This tutorial shows you how to deploy an authenticated Cloud Run service that receives events from Cloud Storage using Cloud Audit Logs. Use this tutorial to deploy production workloads. The Eventarc trigger filters events based on Cloud Audit Logs entries. For more information, see Determine event filters for Cloud Audit Logs.
You can complete this tutorial using either the Google Cloud console or the Google Cloud CLI.
Create an Artifact Registry standard repository
Create an Artifact Registry standard repository to store your container image.
Console
- In the Google Cloud console, go to the Repositories page.
- Click Create repository.
- Configure your repository:
- Enter a unique Name.
- For Format, choose Docker.
- For Mode, choose Standard.
- For Location type, choose Region.
- In the Region list, select us-central1 (Iowa).
- Accept the other defaults and click Create.
gcloud
gcloud artifacts repositories create REPOSITORY \
  --repository-format=docker \
  --location=$REGION
Replace REPOSITORY with a unique name for the Artifact Registry repository.
Create a Cloud Storage bucket
This tutorial uses Cloud Storage as the event source. To create a storage bucket:
Console
- In the Google Cloud console, go to the Buckets page.
- Click Create bucket.
- Enter your bucket information and click Continue to complete each step:
- Enter a unique Name. For example, eventarcbucket.
- Select Region as the Location Type.
- Select us-central1 (Iowa) as the Location.
- Select Standard for default storage class.
- Select Uniform for Access control.
- Click Create.
gcloud
gcloud storage buckets create gs://events-tutorial-PROJECT_ID/ --location=$REGION
After the event source is created, you can deploy the event receiver service on Cloud Run.
Deploy the event receiver service to Cloud Run
Deploy a Cloud Run service that receives and logs events. To deploy the sample event receiver service:
Console
- Clone the sample repository to your GitHub account:
Go
- On GitHub, navigate to GoogleCloudPlatform/golang-samples.
- Click Fork.
- If prompted, select the location where you want to fork the repository.
Java
- On GitHub, navigate to GoogleCloudPlatform/java-docs-samples.
- Click Fork.
- If prompted, select the location where you want to fork the repository.
.NET
- On GitHub, navigate to GoogleCloudPlatform/dotnet-docs-samples.
- Click Fork.
- If prompted, select the location where you want to fork the repository.
Node.js
- On GitHub, navigate to GoogleCloudPlatform/nodejs-docs-samples.
- Click Fork.
- If prompted, select the location where you want to fork the repository.
Python
- On GitHub, navigate to GoogleCloudPlatform/python-docs-samples.
- Click Fork.
- If prompted, select the location where you want to fork the repository.
- In the Google Cloud console, go to the Services page.
- Click Create service to display the Create service form.
- Select Continuously deploy from a repository.
Changes to your GitHub repository are automatically built into container images in Artifact Registry and deployed to Cloud Run.
- Click Set up with Cloud Build to open the Set up with Cloud Build form.
- If prompted, enable the Cloud Build API and Artifact Analysis API.
- Select GitHub as the Repository Provider.
- If prompted, click Install Google Cloud Build.
- Select the GitHub repository you forked as the Repository.
- Click Next.
- In the Branch field, enter ^main$.
- Select Dockerfile as the Build Type and provide the source location of the Dockerfile: eventarc/audit-storage/Dockerfile or eventarc/audit_storage/Dockerfile (Go).
- Click Save.
- In the Create service form, enter a service name. For example, helloworld-events.
- Select us-central1 (Iowa) as the Region where you want your service located.
- Select any of the Ingress options based on the ingress traffic you want to allow on the Cloud Run service.
- Select Require authentication.
- Click Create.
gcloud
- Clone the GitHub repository:
Go
git clone https://github.com/GoogleCloudPlatform/golang-samples.git
cd golang-samples/eventarc/audit_storage
Java
git clone https://github.com/GoogleCloudPlatform/java-docs-samples.git
cd java-docs-samples/eventarc/audit-storage
.NET
git clone https://github.com/GoogleCloudPlatform/dotnet-docs-samples.git
cd dotnet-docs-samples/eventarc/audit-storage
Node.js
git clone https://github.com/GoogleCloudPlatform/nodejs-docs-samples.git
cd nodejs-docs-samples/eventarc/audit-storage
Python
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
cd python-docs-samples/eventarc/audit-storage
- Build the container and upload it to Cloud Build:
gcloud builds submit --tag $REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/$SERVICE_NAME:v1
- Deploy the container image to Cloud Run:
gcloud run deploy $SERVICE_NAME \
  --image $REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/$SERVICE_NAME:v1
At the prompt to allow unauthenticated invocations, enter n.
When the deployment succeeds, the command line displays the service URL.
Now that you have deployed your event receiver service called helloworld-events to Cloud Run, you can set up your trigger.
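To confirm that the deployed service really requires authentication, the following added example (not part of the original tutorial) audits the JSON printed by gcloud run services get-iam-policy SERVICE --format=json. It assumes the trigger's service account is the only intended invoker; the member names and sample policies are constructed.

```python
import json

INVOKER_ROLE = "roles/run.invoker"
# Members that make a Cloud Run service callable without a specific identity.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_invoker_policy(policy_json, trigger_member):
    """Return findings for a Cloud Run service IAM policy given as JSON text.

    Only roles/run.invoker bindings on the service itself are inspected;
    bindings inherited from the project or folder are out of scope.
    """
    policy = json.loads(policy_json)
    invokers = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            invokers.update(binding.get("members", []))
    findings = []
    for member in sorted(invokers & PUBLIC_MEMBERS):
        findings.append(f"PUBLIC: {member} can invoke the service")
    if trigger_member not in invokers:
        findings.append(
            f"MISSING: {trigger_member} has no {INVOKER_ROLE} binding on the service")
    for member in sorted(invokers - PUBLIC_MEMBERS - {trigger_member}):
        findings.append(f"REVIEW: additional invoker {member}")
    return findings


# Constructed values for illustration; substitute your own service account.
TRIGGER_SA = "serviceAccount:trigger-sa@example-project.iam.gserviceaccount.com"
LOCKED_DOWN = json.dumps(
    {"bindings": [{"role": INVOKER_ROLE, "members": [TRIGGER_SA]}]})
EXPOSED = json.dumps(
    {"bindings": [{"role": INVOKER_ROLE, "members": ["allUsers"]}]})

if __name__ == "__main__":
    for name, policy in (("locked-down", LOCKED_DOWN), ("exposed", EXPOSED)):
        print(name, audit_invoker_policy(policy, TRIGGER_SA) or "OK")
```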
Create an Eventarc trigger
The Eventarc trigger will send events from the Cloud Storage bucket to the helloworld-events Cloud Run service.
Console
- In the Google Cloud console, go to the Triggers page.
- Click Create trigger.
- Type a Trigger name.
This is the ID of the trigger and it must start with a letter. It can contain up to 63 lowercase letters, numbers, or hyphens.
- Select a Trigger type:
- First-party: Filters events sent from Google Cloud providers (directly or through Cloud Audit Logs entries) or providers using Pub/Sub messages.
- Third-party: Filters events sent from third-party providers.
- In the Event provider list, select Cloud Storage as the source of events.
- In the Event type list, select storage.objects.create.
- In the Region list, select us-central1 as the region to receive events from.
- Select the Service account you created. For example, SERVICE_ACCOUNT_ID@PROJECT_ID.
- In the Event destination list, select Cloud Run.
- In the Select a Cloud Run service list, select helloworld-events.
- Click Create. Note that you can also create an Eventarc trigger using the Cloud Run console page.
gcloud
- Create a trigger that filters Cloud Storage events and that uses the service account you created:
gcloud eventarc triggers create events-tutorial-trigger \
  --destination-run-service=$SERVICE_NAME \
  --destination-run-region=$REGION \
  --event-filters="type=google.cloud.audit.log.v1.written" \
  --event-filters="serviceName=storage.googleapis.com" \
  --event-filters="methodName=storage.objects.create" \
  --service-account=sample-service-account@PROJECT_ID.
Replace PROJECT_ID with the Google Cloud project ID.
Where:
- type: specifies that audit logs are created when the trigger's filter criteria are met.
- serviceName: the service that writes the audit log, which is Cloud Storage.
- methodName: the operation that is being audited, which is storage.objects.create.
This creates a trigger called events-tutorial-trigger.
- To confirm events-tutorial-trigger was successfully created, run:
gcloud eventarc triggers list --location=$REGION
The trigger, events-tutorial-trigger, is listed with a target of helloworld-events.
Generate and view an event
- To generate an event:
Console
- Create a text file with the filename random.txt and the text "Hello World".
- In the Google Cloud console, go to the Buckets page.
- Select the storage bucket you created.
- In the Objects tab, click Upload files and upload the random.txt file.
gcloud
Upload a text file to Cloud Storage:
echo "Hello World" > random.txt
gcloud storage cp random.txt gs://events-tutorial-PROJECT_ID/random.txt
- To view the log entry:
Console
- In the Google Cloud console, go to the Services page.
- From the list of services, click the name of the service you created to go to its Service details page.
- Click the Logs tab to get the request and container logs for all revisions of this service. You can filter by log severity level.
- Look for a log entry similar to:
Detected change in Cloud Storage bucket: storage.googleapis.com/projects/_/buckets/BUCKET_NAME/objects/random.txt
where BUCKET_NAME is the name of the Cloud Storage bucket.
gcloud
- gcloud logging read "resource.labels.service_name=helloworld-events AND textPayload:random.txt" --format=json
- Look for a log entry similar to:
Detected change in Cloud Storage bucket: storage.googleapis.com/projects/_/buckets/BUCKET_NAME/objects/random.txt
where BUCKET_NAME is the name of the Cloud Storage bucket.
You have successfully deployed an event receiver service to Cloud Run, created an Eventarc trigger, generated an event from Cloud Storage, and viewed it in the Cloud Run logs.
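The receiver can also check each delivery against the trigger's filters before it logs, as a second line of defence behind the authenticated endpoint. The following is an added example, not the tutorial's sample receiver; it assumes Eventarc delivers the CloudEvents attributes as ce-type, ce-servicename, ce-methodname and ce-subject HTTP headers, and the sample delivery is constructed.

```python
import re

# The three --event-filters values from the trigger created in this tutorial,
# keyed by the HTTP header assumed to carry each CloudEvents attribute.
EXPECTED = {
    "ce-type": "google.cloud.audit.log.v1.written",
    "ce-servicename": "storage.googleapis.com",
    "ce-methodname": "storage.objects.create",
}
# ce-subject shape, taken from the log line shown in this tutorial.
SUBJECT_RE = re.compile(
    r"storage\.googleapis\.com/projects/_/buckets/([^/]+)/objects/(.+)")


def handle_event(headers, allowed_bucket):
    """Return (accepted, log_message) for one delivery's HTTP headers."""
    # HTTP header names are case-insensitive, so normalise before comparing.
    h = {str(k).lower(): str(v) for k, v in headers.items()}
    for name, want in EXPECTED.items():
        if h.get(name) != want:
            return False, f"rejected: {name} does not match the trigger filter"
    m = SUBJECT_RE.fullmatch(h.get("ce-subject", ""))
    if m is None:
        return False, "rejected: missing or malformed ce-subject"
    if m.group(1) != allowed_bucket:
        return False, "rejected: event is for an unexpected bucket"
    return True, f"Detected change in Cloud Storage bucket: {h['ce-subject']}"


# Constructed sample delivery (not captured traffic).
SAMPLE = {
    "Ce-Type": "google.cloud.audit.log.v1.written",
    "Ce-Servicename": "storage.googleapis.com",
    "Ce-Methodname": "storage.objects.create",
    "Ce-Subject": "storage.googleapis.com/projects/_/buckets/"
                  "events-tutorial-PROJECT_ID/objects/random.txt",
}

if __name__ == "__main__":
    print(handle_event(SAMPLE, "events-tutorial-PROJECT_ID"))
    tampered = dict(SAMPLE, **{"Ce-Methodname": "storage.objects.delete"})
    print(handle_event(tampered, "events-tutorial-PROJECT_ID"))
    print(handle_event(SAMPLE, "some-other-bucket"))
```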