Google Cloud project (quickstart)

This document shows how to set up a Google Cloud project and grant roles to a Google Account.

The instructions here are part of a quickstart. For full instructions on using Google Cloud projects with Google Distributed Cloud, see Using multiple Google Cloud projects.

Before you begin

Read the Google Distributed Cloud overview.

Install Google Cloud CLI.

Choose or create a Google Cloud project

An GKE cluster on VMware must be associated with one or more Google Cloud projects. This quickstart uses only one Google Cloud project. You can use an existing Google Cloud project or you can create a new Google Cloud project. Make a note of your project ID.

Enable services in your Google Cloud project

Your Google Cloud project must have the following services enabled:

anthos.googleapis.com
anthosgke.googleapis.com
anthosaudit.googleapis.com
cloudresourcemanager.googleapis.com
container.googleapis.com
gkeconnect.googleapis.com
gkehub.googleapis.com
serviceusage.googleapis.com
stackdriver.googleapis.com
opsconfigmonitoring.googleapis.com
monitoring.googleapis.com
logging.googleapis.com

To enable services in a project, you must have certain permissions on your Google Cloud project. For details, see the required permissions for services.enable in Access control.

If you have the required permissions, you can enable the services yourself. Otherwise, someone else in your organization must enable the services for you.

To enable the required services:

Linux and macOS

gcloud services enable --project=PROJECT_ID \
    anthos.googleapis.com \
    anthosgke.googleapis.com \
    anthosaudit.googleapis.com \
    cloudresourcemanager.googleapis.com \
    container.googleapis.com \
    gkeconnect.googleapis.com \
    gkehub.googleapis.com \
    serviceusage.googleapis.com \
    stackdriver.googleapis.com \
    opsconfigmonitoring.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com

Windows

gcloud services enable --project=PROJECT_ID ^
    anthos.googleapis.com ^
    anthosgke.googleapis.com ^
    anthosaudit.googleapis.com ^
    cloudresourcemanager.googleapis.com ^
    container.googleapis.com ^
    gkeconnect.googleapis.com ^
    gkehub.googleapis.com ^
    serviceusage.googleapis.com ^
    stackdriver.googleapis.com ^
    monitoring.googleapis.com ^
    logging.googleapis.com

Enabling anthos.googleapis.com might incur charges. See the Pricing guide for details.

Log in and set SDK properties

The gkeadm command-line tool uses your SDK account and SDK project properties to create service accounts and to populate fields in your cluster configuration files. So it is important that you set these properties before you run gkeadm to create an admin workstation.

Log in with any Google Account. This sets your SDK account property:

gcloud auth login

Next, set your SDK project property:

gcloud config set project PROJECT_ID

Verify that your SDK account and project properties are set correctly:

gcloud config list

The output shows the values of your SDK account and SDK project properties. For example:

[core]
account = my-name@google.com
disable_usage_reporting = False
project = my-project-123
Your active configuration is: [default]

Grant roles to your SDK account

The Google Account that is set as your SDK account property must have these IAM roles so that gkeadm can create and manage service accounts for you:

  • resourcemanager.projectIamAdmin
  • serviceusage.serviceUsageAdmin
  • iam.serviceAccountCreator
  • iam.serviceAccountKeyAdmin

To grant roles, you must have certain permissions on your Google Cloud project. For details, see Granting, changing, and revoking access to resources.

If you have the required permissions, you can grant the roles yourself. Otherwise, someone else in your organization must grant the roles for you.

To grant the roles:

Linux and macOS

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/resourcemanager.projectIamAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/serviceusage.serviceUsageAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/iam.serviceAccountKeyAdmin"

Windows

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/resourcemanager.projectIamAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/serviceusage.serviceUsageAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/iam.serviceAccountKeyAdmin"

Replace the following:

  • PROJECT_ID: the value of your SDK project property
  • ACCOUNT: the value of your SDK account property.

What's next

Create a service account (quickstart)