Build environment variables are key-value pairs that let you pass configuration information to buildpacks when deploying from source code. For example, at build time, you might want to customize compiler options, specify build-time certificates, configure parameters, and so forth.
This page shows how to set build environment variables that are available at build time, and is relevant for platform developers who are deploying Cloud Run services or functions from source. The build environment variable gcloud CLI flags are supported for source deployments (--source), and not supported for container image deployments (--image).
You can use environment variables for service or function configuration, but we don't recommend them as a way to store secrets such as database credentials or API keys. Store sensitive values outside both your source code and environment variables. To store secrets, we recommend using Secret Manager. To configure services that access secrets stored in Secret Manager, see Configure secrets.
Before you begin
Enable the Cloud Run Admin API and the Cloud Build API:
gcloud services enable run.googleapis.com \
  cloudbuild.googleapis.com
After the Cloud Run Admin API is enabled, the Compute Engine default service account is automatically created.
You or your administrator must grant the deployer account and the Cloud Build service account the following IAM roles.
Required roles for the deployer account
To get the permissions that you need to build and deploy from source, ask your administrator to grant you the following IAM roles:
roles/run.sourceDeveloper on your project
roles/serviceusage.serviceUsageConsumer on your project
roles/iam.serviceAccountUser on the Cloud Run service identity
Cloud Build automatically uses the Compute Engine default service account as the default Cloud Build service account to build your source code and Cloud Run resource, unless you override this behavior. For Cloud Build to build your sources, ask your administrator to grant Cloud Run Builder (roles/run.builder) to the Compute Engine default service account on your project:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com \
  --role=roles/run.builder
Replace PROJECT_NUMBER with your Google Cloud project number, and PROJECT_ID with your Google Cloud project ID. For detailed instructions on how to find your project ID and project number, see Creating and managing projects.
Granting the Cloud Run builder role to the Compute Engine default service account takes a couple of minutes to propagate.
Note: The iam.automaticIamGrantsForDefaultServiceAccounts organization policy constraint prevents the Editor role from being automatically granted to default service accounts. If you created your organization after May 3, 2024, this constraint is enforced by default.
We strongly recommend that you enforce this constraint to disable the automatic role grant. If you disable the automatic role grant, you must decide which roles to grant to the default service accounts, and then grant these roles yourself.
If the default service account already has the Editor role, we recommend that you replace the Editor role with less permissive roles. To safely modify the service account's roles, use Policy Simulator to see the impact of the change, and then grant and revoke the appropriate roles.
For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.
Maximum number of build environment variables and limits
You can define up to 100 build environment variables, with a total key and value limit of 64 KiB.
Set build environment variables
You can set build environment variables to establish new variables or completely replace existing build variables.
Note: Keys must start with an uppercase ASCII letter, and consist of uppercase ASCII letters, digits, and underscores. You should avoid creating variable keys with a GOOGLE_* prefix. View all supported buildpacks environment variables.
To set build environment variables when deploying a service from source code, use the --set-build-env-vars flag:
gcloud run deploy SERVICE \
  --source . \
  --set-build-env-vars KEY1=VALUE1,KEY2=VALUE2
Replace:
If you are deploying a function, add the --function flag with the function entry point from your source code.
You can update build environment variables for existing services. This is a non-destructive approach that changes or adds build environment variables, but does not delete the build environment variables.
To update build environment variables for existing services, use the --update-build-env-vars flag:
gcloud run deploy SERVICE \
  --source . \
  --update-build-env-vars KEY1=VALUE1,KEY2=VALUE2
If you are deploying a function, add the --function flag with the function entry point from your source code.
You can delete build environment variables for existing services.
To remove build environment variables for existing services, use the --remove-build-env-vars flag, which takes a list of keys:
gcloud run deploy SERVICE \
  --source . \
  --remove-build-env-vars KEY1,KEY2
Alternatively, you can clear all build environment variables for existing services by using the --clear-build-env-vars flag, which takes no value:
gcloud run deploy SERVICE \
  --source . \
  --clear-build-env-vars
If you are deploying a function, add the --function flag with the function entry point from your source code.
You can use a build environment variables file for existing functions.
To set build environment variables from a file, use the --build-env-vars-file flag:
gcloud run deploy SERVICE \
  --source . \
  --build-env-vars-file FILE_NAME.yaml
Replace FILE_NAME.yaml with the name of your file. The contents of the file should look as follows:
KEY1: VALUE1
KEY2: VALUE2
If you are deploying a function, add the --function flag with the function entry point from your source code.
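The key rules, the limits, and the advice against putting secrets in environment variables can all be checked before a deploy. The shell function below is an added example, not part of the original page: it assumes a flat KEY: VALUE file with unquoted values, treats the 64 KiB limit as the summed byte length of keys and values, and uses a constructed list of secret-looking name fragments.

```shell
#!/bin/sh
# Added example (not from the original page): lint a flat "KEY: VALUE" file
# meant for --build-env-vars-file. One finding per line; status 1 if any.
note() { printf '%s\n' "$1"; rc=1; }

check_build_env_file() (
    LC_ALL=C; export LC_ALL            # make [A-Z] mean ASCII uppercase only
    rc=0 count=0 total=0
    [ -r "$1" ] || { note "cannot read: $1"; exit 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac        # skip blanks, comments
        case $line in
            *:*) ;;
            *) note "not a KEY: VALUE line: $line"; continue ;;
        esac
        key=${line%%:*}
        value=${line#*:}
        value=${value# }                                # drop space after ':'
        count=$((count + 1))
        # Assumption: the limit is the summed byte length of keys and values.
        total=$((total + $(printf '%s%s' "$key" "$value" | wc -c)))
        case $key in
            ''|[!A-Z]*|*[!A-Z0-9_]*) note "invalid key: $key" ;;
            GOOGLE_*) note "avoid GOOGLE_ prefix: $key" ;;
        esac
        # Heuristic, constructed list: such values belong in Secret Manager.
        case $key in
            *PASSWORD*|*SECRET*|*TOKEN*|*API_KEY*|*CREDENTIAL*)
                note "looks like a secret: $key" ;;
        esac
    done < "$1"
    [ "$count" -le 100 ] || note "too many variables: $count (max 100)"
    [ "$total" -le 65536 ] || note "keys and values total $total bytes (max 65536)"
    exit "$rc"
)

# Constructed sample input, written to a temporary file and checked.
sample=$(mktemp)
printf '%s\n' 'BUILD_PROFILE: release' 'DB_PASSWORD: example' \
    'GOOGLE_FOO: 1' > "$sample"
check_build_env_file "$sample" || echo "fix the findings before deploying"
rm -f "$sample"
```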
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.