I made a webapp referred to as Scorching Maze and tried to deploy it to App Engine, to Cloud Features, and to Cloud Run. That is what I realized within the course of.

What’s Scorching Maze

Hot Maze is an online web page that permits you to share a photograph or a doc out of your pc to your telephone, utilizing a QR code.

It’s a quick, frictionless and safe solution to switch a useful resource, which doesn’t require any account creation or any password.

Let’s see it in motion. Right here, sending a blue gopher:

Conceptually, that is what occurs inside seconds while you drop a file (e.g. a kangaroo) to the Scorching Maze internet web page:

  • Your browser uploads it to a Cloud location

  • The net web page shows a QR code containing a URL to the Cloud location

qr code
  • Your telephone scans and decodes the QR code, and downloads the useful resource.


The precise request sequence would rely upon the Cloud elements we select to orchestrate the file switch. Here’s a first wise workflow utilizing Google Cloud:

  • You drop a file F
  • The net web page asks the Cloud server for two distinctive one-time use URLs: one URL U to add a file to a brief location L in Cloud Storage, and one other URL D to obtain the file from L.
  • The net web page now makes use of Uto addF to L.
  • The net web page encodes D right into a QR codeQ and shows it.
  • You scan Qwith a QR code scanner cellular app.
  • The cellular decodes D.
  • The cellular makes use of D to obtain Ffrom L.
  • A couple of minutes later, F is completely deleted from L.

On this situation, the cell phone makes use of a normal QR code reader app (many decisions accessible within the Play retailer and within the App Retailer) after which lets its default browser obtain the file with none additional logic on the telephone aspect.

This situation is safe as a result of nobody else is aware of the key URLs U and D, thus nobody can see your file F or tamper with it. U and D use the HTTPS protocol. The Cloud location L shouldn’t be publicly accessible.

This text exhibits the right way to design the appliance Scorching Maze and deploy it to completely different serverless merchandise of Google Cloud. We’ll discover three options: App Engine, Cloud Features, and Cloud Run.


A phrase about Serverless

The three design decisions mentioned beneath have one thing in widespread: they’re stateless. Because of this the particular server occasion that processes a given request doesn’t maintain information and isn’t considered a supply of fact. This can be a basic property of autoscaled serverless architectures. The person information (if any) lives in distinct stateful elements: a database, a file storage, or a distributed reminiscence cache.

Design for App Engine

App Engine Commonplace is nice in case your stateless software meets these standards:

  • Handles HTTP(S) requests
  • Is stateless
  • Is written in Go, Java, Python, Node.js, PHP, or Ruby
  • Doesn’t want to make use of the native filesystem or to put in binary dependencies
  • Communicates with different Google Cloud elements

Scorching Maze matches this description very effectively. It’s written in Go, and we use Google Cloud Storage (GCS) as a brief repository of person information. Scorching Maze consists of two elements:

  • The Frontend (static property): HTML, JS, CSS, photos;
  • The Backend: handlers that course of the add and obtain logic.

The supply code is available on GitHub. Within the repo, this implementation (App Engine + Cloud Storage) known asB1.

Mission construction

Excellent news, it’s easy and idiomatic to have the Go webapp serve each the Frontend and the Backend.


The webapp code shouldn’t be adherent to App Engine (GAE), it’s a normal Go app that may be developed and examined domestically. Solely app.yaml is restricted to App Engine: It specifies which App Engine runtime to make use of, and the right way to route the incoming requests.

The webapp doesn’t want to fret about HTTPS. The HTTPS termination occurs upstream in the “Google Front End Service” (GFE), so the Go code doesn’t must cope with certificates and encryption.

It’s a good follow to code the server logic in its personal bundle on the root of the Go module, and have a “main” bundle executable program inside “cmd” that instantiates the server and listens to a selected port. For instance, in my first App Engine implementation of Hot Maze, “github.com/Deleplace/hot-maze/B1” is each the title of the module and the trail of the server bundle.


