Fix GCP Cloud Run Eventarc Errors
When working with GCP Cloud Run, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake when connecting Eventarc to Cloud Run and shows the exact fix.
A Common Mistake
The mistake is creating an Eventarc trigger for Cloud Run without granting the Eventarc service account the required permissions, which causes events to be silently dropped.
The incorrect command:
gcloud eventarc triggers create my-trigger --destination-run-service=my-service --destination-run-region=us-central1 --event-filters=type=google.cloud.storage.object.v1.finalized
Output (no error is shown):
Created trigger.
When objects are uploaded to any bucket in the project, the event is NOT delivered to Cloud Run. The Eventarc service account lacks permissions to invoke the Cloud Run service. Events are silently dropped.
The Correct Approach
The right way to configure Eventarc with GCP Cloud Run is to grant the invoker role first, then create the trigger:
gcloud run services add-iam-policy-binding my-service --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-eventarc.iam.gserviceaccount.com --role=roles/run.invoker --region=us-central1 && gcloud eventarc triggers create my-trigger --destination-run-service=my-service --destination-run-region=us-central1 --event-filters=type=google.cloud.storage.object.v1.finalized
Successful result:
Created trigger with permissions.
Now every object creation in the project triggers the Cloud Run service. Events are delivered reliably.
How to Prevent This
Grant the Eventarc service account (SA) the roles/run.invoker role on the Cloud Run service. The Eventarc SA format is service-PROJECT_NUMBER@gcp-sa-eventarc.iam.gserviceaccount.com. Use --event-filters to scope which events trigger the service. Eventarc supports Cloud Storage, Pub/Sub, Firestore, and 60+ event sources.
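An added example, not part of the original guide: a Python check over the JSON printed by gcloud run services get-iam-policy my-service --region=us-central1 --format=json that reports whether the Eventarc SA holds roles/run.invoker, so the gap is caught before events are dropped. The function names, the sample policies and the project number 123456789012 are constructed for illustration.

```python
import json
import shlex

INVOKER_ROLE = "roles/run.invoker"

def eventarc_member(project_number):
    """IAM member string for the Eventarc SA, in the format the guide gives."""
    return (f"serviceAccount:service-{project_number}"
            "@gcp-sa-eventarc.iam.gserviceaccount.com")

def check_invoker(policy_json, project_number):
    """Return 'granted', 'conditional' or 'missing' for the Eventarc SA."""
    member = eventarc_member(project_number)
    status = "missing"
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue
        if member not in binding.get("members", []):
            continue
        if not binding.get("condition"):
            return "granted"          # unconditional grant on the service
        status = "conditional"        # grant applies only when its condition holds
    return status

def fix_command(service, region, project_number):
    """The guide's add-iam-policy-binding command with the values filled in."""
    return " ".join([
        "gcloud run services add-iam-policy-binding", shlex.quote(service),
        "--member=" + shlex.quote(eventarc_member(project_number)),
        "--role=" + INVOKER_ROLE, "--region=" + shlex.quote(region)])

# Constructed sample policies (project number 123456789012 is made up).
def _policy(*bindings):
    return json.dumps({"bindings": list(bindings)})

SA = eventarc_member("123456789012")
MISSING = _policy({"role": "roles/run.viewer", "members": [SA]},
                  {"role": INVOKER_ROLE, "members": ["user:dev@example.com"]})
GRANTED = _policy({"role": INVOKER_ROLE, "members": ["user:dev@example.com", SA]})
CONDITIONAL = _policy({"role": INVOKER_ROLE, "members": [SA],
                       "condition": {"title": "constructed", "expression": "false"}})

if __name__ == "__main__":
    for name, policy in [("missing", MISSING), ("granted", GRANTED),
                         ("conditional", CONDITIONAL)]:
        status = check_invoker(policy, "123456789012")
        print(f"{name}: {status}")
        if status != "granted":
            print("  fix:", fix_command("my-service", "us-central1", "123456789012"))
```

A "conditional" result means the binding exists but carries an IAM condition, so review that condition before relying on delivery.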