgs{
Secret: secret.SecretId,
Version: pulumi.String("1"),
},
},
},
},
VolumeMounts: cloudrunv2.WorkerPoolTemplateContainerVolumeMountArray{
&cloudrunv2.WorkerPoolTemplateContainerVolumeMountArgs{
Name: pulumi.String("cloudsql"),
MountPath: pulumi.String("/cloudsql"),
},
},
},
},
},
InstanceSplits: cloudrunv2.WorkerPoolInstanceSplitArray{
&cloudrunv2.WorkerPoolInstanceSplitArgs{
Type: pulumi.String("INSTANCE_SPLIT_ALLOCATION_TYPE_LATEST"),
Percent: pulumi.Int(100),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
secret_version_data,
}))
if err != nil {
return err
}
project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
if err != nil {
return err
}
_, err = secretmanager.NewSecretIamMember(ctx, "secret-access", &secretmanager.SecretIamMemberArgs{
SecretId: secret.ID(),
Role: pulumi.String("roles/secretmanager.secretAccessor"),
Member: pulumi.Sprintf("serviceAccount:%v-compute@developer.gserviceaccount.com", project.Number),
}, pulumi.DependsOn([]pulumi.Resource{
secret,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var secret = new Gcp.SecretManager.Secret("secret", new()
{
SecretId = "secret-1",
Replication = new Gcp.SecretManager.Inputs.SecretReplicationArgs
{
Auto = null,
},
});
var secret_version_data = new Gcp.SecretManager.SecretVersion("secret-version-data", new()
{
Secret = secret.Name,
SecretData = "secret-data",
});
var instance = new Gcp.Sql.DatabaseInstance("instance", new()
{
Name = "cloudrun-sql",
Region = "us-central1",
DatabaseVersion = "MYSQL_5_7",
Settings = new Gcp.Sql.Inputs.DatabaseInstanceSettingsArgs
{
Tier = "db-f1-micro",
},
DeletionProtection = true,
});
var @default = new Gcp.CloudRunV2.WorkerPool("default", new()
{
Name = "cloudrun-worker-pool",
Location = "us-central1",
DeletionProtection = false,
LaunchStage = "BETA",
Template = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateArgs
{
Volumes = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateVolumeArgs
{
Name = "cloudsql",
CloudSqlInstance = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateVolumeCloudSqlInstanceArgs
{
Instances = new[]
{
instance.ConnectionName,
},
},
},
},
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/worker-pool",
Envs = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerEnvArgs
{
Name = "FOO",
Value = "bar",
},
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerEnvArgs
{
Name = "SECRET_ENV_VAR",
ValueSource = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerEnvValueSourceArgs
{
SecretKeyRef = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerEnvValueSourceSecretKeyRefArgs
{
Secret = secret.SecretId,
Version = "1",
},
},
},
},
VolumeMounts = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerVolumeMountArgs
{
Name = "cloudsql",
MountPath = "/cloudsql",
},
},
},
},
},
InstanceSplits = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolInstanceSplitArgs
{
Type = "INSTANCE_SPLIT_ALLOCATION_TYPE_LATEST",
Percent = 100,
},
},
}, new CustomResourceOptions
{
DependsOn =
{
secret_version_data,
},
});
var project = Gcp.Organizations.GetProject.Invoke();
var secret_access = new Gcp.SecretManager.SecretIamMember("secret-access", new()
{
SecretId = secret.Id,
Role = "roles/secretmanager.secretAccessor",
Member = $"serviceAccount:{project.Apply(getProjectResult => getProjectResult.Number)}-compute@developer.gserviceaccount.com",
}, new CustomResourceOptions
{
DependsOn =
{
secret,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.secretmanager.Secret;
import com.pulumi.gcp.secretmanager.SecretArgs;
import com.pulumi.gcp.secretmanager.inputs.SecretReplicationArgs;
import com.pulumi.gcp.secretmanager.inputs.SecretReplicationAutoArgs;
import com.pulumi.gcp.secretmanager.SecretVersion;
import com.pulumi.gcp.secretmanager.SecretVersionArgs;
import com.pulumi.gcp.sql.DatabaseInstance;
import com.pulumi.gcp.sql.DatabaseInstanceArgs;
import com.pulumi.gcp.sql.inputs.DatabaseInstanceSettingsArgs;
import com.pulumi.gcp.cloudrunv2.WorkerPool;
import com.pulumi.gcp.cloudrunv2.WorkerPoolArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolTemplateArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolInstanceSplitArgs;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.secretmanager.SecretIamMember;
import com.pulumi.gcp.secretmanager.SecretIamMemberArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var secret = new Secret("secret", SecretArgs.builder()
.secretId("secret-1")
.replication(SecretReplicationArgs.builder()
.auto(SecretReplicationAutoArgs.builder()
.build())
.build())
.build());
var secret_version_data = new SecretVersion("secret-version-data", SecretVersionArgs.builder()
.secret(secret.name())
.secretData("secret-data")
.build());
var instance = new DatabaseInstance("instance", DatabaseInstanceArgs.builder()
.name("cloudrun-sql")
.region("us-central1")
.databaseVersion("MYSQL_5_7")
.settings(DatabaseInstanceSettingsArgs.builder()
.tier("db-f1-micro")
.build())
.deletionProtection(true)
.build());
var default_ = new WorkerPool("default", WorkerPoolArgs.builder()
.name("cloudrun-worker-pool")
.location("us-central1")
.deletionProtection(false)
.launchStage("BETA")
.template(WorkerPoolTemplateArgs.builder()
.volumes(WorkerPoolTemplateVolumeArgs.builder()
.name("cloudsql")
.cloudSqlInstance(WorkerPoolTemplateVolumeCloudSqlInstanceArgs.builder()
.instances(instance.connectionName())
.build())
.build())
.containers(WorkerPoolTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/worker-pool")
