Search

What is Code Cube

User management

Notifications & alerts

Understanding & solving tracking errors

Privacy & security

FAQ

Code Cube documentation library
Code Cube documentation library
☁️

Monitor Cloud Run

This guide walks you through setting up Code Cube's Cloud Run monitoring for your Google Tag Manager server-side containers running on Google Cloud Platform.

What will you do?

  • Configure GCP project details in the Code Cube portal
  • Create and upload a service account key with required permissions
  • Add Cloud Run service details for monitoring
  • Set up notification channels for alerts
  • Verify monitoring is active

Estimated time: 15–20 minutes

🔧 Requirements: Access to your GCP project, Code Cube portal, and Cloud Run services

Implementation

  • Step 1 – Portal configuration
  • Step 2 – Create GCP service account
  • Step 3 – Configure Cloud Run details
  • Step 4 – Deploy and verify monitoring
  • Step 5 – Set up notifications

Step 1 – Portal configuration

Before setting up monitoring, configure your Google Cloud Platform project details in the Code Cube portal.

1.1 Enable Cloud Run monitoring

  • Go to the Tag Monitor configuration page
  • Click the "Cloud Run monitoring" tab
  • Enable the toggle for "Cloud Run montioring"
image

1.2 Enter project details

  • Add your GCP Project Number (see how to find it)
☝🏼

Important: Monitoring will only be available for the specified GCP project. Make sure you're using the correct project number of the project where your Cloud Run services for GTM server-side are deployed.

image

Step 2 – Create GCP service account

Set up the required service account with appropriate permissions for monitoring configuration.

2.1 Create service account

  • Go to IAM & Admin > Service Accounts in the Google Cloud Console
    • image
  • Click "Create Service Account"
    • image
  • Create a service account:
    • image
  • Write the service account name and ID the same as the screenshot above
  • Use the Service account description to recognize this service account
  • Under the Service account ID you see a email address, save this address

2.2 Assign required roles

  1. Go to IAM & Admin > IAM
  2. Click "Grant Access"
    3. image
  3. Paste the service account email in the New principals field
  4. Assign these roles from the table below.
    5. Role
    Purpose
    BigQuery Admin
    Manages BigQuery datasets used when exporting or analyzing Cloud Run logs and metrics.
    Logging Admin
    Manages log-based metrics and alerts used for monitoring Cloud Run request logs and error events.
    Monitoring AlertPolicy Editor
    Creates, updates, and manages alert policies used to trigger notifications based on Cloud Run metrics and logs.
    Monitoring NotificationChannel Editor (Beta)
    Configures and manages notification channels (email, Slack, PagerDuty, etc.) used by monitoring alerts.
    Monitoring Uptime Check Configuration Editor (Beta)
    Creates and manages uptime checks to monitor Cloud Run service availability and response health.
    Project IAM Admin
    Manages IAM roles and permissions required for setting up and maintaining monitoring access.
    Pub/Sub Admin
    Manages Pub/Sub topics and subscriptions used to deliver monitoring alerts and events.
    Pub/Sub Publisher
    Publishes monitoring events or alerts to Pub/Sub topics for downstream processing.
    Service Account Admin
    Creates and manages service accounts used by monitoring and alerting components.
    Service Account Token Creator
    Allows monitoring services to generate access tokens for service-to-service authentication.
    Service Account User
    Grants permission for Cloud Run or monitoring services to impersonate a service account.
    Service Usage Admin
    Enables and manages required Google Cloud APIs for monitoring and logging.

2.3 Generate service account key

  • In the Service Accounts page, click the three dots > "Manage keys"
  • Click "Add Key" > "Create new key"
  • Choose JSON format and click "Create"
  • The key will download automatically—store it securely

2.4 Upload service account key

  • Return to the Code Cube configuration page
  • Upload the downloaded JSON key file
  • The system will validate permissions automatically
☝🏼

Important: Service account keys are used once during setup and never stored in Code Cube systems.

Step 3 – Configure Cloud Run details

Add your Cloud Run service information for monitoring setup.

3.1 Locate Cloud Run details

  • Go to the Google Cloud Console
  • Navigate to Cloud Run under "Serverless"
  • Note the service name and region for each GTM server you want to monitor

3.2 Add Cloud Run services

  • In the Code Cube portal, add each Cloud Run service:
    • Service Name: Copy from Cloud Run console
    • Region: Copy from Cloud Run console
  • You can add multiple services for comprehensive monitoring

3.3 Start configuration

  • Click "Start Configuration"
  • The system will automatically create monitoring resources in your GCP project

Step 4 – Deploy and verify monitoring

Once configuration is complete, verify that monitoring is active and working correctly.

4.1 Confirm setup completion

  • Wait for the "Setup Successful" confirmation message
  • Review the list of created monitoring resources

4.2 Verify monitoring resources

The following resources are automatically created in your GCP project:

  • Alert Policies: CPU usage, memory usage, uptime checks, SSL certificate expiration
  • Notification Channel: Connects alerts to Pub/Sub processing
  • Pub/Sub Topic & Subscription: Handles alert message routing
  • Cloud Function: Processes and forwards alert notifications
  • Monitoring Service Account: Named cloud-run-monitoring@{project_id}.iam.gserviceaccount.com

4.3 Test monitoring

  • Check the Code Cube portal dashboard for incoming monitoring data
  • Verify that your Cloud Run services appear in the monitoring overview

How to find your GCP project number

  1. Log in to the Google Cloud Console
  2. Click the project dropdown at the top of the page
  3. In the Project Info panel, copy the Project number

The project number is different from the project ID—make sure you're using the numeric project number.

Security & Privacy

Code Cube follows strict security protocols for Cloud Run monitoring:

  • One-time use: Service account keys are used once during setup and immediately discarded
  • Secure processing: All uploads are processed via HTTPS with backend validation
  • No credential storage: Service account credentials are never stored or cached
  • Minimum permissions: Only essential GCP resources and permissions are configured
  • Dedicated service account: A separate monitoring service account is created with limited scope

For more information about our security practices, visit the Code Cube Security Documentation.

Resources Created in Your GCP Project

  1. Notification Channel

    2. Connects alert policies to a Pub/Sub topic.

  2. Pub/Sub Topic & Subscription

    3. Handles alert messages and forwards them to a Cloud Function for processing.

  3. Alert Policies
    • CPU usage
    • Memory usage
    • Uptime checks
    • SSL certificate expiration
  4. Monitoring Service Account

    5. Named cloud-run-monitoring@{project_id}.iam.gserviceaccount.com

    with roles such as Pub/Sub Publisher, Monitoring Admin, and more.