Google Cloud Run + Travis CI

This repository shows how to use Travis CI to build a container image and deploy it to Google Cloud Run when you push a new commit.

Table of Contents

• Step 0: Fork this repository
• Step 1: Sign up to Travis CI
• Step 1: Install required tools
• Step 2: Create a service account for deploying
• Step 3: Assign permissions to the service account
• Step 4: Encrypt the service account key
• Step 5: Configure your project ID
• Step 6: Commit the changes to your fork
• Step 7: View build result
• Step 8: Clean up

Step 0: Fork this repository

1. Scroll up and click "Fork" so you can try pushing commits and testing builds.
2. Clone the repository on your machine.
3. Go to the cloud-run-travisci directory you cloned.

Step 1: Sign up to Travis CI

Sign up at www.travis-ci.com and enable Travis CI app on your forked cloud-run-travisci repository at https://www.travis-ci.com/account/repositories.

Note: If you have an travis-ci.org account instead of .com, replace --pro arguments in this tutorial with --org.

Step 1: Install required tools

• Google Cloud SDK (gcloud): https://cloud.google.com/sdk

• travis command-line tool:

  sudo gem install travis

  travis login --pro # (use --org if you're on travis-ci.ORG and not .COM)

Step 2: Create a service account for deploying

To authenticate to GCP APIs from Travis CI build environment you will need a service account.

PROJECT_ID="$(gcloud config get-value project -q)" # fetch current GCP project ID

SVCACCT_NAME=travisci-deployer # choose name for service account

Create a service account:

gcloud iam service-accounts create "${SVCACCT_NAME?}"

Find the email address of this account:

SVCACCT_EMAIL="$(gcloud iam service-accounts list \
  --filter="name:${SVCACCT_NAME?}@"  \
  --format=value\(email\))"

Create a JSON key to authenticate as this service account, and save it as google-key.json:

gcloud iam service-accounts keys create "google-key.json" \
   --iam-account="${SVCACCT_EMAIL?}"

Step 3: Assign permissions to the service account

You need to give these IAM roles to the service account created:

1. Storage Admin: Used for pushing docker images to Google Container Registry (GCR).
2. Cloud Run Admin: Used for deploying services to Cloud Run.
3. IAM Service Account user: Required by Cloud Run to be able to "act as" the runtime identity of the Cloud Run application (in this case, our deployer service account needs to able to "act as" the GCE default service account).

gcloud projects add-iam-policy-binding "${PROJECT_ID?}" \
   --member="serviceAccount:${SVCACCT_EMAIL?}" \
   --role="roles/storage.admin"

gcloud projects add-iam-policy-binding "${PROJECT_ID?}" \
   --member="serviceAccount:${SVCACCT_EMAIL?}" \
   --role="roles/run.admin"

gcloud projects add-iam-policy-binding "${PROJECT_ID?}" \
   --member="serviceAccount:${SVCACCT_EMAIL?}" \
   --role="roles/iam.serviceAccountUser"

Step 4: Encrypt the service account key

Run the following command

travis encrypt-file --pro google-key.json

This command will print an openssl [...] command, don’t lose it!

Edit the .travis.yml file, and add this commmand to the before_install step:

 before_install:
-- echo REMOVE_ME # replace with the openssl command from "travis encrypt-file"
+- openssl aes-256-cbc -K $encrypted_fbfaf42b268c_key -iv $encrypted_fbfaf42b268c_iv -in google-key.json.enc -out google-key.json -d
 - curl https://sdk.cloud.google.com | bash > /dev/null
 ...

Step 5: Configure your project ID

Edit the .travis.yml and configure the environment variables under the env: key (such as GCP_PROJECT_ID, IMAGE, and CLOUD_RUN_SERVICE).

Step 6: Commit the changes to your fork

⚠️ Do not add google-key.json file to your repository as it can be reached by others.

Make a commit, and push the changes to your fork:

git add google-key.json.enc .travis.yml

git commit -m "Enable Travis CI"

git push -u origin master

Step 7: View build result

Go to www.travis-ci.com and view your build results.

There might be errors that require you to fix.

If the build succeeds, the output of gcloud run beta deploy command will show you the URL your app is deployed on! Visit the URL to see if the application works!

[...]
Deploying container to Cloud Run service [example-app] in project [...] region [us-central1]
Deploying new service...
Setting IAM Policy.....done
Creating Revision......done
Routing traffic........done
Done.
Service [example-app] revision [example-app-00001] has been deployed
and is serving traffic at https://example-app-pwfuv4g72q-uc.a.run.app

Step 8: Clean up

Delete the service account you created:

gcloud iam service-accounts delete "${SVCACCT_EMAIL?}"

Delete the Cloud Run application you deployed:

gcloud beta run services delete "YOUR-APP-NAME"

---

👍Did this tutorial work for you? Click "✭Star" on the top right of this page and let me know!