.envs(
WorkerPoolTemplateContainerEnvArgs.builder()
.name("FOO")
.value("bar")
.build(),
WorkerPoolTemplateContainerEnvArgs.builder()
.name("SECRET_ENV_VAR")
.valueSource(WorkerPoolTemplateContainerEnvValueSourceArgs.builder()
.secretKeyRef(WorkerPoolTemplateContainerEnvValueSourceSecretKeyRefArgs.builder()
.secret(secret.secretId())
.version("1")
.build())
.build())
.build())
.volumeMounts(WorkerPoolTemplateContainerVolumeMountArgs.builder()
.name("cloudsql")
.mountPath("/cloudsql")
.build())
.build())
.build())
.instanceSplits(WorkerPoolInstanceSplitArgs.builder()
.type("INSTANCE_SPLIT_ALLOCATION_TYPE_LATEST")
.percent(100)
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(secret_version_data)
.build());
final var project = OrganizationsFunctions.getProject(GetProjectArgs.builder()
.build());
var secret_access = new SecretIamMember("secret-access", SecretIamMemberArgs.builder()
.secretId(secret.id())
.role("roles/secretmanager.secretAccessor")
.member(String.format("serviceAccount:%s-compute@developer.gserviceaccount.com", project.number()))
.build(), CustomResourceOptions.builder()
.dependsOn(secret)
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:WorkerPool
properties:
name: cloudrun-worker-pool
location: us-central1
deletionProtection: false
launchStage: BETA
template:
volumes:
- name: cloudsql
cloudSqlInstance:
instances:
- ${instance.connectionName}
containers:
- image: us-docker.pkg.dev/cloudrun/container/worker-pool
envs:
- name: FOO
value: bar
- name: SECRET_ENV_VAR
valueSource:
secretKeyRef:
secret: ${secret.secretId}
version: '1'
volumeMounts:
- name: cloudsql
mountPath: /cloudsql
instanceSplits:
- type: INSTANCE_SPLIT_ALLOCATION_TYPE_LATEST
percent: 100
options:
dependsOn:
- ${["secret-version-data"]}
secret:
type: gcp:secretmanager:Secret
properties:
secretId: secret-1
replication:
auto: {}
secret-version-data:
type: gcp:secretmanager:SecretVersion
properties:
secret: ${secret.name}
secretData: secret-data
secret-access:
type: gcp:secretmanager:SecretIamMember
properties:
secretId: ${secret.id}
role: roles/secretmanager.secretAccessor
member: serviceAccount:${project.number}-compute@developer.gserviceaccount.com
options:
dependsOn:
- ${secret}
instance:
type: gcp:sql:DatabaseInstance
properties:
name: cloudrun-sql
region: us-central1
databaseVersion: MYSQL_5_7
settings:
tier: db-f1-micro
deletionProtection: true
variables:
project:
fn::invoke:
function: gcp:organizations:getProject
arguments: {}
The volumes array defines storage to mount. The cloudSqlInstance volume type mounts the Cloud SQL Unix socket. The envs array injects environment variables; valueSource.secretKeyRef pulls values from Secret Manager. The volumeMounts property maps volumes into the container file system. The IAM member grants the compute service account permission to read secrets.
Mount secrets as files in the container
Some applications read configuration from files rather than environment variables.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const secret = new gcp.secretmanager.Secret("secret", {
secretId: "secret-1",
replication: {
auto: {},
},
});
const secret_version_data = new gcp.secretmanager.SecretVersion("secret-version-data", {
secret: secret.name,
secretData: "secret-data",
});
const _default = new gcp.cloudrunv2.WorkerPool("default", {
name: "cloudrun-worker-pool",
location: "us-central1",
deletionProtection: false,
launchStage: "BETA",
template: {
volumes: [{
name: "a-volume",
secret: {
secret: secret.secretId,
defaultMode: 292,
items: [{
version: "1",
path: "my-secret",
mode: 444,
}],
},
}],
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/worker-pool",
volumeMounts: [{
name: "a-volume",
mountPath: "/secrets",
}],
}],
},
}, {
dependsOn: [secret_version_data],
});
const project = gcp.organizations.getProject({});
const secret_access = new gcp.secretmanager.SecretIamMember("secret-access", {
secretId: secret.id,
role: "roles/secretmanager.secretAccessor",
member: project.then(project => `serviceAccount:${project.number}-compute@developer.gserviceaccount.com`),
}, {
dependsOn: [secret],
});
import pulumi
import pulumi_gcp as gcp
secret = gcp.secretmanager.Secret("secret",
secret_id="secret-1",
replication={
"auto": {},
})
secret_version_data = gcp.secretmanager.SecretVersion("secret-version-data",
secret=secret.name,
secret_data="secret-data")
default = gcp.cloudrunv2.WorkerPool("default",
name="cloudrun-worker-pool",
location="us-central1",
deletion_protection=False,
launch_stage="BETA",
template={
"volumes": [{
"name": "a-volume",
"secret": {
"secret": secret.secret_id,
"default_mode": 292,
"items": [{
"version": "1",
"path": "my-secret",
"mode": 444,
}],
},
}],
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/worker-pool",
"volume_mounts": [{
"name": "a-volume",
"mount_path": "/secrets",
}],
}],
},
opts = pulumi.ResourceOptions(depends_on=[secret_version_data]))
project = gcp.organizations.get_project()
secret_access = gcp.secretmanager.SecretIamMember("secret-access",
secret_id=secret.id,
role="roles/secretmanager.secretAccessor",
member=f"serviceAccount:{project.number}-compute@developer.gserviceaccount.com",
opts = pulumi.ResourceOptions(depends_on=[secret]))
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/secretmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
secret, err := secretmanager.NewSecret(ctx, "secret", &secretmanager.SecretArgs{
SecretId: pulumi.String("secret-1"),
