Run Google Cloud Run services and jobs locally with proper service account impersonation and environment configuration.
- Service account impersonation using application default credentials
- Secret resolution from Google Secret Manager
- Environment variable resolution from Cloud Run YAML configuration
- Support for both Cloud Run Services and Jobs
- No gcloud CLI dependency for runtime operations
- Application default credentials configured (
gcloud auth application-default login) - IAM permissions to impersonate the service account
- Access to secrets referenced in the configuration
go install github.com/ngalaiko/cloudrun-local/cmd/cloudrun-local@latestOr build from source:
git clone <repository-url>
cd cloudrun-local
go build -o cloudrun-local ./cmd/cloudrun-localPrint environment variables:
cloudrun-local -c service.yamlExecute command with environment:
cloudrun-local -c service.yaml -- go run ./cmd/serverExport to file:
cloudrun-local -c service.yaml > .env-c, --config <file> Path to Cloud Run YAML config (default: service.yaml)
-h, --help Show help
-v, --version Show version
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: my-service
spec:
template:
spec:
serviceAccountName: my-account@my-project.iam.gserviceaccount.com
containers:
- image: gcr.io/my-project/my-service
env:
- name: DATABASE_URL
value: "postgres://localhost:5432/db"
- name: API_KEY
valueFrom:
secretKeyRef:
name: api-key
key: latestapiVersion: run.googleapis.com/v1
kind: Job
metadata:
name: my-job
spec:
template:
spec:
template:
spec:
serviceAccountName: my-account@my-project.iam.gserviceaccount.com
containers:
- image: gcr.io/my-project/my-job
env:
- name: TASK_QUEUE
value: "default"
- name: SECRET_TOKEN
valueFrom:
secretKeyRef:
name: token
key: latestThe following variables are automatically set:
K_SERVICE: Service/job nameK_REVISION: Set to "local"GOOGLE_CLOUD_PROJECT: Extracted from service account emailGOOGLE_APPLICATION_CREDENTIALS: Path to temporary credentials file
- Parse the Cloud Run YAML configuration
- Impersonate the service account using application default credentials
- Fetch secrets from Secret Manager with impersonated credentials
- Resolve all environment variables
- Print variables or execute command with environment
Environment variables are resolved in the following priority order (highest to lowest):
- Current shell environment - Variables from your current shell session
- Cloud Run configuration - Variables defined in the YAML config file
- Automatic variables - System-set variables (K_SERVICE, K_REVISION, etc.)
This means you can override any variable from the config by setting it in your shell:
# Override DATABASE_URL from config
export DATABASE_URL="postgres://localhost:5433/testdb"
cloudrun-local -c service.yaml -- go run ./cmd/server
# Override secrets temporarily
API_KEY=test-key cloudrun-local -c service.yaml -- npm testRun a Go service:
cloudrun-local -c service.yaml -- go run ./cmd/serverRun a Cloud Run job:
cloudrun-local -c job.yaml -- go run ./cmd/workerUse with Docker:
cloudrun-local -c service.yaml > .env
docker run --env-file .env my-imageCheck environment variables:
cloudrun-local -c service.yaml | grep DATABASE_URLNo application default credentials found
gcloud auth application-default loginFailed to generate access token
Grant the iam.serviceAccountTokenCreator role:
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
--member="user:YOUR_EMAIL" \
--role="roles/iam.serviceAccountTokenCreator"Unable to access secret
Grant the service account access to secrets:
gcloud secrets add-iam-policy-binding SECRET_NAME \
--member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
--role="roles/secretmanager.secretAccessor"- Temporary credential files are created with
0600permissions - Files are automatically cleaned up on exit
- Requires explicit IAM permissions for service account impersonation
Thanks to einride/sage for inspiration and ideas.
MIT