I selected Cloud Storage to deal with non permanent information storage, so I’ve a dependency to the GCS library cloud.google.com/go/storage. For safety causes (privateness), I don’t grant learn and write entry to a GCS bucket to nameless web customers. As an alternative I’ll have my server generate Signed URLs to let an nameless person add and obtain a given file.



When a pc person drops a file to the Scorching Maze internet web page, the primary request is asking the backend to generate and return 2 URLs: one to let the browser add the person file to GCS, and one to let the cell phone obtain the file from GCS.

That is all the knowledge wanted to proceed:

  • Add the file F to the “secure upload URL” U
  • Then encode and show the safe obtain URL D in a QR code
qr d

The obtain URL is enough to retrieve the file instantly from GCS. Ideally, the cell phone (with a QR code scanner app) wouldn’t want to speak with the App Engine backend in any respect. See the part Shorter URLs beneath to find why we’ll the truth is have the cellular gadget hit the App Engine service.


Serving static property

The Frontend a part of the app consists of an HTML file, a JS file, a CSS file, and some photos. It could be served by the identical server cases because the Backend half, or by completely different servers, presumably underneath a distinct area title.

Go server

The easy path is to have our Go server deal with all of the requests to the (static) Frontend and to the (dynamic) Backend. That is how we serve all the contents of a given folder:


This strategy works precisely the identical in native improvement and in manufacturing. Every incoming request to a static file is dealt with by the Go code of the server occasion.

Static file handlers in app.yaml

It is usually doable to declare the static assets in app.yaml.


This has some benefits:

  • The requests for static property will probably be dealt with by a CDN-like file server, not out of your App Engine cases;
  • The static property could also be served barely sooner;
  • The static property don’t expertise chilly begins. They’re quick even when zero cases are operating.
  • The request logs nonetheless present up within the Cloud Logging console.
  • This will lower the stress on my App Engine cases, enhance their throughput of dynamic requests, and reduce the whole variety of occurrences of chilly begins (loading latency) for scaling up.  

In the event you use this optimization, I counsel that you simply preserve the Go handler for static information (with http.FileServer), which continues to work for native improvement. That is now a element that works in another way in improvement and in manufacturing, so you’ll have to preserve this truth in thoughts throughout QA testing, and watch out to not introduce discrepancies between the app.yaml and the Go code (e.g. the precise set of information and folders, the cache response headers, and so on.).

The built-in CDN is such a pleasant and helpful function of App Engine that we should always preserve it in thoughts when contemplating the serverless choices for a brand new mission.

Shorter URLs

There’s a gotcha: Signed URLs have prolonged crypto parameters, thus are fairly lengthy: 500+ characters.

Lengthy URLs are superb for computer systems, nonetheless they’re not nice for people (if one ever must sort it) and for QR codes. 

qr code

The total-length Signed URL above technically can slot in a normal QR code, however the ensuing image is so complicated and filled with tiny patterns that your cellular QR code scanner app could have troubles to correctly learn it.

The Add URL U is used as-is in its full-length kind: your browser receives it inside a JSON response, and makes use of it instantly in JS to add your useful resource.

Nonetheless, the Obtain URL D in full-length shouldn’t be actually applicable to encode in a QR code. To repair this, we create an additional indirection: a Shortened Obtain URL containing solely the UUID of the useful resource file. When the cellular gadget scans the QR code and extracts the brief URL, it asks App Engine for the matching full-length URL to the useful resource in Cloud Storage.


This URL shortening course of provides a small delay of 1 roundtrip to the App Engine service. It additionally provides some (reasonable) server logic, because the service must someway keep in mind the mapping between the Quick D URL and the Lengthy Signed D URL. It has the good good thing about leveraging a QR code that’s truly usable in follow.


We don’t want and don’t wish to preserve the person information various minutes within the Cloud servers.