Replication: &secretmanager.SecretReplicationArgs{
Auto: &secretmanager.SecretReplicationAutoArgs{},
},
})
if err != nil {
return err
}
secret_version_data, err := secretmanager.NewSecretVersion(ctx, "secret-version-data", &secretmanager.SecretVersionArgs{
Secret: secret.Name,
SecretData: pulumi.String("secret-data"),
})
if err != nil {
return err
}
_, err = cloudrunv2.NewWorkerPool(ctx, "default", &cloudrunv2.WorkerPoolArgs{
Name: pulumi.String("cloudrun-worker-pool"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
LaunchStage: pulumi.String("BETA"),
Template: &cloudrunv2.WorkerPoolTemplateArgs{
Volumes: cloudrunv2.WorkerPoolTemplateVolumeArray{
&cloudrunv2.WorkerPoolTemplateVolumeArgs{
Name: pulumi.String("a-volume"),
Secret: &cloudrunv2.WorkerPoolTemplateVolumeSecretArgs{
Secret: secret.SecretId,
DefaultMode: pulumi.Int(292),
Items: cloudrunv2.WorkerPoolTemplateVolumeSecretItemArray{
&cloudrunv2.WorkerPoolTemplateVolumeSecretItemArgs{
Version: pulumi.String("1"),
Path: pulumi.String("my-secret"),
Mode: pulumi.Int(444),
},
},
},
},
},
Containers: cloudrunv2.WorkerPoolTemplateContainerArray{
&cloudrunv2.WorkerPoolTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/worker-pool"),
VolumeMounts: cloudrunv2.WorkerPoolTemplateContainerVolumeMountArray{
&cloudrunv2.WorkerPoolTemplateContainerVolumeMountArgs{
Name: pulumi.String("a-volume"),
MountPath: pulumi.String("/secrets"),
},
},
},
},
},
}, pulumi.DependsOn([]pulumi.Resource{
secret_version_data,
}))
if err != nil {
return err
}
project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
if err != nil {
return err
}
_, err = secretmanager.NewSecretIamMember(ctx, "secret-access", &secretmanager.SecretIamMemberArgs{
SecretId: secret.ID(),
Role: pulumi.String("roles/secretmanager.secretAccessor"),
Member: pulumi.Sprintf("serviceAccount:%v-compute@developer.gserviceaccount.com", project.Number),
}, pulumi.DependsOn([]pulumi.Resource{
secret,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var secret = new Gcp.SecretManager.Secret("secret", new()
{
SecretId = "secret-1",
Replication = new Gcp.SecretManager.Inputs.SecretReplicationArgs
{
Auto = null,
},
});
var secret_version_data = new Gcp.SecretManager.SecretVersion("secret-version-data", new()
{
Secret = secret.Name,
SecretData = "secret-data",
});
var @default = new Gcp.CloudRunV2.WorkerPool("default", new()
{
Name = "cloudrun-worker-pool",
Location = "us-central1",
DeletionProtection = false,
LaunchStage = "BETA",
Template = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateArgs
{
Volumes = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateVolumeArgs
{
Name = "a-volume",
Secret = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateVolumeSecretArgs
{
Secret = secret.SecretId,
DefaultMode = 292,
Items = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateVolumeSecretItemArgs
{
Version = "1",
Path = "my-secret",
Mode = 444,
},
},
},
},
},
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/worker-pool",
VolumeMounts = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerVolumeMountArgs
{
Name = "a-volume",
MountPath = "/secrets",
},
},
},
},
},
}, new CustomResourceOptions
{
DependsOn =
{
secret_version_data,
},
});
var project = Gcp.Organizations.GetProject.Invoke();
var secret_access = new Gcp.SecretManager.SecretIamMember("secret-access", new()
{
SecretId = secret.Id,
Role = "roles/secretmanager.secretAccessor",
Member = $"serviceAccount:{project.Apply(getProjectResult => getProjectResult.Number)}-compute@developer.gserviceaccount.com",
}, new CustomResourceOptions
{
DependsOn =
{
secret,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.secretmanager.Secret;
import com.pulumi.gcp.secretmanager.SecretArgs;
import com.pulumi.gcp.secretmanager.inputs.SecretReplicationArgs;
import com.pulumi.gcp.secretmanager.inputs.SecretReplicationAutoArgs;
import com.pulumi.gcp.secretmanager.SecretVersion;
import com.pulumi.gcp.secretmanager.SecretVersionArgs;
import com.pulumi.gcp.cloudrunv2.WorkerPool;
import com.pulumi.gcp.cloudrunv2.WorkerPoolArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolTemplateArgs;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.secretmanager.SecretIamMember;
import com.pulumi.gcp.secretmanager.SecretIamMemberArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var secret = new Secret("secret", SecretArgs.builder()
.secretId("secret-1")
.replication(SecretReplicationArgs.builder()
.auto(SecretReplicationAutoArgs.builder()
.build())
.build())
.build());
var secret_version_data = new SecretVersion("secret-version-data", SecretVersionArgs.builder()
.secret(secret.name())
.secretData("secret-data")
.build());
var default_ = new WorkerPool("default", WorkerPoolArgs.builder()
.name("cloudrun-worker-pool")
.location("us-central1")
.deletionProtection(false)
.launchStage("BETA")
.template(WorkerPoolTemplateArgs.builder()
.volumes(WorkerPoolTemplateVolumeArgs.builder()
.name("a-volume")
.secret(WorkerPoolTemplateVolumeSecretArgs.builder()
.secret(secret.secretId())
.defaultMode(292)
.items(WorkerPoolTemplateVolumeSecretItemArgs.builder()
.version("1")
.path("my-secret")
.mode(444)
.build())
.build())
.build())
.containers(WorkerPoolTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/worker-pool")
.volumeMounts(WorkerPoolTemplateContainerVolumeMountArgs.builder()
.name("a-volume")
.mountPath("/secrets")
.build())
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(secret_version_data)
