Installing on Google Cloud VM

This page describes how to install Piped on Google Cloud VM.


Having piped’s ID and Key strings
  • Ensure that the piped has been registered and you are having its PIPED_ID and PIPED_KEY strings.
  • If you are not having them, this page guides you how to register a new one.
Preparing SSH key
  • If your Git repositories are private, piped requires a private SSH key to access those repositories.
  • Please checkout this documentation for how to generate a new SSH key pair. Then add the public key to your repositories. (If you are using GitHub, you can add it to Deploy Keys at the repository’s Settings page.)


  • Preparing a piped configuration file as the following:

    kind: Piped
      projectID: {PROJECT_ID}
      pipedID: {PIPED_ID}
      pipedKeyData: {BASE64_ENCODED_PIPED_KEY}
      # Write in a format like "host:443" because the communication is done via gRPC.
        sshKeyData: {BASE64_ENCODED_PRIVATE_SSH_KEY}
        - repoId: {REPO_ID_OR_NAME}
          branch: {GIT_BRANCH}
      # Optional
      # Uncomment this if you want to enable this Piped to handle Cloud Run application.
      # platformProviders:
      #  - name: cloudrun-in-project
      #    type: CLOUDRUN
      #    config:
      #      project: {GCP_PROJECT_ID}
      #      region: {GCP_PROJECT_REGION}
      # Optional
      # Uncomment this if you want to enable this Piped to handle Terraform application.
      #  - name: terraform-gcp
      #    type: TERRAFORM
      # Optional
      # Uncomment this if you want to enable SecretManagement feature.
      # secretManagement:
      #   type: KEY_PAIR
      #   config:
      #     privateKeyData: {BASE64_ENCODED_PRIVATE_KEY}
      #     publicKeyData: {BASE64_ENCODED_PUBLIC_KEY}
  • Creating a new secret in SecretManager to store above configuration data securely

    gcloud secrets create vm-piped-config --data-file={PATH_TO_CONFIG_FILE}
  • Creating a new Service Account for Piped and giving it needed roles

    gcloud iam service-accounts create vm-piped \
      --description="Using by Piped running on Google Cloud VM" \
    # Allow Piped to access the created secret.
    gcloud secrets add-iam-policy-binding vm-piped-config \
      --member="serviceAccount:vm-piped@{GCP_PROJECT_ID}" \
    # Allow Piped to write its log messages to Google Cloud Logging service.
    gcloud projects add-iam-policy-binding {GCP_PROJECT_ID} \
      --member="serviceAccount:vm-piped@{GCP_PROJECT_ID}" \
    # Optional
    # If you want to use this Piped to handle Cloud Run application
    # run the following command to give it the needed roles.
    # gcloud projects add-iam-policy-binding {GCP_PROJECT_ID} \
    #   --member="serviceAccount:vm-piped@{GCP_PROJECT_ID}" \
    #   --role="roles/run.developer"
    # gcloud iam service-accounts add-iam-policy-binding {GCP_PROJECT_NUMBER} \
    #   --member="serviceAccount:vm-piped@{GCP_PROJECT_ID}" \
    #   --role="roles/iam.serviceAccountUser"
  • Running Piped on a Google Cloud VM

    # Enable remote-upgrade feature of Piped.
    # This allows upgrading Piped to a new version from the web console.
      gcloud compute instances create-with-container vm-piped \
        --container-image="" \
        --container-arg="launcher" \
        --container-arg="--config-from-gcp-secret=true" \
        --container-arg="--gcp-secret-id=projects/{GCP_PROJECT_ID}/secrets/vm-piped-config/versions/{SECRET_VERSION}" \
        --network="{VPC_NETWORK}" \
        --subnet="{VPC_SUBNET}" \
        --scopes="cloud-platform" \
    # This just installs a Piped with the specified version.
    # Whenever you want to upgrade that Piped to a new version or update its config data you have to restart it.
      gcloud compute instances create-with-container vm-piped \
        --container-image="" \
        --container-arg="piped" \
        --container-arg="--config-gcp-secret=projects/{GCP_PROJECT_ID}/secrets/vm-piped-config/versions/{SECRET_VERSION}" \
        --network="{VPC_NETWORK}" \
        --subnet="{VPC_SUBNET}" \
        --scopes="cloud-platform" \

After that, you can see on PipeCD web at Settings page that Piped is connecting to the Control Plane. You can also view Piped log as described here.