Let’s schedule its computerized deletion after 9mn with Cloud Tasks. That is finished in three elements:

  • Creation of a brand new process queue

$ gcloud duties queues create b1-file-expiry

  • A /neglect handler that deletes a useful resource instantly: source
  • A Activity object that can hit /neglect?uuid=<id> 9mn after the signed URLs technology: source

A request header check ensures that the file deletion shouldn’t be a public-facing service: It could solely be triggered by the duty queue.

The Signed URLs themselves are short-lived, so the shoppers could add and obtain just for 5mn after URL technology. The cleanup serves different functions:

  • Cut back storage prices, by deleting out of date information;
  • Foster privateness by ensuring the cloud service doesn’t maintain any copy of the person information longer than mandatory.


The service doesn’t require any account creation, authentication, or password.

It’s safe as a result of person information can’t be intercepted by third events:

  • Transport encryption: add and obtain use HTTPS,
  • Information encryption at rest in Cloud Storage,
  • Use of a nonce UUID to determine a useful resource, generated by the bundle github.com/google/uuid, which makes use of crypto/rand.
  • Era of safe Signed URLs that may’t be solid,
  • Signed URLs expire after 5 minutes,
  • Consumer information is deleted after 9 minutes.

Nonetheless, that is completely different from what we name “end-to-end encryption” (E2EE). The Scorching Maze service proprietor (me) may entry the GCS bucket and see the person information earlier than they’re deleted. Implementing E2EE can be an attention-grabbing mission… possibly the fabric for a future article.

Cloud Storage bucket configuration

Even with correct Signed URLs, the online browser should nonetheless be allowed to entry the particular Cloud Storage bucket. If not configured, the browser could refuse and throw

Entry to XMLHttpRequest from origin has been blocked by CORS coverage: Response to preflight request would not move entry management examine: No 'Entry-Management-Enable-Origin' header is current on the requested useful resource.

I must explicitly configure CORS to permit all domains which will want legit write entry (PUT) to the bucket. For this I create a bucket_cors.json file:

Then I apply it with:

$ gsutil cors set bucket_cors.json gs://hot-maze.appspot.com

 “hot-maze.appspot.com” seems to be like a website title however right here it’s the title of the bucket that I exploit to retailer the non permanent information.

Cloud Storage entry for native improvement setting

Observe that the JSON above features a localhost area. That is mandatory for the event section. It’s superb to maintain this configuration even after the app has been deployed to manufacturing. It doesn’t represent an additional safety threat.

Service Accounts

It seems that producing a GCS Signed URL with the Go client library requires a service account private key, having correct permissions. So I visited IAM, created an account [email protected] and gave it the function “Storage Admin”.

Now I can obtain and use its personal key, however there’s no means I’d examine in such a delicate secret in my code repo! As an alternative I saved the personal key in Secret Manager. Then I made certain to grant the function “Secret Manager Secret Accessor” to the App Engine default service account. That’s numerous indirections! The rationale is:

  • To carry out a delicate operation, the backend should be authenticated someway, however it isn’t enough;
  • Moreover it requires a non-public key, which is a secret;
  • It’s then in a position to generate an add URL for use by an nameless person of the service;
  • The App Engine backend is robotically authenticated in manufacturing;
  • Now the native improvement setting must cope with an specific service account, with the intention to learn the key from Secret Supervisor.

Native improvement

From folder B1:

$ export GOOGLE_APPLICATION_CREDENTIALS=/native/path/to/sa.json

$ go run github.com/Deleplace/hot-maze/B1/cmd/backend

Observe that even when the principle program is in cmd/backend, we run it from the foundation listing of the Go module, in order that it accurately finds the static folder.

The service account key sa.json was downloaded from the IAM internet console and saved someplace in my native file system. It isn’t supposed to be checked in with the supply code.


Prerequisite: I’m already authenticated within the command line software gcloud, and my lively mission is hot-maze. From folder B1:

$ gcloud app deploy

This takes 2 minutes to finish. A brand new model is deployed as we are able to see in the web console. It’s now accessible at two equal URLs:

It is dwell!