.build());
final var project = OrganizationsFunctions.getProject(GetProjectArgs.builder()
.build());
var secret_access = new SecretIamMember("secret-access", SecretIamMemberArgs.builder()
.secretId(secret.id())
.role("roles/secretmanager.secretAccessor")
.member(String.format("serviceAccount:%s-compute@developer.gserviceaccount.com", project.number()))
.build(), CustomResourceOptions.builder()
.dependsOn(secret)
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:WorkerPool
properties:
name: cloudrun-worker-pool
location: us-central1
deletionProtection: false
launchStage: BETA
template:
volumes:
- name: a-volume
secret:
secret: ${secret.secretId}
defaultMode: 292
items:
- version: '1'
path: my-secret
mode: 444
containers:
- image: us-docker.pkg.dev/cloudrun/container/worker-pool
volumeMounts:
- name: a-volume
mountPath: /secrets
options:
dependsOn:
- ${["secret-version-data"]}
secret:
type: gcp:secretmanager:Secret
properties:
secretId: secret-1
replication:
auto: {}
secret-version-data:
type: gcp:secretmanager:SecretVersion
properties:
secret: ${secret.name}
secretData: secret-data
secret-access:
type: gcp:secretmanager:SecretIamMember
properties:
secretId: ${secret.id}
role: roles/secretmanager.secretAccessor
member: serviceAccount:${project.number}-compute@developer.gserviceaccount.com
options:
dependsOn:
- ${secret}
variables:
project:
fn::invoke:
function: gcp:organizations:getProject
arguments: {}
The volumes.secret property mounts Secret Manager secrets as files. The defaultMode sets file permissions (292 is octal 0444). The items array maps secret versions to file paths with custom permissions. The volumeMounts property specifies where secrets appear in the container.
Mount Cloud Storage buckets as file systems
Workloads processing large files can mount Cloud Storage buckets directly.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const defaultBucket = new gcp.storage.Bucket("default", {
name: "cloudrun-worker-pool",
location: "US",
uniformBucketLevelAccess: true,
});
const _default = new gcp.cloudrunv2.WorkerPool("default", {
name: "cloudrun-worker-pool",
location: "us-central1",
deletionProtection: false,
launchStage: "BETA",
template: {
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/worker-pool",
volumeMounts: [{
name: "bucket",
mountPath: "/var/www",
}],
}],
volumes: [{
name: "bucket",
gcs: {
bucket: defaultBucket.name,
readOnly: false,
},
}],
},
});
import pulumi
import pulumi_gcp as gcp
default_bucket = gcp.storage.Bucket("default",
name="cloudrun-worker-pool",
location="US",
uniform_bucket_level_access=True)
default = gcp.cloudrunv2.WorkerPool("default",
name="cloudrun-worker-pool",
location="us-central1",
deletion_protection=False,
launch_stage="BETA",
template={
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/worker-pool",
"volume_mounts": [{
"name": "bucket",
"mount_path": "/var/www",
}],
}],
"volumes": [{
"name": "bucket",
"gcs": {
"bucket": default_bucket.name,
"read_only": False,
},
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/storage"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
defaultBucket, err := storage.NewBucket(ctx, "default", &storage.BucketArgs{
Name: pulumi.String("cloudrun-worker-pool"),
Location: pulumi.String("US"),
UniformBucketLevelAccess: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = cloudrunv2.NewWorkerPool(ctx, "default", &cloudrunv2.WorkerPoolArgs{
Name: pulumi.String("cloudrun-worker-pool"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
LaunchStage: pulumi.String("BETA"),
Template: &cloudrunv2.WorkerPoolTemplateArgs{
Containers: cloudrunv2.WorkerPoolTemplateContainerArray{
&cloudrunv2.WorkerPoolTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/worker-pool"),
VolumeMounts: cloudrunv2.WorkerPoolTemplateContainerVolumeMountArray{
&cloudrunv2.WorkerPoolTemplateContainerVolumeMountArgs{
Name: pulumi.String("bucket"),
MountPath: pulumi.String("/var/www"),
},
},
},
},
Volumes: cloudrunv2.WorkerPoolTemplateVolumeArray{
&cloudrunv2.WorkerPoolTemplateVolumeArgs{
Name: pulumi.String("bucket"),
Gcs: &cloudrunv2.WorkerPoolTemplateVolumeGcsArgs{
Bucket: defaultBucket.Name,
ReadOnly: pulumi.Bool(false),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var defaultBucket = new Gcp.Storage.Bucket("default", new()
{
Name = "cloudrun-worker-pool",
Location = "US",
UniformBucketLevelAccess = true,
});
var @default = new Gcp.CloudRunV2.WorkerPool("default", new()
{
Name = "cloudrun-worker-pool",
Location = "us-central1",
DeletionProtection = false,
LaunchStage = "BETA",
Template = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateArgs
{
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/worker-pool",
VolumeMounts = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerVolumeMountArgs
{
Name = "bucket",
MountPath = "/var/www",
},
},
},
},
Volumes = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateVolumeArgs
{
Name = "bucket",
Gcs = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateVolumeGcsArgs
{
Bucket = defaultBucket.Name,
ReadOnly = false,
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.storage.Bucket;
import com.pulumi.gcp.storage.BucketArgs;
import com.pulumi.gcp.cloudrunv2.WorkerPool;
import com.pulumi.gcp.cloudrunv2.WorkerPoolArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultBucket = new Bucket("defaultBucket", BucketArgs.builder()
.name("cloudrun-worker-pool")
.location("US")
