Set build worker pools (source deploy)

When you deploy a function from source to Cloud Run, the source is uploaded to a Cloud Storage bucket. Cloud Build then builds that source into a container image and pushes the image to an image registry; each build runs on its own worker. Cloud Run pulls this image whenever it needs to start a container instance to execute your function.

To run that build inside a VPC Service Controls perimeter, you point the deployment at a Cloud Build private worker pool that you manage instead of the default shared pool. This page is for platform developers who deploy functions to Cloud Run and configure the private pools that Cloud Build uses for those builds.

Before you begin

Enable the Cloud Build API:

gcloud services enable cloudbuild.googleapis.com

Required roles

To get the permissions that you need to deploy from source, ask your administrator to grant you the IAM roles that source deployment requires on your project.

For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.

Secure your build with private pools

By default, Cloud Build workers have unrestricted internet access during the build. If you have set up a VPC Service Controls (VPC SC) perimeter and want the build to reach only dependencies stored inside the perimeter (for example, npm packages), run the build on a Cloud Build private worker pool. The pool is what puts the build inside the perimeter; the deploy command only tells Cloud Run which pool to use.

In general, follow these steps to set up your private pool:

  1. Create your private worker pool. See Creating and managing private pools.
  2. Configure your VPC Service Controls perimeter. See Using VPC Service Controls.

  3. If your private worker pool is in a different project than your Cloud Run function, grant the Cloud Run service agent of the function's project (service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com) the Cloud Build WorkerPool User role (roles/cloudbuild.workerPoolUser) on the pool's project, so that the build can use the pool. The binding goes on the pool's project, not the function's:

    gcloud projects add-iam-policy-binding PRIVATE_POOL_PROJECT_ID \
        --member serviceAccount:service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com \
        --role roles/cloudbuild.workerPoolUser

    Replace:

    • PROJECT_NUMBER with the project number of the project where the function runs.
    • PRIVATE_POOL_PROJECT_ID with the ID of the project in which the worker pool is located. See Running builds in a private pool for more information.
  4. Deploy your function so that its build runs on the private pool:

gcloud

To specify the private pool that builds the function when deploying from source code:

gcloud beta run deploy SERVICE \
  --source . \
  --function FUNCTION_ENTRY_POINT \
  --build-worker-pool WORKER_POOL

Replace:

  • SERVICE with the name of your function.
  • FUNCTION_ENTRY_POINT with the entry point to your function in your source code.
  • WORKER_POOL with the full resource name of the private pool, in the form projects/PRIVATE_POOL_PROJECT_ID/locations/REGION/workerPools/POOL_NAME.

Clear build worker pools

You can remove the private pool from an existing function's build configuration, so that later source builds run on the default Cloud Build pool again. This only clears the function's setting; the worker pool itself is not deleted.

gcloud

To clear the Cloud Build worker pool setting for a function:

gcloud beta run deploy SERVICE \
  --source . \
  --function FUNCTION_ENTRY_POINT \
  --clear-build-worker-pool

Replace:

  • SERVICE with the name of your function.
  • FUNCTION_ENTRY_POINT with the entry point to your function in your source code.

The --clear-build-worker-pool flag takes no value: it removes whatever pool was set by a previous --build-worker-pool deployment.
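The following script is an added example, not part of the Cloud Run documentation, that strings together the cross-project grant and the deployment from the "Secure your build with private pools" procedure and the clearing step above. It assumes hypothetical project IDs, a numeric project number, a region and a pool name, that the function source is in the current directory, and that gcloud is installed; the --project and --region flags are standard gcloud run deploy flags added here so the script does not depend on the active gcloud configuration. With DRY_RUN=1 it prints the gcloud commands instead of executing them, so you can review the exact member, role and pool resource name before touching IAM.

```shell
#!/bin/sh
# Added example (not the Cloud Run docs' own code): wire a function's source
# build to a Cloud Build private pool in another project, and clear it again.
# Assumptions (hypothetical values): the function lives in FUNC_PROJECT_ID
# (project number FUNC_PROJECT_NUMBER); the pool POOL_NAME lives in
# POOL_PROJECT_ID in REGION; the source is in the current directory.
# DRY_RUN=1 prints the gcloud commands instead of executing them.
set -eu

# Cloud Run service agent of the project that runs the function.
# Refuses anything that is not a numeric project number, because an
# IAM binding for a mistyped member silently grants nothing useful.
run_service_agent() {
  case "$1" in
    ''|*[!0-9]*) echo "project number must be numeric, got '$1'" >&2; return 1 ;;
  esac
  printf 'service-%s@serverless-robot-prod.iam.gserviceaccount.com\n' "$1"
}

# Full resource name that --build-worker-pool expects.
worker_pool_resource() {
  printf 'projects/%s/locations/%s/workerPools/%s\n' "$1" "$2" "$3"
}

# Executes its arguments, or prints them when DRY_RUN=1.
run_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Steps 3 and 4 of the procedure.
# usage: configure_private_pool_build FUNC_PROJECT_ID FUNC_PROJECT_NUMBER \
#          POOL_PROJECT_ID REGION POOL_NAME SERVICE ENTRY_POINT
configure_private_pool_build() {
  func_project_id=$1; func_project_number=$2; pool_project_id=$3
  region=$4; pool_name=$5; service=$6; entry_point=$7
  agent=$(run_service_agent "$func_project_number")
  pool=$(worker_pool_resource "$pool_project_id" "$region" "$pool_name")

  # The grant is only needed when the pool lives in another project,
  # and it is made on the pool's project, not the function's.
  if [ "$pool_project_id" != "$func_project_id" ]; then
    run_cmd gcloud projects add-iam-policy-binding "$pool_project_id" \
      --member "serviceAccount:$agent" \
      --role roles/cloudbuild.workerPoolUser
  fi

  run_cmd gcloud beta run deploy "$service" \
    --project "$func_project_id" \
    --region "$region" \
    --source . \
    --function "$entry_point" \
    --build-worker-pool "$pool"
}

# Reverse: drop the pool from the function's build configuration.
# The flag takes no value; the pool itself is left in place.
# usage: clear_private_pool_build SERVICE FUNC_PROJECT_ID REGION ENTRY_POINT
clear_private_pool_build() {
  run_cmd gcloud beta run deploy "$1" \
    --project "$2" \
    --region "$3" \
    --source . \
    --function "$4" \
    --clear-build-worker-pool
}

# Demo with constructed values: `sh this.sh demo` prints the commands;
# set DRY_RUN=0 in the environment to actually run them.
if [ "${1:-}" = "demo" ]; then
  DRY_RUN=${DRY_RUN:-1}
  configure_private_pool_build func-proj 123456789012 pool-proj us-central1 vpcsc-pool my-func handler
  clear_private_pool_build my-func func-proj us-central1 handler
fi
```

When the pool and the function are in the same project, the script skips the IAM binding entirely, which is the case the procedure's step 3 describes as not needing the grant.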