5.1 KiB
title, type, weight, description
| title | type | weight | description |
|---|---|---|---|
| Deploy to Cloud Run | docs | 3 | How to set up and configure Toolbox to run on Cloud Run. |
Before you begin
-
Install the Google Cloud CLI.
-
Set the PROJECT_ID environment variable:
export PROJECT_ID="my-project-id" -
Initialize gcloud CLI:
gcloud init gcloud config set project $PROJECT_ID -
Make sure you've set up and initialized your database.
-
You must have the following APIs enabled:
gcloud services enable run.googleapis.com \ cloudbuild.googleapis.com \ artifactregistry.googleapis.com \ iam.googleapis.com \ secretmanager.googleapis.com -
To create an IAM account, you must have the following IAM permissions (or roles):
- Create Service Account role (roles/iam.serviceAccountCreator)
-
To create a secret, you must have the following roles:
- Secret Manager Admin role (roles/secretmanager.admin)
-
To deploy to Cloud Run, you must have the following set of roles:
- Cloud Run Developer (roles/run.developer)
- Service Account User role (roles/iam.serviceAccountUser)
{{< notice note >}} If you are using sources that require VPC-access (such as AlloyDB or Cloud SQL over private IP), make sure your Cloud Run service and the database are in the same VPC network. {{< /notice >}}
Create a service account
-
Create a backend service account if you don't already have one:
gcloud iam service-accounts create toolbox-identity -
Grant permissions to use secret manager:
gcloud projects add-iam-policy-binding $PROJECT_ID \ --member serviceAccount:toolbox-identity@$PROJECT_ID.iam.gserviceaccount.com \ --role roles/secretmanager.secretAccessor -
Grant additional permissions to the service account that are specific to the source, e.g.:
Configure tools.yaml file
Create a tools.yaml file that contains your configuration for Toolbox. For
details, see the
configuration
section.
Deploy to Cloud Run
-
Upload
tools.yamlas a secret:gcloud secrets create tools --data-file=tools.yamlIf you already have a secret and want to update the secret version, execute the following:
gcloud secrets versions add tools --data-file=tools.yaml -
Set an environment variable to the container image that you want to use for cloud run:
export IMAGE=us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest -
Deploy Toolbox to Cloud Run using the following command:
gcloud run deploy toolbox \ --image $IMAGE \ --service-account toolbox-identity \ --region us-central1 \ --set-secrets "/app/tools.yaml=tools:latest" \ --args="--tools-file=/app/tools.yaml","--address=0.0.0.0","--port=8080" # --allow-unauthenticated # https://cloud.google.com/run/docs/authenticating/public#gcloudIf you are using a VPC network, use the command below:
gcloud run deploy toolbox \ --image $IMAGE \ --service-account toolbox-identity \ --region us-central1 \ --set-secrets "/app/tools.yaml=tools:latest" \ --args="--tools-file=/app/tools.yaml","--address=0.0.0.0","--port=8080" \ # TODO(dev): update the following to match your VPC if necessary --network default \ --subnet default # --allow-unauthenticated # https://cloud.google.com/run/docs/authenticating/public#gcloud
Connecting with Toolbox Client SDK
You can connect to Toolbox Cloud Run instances directly through the SDK.
-
Set up
Cloud Run Invokerrole access to your Cloud Run service. -
(Only for local runs) Set up Application Default Credentials for the principle you set up the
Cloud Run Invokerrole access to. -
Run the following to retrieve a non-deterministic URL for the cloud run service:
gcloud run services describe toolbox --format 'value(status.url)' -
Import and initialize the toolbox client with the URL retrieved above:
from toolbox_core import ToolboxClient, auth_methods # Replace with the Cloud Run service URL generated in the previous step. URL = "https://cloud-run-url.app" auth_token_provider = auth_methods.aget_google_id_token(URL) # can also use sync method async with ToolboxClient( URL, client_headers={"Authorization": auth_token_provider}, ) as toolbox:
Now, you can use this client to connect to the deployed Cloud Run instance!