Design for Cloud Features

Utilizing Cloud Features (GCF) to course of the incoming occasions is a light-weight choice with superb granularity. GCF is suitable to course of occasions asynchronously or synchronously. See the supply code of the B2 implementation utilizing GCF, GCS and Firebase Internet hosting.


Frontend construction (static property)

The principle distinction with the primary choice is that Cloud Features shouldn’t be a “web backend” designed to serve HTML pages and sources. For this, we’ll use Firebase Hosting. Let’s:

  • run firebase init in a frontend mission folder, and observe the directions.
  • retailer index.html and the static folders inside the brand new firebase public folder.
  • deploy the Frontend with

$ firebase deploy

Observe: by default the property served by Firebase have a header cache-control: max-age=3600 (one hour).

Firebase Internet hosting serves requests from a worldwide CDN.

Backend construction

One other distinction is that Cloud Features written in Go should not “standard” Go internet servers. To develop and check them domestically, we’d like the Functions framework.

Within the case of my app:

  • It’s nonetheless a good suggestion to have my server enterprise logic in its “hotmaze” bundle on the root of the Go module
  • We don’t register handlers with http.HandleFunc anymore
  • For native dev, now we have a predominant bundle that calls funcframework.RegisterHTTPFunctionContext for every uncovered Operate.

Observe that some configuration values at the moment are supplied contained in the bundle “hotmaze” as an alternative of the bundle “main”. That’s as a result of the executable cmd/backend/predominant.go is not going to be utilized in manufacturing. We don’t deploy executables or full servers to GCF. As an alternative, we deploy every Operate individually:

$ gcloud capabilities deploy B2_SecureURLs

  --runtime go113 --trigger-http --allow-unauthenticated

$ gcloud capabilities deploy B2_Get

  --runtime go113 --trigger-http --allow-unauthenticated

$ gcloud capabilities deploy B2_Forget

  --runtime go113 --trigger-http --allow-unauthenticated

There are three deploy instructions, as a result of now we have three dynamic handlers within the backend: one to generate safe URLs, one to redirect from a Quick URL to a full-length GCS Signed URL, and one to delete a useful resource from GCS.

The full variety of instructions to deploy the complete software is 4. It’s doable to redeploy the Frontend solely, or to redeploy solely a single Operate.

It is dwell!

Native improvement

The Frontend and the Backend are operating at a distinct port.

Let’s be specific in firebase.json and host the Fronted at port 8081:


Then, in a primary terminal:

$ cd B2/frontend

$ firebase emulators:begin

Lastly, I run the Backend within the default port 8080 in a second terminal:

$ cd B2/backend

$ go run cmd/backend/predominant.go

Cloud Features for Firebase

Firebase has a nice built-in integration with Cloud Features for Javascript capabilities.

My backend is written in Go, which is why I’m utilizing the “traditional” Cloud Features.

Design for Cloud Run

Cloud Run lets me bundle the Frontend and the Backend in a Docker picture, and deploy this picture to manufacturing. 

Within the source repo, this implementation (Cloud Run + Cloud Storage) known as B3.


With Cloud Run come all the advantages of working with containers, and some extra:

  • I can code in any language I would like,
  • utilizing arbitrary binary dependencies (that may work in Linux),
  • similar container for native dev, QA, and manufacturing,
  • one single container to host the static property and the dynamic handlers,
  • autoscaling from zero as much as many,
  • quick chilly begins,
  • and no complicated cluster to handle (that is finished by the cloud vendor).

Mission construction

The idiomatic Go webapp serves each the Frontend and the Backend. The construction is much like the B1 (App Engine)implementation.


Utilizing a Dockerfile

To bundle the server (Frontend + Backend) right into a Docker picture, we first compile the server for the goal platform linux amd64

$ go construct -o server github.com/Deleplace/hot-maze/B3/cmd/backend

Then we ship the executable binary, in addition to the folder of static property. We don’t must ship the Go supply code. The Quickstart sample helps us write a Dockerfile to provide a picture with correct CA certificates:


Observe:Go 1.16 will make it doable to bundle all resources contained in the server executable file, thus not copy the static folder within the Dockerfile.