.uniformBucketLevelAccess(true)
.build());
var default_ = new WorkerPool("default", WorkerPoolArgs.builder()
.name("cloudrun-worker-pool")
.location("us-central1")
.deletionProtection(false)
.launchStage("BETA")
.template(WorkerPoolTemplateArgs.builder()
.containers(WorkerPoolTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/worker-pool")
.volumeMounts(WorkerPoolTemplateContainerVolumeMountArgs.builder()
.name("bucket")
.mountPath("/var/www")
.build())
.build())
.volumes(WorkerPoolTemplateVolumeArgs.builder()
.name("bucket")
.gcs(WorkerPoolTemplateVolumeGcsArgs.builder()
.bucket(defaultBucket.name())
.readOnly(false)
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:WorkerPool
properties:
name: cloudrun-worker-pool
location: us-central1
deletionProtection: false
launchStage: BETA
template:
containers:
- image: us-docker.pkg.dev/cloudrun/container/worker-pool
volumeMounts:
- name: bucket
mountPath: /var/www
volumes:
- name: bucket
gcs:
bucket: ${defaultBucket.name}
readOnly: false
defaultBucket:
type: gcp:storage:Bucket
name: default
properties:
name: cloudrun-worker-pool
location: US
uniformBucketLevelAccess: true
The volumes.gcs property mounts a Cloud Storage bucket. The readOnly property controls write access. The volumeMounts property maps the bucket to a container path. This enables file-based access to Cloud Storage without SDK calls.
Attach GPUs for accelerated workloads
Machine learning inference and compute-intensive tasks can use GPUs for acceleration.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.cloudrunv2.WorkerPool("default", {
name: "cloudrun-worker-pool",
location: "us-central1",
deletionProtection: false,
launchStage: "BETA",
template: {
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/worker-pool",
resources: {
limits: {
cpu: "4",
memory: "16Gi",
"nvidia.com/gpu": "1",
},
},
}],
nodeSelector: {
accelerator: "nvidia-l4",
},
gpuZonalRedundancyDisabled: true,
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.cloudrunv2.WorkerPool("default",
name="cloudrun-worker-pool",
location="us-central1",
deletion_protection=False,
launch_stage="BETA",
template={
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/worker-pool",
"resources": {
"limits": {
"cpu": "4",
"memory": "16Gi",
"nvidia.com/gpu": "1",
},
},
}],
"node_selector": {
"accelerator": "nvidia-l4",
},
"gpu_zonal_redundancy_disabled": True,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewWorkerPool(ctx, "default", &cloudrunv2.WorkerPoolArgs{
Name: pulumi.String("cloudrun-worker-pool"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(false),
LaunchStage: pulumi.String("BETA"),
Template: &cloudrunv2.WorkerPoolTemplateArgs{
Containers: cloudrunv2.WorkerPoolTemplateContainerArray{
&cloudrunv2.WorkerPoolTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/worker-pool"),
Resources: &cloudrunv2.WorkerPoolTemplateContainerResourcesArgs{
Limits: pulumi.StringMap{
"cpu": pulumi.String("4"),
"memory": pulumi.String("16Gi"),
"nvidia.com/gpu": pulumi.String("1"),
},
},
},
},
NodeSelector: &cloudrunv2.WorkerPoolTemplateNodeSelectorArgs{
Accelerator: pulumi.String("nvidia-l4"),
},
GpuZonalRedundancyDisabled: pulumi.Bool(true),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CloudRunV2.WorkerPool("default", new()
{
Name = "cloudrun-worker-pool",
Location = "us-central1",
DeletionProtection = false,
LaunchStage = "BETA",
Template = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateArgs
{
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/worker-pool",
Resources = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerResourcesArgs
{
Limits =
{
{ "cpu", "4" },
{ "memory", "16Gi" },
{ "nvidia.com/gpu", "1" },
},
},
},
},
NodeSelector = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateNodeSelectorArgs
{
Accelerator = "nvidia-l4",
},
GpuZonalRedundancyDisabled = true,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.WorkerPool;
import com.pulumi.gcp.cloudrunv2.WorkerPoolArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolTemplateArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolTemplateNodeSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new WorkerPool("default", WorkerPoolArgs.builder()
.name("cloudrun-worker-pool")
.location("us-central1")
.deletionProtection(false)
.launchStage("BETA")
.template(WorkerPoolTemplateArgs.builder()
.containers(WorkerPoolTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/worker-pool")
.resources(WorkerPoolTemplateContainerResourcesArgs.builder()
.limits(Map.ofEntries(
Map.entry("cpu", "4"),
Map.entry("memory", "16Gi"),
Map.entry("nvidia.com/gpu", "1")
))
.build())
.build())
.nodeSelector(WorkerPoolTemplateNodeSelectorArgs.builder()
.accelerator("nvidia-l4")
.build())
.gpuZonalRedundancyDisabled(true)
.build())
.build());
}
}
resources:
default:
type: gcp:cloudrunv2:WorkerPool
properties:
name: cloudrun-worker-pool
location: us-central1
deletionProtection: false
launchStage: BETA
template:
containers:
- image: us-docker.pkg.dev/cloudrun/container/worker-pool
resources:
limits:
cpu: '4'
memory: 16Gi
nvidia.com/gpu: '1'
nodeSelector:
accelerator: nvidia-l4
gpuZonalRedundancyDisabled: true
The resources.limits property includes “nvidia.com/gpu” to request GPU allocation. The nodeSelector.accelerator property specifies the GPU type (e.g., “nvidia-l4”). The gpuZonalRedundancyDisabled property controls whether GPUs must be in multiple zones. GPU instances require higher CPU and memory minimums.
