Running FaaSr on Google Cloud
This guide covers what you need to run FaaSr workflows on Google Cloud, where each action runs as a Cloud Run job. It assumes you have already set up your FaaSr-workflow repo and are familiar with the tutorial. For Google Cloud account setup itself, refer to the Google Cloud documentation.
Overview
When you register a workflow with a Google Cloud compute server, FAASR REGISTER creates one Cloud Run job per action (named WorkflowName-ActionName), using a container image from a container registry. Invoking the workflow runs those jobs, which read and write their data to your S3 data store.
Prerequisites
- A Google Cloud project with the Cloud Run API enabled.
- A service account in that project with permission to create and run Cloud Run jobs.
- A service account key (JSON) for that service account.
- A container image available in a registry Cloud Run can pull from (see Container image).
Credentials and secrets
Store the service account key as a GitHub Secret in your FaaSr-workflow repo (see Creating cloud credentials):
| Secret | Value |
|---|---|
GCP_SecretKey |
the service account key for your project |
The service account's email and token endpoint are supplied through the compute-server configuration (below), not as secrets.
Container image
FaaSr provides gcp-python / gcp-r images (published to DockerHub as, e.g., faasr/gcp-python:latest); you can also build and publish your own with the gcp -> DockerHub action described in Building containers. Reference the image under Action Containers in the workflow builder (or ActionContainers in the workflow JSON).
Configuring the compute server
In the workflow builder, use Edit Compute Servers to add a Google Cloud server. The default compute server name for Google Cloud is GCP. The configuration fields are:
| Field | Meaning | Example |
|---|---|---|
FaaSType |
must be GoogleCloud |
GoogleCloud |
Namespace |
your GCP project ID | my-gcp-project-123456 |
Region |
region for the Cloud Run jobs | us-central1 |
Endpoint |
Cloud Run API endpoint | https://run.googleapis.com/v2/projects/ |
ClientEmail |
the service account's email | faasr@my-project.iam.gserviceaccount.com |
TokenUri |
OAuth2 token endpoint | https://oauth2.googleapis.com/token |
Memory |
memory per job, in MB | 512 |
CPUsPerTask |
vCPUs allocated per job | 1 |
TimeLimit |
per-invocation timeout, in seconds | 3600 |
Equivalent JSON:
"ComputeServers": {
"GCP": {
"FaaSType": "GoogleCloud",
"Namespace": "my-gcp-project-123456",
"Region": "us-central1",
"Endpoint": "https://run.googleapis.com/v2/projects/",
"UseSecretStore": true,
"ClientEmail": "faasr@my-project.iam.gserviceaccount.com",
"TokenUri": "https://oauth2.googleapis.com/token",
"Memory": 512,
"CPUsPerTask": 1,
"TimeLimit": 3600
}
}
Register and invoke
Once the secret, container image, and compute server are set:
- Upload your workflow JSON to your FaaSr-workflow repo.
- Run
FAASR REGISTER— this creates a Cloud Run job per action (WorkflowName-ActionName) from your container image (see Registering workflows). - Run
FAASR INVOKEto execute the workflow (see Invoking workflows).
Notes
ClientEmailandGCP_SecretKeymust match — the email in the compute-server config must be the service account whose key you stored asGCP_SecretKey.- Permissions: the service account needs to be able to create and run Cloud Run jobs in the project; if your S3 data store is on Google Cloud Storage, it also needs access there.
- Timeout: Cloud Run jobs allow longer runtimes than AWS Lambda (the
TimeLimitabove is in seconds), which makes GCP a good choice for longer-running actions. - Provider action logs: in addition to FaaSr's
faasr_logoutput in S3, per-job logs are available in Google Cloud Logging (see Retrieving logs).