Service accounts

A deployed Cloud Run service comes with a default Service account enabled.

service acc

I needed to take a minute in IAM to grant it the function “Secret Manager Secret Accessor”

secret mgr

As defined in the B1 part, accessing secrets and techniques lets us retrieve the service account [email protected], which is allowed to generate Signed URLs to our GCS bucket.

Native improvement

Once we “just start” our Docker container domestically although, there’s no Service account automagically injected. And I would definitely not advocate copying a Service account personal key within the Dockerfile, on the threat of checking it within the supply repo of container registry.

Following the Cloud Run documentation for local testing, I move my service account JSON key file as arguments to the docker run command:

$ export GOOGLE_APPLICATION_CREDENTIALS=/native/path/to/sa.json

$ docker construct -t hotmaze-b3 . 

$ docker run -p 8080:8080

   -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/keys/sa.json -v



The server is began and accessible at http://localhost:8080 .

The service account key sa.json was downloaded from the IAM internet console and saved someplace in my native file system. It isn’t supposed to be checked in with the supply code.


These instructions compile the Go internet server, construct an Docker picture, push it to Container Registry, and deploy it to Cloud Run:

$ go construct -o server github.com/Deleplace/hot-maze/B3/cmd/backend

$ docker construct -t hotmaze-b3 .

$ gcloud builds submit --tag gcr.io/hot-maze/hot-maze-b3

$ gcloud run deploy hot-maze

   --image gcr.io/hot-maze/hot-maze-b3

   --platform managed --allow-unauthenticated

This overwrites the tag newest each time I deploy. For correct versioning, I could wish to use extra particular tag names akin to release-1.0.0.

Caveat:if the --allow-unauthenticated flag fails for some motive (“Setting IAM policy failed…”), then one could need to run an additional gcloud command supplied within the error message, or within the internet console go to Cloud Run > Service > Permissions > Add member “allUsers” and grant it the function “Cloud Run Invoker”.

It is dwell!

Utilizing Buildpacks

Writing an accurate Dockerfile and deploying a container is extra complicated than “just deploying the code” to e.g. App Engine.

Nonetheless, Buildpacks are a Cloud Native solution to seamlessly containerize and deploy an app from its supply code. The principle distinction with the earlier part is that I don’t want a Dockerfile.

Following these instructions, right here is how I can deploy Scorching Maze to Cloud Run:

$ pack set-default-builder gcr.io/buildpacks/builder:v1

$ pack construct --publish gcr.io/hot-maze/hot-maze

$ gcloud run deploy --image gcr.io/hot-maze/hot-maze

--platform managed --allow-unauthenticated

Its dwell as effectively!

Static information

For aforementioned strategic causes, one could wish to have a CDN serve the static property, e.g. Google Cloud CDN. This half is non-compulsory and most helpful when the app serves plenty of visitors.

Additional work

We’ve already seen two efficiency optimizations:

  • Utilizing a CDN for static property,
  • Decreasing the complexity of the QR code, with URL shortening.

I can consider much more doable enhancements of UX, simplicity and efficiency. I preserve these for potential future articles!


On this article we’ve seen how we are able to construction an app of reasonable complexity with the intention to deploy it to 3 completely different serverless platforms in Google Cloud.

All of them are legitimate decisions: 

  • App Engine + Cloud Storage
  • Cloud Features + Firebase internet hosting + Cloud Storage
  • Cloud Run + Cloud Storage.

You might select the one that most closely fits your wants relying on the small print of your personal workflow, or on distinctive options of one in all them. For instance in case your app is already packaged as a Docker container, then Cloud Run is the only option.

In the event you want to be taught extra concerning the companies talked about above, please try these sources:

Leave a Reply

Your email address will not be published. Required fields are marked *