Configure health checks with startup and liveness probes
Long-running workers benefit from health checks that detect failures and restart containers.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const customTest = new gcp.compute.Network("custom_test", {
name: "wp-net",
autoCreateSubnetworks: false,
});
const customTestSubnetwork = new gcp.compute.Subnetwork("custom_test", {
name: "wp-subnet",
ipCidrRange: "10.2.0.0/28",
region: "us-central1",
network: customTest.id,
});
const _default = new gcp.cloudrunv2.WorkerPool("default", {
name: "cloudrun-worker-pool",
location: "us-central1",
launchStage: "BETA",
deletionProtection: false,
template: {
annotations: {},
labels: {},
containers: [{
image: "us-docker.pkg.dev/cloudrun/container/hello",
commands: [],
args: [],
startupProbe: {
initialDelaySeconds: 0,
timeoutSeconds: 1,
periodSeconds: 3,
failureThreshold: 3,
tcpSocket: {
port: 8080,
},
},
livenessProbe: {
initialDelaySeconds: 0,
timeoutSeconds: 1,
periodSeconds: 10,
failureThreshold: 3,
httpGet: {
path: "/",
port: 8080,
},
},
}],
vpcAccess: {
networkInterfaces: [{
network: customTest.id,
subnetwork: customTestSubnetwork.id,
tags: [],
}],
},
},
});
import pulumi
import pulumi_gcp as gcp
custom_test = gcp.compute.Network("custom_test",
name="wp-net",
auto_create_subnetworks=False)
custom_test_subnetwork = gcp.compute.Subnetwork("custom_test",
name="wp-subnet",
ip_cidr_range="10.2.0.0/28",
region="us-central1",
network=custom_test.id)
default = gcp.cloudrunv2.WorkerPool("default",
name="cloudrun-worker-pool",
location="us-central1",
launch_stage="BETA",
deletion_protection=False,
template={
"annotations": {},
"labels": {},
"containers": [{
"image": "us-docker.pkg.dev/cloudrun/container/hello",
"commands": [],
"args": [],
"startup_probe": {
"initial_delay_seconds": 0,
"timeout_seconds": 1,
"period_seconds": 3,
"failure_threshold": 3,
"tcp_socket": {
"port": 8080,
},
},
"liveness_probe": {
"initial_delay_seconds": 0,
"timeout_seconds": 1,
"period_seconds": 10,
"failure_threshold": 3,
"http_get": {
"path": "/",
"port": 8080,
},
},
}],
"vpc_access": {
"network_interfaces": [{
"network": custom_test.id,
"subnetwork": custom_test_subnetwork.id,
"tags": [],
}],
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
customTest, err := compute.NewNetwork(ctx, "custom_test", &compute.NetworkArgs{
Name: pulumi.String("wp-net"),
AutoCreateSubnetworks: pulumi.Bool(false),
})
if err != nil {
return err
}
customTestSubnetwork, err := compute.NewSubnetwork(ctx, "custom_test", &compute.SubnetworkArgs{
Name: pulumi.String("wp-subnet"),
IpCidrRange: pulumi.String("10.2.0.0/28"),
Region: pulumi.String("us-central1"),
Network: customTest.ID(),
})
if err != nil {
return err
}
_, err = cloudrunv2.NewWorkerPool(ctx, "default", &cloudrunv2.WorkerPoolArgs{
Name: pulumi.String("cloudrun-worker-pool"),
Location: pulumi.String("us-central1"),
LaunchStage: pulumi.String("BETA"),
DeletionProtection: pulumi.Bool(false),
Template: &cloudrunv2.WorkerPoolTemplateArgs{
Annotations: pulumi.StringMap{},
Labels: pulumi.StringMap{},
Containers: cloudrunv2.WorkerPoolTemplateContainerArray{
&cloudrunv2.WorkerPoolTemplateContainerArgs{
Image: pulumi.String("us-docker.pkg.dev/cloudrun/container/hello"),
Commands: pulumi.StringArray{},
Args: pulumi.StringArray{},
StartupProbe: &cloudrunv2.WorkerPoolTemplateContainerStartupProbeArgs{
InitialDelaySeconds: pulumi.Int(0),
TimeoutSeconds: pulumi.Int(1),
PeriodSeconds: pulumi.Int(3),
FailureThreshold: pulumi.Int(3),
TcpSocket: &cloudrunv2.WorkerPoolTemplateContainerStartupProbeTcpSocketArgs{
Port: pulumi.Int(8080),
},
},
LivenessProbe: &cloudrunv2.WorkerPoolTemplateContainerLivenessProbeArgs{
InitialDelaySeconds: pulumi.Int(0),
TimeoutSeconds: pulumi.Int(1),
PeriodSeconds: pulumi.Int(10),
FailureThreshold: pulumi.Int(3),
HttpGet: &cloudrunv2.WorkerPoolTemplateContainerLivenessProbeHttpGetArgs{
Path: pulumi.String("/"),
Port: pulumi.Int(8080),
},
},
},
},
VpcAccess: &cloudrunv2.WorkerPoolTemplateVpcAccessArgs{
NetworkInterfaces: cloudrunv2.WorkerPoolTemplateVpcAccessNetworkInterfaceArray{
&cloudrunv2.WorkerPoolTemplateVpcAccessNetworkInterfaceArgs{
Network: customTest.ID(),
Subnetwork: customTestSubnetwork.ID(),
Tags: pulumi.StringArray{},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var customTest = new Gcp.Compute.Network("custom_test", new()
{
Name = "wp-net",
AutoCreateSubnetworks = false,
});
var customTestSubnetwork = new Gcp.Compute.Subnetwork("custom_test", new()
{
Name = "wp-subnet",
