Update gcp cloudrun

JosepSampe · JosepSampe · commit f9e0a9f4be5c · 2026-05-06T16:26:40.000+02:00
diff --git a/docs/source/compute_config/gcp_cloudrun.md b/docs/source/compute_config/gcp_cloudrun.md
@@ -42,6 +42,18 @@ gcloud artifacts repositories create lithops \
 
 Grant the service account **Artifact Registry Writer** (or **Artifact Registry Create-on-push Writer** if you prefer) so it can push images.
 
+Example command:
+
+```bash
+gcloud artifacts repositories add-iam-policy-binding gcf-artifacts \
+  --location=us-east1 \
+  --project=lithops-dev \
+  --member="serviceAccount:lithops-executor@lithops-dev.iam.gserviceaccount.com" \
+  --role="roles/artifactregistry.writer"
+```
+
+Replace `gcf-artifacts`, `us-east1`, `lithops-dev`, and the service account email with your own values.
+
 ## Configuration
 
 1. Edit your lithops config and add the following keys:
diff --git a/lithops/serverless/backends/gcp_cloudrun/cloudrun.py b/lithops/serverless/backends/gcp_cloudrun/cloudrun.py
@@ -17,17 +17,19 @@
 import os
 import time
 import json
-import urllib
 import yaml
 import hashlib
 import logging
 import httplib2
+import requests
 import google.auth
 import google.oauth2.id_token
+import google.auth.transport.requests
 from threading import Lock
 from google.oauth2 import service_account
 from google_auth_httplib2 import AuthorizedHttp
 from googleapiclient.discovery import build
+from googleapiclient.errors import HttpError
 
 from lithops import utils
 from lithops.constants import COMPUTE_CLI_MSG
@@ -51,6 +53,7 @@ def __init__(self, cloudrun_config, internal_storage):
         self.credentials_path = cloudrun_config.get('credentials_path')
 
         self._build_api_resource()
+        self._resolve_artifact_registry_repository_fallback()
 
         self._service_url = None
         self._id_token = None
@@ -121,10 +124,122 @@ def _build_api_resource(self):
                 'api_endpoint': f'https://{self.region}-run.googleapis.com'
             }
         )
+        self._ar_resource = build(
+            'artifactregistry', 'v1',
+            http=http, cache_discovery=False
+        )
 
         self.cr_config['project_name'] = self.project_name
         self.cr_config['service_account'] = self.service_account
 
