Checklist: Deploying a Firestore backed Go app to Google Cloud Run

This very site is deployed on Google Cloud Run and uses Firestore as a database. In order to not forget how I did it, I wrote this little checklist for myself. Maybe it is helpful to you as well. Let´s get started.

Google Cloud Preparations

Deployment Preparations

The following steps are necessary to make your app deployable.

  1. Create a Dockerfile. You can find templates for Go apps here: https://github.com/GoogleCloudPlatform/cloud-run-samples
  2. Setup Application Default Credentials (https://cloud.google.com/docs/authentication/provide-credentials-adc#local-dev) for authentication. The Go App will use these credentials to access Firebase. During local development it is ok to use your user account. Inside Cloud Run, the app gets configured to use a service account.
  3. To test the container locally, you can run the container with test parameters, that Cloud Run will use.
    • PORT=8080 && sudo docker run -v "$HOME/.config/gcloud/application_default_credentials.json":/gcp/creds.json:ro \ --env GOOGLE_APPLICATION_CREDENTIALS=/gcp/creds.json -p 9090:${PORT} -e PORT=${PORT} <imagename>:<imagetag>
    • The command above will mount your ADC configuration file into the container and set the needed environment variables (https://cloud.google.com/run/docs/testing/local#docker-with-google-cloud-access).

Create the Cloud Run Service

  1. To create the actual Cloud Run service you can follow this guide: https://cloud.google.com/run/docs/continuous-deployment-with-cloud-build It will show you how to configure Cloud Run to deploy your app whenever you push new code to your GitHub repository.
  2. Create a service Account. Some helpful commands for the CLI are:
    • list all service accounts for the current project: gcloud iam service-accounts list
    • show projects: gcloud project list or gcloud config get project
    • switch the active project: gcloud config set project <project_name>
  3. Add missing roles to the service account. A service account can be given a role to manage the permissions.
  4. In your Cloud Run application select the service account in the security tab (https://cloud.google.com/run/docs/configuring/services/service-identity).
  5. This step is for the case that you do not have a Firestore database yet. If so, connect to Firebase via the provided Firebase integration: https://cloud.google.com/run/docs/integrate/firestore
    • Don´t forget to add the listed roles to the service account.
  6. In case you already have an existing Firestore database you can grant the GC service account access to your Firebase project. To do that, switch to your Firebase Project (inside the cloud console), go to IAM and click "Grant Access". Then select the service account used in the Cloud Run service. Keep in mind that your service account still needs the roles from step 5.

Add a Custom Domain

The following steps are a possible way to use a custom domain for your app. This is what I did but there are of course many other Services where you can buy your domain.

  1. Buy a domain on Porkbun.
  2. Connect your Cloud Run service to Firebase Hosting via the provided integration (https://cloud.google.com/run/docs/integrate/firebase-hosting).
  3. Copy the DNS settings from Firebase into the Porkbun DNS Records.
  4. Wait for some time and confirm the status in Firebase.

In the end the deployment isn´t that hard, however it was a bit cumbersome to get all the little details right. I think the most important thing is to understand how service accounts and permissions work inside Google Cloud. I wish you all the best for your own deployment!

Bye for now :)

Niklas

Published on: 20. July 2024

Back