# About the automation resource

This document describes the Cloud Deploy resources used to execute automations.

You can configure Cloud Deploy to automatically perform certain delivery pipeline tasks, such as promoting a release or advancing a rollout to a given phase. These automations rely on two Cloud Deploy resources:

- The `Automation` itself
- The `AutomationRun`

These resources are described in this document.

The `Automation` resource
-------------------------

An `Automation` is a Cloud Deploy resource that defines how to automate one or more delivery pipeline tasks. The `Automation` associates one or more target resources with one or more automation `rules`.

The `Automation` resource includes the following:

- A reference to the target (or targets) against which to perform the automation (the `selector`).
- An automation rule that determines how to do the automation.
- Metadata, such as `description`, `annotations`, and `labels`.
- A `suspended` property.
- The service account to use to perform the automation. The service account is required, and it must have the necessary permissions to perform the automation. Automation doesn't assume a default service account.

The `Automation` resource is a child resource of the delivery pipeline; if you delete a delivery pipeline, all automations that are children of that pipeline are also deleted.

The configuration file schema describes how to configure the `Automation`.

The `AutomationRun` resource
----------------------------

An `AutomationRun` represents an execution of an automation rule.

The automation service account
------------------------------

The service account you use to invoke an automation can be the default service account or another service account. However, even if you're using the default service account, you must specify it, using the `serviceAccount` property in the `Automation` configuration.

The automation service account must have `iam.serviceAccount.actAs` permission on the applicable execution service account. Also, if the automation service account isn't in the same project as the delivery pipeline, the Cloud Deploy service agent must have `iam.serviceAccount.actAs` on the automation service account.

### Required permissions on the automation service account

Whether you specify the default or a non-default service account for an automation, the service account must have the following permissions:

- Permission to `actAs` the execution service account.
- Permissions to perform the operations that are being automated. See the automation rules for specific permission requirements.

Last updated 2025-08-25 UTC.
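
The service account requirements above can be checked before an automation is deployed. The following is an added example, not code from Cloud Deploy or its documentation: it audits IAM policies in the JSON shape returned by `gcloud iam service-accounts get-iam-policy`. The function names, the sample accounts and projects, and the choice of `roles/iam.serviceAccountUser` as the role that carries the actAs permission are assumptions of the example.

```python
# Added example: audit the actAs bindings a Cloud Deploy Automation depends on.
# Input policies have the shape printed by
#   gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json

# Assumption: roles treated as granting actAs; add your own custom roles here.
ACTAS_ROLES = {"roles/iam.serviceAccountUser"}


def can_act_as(policy, member_email):
    """True if member_email holds an unconditional actAs-granting role."""
    member = "serviceAccount:" + member_email
    for binding in policy.get("bindings", []):
        if binding.get("role") not in ACTAS_ROLES:
            continue
        if binding.get("condition"):
            continue  # conditional grants need manual review; not counted
        if member in binding.get("members", []):
            return True
    return False


def audit_automation(automation_sa, sa_project, pipeline_project,
                     service_agent, exec_sa_policy, automation_sa_policy):
    """Return a list of findings; an empty list means the checks passed."""
    if not automation_sa:
        return ["serviceAccount is unset: an Automation assumes no default"]
    findings = []
    if not can_act_as(exec_sa_policy, automation_sa):
        findings.append("automation SA lacks actAs on the execution SA")
    # The service agent check applies only to the cross-project case.
    if sa_project != pipeline_project and not can_act_as(
            automation_sa_policy, service_agent):
        findings.append("service agent lacks actAs on the automation SA")
    return findings


# Constructed sample data (placeholder projects and accounts).
AUTOMATION_SA = "automation@sa-project.iam.gserviceaccount.com"
SERVICE_AGENT = "service-123456789012@gcp-sa-clouddeploy.iam.gserviceaccount.com"
EXEC_SA_POLICY = {"bindings": [{
    "role": "roles/iam.serviceAccountUser",
    "members": ["serviceAccount:" + AUTOMATION_SA]}]}
AUTOMATION_SA_POLICY = {"bindings": []}  # service agent not yet granted

if __name__ == "__main__":
    for finding in audit_automation(AUTOMATION_SA, "sa-project", "pipeline-project",
                                    SERVICE_AGENT, EXEC_SA_POLICY, AUTOMATION_SA_POLICY):
        print("FINDING:", finding)
```

The project of each service account is passed in explicitly because a default service account's email address does not necessarily contain its project ID.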