IpCidrRange = "10.2.0.0/28",
Region = "us-central1",
Network = customTest.Id,
});
var @default = new Gcp.CloudRunV2.WorkerPool("default", new()
{
Name = "cloudrun-worker-pool",
Location = "us-central1",
LaunchStage = "BETA",
DeletionProtection = false,
Template = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateArgs
{
Annotations = null,
Labels = null,
Containers = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerArgs
{
Image = "us-docker.pkg.dev/cloudrun/container/hello",
Commands = new() { },
Args = new() { },
StartupProbe = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerStartupProbeArgs
{
InitialDelaySeconds = 0,
TimeoutSeconds = 1,
PeriodSeconds = 3,
FailureThreshold = 3,
TcpSocket = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerStartupProbeTcpSocketArgs
{
Port = 8080,
},
},
LivenessProbe = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerLivenessProbeArgs
{
InitialDelaySeconds = 0,
TimeoutSeconds = 1,
PeriodSeconds = 10,
FailureThreshold = 3,
HttpGet = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateContainerLivenessProbeHttpGetArgs
{
Path = "/",
Port = 8080,
},
},
},
},
VpcAccess = new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateVpcAccessArgs
{
NetworkInterfaces = new[]
{
new Gcp.CloudRunV2.Inputs.WorkerPoolTemplateVpcAccessNetworkInterfaceArgs
{
Network = customTest.Id,
Subnetwork = customTestSubnetwork.Id,
Tags = new() { },
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.Subnetwork;
import com.pulumi.gcp.compute.SubnetworkArgs;
import com.pulumi.gcp.cloudrunv2.WorkerPool;
import com.pulumi.gcp.cloudrunv2.WorkerPoolArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolTemplateArgs;
import com.pulumi.gcp.cloudrunv2.inputs.WorkerPoolTemplateVpcAccessArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var customTest = new Network("customTest", NetworkArgs.builder()
.name("wp-net")
.autoCreateSubnetworks(false)
.build());
var customTestSubnetwork = new Subnetwork("customTestSubnetwork", SubnetworkArgs.builder()
.name("wp-subnet")
.ipCidrRange("10.2.0.0/28")
.region("us-central1")
.network(customTest.id())
.build());
var default_ = new WorkerPool("default", WorkerPoolArgs.builder()
.name("cloudrun-worker-pool")
.location("us-central1")
.launchStage("BETA")
.deletionProtection(false)
.template(WorkerPoolTemplateArgs.builder()
.annotations(Map.ofEntries(
))
.labels(Map.ofEntries(
))
.containers(WorkerPoolTemplateContainerArgs.builder()
.image("us-docker.pkg.dev/cloudrun/container/hello")
.commands()
.args()
.startupProbe(WorkerPoolTemplateContainerStartupProbeArgs.builder()
.initialDelaySeconds(0)
.timeoutSeconds(1)
.periodSeconds(3)
.failureThreshold(3)
.tcpSocket(WorkerPoolTemplateContainerStartupProbeTcpSocketArgs.builder()
.port(8080)
.build())
.build())
.livenessProbe(WorkerPoolTemplateContainerLivenessProbeArgs.builder()
.initialDelaySeconds(0)
.timeoutSeconds(1)
.periodSeconds(10)
.failureThreshold(3)
.httpGet(WorkerPoolTemplateContainerLivenessProbeHttpGetArgs.builder()
.path("/")
.port(8080)
.build())
.build())
.build())
.vpcAccess(WorkerPoolTemplateVpcAccessArgs.builder()
.networkInterfaces(WorkerPoolTemplateVpcAccessNetworkInterfaceArgs.builder()
.network(customTest.id())
.subnetwork(customTestSubnetwork.id())
.tags()
.build())
.build())
.build())
.build());
}
}
resources:
customTest:
type: gcp:compute:Network
name: custom_test
properties:
name: wp-net
autoCreateSubnetworks: false
customTestSubnetwork:
type: gcp:compute:Subnetwork
name: custom_test
properties:
name: wp-subnet
ipCidrRange: 10.2.0.0/28
region: us-central1
network: ${customTest.id}
default:
type: gcp:cloudrunv2:WorkerPool
properties:
name: cloudrun-worker-pool
location: us-central1
launchStage: BETA
deletionProtection: false
template:
annotations: {}
labels: {}
containers:
- image: us-docker.pkg.dev/cloudrun/container/hello
commands: []
args: []
startupProbe:
initialDelaySeconds: 0
timeoutSeconds: 1
periodSeconds: 3
failureThreshold: 3
tcpSocket:
port: 8080
livenessProbe:
initialDelaySeconds: 0
timeoutSeconds: 1
periodSeconds: 10
failureThreshold: 3
httpGet:
path: /
port: 8080
vpcAccess:
networkInterfaces:
- network: ${customTest.id}
subnetwork: ${customTestSubnetwork.id}
tags: []
The startupProbe property checks if the container started successfully using TCP or HTTP. The livenessProbe property monitors ongoing health. The periodSeconds property controls check frequency, and failureThreshold sets how many failures trigger a restart. Probes prevent traffic to unhealthy instances.
