Google Cloud project (quickstart)

This document shows how to set up a Google Cloud project and grant roles to a Google Account.

The instructions here are part of a quickstart. For full instructions on using Cloud projects with Anthos clusters on VMware (GKE on-prem), see Using multiple Cloud projects.

Before you begin

Read the Anthos clusters on VMware overview.

Install the Google Cloud CLI.

Choose or create a Cloud project

An Anthos cluster on VMware must be associated with one or more Cloud projects. This quickstart uses only one Cloud project. You can use an existing Cloud project or you can create a new Cloud project. Make a note of your project ID.

Enable services in your Cloud project

Your Cloud project must have the following services enabled:

anthos.googleapis.com
anthosgke.googleapis.com
anthosaudit.googleapis.com
cloudresourcemanager.googleapis.com
container.googleapis.com
gkeconnect.googleapis.com
gkehub.googleapis.com
serviceusage.googleapis.com
stackdriver.googleapis.com
opsconfigmonitoring.googleapis.com
monitoring.googleapis.com
logging.googleapis.com

To enable services in a project, you must have certain permissions on your Cloud project. For details, see the required permissions for services.enable in Access control.

If you have the required permissions, you can enable the services yourself. Otherwise, someone else in your organization must enable the services for you.

To enable the required services:

Linux and macOS

gcloud services enable --project=PROJECT_ID \
    anthos.googleapis.com \
    anthosgke.googleapis.com \
    anthosaudit.googleapis.com \
    cloudresourcemanager.googleapis.com \
    container.googleapis.com \
    gkeconnect.googleapis.com \
    gkehub.googleapis.com \
    serviceusage.googleapis.com \
    stackdriver.googleapis.com \
    opsconfigmonitoring.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com

Windows

gcloud services enable --project=PROJECT_ID ^
    anthos.googleapis.com ^
    anthosgke.googleapis.com ^
    anthosaudit.googleapis.com ^
    cloudresourcemanager.googleapis.com ^
    container.googleapis.com ^
    gkeconnect.googleapis.com ^
    gkehub.googleapis.com ^
    serviceusage.googleapis.com ^
    stackdriver.googleapis.com ^
    opsconfigmonitoring.googleapis.com ^
    monitoring.googleapis.com ^
    logging.googleapis.com

Enabling anthos.googleapis.com might incur charges. See the Pricing guide for details.

Log in

The gkeadm command-line tool uses your SDK account property to create service accounts, so you must set your SDK account property before you run gkeadm to create an admin workstation.

Log in with any Google Account. This sets your SDK account property:

gcloud auth login

Verify that your SDK account property is set correctly:

gcloud config list

The output shows the values of your SDK account property. For example:

[core]
account = my-name@google.com
disable_usage_reporting = False
Your active configuration is: [default]

Grant roles to your SDK account

The Google Account that is set as your SDK account property must have these IAM roles so that gkeadm can create and manage service accounts for you:

  • resourcemanager.projectIamAdmin
  • serviceusage.serviceUsageAdmin
  • iam.serviceAccountCreator
  • iam.serviceAccountKeyAdmin

To grant roles, you must have certain permissions on your Cloud project. For details, see Granting, changing, and revoking access to resources.

If you have the required permissions, you can grant the roles yourself. Otherwise, someone else in your organization must grant the roles for you.

To grant the roles:

Linux and macOS

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/resourcemanager.projectIamAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/serviceusage.serviceUsageAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:ACCOUNT" \
    --role="roles/iam.serviceAccountKeyAdmin"

Windows

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/resourcemanager.projectIamAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/serviceusage.serviceUsageAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/iam.serviceAccountCreator"

gcloud projects add-iam-policy-binding PROJECT_ID ^
    --member="user:ACCOUNT" ^
    --role="roles/iam.serviceAccountKeyAdmin"

Replace the following:

  • PROJECT_ID: the ID of your Cloud project
  • ACCOUNT: the value of your SDK account property
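
One way to confirm that both steps above took effect, as an added example that is not part of the original documentation: the script compares the enabled services, and the roles bound to the SDK account, against the lists on this page. The helper names (missing_from, check_project) and the sample data are assumptions made for illustration; check_project calls gcloud and needs network access, so the sample at the bottom does not run it.

```shell
#!/bin/sh
# Added example (not from the original page): report which required services
# and IAM roles from this quickstart are still missing.

REQUIRED_SERVICES="anthos.googleapis.com anthosgke.googleapis.com
anthosaudit.googleapis.com cloudresourcemanager.googleapis.com
container.googleapis.com gkeconnect.googleapis.com gkehub.googleapis.com
serviceusage.googleapis.com stackdriver.googleapis.com
opsconfigmonitoring.googleapis.com monitoring.googleapis.com
logging.googleapis.com"

REQUIRED_ROLES="roles/resourcemanager.projectIamAdmin
roles/serviceusage.serviceUsageAdmin
roles/iam.serviceAccountCreator
roles/iam.serviceAccountKeyAdmin"

# missing_from REQUIRED ACTUAL (hypothetical helper): print every entry of
# REQUIRED (whitespace-separated) that is not an exact line of ACTUAL.
missing_from() {
    for item in $1; do
        printf '%s\n' "$2" | grep -Fxq -- "$item" || printf '%s\n' "$item"
    done
}

# check_project PROJECT_ID ACCOUNT (hypothetical helper): live check via gcloud.
# Only bindings in the project's own policy are listed; roles inherited from a
# folder or organization, or held through a group, do not appear.
check_project() (
    enabled=$(gcloud services list --enabled --project="$1" \
        --format="value(config.name)") || exit 2
    roles=$(gcloud projects get-iam-policy "$1" \
        --flatten="bindings[].members" \
        --filter="bindings.members:user:$2" \
        --format="value(bindings.role)") || exit 2
    missing_from "$REQUIRED_SERVICES" "$enabled"
    missing_from "$REQUIRED_ROLES" "$roles"
)

# Constructed sample data: one service not enabled, one role not granted,
# plus unrelated entries that the check ignores.
SAMPLE_ENABLED="$(printf '%s\n' $REQUIRED_SERVICES | grep -Fv opsconfigmonitoring)
compute.googleapis.com"
SAMPLE_ROLES="roles/viewer
roles/resourcemanager.projectIamAdmin
roles/serviceusage.serviceUsageAdmin
roles/iam.serviceAccountCreator"

echo "Missing services:"; missing_from "$REQUIRED_SERVICES" "$SAMPLE_ENABLED"
echo "Missing roles:";    missing_from "$REQUIRED_ROLES" "$SAMPLE_ROLES"
```

Against a real project, run check_project PROJECT_ID ACCOUNT; no output means every required service and role is present in the project's own policy.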

What's next

Create a service account (quickstart)