
Building Applications with Eventarc on Google Cloud


Creating Eventarc Triggers

Lab | 1 hour | 5 Credits | Intermediate
Note: This lab may incorporate AI tools to support your learning.

Overview

Serverless computing on Google Cloud lets you develop and deploy highly scalable applications on a fully managed serverless platform. Services are automatically scaled up and down depending on traffic.

Eventarc lets you build event-driven architectures without having to implement, customize, or maintain the underlying infrastructure. Eventarc offers a standardized solution to manage the flow of state changes, called events, between decoupled services.

An Eventarc trigger is a declaration that a specific destination service is interested in a chosen event from an event provider. Eventarc manages the routing and delivery of events to the destination service.

In this lab, you create a trigger that sends an event when a message is sent to a Pub/Sub topic. You create a second trigger that sends an event when an IAM service account is created.

The events are routed to a Cloud Run service that logs CloudEvents-formatted event data to Cloud Audit Logs.

What you will learn

In this lab, you will learn to:

  • Create a trigger that generates an event when a Pub/Sub message is sent.
  • Create a trigger that generates events from audit log entries.
  • Deploy a Cloud Run service that acts as an Eventarc destination service.
  • Create service accounts that follow the principle of least privilege.

Setup and requirements

Before you click the Start Lab button

Note: Read these instructions.

Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This Qwiklabs hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

What you need

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
  • Time to complete the lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab.

Note: If you are using a Pixelbook, open an Incognito window to run this lab.

How to start your lab and sign in to the Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is a panel populated with the temporary credentials that you must use for this lab.

  2. Copy the username, and then click Open Google Console. The lab spins up resources, and then opens another tab that shows the Choose an account page.

    Note: Open the tabs in separate windows, side-by-side.
  3. On the Choose an account page, click Use Another Account. The Sign in page opens.

  4. Paste the username that you copied from the Connection Details panel. Then copy and paste the password.

Note: You must use the credentials from the Connection Details panel. Do not use your Google Cloud Skills Boost credentials. If you have your own Google Cloud account, do not use it for this lab (this avoids incurring charges).
  5. Click through the subsequent pages:
  • Accept the terms and conditions.
  • Do not add recovery options or two-factor authentication (because this is a temporary account).
  • Do not sign up for free trials.

After a few moments, the Cloud console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.

Activate Google Cloud Shell

Google Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud.

Google Cloud Shell provides command-line access to your Google Cloud resources.

  1. In Cloud console, on the top right toolbar, click the Open Cloud Shell button.

  2. Click Continue.

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID.

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  • You can list the active account name with this command:

    gcloud auth list

    Output:

    Credentialed accounts:
     - @.com (active)

    Example output:

    Credentialed accounts:
     - google1623327_student@qwiklabs.net

  • You can list the project ID with this command:

    gcloud config list project

    Output:

    [core]
    project =

    Example output:

    [core]
    project = qwiklabs-gcp-44776a13dea667a6

Note: Full documentation of gcloud is available in the gcloud CLI overview guide.

Task 1. Enable required APIs

In this task, you enable APIs that are required for the event-driven architecture for this lab.

Enable APIs

  1. To enable the required APIs, run the following command:

    gcloud services enable \
      pubsub.googleapis.com \
      logging.googleapis.com \
      eventarc.googleapis.com \
      run.googleapis.com \
      cloudbuild.googleapis.com \
      artifactregistry.googleapis.com

    This application uses several Google Cloud services, and you must enable each of the APIs for these services.

    The APIs being enabled are:

    • The Pub/Sub API manages Pub/Sub topics and subscriptions and publishes Pub/Sub messages. Pub/Sub is used to manage the event transport in Eventarc. In this lab, a Pub/Sub topic is used by Eventarc to generate events when messages are published to the topic.
    • The Cloud Logging API writes log entries and manages Cloud Logging configuration. Cloud Logging log entries are used by Eventarc to generate many types of events, including IAM events.
    • The Eventarc API manages Eventarc configuration. In this lab, Eventarc is used to create triggers that deliver events to the event destination service.
    • The Cloud Run API creates and manages Cloud Run services. In this lab, a Cloud Run service logs the event data delivered by Eventarc.
    • The Cloud Build API manages application builds.
    • The Artifact Registry API manages build artifacts and registries.

Task 2. Deploy the event logging service to Cloud Run

In this task, you build and deploy the Cloud Run service that will be used to log events.

Clone the source code repository

  1. In Cloud Shell, clone the git repository:

    git clone --depth=1 https://github.com/GoogleCloudPlatform/training-data-analyst
  2. Create a soft link shortcut to the root directory for this service:

    ln -s ~/training-data-analyst/courses/eventarc-building-apps/lab1/cloud-run/eventarc-event-logger ~/eventarc-event-logger

Create a repository in Artifact Registry

Artifact Registry is the next generation of Container Registry. You can store build artifacts inside an Artifact Registry repository.

  1. To create an Artifact Registry repository for Docker images, in Cloud Shell, run the following command:

    export REPO_NAME=eventarc-apps-repo
    export REPO_REGION={{{ project_0.default_region | REGION_PLACEHOLDER }}}
    gcloud artifacts repositories create ${REPO_NAME} \
      --location=${REPO_REGION} --repository-format=docker
  2. To retrieve the repository details, run the following command:

    export REPO_NAME=eventarc-apps-repo
    export REPO_REGION={{{ project_0.default_region | REGION_PLACEHOLDER }}}
    gcloud artifacts repositories describe ${REPO_NAME} \
      --location={{{ project_0.default_region | REGION_PLACEHOLDER }}}

Build and deploy the eventarc-event-logger service

The Eventarc event logger service logs an incoming HTTP request. The log entries created by this service will be used to explore the contents of the Eventarc event request.

  1. In Cloud Shell, click Open Editor.

  2. Click Open in new window.

    Note: It may take a minute or two until the Open in new window link appears. After opening the editor, you can ignore or close the error message boxes that are displayed.

    The editor will open in a new tab.

  3. In the previous tab, click Open Terminal to reopen Cloud Shell.

  4. Return to the Cloud Editor tab, navigate to ~/eventarc-event-logger, and then examine the files for the eventarc-event-logger service.

    The directory contains three files:

    • package.json holds metadata relevant to building the Node.js service. It defines the command that starts the application (node index.js) and specifies the versions of packages used by the code.
    • Dockerfile specifies the starting image (node:18-slim) and contains the list of commands that are run to build the container image that will host our service.
    • index.js contains the code for the service.
  5. To build the Docker image of the eventarc-event-logger service, in Cloud Shell, run the following command:

    export REPO_NAME=eventarc-apps-repo
    export REPO_REGION={{{ project_0.default_region | REGION_PLACEHOLDER }}}
    export SERVICE_NAME=eventarc-event-logger
    cd ~/eventarc-event-logger
    gcloud builds submit \
      . \
      --tag ${REPO_REGION}-docker.pkg.dev/${GOOGLE_CLOUD_PROJECT}/${REPO_NAME}/${SERVICE_NAME}

    Cloud Build builds the Docker image and stores it in the specified Artifact Registry repository.

  6. To deploy the service to Cloud Run, in Cloud Shell, run the following commands:

    export REPO_NAME=eventarc-apps-repo
    export REPO_REGION={{{ project_0.default_region | REGION_PLACEHOLDER }}}
    export SERVICE_NAME=eventarc-event-logger
    export SERVICE_REGION={{{ project_0.default_region | REGION_PLACEHOLDER }}}
    gcloud config set run/region ${SERVICE_REGION}
    gcloud config set run/platform managed
    gcloud run deploy ${SERVICE_NAME} \
      --image ${REPO_REGION}-docker.pkg.dev/${GOOGLE_CLOUD_PROJECT}/${REPO_NAME}/${SERVICE_NAME} \
      --no-allow-unauthenticated \
      --memory=1Gi

    The Docker image you stored in the Artifact Registry repository is now being deployed to Cloud Run.

  7. In the Google Cloud console, navigate to Cloud Run.

    You should see that the service is deployed or is in the process of deploying.

  8. Wait for the deployment to finish.

Click Check my progress to verify the objective. Deploy the event logging service to Cloud Run

Task 3. Create a Pub/Sub trigger

In this task, you create and test a trigger that delivers an event when a message is published to a Pub/Sub topic.

Create the Pub/Sub trigger

  1. In the Google Cloud console, navigate to Cloud Run, and then click on eventarc-event-logger service.

  2. On the Service details page, navigate to the Triggers tab.

  3. Click + Add Triggers and select Other Eventarc trigger from the dropdown.

  4. In the Eventarc trigger window, specify the following:

    Property                      | Value
    Trigger name                  | pubsub-trigger
    Trigger type                  | select Google sources
    Event provider                | select Cloud Pub/Sub
    Event type                    | select google.cloud.pubsub.topic.v1.messagePublished
    Select a Cloud Pub/Sub topic  | leave as None
    Region                        | select

    By leaving the Pub/Sub topic set to None, you have indicated that Eventarc should automatically create and manage the Pub/Sub topic for this trigger. If your Eventarc trigger is deleted, the corresponding Pub/Sub topic will also be automatically deleted.

  5. On the same page, select Service account > Create New Service Account.

  6. On the Create new service account pane, set the Service account name to pubsub-trigger-sa and then click Create.

  7. Click Done.

  8. If you're notified that Pub/Sub needs the role roles/iam.serviceAccountTokenCreator granted to the Pub/Sub service account, click Grant.

    You can also add the role by running the following command in Cloud Shell:

    export PROJECT_NUMBER=$(gcloud projects describe "$GOOGLE_CLOUD_PROJECT" \
      --format "value(projectNumber)")
    export PUBSUB_SERVICE_ACCOUNT="service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com"
    gcloud projects add-iam-policy-binding ${GOOGLE_CLOUD_PROJECT} \
      --member="serviceAccount:${PUBSUB_SERVICE_ACCOUNT}" \
      --role='roles/iam.serviceAccountTokenCreator'
  9. Click Save Trigger.

    After the trigger has been created, you're automatically taken to the Service details page.

    The Pub/Sub topic has already been created for you. Your topic should resemble this:

    projects/{{{ project_0.project_id | PROJECT_ID_PLACEHOLDER }}}/topics/eventarc-{{{ project_0.default_region | REGION_PLACEHOLDER }}}-pubsub-trigger-###
  10. On the Service details page, click the Logs tab.

    Log entries from the eventarc-event-logger service are shown here. You should see that the service has been deployed, but there are no events logged yet.

Send a message to the topic

  1. In Cloud Shell, run the following commands:

    export TRIGGER_REGION={{{ project_0.default_region | REGION_PLACEHOLDER }}}
    export PUBSUB_TRIGGER_TOPIC=$(gcloud eventarc triggers describe pubsub-trigger \
      --location=${TRIGGER_REGION} \
      --format "value(transport.pubsub.topic)")
    gcloud pubsub topics publish ${PUBSUB_TRIGGER_TOPIC} \
      --message "My Pub/Sub message!" \
      --attribute=my_key="my_value"

    The gcloud pubsub topics publish command sends a message with attached attributes to the topic.

  2. On the Logs page for eventarc-event-logger, drag the scroll bar to search for newer entries in the log.

    The log entries for the eventarc-event-logger service are shown, but the Pub/Sub event has not been logged!

    Instead, you will see one or more POST 403 entries.

  3. Expand one of the POST 403 entries.

    The textPayload field in the log shows an error that looks like this:

    The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#unauthorized-client

    The error message indicates that you can solve the problem by allowing unauthenticated invocations. It is not a best practice to allow unauthenticated calls to your event receivers.

    The HTTP request from Eventarc was unauthorized. Do you know why that might be?

Fix the service account permissions

The eventarc-event-logger service is being called, but the error indicates that the service account can't call the Cloud Run service.

Follow the principle of least privilege when creating service accounts. The service account should only be able to access services necessary for the specific trigger.

  1. To give the service account permission to call the Cloud Run service, in Cloud Shell, run the following commands:

    export SERVICE_REGION={{{ project_0.default_region | REGION_PLACEHOLDER }}}
    gcloud run services add-iam-policy-binding eventarc-event-logger \
      --region=${SERVICE_REGION} \
      --member=serviceAccount:pubsub-trigger-sa@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com \
      --role='roles/run.invoker'
  2. To send another message, run the following commands:

    export TRIGGER_REGION={{{ project_0.default_region | REGION_PLACEHOLDER }}}
    export PUBSUB_TRIGGER_TOPIC=$(gcloud eventarc triggers describe pubsub-trigger \
      --location=${TRIGGER_REGION} \
      --format "value(transport.pubsub.topic)")
    gcloud pubsub topics publish ${PUBSUB_TRIGGER_TOPIC} \
      --message "My Pub/Sub message!" \
      --attribute=my_key="my_value"
  3. Drag the scrollbar on the Logs page for eventarc-event-logger until you see a successful event.

    Note: It may take a minute before the log entry appears.

    When the service successfully receives the event, it logs EVENT RECEIVED (google.cloud.pubsub.topic.v1.messagePublished). This log entry shows the event type that was delivered in the ce-type header.

Examine the logged event

  1. Expand the log entry that follows the HEADERS (EXCEPT AUTH) entry, and then expand the jsonPayload object.

    The jsonPayload object contains the headers that were received with the request. Important headers include:

    Header        | Example value
    ce-id         | 7029339182900292
    ce-type       | google.cloud.pubsub.topic.v1.messagePublished
    ce-source     | //pubsub.googleapis.com/projects/qwiklabs-gcp-03-cbf626add551/topics/eventarc-us-west1-pubsub-trigger-830
    ce-time       | 2023-02-27T23:02:53.861Z
    content-type  | application/json

    Headers starting with ce- are CloudEvents standard headers.

    ce-id is the Pub/Sub message ID of the message you delivered to the topic. The message ID is used as the CloudEvents ID for Pub/Sub messaging triggers.

    ce-type is the event type of the received event.

    ce-source is the URI for the topic.

    ce-time indicates the time the Pub/Sub message was received by the topic.

    content-type specifies the type of the body. In this case, the header indicates that the body contains JSON.

  2. Expand the log entry that follows the BODY entry, and then expand the jsonPayload object.

    The jsonPayload object in this entry contains the Pub/Sub event. The JSON for this object resembles this:

    {
      "subscription": "projects/qwiklabs-gcp-03-cbf626add551/subscriptions/eventarc-us-west1-pubsub-trigger-sub-929",
      "message": {
        "messageId": "7029339182900292",
        "message_id": "7029339182900292",
        "data": "TXkgUHViL1N1YiBtZXNzYWdlIQ==",
        "publishTime": "2023-02-27T23:02:53.861Z",
        "attributes": {
          "my_key": "my_value"
        },
        "publish_time": "2023-02-27T23:02:53.861Z"
      }
    }

    You can see the attributes that were added to the Pub/Sub message. The message content is in the data value, stored as base64 data.

    Note: You may click the Open in Logs Explorer button and then click Copy to clipboard to retrieve the JSON for an entry.
  3. In Cloud Shell, run the following command:

    echo -n "TXkgUHViL1N1YiBtZXNzYWdlIQ==" | base64 --decode

    The base64 data decodes to My Pub/Sub message!.
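The steps above take the Pub/Sub event apart by hand: read the ce-* headers, find the base64 message data, decode it. The following Node.js code does the same thing programmatically, the way an event receiver would before acting on a message. It is an added example, not the lab's index.js or any Google-provided code; the header object and body are constructed from the example values shown in the tables above, and the function names (parseCloudEventHeaders, decodePubSubBody, handlePubSubEvent) are this example's own.

```javascript
// Added example (not the lab's index.js): parse a CloudEvents binary-mode
// Pub/Sub event as Eventarc delivers it to a Cloud Run service.
// The sample headers and body below are constructed from the values shown
// in the lab; nothing here is fetched from a live service.

const PUBSUB_EVENT_TYPE = 'google.cloud.pubsub.topic.v1.messagePublished';
const REQUIRED_CE_HEADERS = ['ce-id', 'ce-type', 'ce-source'];

// Node's http module exposes header names in lower case; do the same here
// so 'Content-Type' and 'content-type' are treated as the same header.
function lowerCaseHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
}

// Extract the CloudEvents context attributes from the ce-* headers.
// Throws when a required attribute is missing, so a malformed or
// non-CloudEvents request is rejected before the body is touched.
function parseCloudEventHeaders(rawHeaders) {
  const headers = lowerCaseHeaders(rawHeaders);
  for (const name of REQUIRED_CE_HEADERS) {
    if (!headers[name]) throw new Error(`missing CloudEvents header ${name}`);
  }
  const contentType = headers['content-type'] || '';
  if (!contentType.startsWith('application/json')) {
    throw new Error(`unexpected content-type ${contentType}`);
  }
  return {
    id: headers['ce-id'],
    type: headers['ce-type'],
    source: headers['ce-source'],
    time: headers['ce-time'],
  };
}

// Decode the Pub/Sub push body: the payload is base64 in message.data,
// the attributes are passed through untouched.
function decodePubSubBody(body) {
  if (!body || !body.message) throw new Error('body has no message field');
  const { message, subscription } = body;
  const data = message.data
    ? Buffer.from(message.data, 'base64').toString('utf8')
    : '';
  return {
    subscription,
    messageId: message.messageId,
    publishTime: message.publishTime,
    attributes: message.attributes || {},
    data,
  };
}

// Combine both steps and cross-check that ce-id equals the Pub/Sub message
// ID, which is the relationship the lab describes for Pub/Sub triggers.
function handlePubSubEvent(rawHeaders, body) {
  const ce = parseCloudEventHeaders(rawHeaders);
  if (ce.type !== PUBSUB_EVENT_TYPE) {
    throw new Error(`unexpected event type ${ce.type}`);
  }
  const msg = decodePubSubBody(body);
  if (ce.id !== msg.messageId) {
    throw new Error(`ce-id ${ce.id} does not match messageId ${msg.messageId}`);
  }
  return { ...ce, ...msg };
}

// Constructed sample request, built from the example values in the lab.
const SAMPLE_HEADERS = {
  'ce-id': '7029339182900292',
  'ce-type': PUBSUB_EVENT_TYPE,
  'ce-source': '//pubsub.googleapis.com/projects/qwiklabs-gcp-03-cbf626add551/topics/eventarc-us-west1-pubsub-trigger-830',
  'ce-time': '2023-02-27T23:02:53.861Z',
  'Content-Type': 'application/json',
};
const SAMPLE_BODY = {
  subscription: 'projects/qwiklabs-gcp-03-cbf626add551/subscriptions/eventarc-us-west1-pubsub-trigger-sub-929',
  message: {
    messageId: '7029339182900292',
    data: 'TXkgUHViL1N1YiBtZXNzYWdlIQ==',
    publishTime: '2023-02-27T23:02:53.861Z',
    attributes: { my_key: 'my_value' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(handlePubSubEvent(SAMPLE_HEADERS, SAMPLE_BODY));
}
```

The mismatch check between ce-id and messageId, and the refusal to accept a body without ce-* headers, are the two places where a receiver stops trusting the request shape and starts validating it; a receiver running behind --no-allow-unauthenticated still benefits from both, because authentication says who sent the request, not that its contents are well formed.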

Click Check my progress to verify the objective. Create a Pub/Sub trigger

Task 4. Create the service account for the Audit Logs trigger

In this task, you create a service account for the Audit Logs trigger and add the required permissions.

Create the service account

Before you create the trigger, you use gcloud CLI commands to create the service account with the correct permissions.

  1. To create the service account, in Cloud Shell, run the following command:

    gcloud iam service-accounts create svcacct-create-sa

    This service account initially has no roles assigned.

    For triggers that source events from Cloud Audit Logs entries, the service account needs the roles/eventarc.eventReceiver role.

Add roles to the service account

  1. To let the service account use Cloud Audit Logs entries as a source, run the following command:

    gcloud projects add-iam-policy-binding ${GOOGLE_CLOUD_PROJECT} \
      --member=serviceAccount:svcacct-create-sa@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com \
      --role="roles/eventarc.eventReceiver"
  2. To let the service account invoke the eventarc-event-logger service, run the following command:

    export SERVICE_REGION={{{ project_0.default_region | REGION_PLACEHOLDER }}}
    gcloud run services add-iam-policy-binding eventarc-event-logger \
      --region=${SERVICE_REGION} \
      --member=serviceAccount:svcacct-create-sa@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com \
      --role="roles/run.invoker"

    Note: It may take a minute for the run.invoker role to be reflected when you check your progress.

Click Check my progress to verify the objective. Create the service account for the Audit Logs trigger

Task 5. Create an Audit Logs trigger

In this task, you create and test a trigger that delivers an event when a log entry indicates that a service account was created.

Create the trigger

  1. In the Google Cloud console, navigate to Cloud Run, and then click on eventarc-event-logger service.

  2. On the Service details page, navigate to the Triggers tab.

  3. Click + Add Triggers and select Other Eventarc trigger from the dropdown.

  4. In the Eventarc trigger window, specify the following:

    Property         | Value
    Trigger name     | svcacct-create-trigger
    Trigger type     | select Google sources
    Event provider   | select Cloud IAM
    Event type       | select google.iam.admin.v1.CreateServiceAccount
    Resource         | select Any resource
    Region           | select
    Service account  | select the svcacct-create-sa service account
    Note: You may see a warning that some Data Access audit logs are disabled for IAM. Data Access logs are used when someone retrieves information about an entity. In this case, your event occurs when a service account is created, not just accessed. Logging of service account creation is enabled by default, so you don't need to enable Data Access logging.

    By selecting Any resource, you will get an event for each service account created for this project.

  5. Click Save Trigger.

    After the trigger has been created, you're automatically taken to the Service details page.

  6. On the Service details page, click the Logs tab.

    You should only see google.cloud.pubsub.topic.v1.messagePublished logs. The generation of IAM service account creation events started when the trigger was created. Service accounts you created before the trigger will not result in events.

Create a service account

  1. To create a new service account, in Cloud Shell, run the following command:

    gcloud iam service-accounts create test-sa --display-name="Test service account"
  2. Drag the scrollbar on the Logs page for eventarc-event-logger until you see a successful audit log event.

    You should see an EVENT RECEIVED (google.cloud.audit.log.v1.written) log entry. All events that are generated by Cloud Audit Logs entries use the google.cloud.audit.log.v1.written event type.

Examine the logged event

  1. Expand the log entry that follows the latest HEADERS (EXCEPT AUTH) entry, and then expand the jsonPayload object.

    The jsonPayload object contains the headers that were received with the request. Important headers include:

    Header           | Example value
    ce-id            | projects/qwiklabs-gcp-03-cbf626add551/logs/cloudaudit.googleapis.com%2Factivity1i3uhx4e1rkoq1677550139268490
    ce-type          | google.cloud.audit.log.v1.written
    ce-servicename   | iam.googleapis.com
    ce-methodname    | google.iam.admin.v1.CreateServiceAccount
    ce-time          | 2023-02-28T02:09:00.735689083Z
    ce-recordedtime  | 2023-02-28T02:08:59.268490773Z

    Headers starting with ce- are CloudEvents standard headers.

    ce-id specifies the unique CloudEvents ID for the event.

    ce-type is the event type of the received event. For Cloud Audit Logs events, the type is always google.cloud.audit.log.v1.written.

    ce-servicename specifies the service that created the audit log entry.

    ce-methodname specifies the log entry type. For this example, the method name is the Event that you selected when creating the trigger.

    ce-time indicates the time that the audit log entry was created.

    ce-recordedtime indicates the time that the actual event occurred, according to the originating service. For this event, the recorded time is the time when the service account was created.

  2. Expand the log entry that follows the latest BODY entry, and then expand the jsonPayload object.

    The jsonPayload object contains the IAM event. The JSON for the object looks similar to this:

    {
      "protoPayload": {
        "request": {
          "account_id": "test-sa",
          "@type": "type.googleapis.com/google.iam.admin.v1.CreateServiceAccountRequest",
          "service_account": {
            "display_name": "Test service account"
          },
          "name": "projects/qwiklabs-gcp-03-cbf626add551"
        },
        "serviceName": "iam.googleapis.com",
        "response": {
          "etag": "MDEwMjE5MjA=",
          "@type": "type.googleapis.com/google.iam.admin.v1.ServiceAccount",
          "email": "test-sa@qwiklabs-gcp-03-cbf626add551.iam.gserviceaccount.com",
          "unique_id": "111838109385240037392",
          "oauth2_client_id": "111838109385240037392",
          "display_name": "Test service account",
          "project_id": "qwiklabs-gcp-03-cbf626add551",
          "name": "projects/qwiklabs-gcp-03-cbf626add551/serviceAccounts/test-sa@qwiklabs-gcp-03-cbf626add551.iam.gserviceaccount.com"
        },
        "authenticationInfo": {
          "principalEmail": "student-03-8032d1be7989@qwiklabs.net",
          "principalSubject": "user:student-03-8032d1be7989@qwiklabs.net"
        },
        "serviceData": {},
        "methodName": "google.iam.admin.v1.CreateServiceAccount",
        "requestMetadata": {
          "callerSuppliedUserAgent": "google-cloud-sdk gcloud/417.0.0 command/gcloud.iam.service-accounts.create invocation-id/a080e4a6c62e494aa7f943e117ed7923 environment/devshell environment-version/None interactive/True from-script/False python/3.9.2 term/screen (Linux 5.15.65+),gzip(gfe)",
          "callerIp": "34.168.192.86",
          "requestAttributes": {
            "time": "2023-02-28T02:08:59.282374752Z",
            "auth": {}
          },
          "destinationAttributes": {}
        },
        "resourceName": "projects/qwiklabs-gcp-03-cbf626add551",
        "authorizationInfo": [
          {
            "resourceAttributes": {},
            "resource": "projects/qwiklabs-gcp-03-cbf626add551",
            "permission": "iam.serviceAccounts.create",
            "granted": true
          }
        ],
        "status": {}
      },
      "resource": {
        "labels": {
          "email_id": "test-sa@qwiklabs-gcp-03-cbf626add551.iam.gserviceaccount.com",
          "unique_id": "111838109385240037392",
          "project_id": "qwiklabs-gcp-03-cbf626add551"
        },
        "type": "service_account"
      },
      "insertId": "1i3uhx4e1rkoq",
      "receiveTimestamp": "2023-02-28T02:09:00.735689083Z",
      "logName": "projects/qwiklabs-gcp-03-cbf626add551/logs/cloudaudit.googleapis.com%2Factivity",
      "timestamp": "2023-02-28T02:08:59.268490773Z"
    }

    You can see the details of the service account creation in the request and response objects. The log entry shows the details of the API call made by the gcloud CLI command.
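An event receiver for this trigger usually does not want the whole log entry; it wants the few fields that answer who created what, from where, and whether the authorization check passed. The following Node.js code pulls those fields out of an audit log CloudEvent and cross-checks the routing headers against the entry. It is an added example, not the lab's index.js or any Google-provided code; the headers and body are a constructed subset of the example payload above, and the function names (summarizeAuditEvent, toMillis) are this example's own.

```javascript
// Added example (not the lab's index.js): summarise a Cloud Audit Logs
// CloudEvent of the kind svcacct-create-trigger delivers to the service.
// The sample headers and body below are constructed from the example
// payload shown in the lab; no live data is read.

const AUDIT_EVENT_TYPE = 'google.cloud.audit.log.v1.written';

// Audit log timestamps carry nanoseconds; Date.parse is only guaranteed to
// accept millisecond precision, so truncate the fraction before parsing.
function toMillis(rfc3339) {
  const ms = Date.parse(rfc3339.replace(/(\.\d{3})\d+/, '$1'));
  if (Number.isNaN(ms)) throw new Error(`unparseable timestamp ${rfc3339}`);
  return ms;
}

function lowerCaseHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
}

// Reduce the audit log entry to the fields a reviewer or detection rule
// usually wants: who did what to which resource, from where, and whether
// every authorization check in the entry was granted.
function summarizeAuditEvent(rawHeaders, body) {
  const headers = lowerCaseHeaders(rawHeaders);
  if (headers['ce-type'] !== AUDIT_EVENT_TYPE) {
    throw new Error(`not a Cloud Audit Logs event: ${headers['ce-type']}`);
  }
  const proto = body && body.protoPayload;
  if (!proto) throw new Error('body has no protoPayload');
  // The ce-servicename / ce-methodname headers are derived from the entry;
  // refuse a request whose headers and body disagree.
  if (headers['ce-methodname'] && headers['ce-methodname'] !== proto.methodName) {
    throw new Error('ce-methodname does not match protoPayload.methodName');
  }
  if (headers['ce-servicename'] && headers['ce-servicename'] !== proto.serviceName) {
    throw new Error('ce-servicename does not match protoPayload.serviceName');
  }
  const authz = proto.authorizationInfo || [];
  return {
    service: proto.serviceName,
    method: proto.methodName,
    principal: proto.authenticationInfo && proto.authenticationInfo.principalEmail,
    callerIp: proto.requestMetadata && proto.requestMetadata.callerIp,
    resource: proto.resourceName,
    createdAccount: proto.response && proto.response.email,
    permissions: authz.map((a) => a.permission),
    allGranted: authz.length > 0 && authz.every((a) => a.granted === true),
    // time between the event happening (timestamp) and Logging receiving it
    ingestionLagMs: toMillis(body.receiveTimestamp) - toMillis(body.timestamp),
  };
}

// Constructed sample, trimmed to the fields used above.
const SAMPLE_AUDIT_HEADERS = {
  'ce-id': 'projects/qwiklabs-gcp-03-cbf626add551/logs/cloudaudit.googleapis.com%2Factivity1i3uhx4e1rkoq1677550139268490',
  'ce-type': AUDIT_EVENT_TYPE,
  'ce-servicename': 'iam.googleapis.com',
  'ce-methodname': 'google.iam.admin.v1.CreateServiceAccount',
  'ce-time': '2023-02-28T02:09:00.735689083Z',
  'ce-recordedtime': '2023-02-28T02:08:59.268490773Z',
};
const SAMPLE_AUDIT_BODY = {
  protoPayload: {
    serviceName: 'iam.googleapis.com',
    methodName: 'google.iam.admin.v1.CreateServiceAccount',
    resourceName: 'projects/qwiklabs-gcp-03-cbf626add551',
    authenticationInfo: { principalEmail: 'student-03-8032d1be7989@qwiklabs.net' },
    requestMetadata: { callerIp: '34.168.192.86' },
    response: { email: 'test-sa@qwiklabs-gcp-03-cbf626add551.iam.gserviceaccount.com' },
    authorizationInfo: [
      {
        resource: 'projects/qwiklabs-gcp-03-cbf626add551',
        permission: 'iam.serviceAccounts.create',
        granted: true,
      },
    ],
  },
  insertId: '1i3uhx4e1rkoq',
  receiveTimestamp: '2023-02-28T02:09:00.735689083Z',
  timestamp: '2023-02-28T02:08:59.268490773Z',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarizeAuditEvent(SAMPLE_AUDIT_HEADERS, SAMPLE_AUDIT_BODY));
}
```

The ingestion lag is the difference the lab points at with ce-time versus ce-recordedtime: the entry was recorded when the service account was created and received by Logging about a second and a half later. A receiver that alerts on service account creation should key its timeline on the recorded time, not on when the event reached it.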

Click Check my progress to verify the objective. Create an Audit Logs trigger

Congratulations!

In this lab, you enabled required APIs and built and deployed a Cloud Run service that logs delivered events. You created an Eventarc trigger that generated an event when a message was sent to a Pub/Sub topic. You created another trigger that sent an event when an IAM service account was created.

Next Steps / Learn More

For more information about Eventarc, view these links:

Copyright 2023 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
