Version 1.8. This version is supported as outlined in the Anthos version support policy, offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware (GKE on-prem). Refer to the release notes for more details. This is not the most recent version.

Google Cloud project (quickstart)

This document shows how to set up a Google Cloud project and grant roles to a Google Account.

The instructions here are part of a quickstart. For full instructions on using Cloud projects with Anthos clusters on VMware (GKE on-prem), see Using multiple Cloud projects.

Before you begin

Read the Anthos clusters on VMware overview.

Install Cloud SDK.

Choose or create a Cloud project

An Anthos cluster on VMware must be associated with one or more Cloud projects. This quickstart uses only one Cloud project. You can use an existing Cloud project or you can create a new Cloud project. Make a note of your project ID.

Enable services in your Cloud project

Your Cloud project must have the following services enabled:

anthos.googleapis.com
anthosgke.googleapis.com
anthosaudit.googleapis.com
cloudresourcemanager.googleapis.com
container.googleapis.com
gkeconnect.googleapis.com
gkehub.googleapis.com
serviceusage.googleapis.com
stackdriver.googleapis.com
opsconfigmonitoring.googleapis.com
monitoring.googleapis.com
logging.googleapis.com

To enable services in a project, you must have certain permissions on your Cloud project. For details, see the required permissions for services.enable in Access control.

If you have the required permissions, you can enable the services yourself. Otherwise, someone else in your organization must enable the services for you.

To enable the required services:

Linux and macOS

gcloud services enable --project=PROJECT_ID \
    anthos.googleapis.com \
    anthosgke.googleapis.com \
    anthosaudit.googleapis.com \
    cloudresourcemanager.googleapis.com \
    container.googleapis.com \
    gkeconnect.googleapis.com \
    gkehub.googleapis.com \
    serviceusage.googleapis.com \
    stackdriver.googleapis.com \
    opsconfigmonitoring.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com

Windows

gcloud services enable --project=PROJECT_ID ^
    anthos.googleapis.com ^
    anthosgke.googleapis.com ^
    anthosaudit.googleapis.com ^
    cloudresourcemanager.googleapis.com ^
    container.googleapis.com ^
    gkeconnect.googleapis.com ^
    gkehub.googleapis.com ^
    serviceusage.googleapis.com ^
    stackdriver.googleapis.com ^
    opsconfigmonitoring.googleapis.com ^
    monitoring.googleapis.com ^
    logging.googleapis.com

Enabling anthos.googleapis.com might incur charges. See the Pricing guide for details.

Log in and set SDK properties

The gkeadm command-line tool uses your SDK account and SDK project properties to create service accounts and to populate fields in your cluster configuration files, so set these properties before you run gkeadm to create an admin workstation.

Log in with any Google Account. This sets your SDK account property:

gcloud auth login

Next, set your SDK project property:

gcloud config set project PROJECT_ID

Verify that your SDK account and project properties are set correctly:

gcloud config list

The output shows the values of your SDK account and SDK project properties. For example:

[core]
account = my-name@google.com
disable_usage_reporting = False
project = my-project-123
Your active configuration is: [default]

Grant roles to your SDK account

The Google Account that is set as your SDK account property must have these IAM roles so that gkeadm can create and manage service accounts for you:

  • resourcemanager.projectIamAdmin
  • serviceusage.serviceUsageAdmin
  • iam.serviceAccountCreator
  • iam.serviceAccountKeyAdmin

To grant roles, you must have certain permissions on your Cloud project. For details, see Granting, changing, and revoking access to resources.

If you have the required permissions, you can grant the roles yourself. Otherwise, someone else in your organization must grant the roles for you.

To grant the roles:

Linux and macOS

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/resourcemanager.projectIamAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/serviceusage.serviceUsageAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/iam.serviceAccountKeyAdmin"

Windows

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/resourcemanager.projectIamAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/serviceusage.serviceUsageAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/iam.serviceAccountKeyAdmin"

Replace the following:

  • PROJECT_ID: the value of your SDK project property.
  • ACCOUNT: the value of your SDK account property.
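
To confirm that the two procedures above took effect, the following script reports which of the required services and IAM roles are still missing. It is an added example, not part of the original page or of gkeadm; the function names missing_from, enabled_services and granted_roles are hypothetical, and the sample data (including compute.googleapis.com as an unrelated extra) is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report which required
# services and IAM roles are still missing for a project and account.

REQUIRED_SERVICES="anthos.googleapis.com anthosgke.googleapis.com
anthosaudit.googleapis.com cloudresourcemanager.googleapis.com
container.googleapis.com gkeconnect.googleapis.com gkehub.googleapis.com
serviceusage.googleapis.com stackdriver.googleapis.com
opsconfigmonitoring.googleapis.com monitoring.googleapis.com
logging.googleapis.com"

REQUIRED_ROLES="roles/resourcemanager.projectIamAdmin
roles/serviceusage.serviceUsageAdmin roles/iam.serviceAccountCreator
roles/iam.serviceAccountKeyAdmin"

# missing_from "REQUIRED LIST": reads the actual items on stdin (one per
# line) and prints every required item that is absent. -F -x forces an
# exact whole-line match, so a longer or shorter name never counts.
missing_from() {
    _actual=$(cat)
    for _item in $1; do
        printf '%s\n' "$_actual" | grep -Fxq -- "$_item" || printf '%s\n' "$_item"
    done
}

# Live queries (need an authenticated gcloud; not run on the sample path).
enabled_services() {
    gcloud services list --enabled --project="$1" --format="value(config.name)"
}
granted_roles() {
    gcloud projects get-iam-policy "$1" --flatten="bindings[].members" \
        --filter="bindings.members:user:$2" --format="value(bindings.role)"
}

# Constructed sample data: one service not yet enabled, one role not yet
# granted, plus an unrelated service that must be ignored.
SAMPLE_ENABLED=$(printf '%s\n' $REQUIRED_SERVICES compute.googleapis.com |
    grep -v '^opsconfigmonitoring\.')
SAMPLE_ROLES=$(printf '%s\n' $REQUIRED_ROLES | grep -v 'serviceAccountKeyAdmin$')

if [ -n "${PROJECT_ID:-}" ] && [ -n "${ACCOUNT:-}" ]; then
    echo "Missing services:"; enabled_services "$PROJECT_ID" | missing_from "$REQUIRED_SERVICES"
    echo "Missing roles:";    granted_roles "$PROJECT_ID" "$ACCOUNT" | missing_from "$REQUIRED_ROLES"
else
    echo "Missing services (sample):"; printf '%s\n' "$SAMPLE_ENABLED" | missing_from "$REQUIRED_SERVICES"
    echo "Missing roles (sample):";    printf '%s\n' "$SAMPLE_ROLES" | missing_from "$REQUIRED_ROLES"
fi
```

Set PROJECT_ID and ACCOUNT in the environment to query the live project instead of the sample. The role check sees only direct user bindings on the project, so a role that reaches the account through a group or through a folder or organization policy is reported as missing.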

What's next

Create a service account (quickstart)