This guide walks you through setting up Code-Cube.io's Cloud Run monitoring for your Google Tag Manager server-side containers running on Google Cloud Platform.
What will you do?
- Configure GCP project details in the Code-Cube.io portal
- Create and upload a service account key with required permissions
- Add Cloud Run service details for monitoring
- Set up notification channels for alerts
- Verify monitoring is active
⏰ Estimated time: 15–20 minutes
🔧 Requirements: Access to your GCP project, Code-Cube.io portal, and Cloud Run services
Implementation
- Step 1 – Portal configuration
- Step 2 – Create GCP service account
- Step 3 – Configure Cloud Run details
- Step 4 – Deploy and verify monitoring
- Step 5 – Set up notifications
Step 1 – Portal configuration
Before setting up monitoring, configure your Google Cloud Platform project details in the Code-Cube.io portal.
1.1 Enable Cloud Run monitoring
- Go to the Tag Monitor configuration page
- Click the "Cloud Run monitoring" tab
- Enable the toggle for "Cloud Run montioring"
1.2 Enter project details
- Add your GCP Project Number (see how to find it)
Important: Monitoring will only be available for the specified GCP project. Make sure you're using the correct project number of the project where your Cloud Run services for GTM server-side are deployed.
Step 2 – Create GCP service account
Set up the required service account with appropriate permissions for monitoring configuration.
2.1 Create service account
- Go to
IAM & Admin>Service Accountsin the Google Cloud Console - Click "Create Service Account"
- Create a service account:
- Write the service account name and ID the same as the screenshot above
- Use the Service account description to recognize this service account
- Under the Service account ID you see a email address, save this address
2.2 Assign required roles
- Go to
IAM & Admin>IAM - Click "Grant Access"
- Paste the service account email in the New principals field
- Assign these roles from the table below.
Role | Purpose |
BigQuery Admin | Manages BigQuery datasets used when exporting or analyzing Cloud Run logs and metrics. |
Cloud Funtions Invoker | Ability to invoke 1st gen HTTP functions with restricted access. 2nd gen functions need the Cloud Run Invoker role instead. |
Logging Admin | Manages log-based metrics and alerts used for monitoring Cloud Run request logs and error events. |
Monitoring AlertPolicy Editor | Creates, updates, and manages alert policies used to trigger notifications based on Cloud Run metrics and logs. |
Monitoring NotificationChannel Editor (Beta) | Configures and manages notification channels (email, Slack, PagerDuty, etc.) used by monitoring alerts. |
Monitoring Uptime Check Configuration Editor (Beta) | Creates and manages uptime checks to monitor Cloud Run service availability and response health. |
Project IAM Admin | Manages IAM roles and permissions required for setting up and maintaining monitoring access. |
Pub/Sub Admin | Manages Pub/Sub topics and subscriptions used to deliver monitoring alerts and events. |
Pub/Sub Publisher | Publishes monitoring events or alerts to Pub/Sub topics for downstream processing. |
Service Account Admin | Creates and manages service accounts used by monitoring and alerting components. |
Service Account Token Creator | Allows monitoring services to generate access tokens for service-to-service authentication. |
Service Account User | Grants permission for Cloud Run or monitoring services to impersonate a service account. |
Service Usage Admin | Enables and manages required Google Cloud APIs for monitoring and logging. |
2.3 Generate service account key
- In the
Service Accountspage, click the three dots > "Manage keys" - Click "Add Key" > "Create new key"
- Choose JSON format and click "Create"
- The key will download automatically—store it securely
2.4 Upload service account key
- Return to the Code-Cube.io configuration page
- Upload the downloaded JSON key file
- The system will validate permissions automatically
Important: Service account keys are used once during setup and never stored in Code-Cube.io systems.
Step 3 – Configure Cloud Run details
Add your Cloud Run service information for monitoring setup.
3.1 Locate Cloud Run details
- Go to the Google Cloud Console
- Navigate to Cloud Run under "Serverless"
- Note the service name and region for each GTM server you want to monitor
3.2 Add Cloud Run services
- In the Code-Cube.io portal, add each Cloud Run service:
- Service Name: Copy from Cloud Run console
- Region: Copy from Cloud Run console
- You can add multiple services for comprehensive monitoring
3.3 Start configuration
- Click "Start Configuration"
- The system will automatically create monitoring resources in your GCP project
Step 4 – Deploy and verify monitoring
Once configuration is complete, verify that monitoring is active and working correctly.
4.1 Confirm setup completion
- Wait for the "Setup Successful" confirmation message
- Review the list of created monitoring resources
4.2 Verify monitoring resources
The following resources are automatically created in your GCP project:
- Alert Policies: CPU usage, memory usage, uptime checks, SSL certificate expiration
- Notification Channel: Connects alerts to Pub/Sub processing
- Pub/Sub Topic & Subscription: Handles alert message routing
- Cloud Function: Processes and forwards alert notifications
- Monitoring Service Account: Named
cloud-run-monitoring@{project_id}.iam.gserviceaccount.com
4.3 Test monitoring
- Check the Code-Cube.io portal dashboard for incoming monitoring data
- Verify that your Cloud Run services appear in the monitoring overview
How to find your GCP project number
- Log in to the Google Cloud Console
- Click the project dropdown at the top of the page
- In the Project Info panel, copy the Project number
The project number is different from the project ID—make sure you're using the numeric project number.
Security & Privacy
Code-Cube.io follows strict security protocols for Cloud Run monitoring:
- One-time use: Service account keys are used once during setup and immediately discarded
- Secure processing: All uploads are processed via HTTPS with backend validation
- No credential storage: Service account credentials are never stored or cached
- Minimum permissions: Only essential GCP resources and permissions are configured
- Dedicated service account: A separate monitoring service account is created with limited scope
For more information about our security practices, visit the Code-Cube.io Security Documentation.
Resources Created in Your GCP Project
- Notification Channel
- Pub/Sub Topic & Subscription
- Alert Policies
- CPU usage
- Memory usage
- Uptime checks
- SSL certificate expiration
- Monitoring Service Account
Connects alert policies to a Pub/Sub topic.
Handles alert messages and forwards them to a Cloud Function for processing.
Named cloud-run-monitoring@{project_id}.iam.gserviceaccount.com
with roles such as Pub/Sub Publisher, Monitoring Admin, and more.