+    def _parse_artifact_registry_image_name(self, image_name):
+        """
+        Parse Artifact Registry image format:
+        REGION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE[:TAG]
+        """
+        parts = image_name.split('/')
+        if len(parts) < 4:
+            return None
+        host, project, repository = parts[0], parts[1], parts[2]
+        if not host.endswith('-docker.pkg.dev'):
+            return None
+        location = host.replace('-docker.pkg.dev', '')
+        return project, location, repository
+
+    def _artifact_registry_uploader_identity(self):
+        if self.credentials_path and os.path.isfile(self.credentials_path):
+            try:
+                with open(self.credentials_path, 'r') as f:
+                    cred_data = json.load(f)
+                return cred_data.get('client_email')
+            except Exception:
+                return None
+        return self.service_account
+
+    def _list_docker_repositories(self):
+        parent = f'projects/{self.project_name}/locations/{self.region}'
+        repos = []
+        page_token = None
+        while True:
+            req = self._ar_resource.projects().locations().repositories().list(
+                parent=parent, pageToken=page_token
+            )
+            res = req.execute()
+            for repo in res.get('repositories', []):
+                if repo.get('format') == 'DOCKER':
+                    repos.append(repo['name'].rsplit('/', 1)[-1])
+            page_token = res.get('nextPageToken')
+            if not page_token:
+                break
+        return repos
+
+    def _resolve_artifact_registry_repository_fallback(self):
+        """
+        Minimal repository resolution:
+        - Use configured repository if accessible
+        - Otherwise fallback to an existing DOCKER repository (prefer gcf-artifacts)
+        """
+        repository = self.cr_config.get('artifact_registry_repository', 'lithops')
+        name = f'projects/{self.project_name}/locations/{self.region}/repositories/{repository}'
+
+        try:
+            self._ar_resource.projects().locations().repositories().get(name=name).execute()
+            return
+        except Exception:
+            pass
+
+        try:
+            docker_repos = self._list_docker_repositories()
+        except Exception:
+            docker_repos = []
+
+        if not docker_repos:
+            return
+
+        fallback = 'gcf-artifacts' if 'gcf-artifacts' in docker_repos else sorted(docker_repos)[0]
+        if fallback != repository:
+            self.cr_config['artifact_registry_repository'] = fallback
+            logger.info(
+                f'Using Artifact Registry repository "{fallback}" '
+                f'(configured "{repository}" is not accessible).'
+            )
+
+    def _ensure_artifact_registry_upload_permission(self, image_name):
+        """
+        Check that current principal can upload artifacts to the target repo.
+        """
+        parsed = self._parse_artifact_registry_image_name(image_name)
+        if not parsed:
+            return
+
+        project, location, repository = parsed
+        resource = f'projects/{project}/locations/{location}/repositories/{repository}'
+
+        try:
+            result = self._ar_resource.projects().locations().repositories().testIamPermissions(
+                resource=resource,
+                body={
+                    'permissions': ['artifactregistry.repositories.uploadArtifacts']
+                }
+            ).execute()
+        except HttpError:
+            # If we cannot test permissions (forbidden/unavailable), fail later on push.
+            return
+
+        granted = set(result.get('permissions', []))
+        if 'artifactregistry.repositories.uploadArtifacts' in granted:
+            return
+
+        principal = self._artifact_registry_uploader_identity() or 'current credentials principal'
+        raise Exception(
+            'Missing Artifact Registry permission to push runtime image. '
+            f'Principal "{principal}" does not have '
+            f'"artifactregistry.repositories.uploadArtifacts" on "{resource}". '
+            'Grant role "roles/artifactregistry.writer" on the repository/project or configure '
+            'a repository where this principal has write access via '
+            '`gcp_cloudrun.artifact_registry_repository`.'
+        )
+
     def _get_url_and_token(self, service_name):
         """
         Generates a connection token
@@ -207,17 +322,24 @@ def invoke(self, runtime_name, runtime_memory, payload, return_result=False):
         else:
             logger.debug('Invoking function')
 
-        req = urllib.request.Request(service_url + route, data=json.dumps(payload, default=str).encode('utf-8'))
-        req.add_header("Authorization", f"Bearer {id_token}")
-        res = urllib.request.urlopen(req)
+        headers = {
+            "Authorization": f"Bearer {id_token}",
+            "Content-Type": "application/json"
+        }
+        response = requests.post(
+            service_url + route,
+            data=json.dumps(payload, default=str),
+            headers=headers,
+            timeout=120
+        )
 
-        if res.getcode() in (200, 202):
-            data = json.loads(res.read())
+        if response.status_code in (200, 202):
+            data = response.json()
             if return_result:
                 return data
             return data["activationId"]
         else:
-            raise Exception(res.text)
+            raise Exception(response.text)
 
     def build_runtime(self, runtime_name, dockerfile, extra_args=[]):
         """
@@ -253,11 +375,19 @@ def build_runtime(self, runtime_name, dockerfile, extra_args=[]):
             raise Exception(f'There was an error authorizing Docker for push to {registry_host}')
 
         logger.debug(f'Pushing runtime {image_name} to {registry_host}')
+        self._ensure_artifact_registry_upload_permission(image_name)
         if utils.is_podman(docker_path):
             cmd = f'{docker_path} push {image_name} --format docker --remove-signatures'
         else:
             cmd = f'{docker_path} push {image_name}'
-        utils.run_command(cmd)
+        try:
+            utils.run_command(cmd)
+        except Exception as e:
+            raise Exception(
+                f'Unable to push runtime image to Artifact Registry ({image_name}). '
+                'Verify the repository exists and that your identity has Artifact Registry write permissions '
+                '(artifactregistry.repositories.uploadArtifacts).'
+            ) from e
 
     def _create_service(self, runtime_name, runtime_memory, timeout):
         """
@@ -292,9 +422,19 @@ def _create_service(self, runtime_name, runtime_memory, timeout):
         container['resources']['requests']['cpu'] = str(self.cr_config['runtime_cpu'])
 