Beyond these examples
These snippets focus on specific worker pool features: container deployment and resource limits, VPC networking and storage mounts, and secrets injection and health probes. They’re intentionally minimal rather than full background processing systems.
The examples may reference pre-existing infrastructure such as container images in Artifact Registry or Container Registry, VPC networks, subnets, and security groups, Cloud SQL instances, Secret Manager secrets, Cloud Storage buckets, and IAM service account permissions. They focus on configuring the worker pool rather than provisioning everything around it.
To keep things focused, common worker pool patterns are omitted, including:
- Scaling configuration (minInstanceCount, maxInstanceCount)
- Instance split allocation for gradual rollouts
- Binary Authorization for deployment policies
- Multi-container sidecar patterns
- Custom audiences for authentication
- Annotations and labels for organization
These omissions are intentional: the goal is to illustrate how each worker pool feature is wired, not provide drop-in processing modules. See the Cloud Run WorkerPool resource reference for all available configuration options.
Let's configure GCP Cloud Run Worker Pools
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Lifecycle
What properties can't I change after creating a WorkerPool?
The
location, name, and project properties are immutable. Changing any of these will force Pulumi to destroy and recreate the WorkerPool.What does launchStage do and why might it change?
The
launchStage property determines which preview features are available (ALPHA, BETA, GA). If you set it to ALPHA but only use BETA/GA features, the output will show BETA instead. The output reflects the actual feature level used, not your input value.How do I prevent accidental deletion of my WorkerPool?
Set
deletionProtection to true to prevent accidental deletion.Annotations & Labels
Why aren't my annotations or labels showing up in the resource?
The
annotations and labels fields are non-authoritative and only manage values in your Pulumi configuration. Annotations or labels set outside Pulumi won’t be removed. Use the effectiveAnnotations and effectiveLabels output properties to see all annotations and labels on the resource.Why are my annotations or labels being rejected?
Cloud Run API v2 rejects annotations and labels with
run.googleapis.com, cloud.googleapis.com, serving.knative.dev, or autoscaling.knative.dev namespaces. Avoid using these reserved namespaces.Reconciliation & State
What does reconciling mean and why are my fields showing unexpected values?
When
reconciling is true, Cloud Run is actively updating your WorkerPool. During this time, fields like observedGeneration, latestReadyRevision, and trafficStatuses may have transient values that don’t match your desired state. Wait for reconciling to become false, then check terminalCondition for any errors.Container Configuration
How do I configure container startup dependencies?
Use the
dependsOns array in a container to specify other containers (by name) that must start first.How do I configure resource limits and GPUs?
Set
resources.limits with cpu and memory values (e.g., '2' and '1024Mi'). For GPUs, add 'nvidia.com/gpu' to limits, configure nodeSelector.accelerator (e.g., 'nvidia-l4'), and set gpuZonalRedundancyDisabled to true.How do I use multiple containers in a WorkerPool?
Add multiple entries to the
containers array in your template. Each container needs a unique name.Storage & Secrets
How do I connect my WorkerPool to Cloud SQL?
Add a
cloudSqlInstance volume with the instance connection name, then mount it in your container using volumeMounts. You’ll also need VPC access configured.How do I use secrets in my WorkerPool?
For environment variables, use
envs with valueSource.secretKeyRef pointing to your secret ID and version. For files, create a secret volume with secret, defaultMode, and items, then add a volumeMount in your container.How do I mount GCS buckets or NFS volumes?
For GCS, create a
gcs volume with bucket name and readOnly flag. For NFS, create an nfs volume with server IP, path, and readOnly flag (requires VPC access). Then mount either volume in your container.Networking & Security
How do I configure VPC access for my WorkerPool?
Set
vpcAccess.networkInterfaces with network, subnetwork, and optional tags to connect your WorkerPool to VPC resources.How do I configure custom audiences for authentication?
Set the
customAudiences array with full URL strings for each audience you want to support. These are encoded in tokens to authenticate requests.Health & Monitoring
How do I configure health probes for my containers?
Use
startupProbe and livenessProbe with either httpGet (path and port) or tcpSocket (port) checks. Configure timing with periodSeconds, timeoutSeconds, failureThreshold, and initialDelaySeconds.