This document shows how to set up a Google Cloud project and grant roles to a Google Account.
The instructions here are part of a quickstart. For full instructions on using Google Cloud projects with Google Distributed Cloud, see Using multiple Google Cloud projects.
Before you begin
Read the Google Distributed Cloud overview.
Choose or create a Google Cloud project
A GKE cluster on VMware must be associated with one or more Google Cloud projects. This quickstart uses only one Google Cloud project. You can use an existing Google Cloud project or you can create a new Google Cloud project. Make a note of your project ID.
Enable services in your Google Cloud project
Your Google Cloud project must have the following services enabled:
anthos.googleapis.com
anthosgke.googleapis.com
anthosaudit.googleapis.com
cloudresourcemanager.googleapis.com
container.googleapis.com
gkeconnect.googleapis.com
gkehub.googleapis.com
serviceusage.googleapis.com
stackdriver.googleapis.com
opsconfigmonitoring.googleapis.com
monitoring.googleapis.com
logging.googleapis.com
To enable services in a project, you must have certain permissions on your Google Cloud project. For details, see the required permissions for services.enable in Access control.
If you have the required permissions, you can enable the services yourself. Otherwise, someone else in your organization must enable the services for you.
To enable the required services:
Linux and macOS
gcloud services enable --project=PROJECT_ID \
    anthos.googleapis.com \
    anthosgke.googleapis.com \
    anthosaudit.googleapis.com \
    cloudresourcemanager.googleapis.com \
    container.googleapis.com \
    gkeconnect.googleapis.com \
    gkehub.googleapis.com \
    serviceusage.googleapis.com \
    stackdriver.googleapis.com \
    opsconfigmonitoring.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com
Windows
gcloud services enable --project=PROJECT_ID ^
    anthos.googleapis.com ^
    anthosgke.googleapis.com ^
    anthosaudit.googleapis.com ^
    cloudresourcemanager.googleapis.com ^
    container.googleapis.com ^
    gkeconnect.googleapis.com ^
    gkehub.googleapis.com ^
    serviceusage.googleapis.com ^
    stackdriver.googleapis.com ^
    opsconfigmonitoring.googleapis.com ^
    monitoring.googleapis.com ^
    logging.googleapis.com
Enabling anthos.googleapis.com might incur charges. See the Pricing guide for details.
Log in and set SDK properties
The gkeadm command-line tool uses your SDK account and SDK project properties to create service accounts and to populate fields in your cluster configuration files. So it is important that you set these properties before you run gkeadm to create an admin workstation.
Log in with any Google Account. This sets your SDK account property:
gcloud auth login
Next, set your SDK project property:
gcloud config set project PROJECT_ID
Verify that your SDK account and project properties are set correctly:
gcloud config list
The output shows the values of your SDK account and SDK project properties.
For example:
[core]
account = my-name@google.com
disable_usage_reporting = False
project = my-project-123

Your active configuration is: [default]
Grant roles to your SDK account
The Google Account that is set as your SDK account property must have these IAM roles so that gkeadm can create and manage service accounts for you:
resourcemanager.projectIamAdmin
serviceusage.serviceUsageAdmin
iam.serviceAccountCreator
iam.serviceAccountKeyAdmin
To grant roles, you must have certain permissions on your Google Cloud project. For details, see Granting, changing, and revoking access to resources.
If you have the required permissions, you can grant the roles yourself. Otherwise, someone else in your organization must grant the roles for you.
To grant the roles:
Linux and macOS
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/resourcemanager.projectIamAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/serviceusage.serviceUsageAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/iam.serviceAccountKeyAdmin"
Windows
gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/resourcemanager.projectIamAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/serviceusage.serviceUsageAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/iam.serviceAccountKeyAdmin"
Replace the following:
PROJECT_ID: the value of your SDK project property
ACCOUNT: the value of your SDK account property
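The following is an added example, not part of the original quickstart or of Google's tooling. It checks that a project has every service listed above enabled and that the SDK account holds the four roles, and it reports any roles the account holds beyond those four. The function names missing_from and audit_project are hypothetical, and the sample listing at the end is constructed.

```shell
#!/bin/sh
# Added example: audit a project against the services and roles this
# quickstart requires. Helper names are hypothetical.

REQUIRED_SERVICES="anthos.googleapis.com anthosgke.googleapis.com
anthosaudit.googleapis.com cloudresourcemanager.googleapis.com
container.googleapis.com gkeconnect.googleapis.com gkehub.googleapis.com
serviceusage.googleapis.com stackdriver.googleapis.com
opsconfigmonitoring.googleapis.com monitoring.googleapis.com
logging.googleapis.com"

REQUIRED_ROLES="roles/resourcemanager.projectIamAdmin
roles/serviceusage.serviceUsageAdmin
roles/iam.serviceAccountCreator
roles/iam.serviceAccountKeyAdmin"

# missing_from WANT HAVE: print every whitespace-separated item of WANT that
# is not an exact, whole-line match in HAVE (one item per line).
missing_from() {
  for item in $1; do
    printf '%s\n' "$2" | grep -Fxq -- "$item" || printf '%s\n' "$item"
  done
}

# audit_project PROJECT_ID ACCOUNT: returns 0 when nothing is missing,
# 1 when a service or role is missing, 2 when gcloud itself fails.
audit_project() {
  services=$(gcloud services list --enabled --project="$1" \
    --format='value(config.name)') || return 2
  roles=$(gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:user:$2" \
    --format='value(bindings.role)') || return 2
  gaps=$(missing_from "$REQUIRED_SERVICES" "$services"
         missing_from "$REQUIRED_ROLES" "$roles")
  # Roles held beyond the four above are reported for least-privilege review.
  extra=$(missing_from "$roles" "$REQUIRED_ROLES")
  [ -n "$extra" ] && printf 'beyond quickstart: %s\n' $extra >&2
  [ -z "$gaps" ] && return 0
  printf 'missing: %s\n' $gaps >&2
  return 1
}

# Constructed sample: an enabled-services listing that lacks one service.
sample=$(printf '%s\n' $REQUIRED_SERVICES | grep -v '^opsconfigmonitoring')
missing_from "$REQUIRED_SERVICES" "$sample"
```

Against a real project, run audit_project PROJECT_ID ACCOUNT with the same values used in the commands above.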
What's next
Create a service account (quickstart)