         logger.debug(f"Creating service: {service_name}")
-        res = self._api_resource.namespaces().services().create(
-            parent=f'namespaces/{self.project_name}', body=svc_res
-        ).execute()
+        try:
+            res = self._api_resource.namespaces().services().create(
+                parent=f'namespaces/{self.project_name}', body=svc_res
+            ).execute()
+        except HttpError as e:
+            if e.resp.status == 409:
+                logger.debug(f'Service {service_name} already exists. Recreating it')
+                self._delete_service(service_name)
+                res = self._api_resource.namespaces().services().create(
+                    parent=f'namespaces/{self.project_name}', body=svc_res
+                ).execute()
+            else:
+                raise
         logger.debug(f'Ok -- service created {service_name}')
 
         # Wait until service is up
diff --git a/lithops/serverless/backends/gcp_cloudrun/config.py b/lithops/serverless/backends/gcp_cloudrun/config.py
@@ -30,7 +30,7 @@
     'runtime_timeout': 300,  # seconds (max 3600 for services)
     'runtime_memory': 256,  # MiB (max 32768)
     'runtime_cpu': 0.25,  # vCPU: 0.08–<1 in 0.001 steps, or 1, 2, 4, 6, 8
-    'max_workers': 1000,
+    'max_workers': 100,
     'min_workers': 0,
     'worker_processes': 1,
     'invoke_pool_threads': 100,
@@ -85,7 +85,6 @@ def is_valid_cloud_run_cpu(cpu):
         cloudpickle \
         ps-mem \
         tblib \
-        namegenerator \
         cryptography \
         httplib2 \
         google-cloud-storage \
@@ -96,20 +95,20 @@ def is_valid_cloud_run_cpu(cpu):
         psutil
 
 
-ENV PORT 8080
-ENV PYTHONUNBUFFERED TRUE
+ENV PORT=8080
+ENV PYTHONUNBUFFERED=TRUE
 
-ENV CONCURRENCY 1
-ENV TIMEOUT 600
+ENV CONCURRENCY=1
+ENV TIMEOUT=600
 
 # Copy Lithops proxy and lib to the container image.
-ENV APP_HOME /lithops
+ENV APP_HOME=/lithops
 WORKDIR $APP_HOME
 
 COPY lithops_cloudrun.zip .
 RUN unzip lithops_cloudrun.zip && rm lithops_cloudrun.zip
 
-CMD exec gunicorn --bind :$PORT --workers $CONCURRENCY --timeout $TIMEOUT lithopsproxy:proxy
+CMD ["sh", "-c", "exec gunicorn --bind :$PORT --workers $CONCURRENCY --timeout $TIMEOUT lithopsproxy:proxy"]
 """
 
 service_res = """
@@ -162,6 +161,13 @@ def load_config(config_data):
 
     if 'credentials_path' in config_data['gcp']:
         config_data['gcp']['credentials_path'] = os.path.expanduser(config_data['gcp']['credentials_path'])
+    if 'credentials_path' not in config_data['gcp']:
+        raise Exception("'credentials_path' parameter is mandatory under the 'gcp' section for gcp_cloudrun")
+    if not os.path.isfile(config_data['gcp']['credentials_path']):
+        raise Exception(
+            'A valid "gcp.credentials_path" service account JSON file is required '
+            f'({config_data["gcp"]["credentials_path"]})'
+        )
 
     temp = copy.deepcopy(config_data['gcp_cloudrun'])
     config_data['gcp_cloudrun'].update(config_data['gcp'])
diff --git a/runtime/gcp_cloudrun/Dockerfile.conda b/runtime/gcp_cloudrun/Dockerfile.conda
@@ -25,7 +25,6 @@ RUN pip install --upgrade setuptools six pip \
         cloudpickle \
         ps-mem \
         tblib \
-        namegenerator \
         cryptography \
         httplib2 \
         google-cloud-storage \
diff --git a/runtime/gcp_cloudrun/README.md b/runtime/gcp_cloudrun/README.md
@@ -80,7 +80,6 @@ gcp_cloudrun:
             cloudpickle \
             ps-mem \
             tblib \
-            namegenerator \
             torch \
             torchvision \
             google-cloud-storage \
