
Getting started with gRPC on Kubernetes

This tutorial shows you how to deploy a simple example gRPC service with the Extensible Service Proxy (ESP) to a Kubernetes cluster that isn't running on Google Cloud Platform (GCP). The tutorial uses the Python version of the bookstore-grpc sample. See the What's next section for gRPC samples in other languages.

The tutorial uses prebuilt container images of the sample code and ESP, which are stored in Container Registry. If you are unfamiliar with containers, see the following for more information:

For an overview of Cloud Endpoints, see About Endpoints and Endpoints architecture.


Use the following high-level task list as you work through the tutorial. All tasks are required to successfully send requests to the API.

  1. Set up a GCP project, and download the required software. See Before you begin.
  2. Copy and configure files from the bookstore-grpc sample. See Configuring Cloud Endpoints.
  3. Deploy the Endpoints configuration to create an Endpoints service. See Deploying the Endpoints configuration.
  4. Create credentials for your Endpoints service. See Creating credentials for your service.
  5. Create a backend to serve the API and deploy the API. See Deploying the API backend.
  6. Get the service's external IP address. See Getting the service's external IP address.
  7. Send a request to the API. See Sending a request to the API.
  8. Avoid incurring charges to your GCP account. See Cleaning up.


This tutorial uses the following billable components of Google Cloud Platform:

You can use the pricing calculator to generate a cost estimate based on your projected usage. New GCP users might be eligible for a free trial.

When you finish this tutorial, you can avoid continued billing by deleting the resources you created. See Cleaning up for more detail.

Before you begin

This tutorial assumes that you already have Minikube or a Kubernetes cluster set up. For more information, see the Kubernetes documentation.

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. Select or create a Google Cloud Platform project.

    Go to the Manage resources page

  3. Make sure that billing is enabled for your Google Cloud Platform project.

    Learn how to enable billing

  4. Make a note of the GCP project ID because it's needed later.
  5. Install and initialize the Cloud SDK.
  6. Update the Cloud SDK and install the Endpoints components.
    gcloud components update
  7. Make sure that the Cloud SDK (gcloud) is authorized to access your data and services on GCP:
    gcloud auth login
    In the new tab that opens, select an account.
  8. Set the default project to your project ID:
    gcloud config set project YOUR_PROJECT_ID

    Replace YOUR_PROJECT_ID with your GCP project ID.

    If you have other GCP projects, and you want to use gcloud to manage them, see Managing Cloud SDK configurations.

  9. Install kubectl:
    gcloud components install kubectl
  10. Acquire new user credentials to use for Application Default Credentials. The user credentials are needed to authorize kubectl.
    gcloud auth application-default login
  11. In the new browser tab that opens, choose an account.
  12. Follow the steps in the gRPC Python Quickstart to install gRPC and the gRPC tools.

Configuring Endpoints

The bookstore-grpc sample contains the files that you need to copy locally and configure.

  1. Create a self-contained protobuf descriptor file from your service .proto file:
    1. Save a copy of bookstore.proto from the example repository. This file defines the Bookstore service's API.
    2. Create the following directory: mkdir generated_pb2
    3. Create the descriptor file, api_descriptor.pb, by using the protoc protocol buffers compiler. Run the following command in the directory where you saved bookstore.proto:
      python -m grpc_tools.protoc \
          --include_imports \
          --include_source_info \
          --proto_path=. \
          --descriptor_set_out=api_descriptor.pb \
          --python_out=generated_pb2 \
          --grpc_python_out=generated_pb2 \
          bookstore.proto

      In the preceding command, --proto_path is set to the current working directory. In your gRPC build environment, if you use a different directory for .proto input files, change --proto_path so the compiler searches the directory where you saved bookstore.proto.

  2. Create a gRPC API configuration YAML file:
    1. Save a copy of the api_config.yaml file. This file defines the gRPC API configuration for the Bookstore service.
    2. Replace <MY_PROJECT_ID> in your api_config.yaml file with your GCP project ID. For example:
      # Name of the service configuration.
      name: bookstore.endpoints.example-project-12345.cloud.goog

      Note that the apis.name field value in this file exactly matches the fully-qualified API name from the .proto file; otherwise deployment won't work. The Bookstore service is defined in bookstore.proto inside package endpoints.examples.bookstore. Its fully-qualified API name is endpoints.examples.bookstore.Bookstore, just as it appears in the api_config.yaml file.

        - name: endpoints.examples.bookstore.Bookstore

See Configuring Endpoints for more information.
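Because a mismatch between apis.name and the .proto file only surfaces when the deployment fails, the comparison can be run locally first. The following is an added example, not part of the bookstore-grpc sample; the function names are hypothetical, the two inputs are constructed stand-ins for bookstore.proto and api_config.yaml, and the parsers handle only the simple layouts shown.

```python
import re

def proto_service_names(proto_text):
    """Return the fully-qualified names (package.Service) declared in a .proto file."""
    # Drop // and /* */ comments so commented-out declarations are ignored.
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", proto_text, flags=re.S)
    pkg = re.search(r"^\s*package\s+([\w.]+)\s*;", text, flags=re.M)
    prefix = pkg.group(1) + "." if pkg else ""
    return {prefix + name for name in re.findall(r"^\s*service\s+(\w+)", text, flags=re.M)}

def config_api_names(config_text):
    """Return the names listed under the top-level apis: key of api_config.yaml."""
    names, in_apis = set(), False
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line[0] not in " -":            # a new top-level key starts here
            in_apis = line.startswith("apis:")
        elif in_apis:
            m = re.match(r"\s*-\s*name:\s*(\S+)", line)
            if m:
                names.add(m.group(1).strip("'\""))
    return names

def mismatched_apis(proto_text, config_text):
    """Names in api_config.yaml that match no service declared in the .proto file."""
    return sorted(config_api_names(config_text) - proto_service_names(proto_text))

# Constructed stand-ins for the real files.
SAMPLE_PROTO = """
syntax = "proto3";
package endpoints.examples.bookstore;
/* service Legacy {} */
service Bookstore {}
"""
SAMPLE_CONFIG = """
name: bookstore.endpoints.example-project-12345.cloud.goog
apis:
  - name: endpoints.examples.bookstore.Bookstore
"""

if __name__ == "__main__":
    print("mismatched:", mismatched_apis(SAMPLE_PROTO, SAMPLE_CONFIG))
```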

Deploying the Endpoints configuration

To deploy the Endpoints configuration, you use the gcloud endpoints services deploy command. This command uses Service Infrastructure, Google's foundational services platform, used by Endpoints and other services to create and manage APIs and services.

Checking required services

At a minimum, Endpoints and ESP require the following services:
Name                                Title
servicemanagement.googleapis.com    Service Management API
servicecontrol.googleapis.com       Service Control API
endpoints.googleapis.com            Google Cloud Endpoints

In most cases, the gcloud endpoints services deploy command enables these required services. However, the gcloud command completes successfully but doesn't enable the required services in the following circumstances:

  • You used a third-party application such as Terraform, and you didn't include these services.

  • You deployed the Endpoints configuration to an existing GCP project in which these services were explicitly disabled.

To confirm that the required services are enabled:

gcloud services list

If you don't see the required services listed, enable them:

gcloud services enable SERVICE_NAME

Replace SERVICE_NAME with the name of the service to enable.

For more information about the gcloud commands, see gcloud services.

  1. Make sure you are in the directory where the api_descriptor.pb and api_config.yaml files are located.
  2. Confirm that the default project that the gcloud command-line tool is currently using is the GCP project that you want to deploy the Endpoints configuration to. Validate the project ID returned from the following command to make sure that the service doesn't get created in the wrong project.
    gcloud config list project

    If you need to change the default project, run the following command:

    gcloud config set project YOUR_PROJECT_ID
  3. Deploy the proto descriptor file and the configuration file by using the gcloud command-line tool:
    gcloud endpoints services deploy api_descriptor.pb api_config.yaml

    As it is creating and configuring the service, Service Management outputs information to the terminal. When it finishes configuring the service, Service Management outputs the service configuration ID and the service name, similar to the following:

    Service Configuration [2017-02-13r0] uploaded for service [bookstore.endpoints.example-project.cloud.goog]

    In the previous example, 2017-02-13r0 is the service configuration ID and bookstore.endpoints.example-project.cloud.goog is the service name. The service configuration ID consists of a date stamp followed by a revision number. If you deploy the Endpoints configuration again on the same day, the revision number is incremented in the service configuration ID.

If you get an error message, see Troubleshooting Endpoints configuration deployment.

See Deploying the Endpoints configuration for additional information.

Creating credentials for your service

To provide management for your API, ESP requires the services in Service Infrastructure. To call these services, ESP must use access tokens. When you deploy ESP to GCP environments, such as GKE or Compute Engine, ESP obtains access tokens for you through the GCP metadata service.

When you deploy ESP to a non-GCP environment, such as your local desktop, an on-premises Kubernetes cluster, or another cloud provider, you must provide ESP with a service account JSON file that contains a private key. ESP uses the service account to generate access tokens to call the services that it needs to manage your API.

You can use either the GCP Console or the gcloud command-line tool to create the service account and private key file and to assign the service account the following roles:


  1. In the GCP Console, open the Service Accounts page.

    Go to the Service Accounts page

  2. Click Select a project.
  3. Select the project that your API was created in and click Open.
  4. Click + Create Service Account.
  5. In the Service account name field, enter the name for your service account.
  6. Click Create.
  7. Click Select a role and select Service Management > Service Controller.
  8. Click + Add another role.
  9. Click Select a role and select Cloud Trace > Cloud Trace Agent.
  10. Click Continue.
  11. Click + Create key.
  12. In the right-side panel, for the Key type, use the default type, JSON.
  13. Click Create.
  14. In the dialog, click Close.
  15. Click Done.

This creates the service account and downloads its private key to a JSON file.


  1. Enter the following to display the project IDs for your GCP projects:

    gcloud projects list
  2. Replace PROJECT_ID in the following command to set the default project to the one that your API is in:

    gcloud config set project PROJECT_ID
  3. Make sure that the Cloud SDK (gcloud) is authorized to access your data and services on GCP:

    gcloud auth login

    If you have more than one account, make sure to choose the account that is in the GCP project that the API is in. If you run gcloud auth list, the account that you selected is shown as the active account for the project.

  4. To create a service account, run the following command and replace SERVICE_ACCOUNT_NAME and My Service Account with the name and display name that you want to use:

    gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
      --display-name "My Service Account"

    The command assigns an email address for the service account in the following format:

    SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

    This email address is required in the subsequent commands.

  5. Create a service account key file:

    gcloud iam service-accounts keys create ~/service-account-creds.json \
      --iam-account SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
  6. Add the Service Controller role:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
        --role roles/servicemanagement.serviceController
  7. Add the Cloud Trace Agent role to enable Stackdriver Trace:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
        --role roles/cloudtrace.agent

See gcloud iam service-accounts for more information about the commands.
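The key file created above works from anywhere, so the service account behind it should hold only the two roles this tutorial assigns. The following added example (not part of the original tutorial) audits the JSON printed by gcloud projects get-iam-policy PROJECT_ID --format=json; the function name, the esp-sa account name, and the sample policy are constructed for illustration.

```python
import json

# Roles this tutorial grants to the ESP service account.
EXPECTED_ROLES = {
    "roles/servicemanagement.serviceController",
    "roles/cloudtrace.agent",
}

def audit_service_account(policy, sa_email):
    """Compare the project-level roles bound to sa_email with EXPECTED_ROLES.

    policy is the parsed output of `gcloud projects get-iam-policy ... --format=json`.
    Returns (missing, extra) as sorted lists of role names.
    """
    member = "serviceAccount:" + sa_email
    granted = {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }
    return sorted(EXPECTED_ROLES - granted), sorted(granted - EXPECTED_ROLES)

# Constructed sample: the account was given roles/editor and never got the trace role.
SA_EMAIL = "esp-sa@example-project-12345.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/servicemanagement.serviceController",
     "members": ["serviceAccount:esp-sa@example-project-12345.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:dev@example.com",
                 "serviceAccount:esp-sa@example-project-12345.iam.gserviceaccount.com"]},
    {"role": "roles/cloudtrace.agent",
     "members": ["user:dev@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    missing, extra = audit_service_account(SAMPLE_POLICY, SA_EMAIL)
    print("missing roles:", missing)   # ESP cannot report traces without these
    print("extra roles:", extra)       # wider than ESP needs if the key leaks
```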

Deploying the API backend

So far you have deployed the service configuration to Service Management, but you have not yet deployed the code that serves the API backend. This section walks you through deploying prebuilt containers for the sample API and ESP to Kubernetes.

Providing ESP with the service credentials

ESP, which runs inside a container, needs access to the credentials stored locally in the service-account-creds.json file. To provide ESP with access to the credentials, you create a Kubernetes secret and mount the Kubernetes secret as a Kubernetes volume.

To create the Kubernetes secret and mount the volume:

  1. If you used the GCP Console to create the service account, rename the JSON file to service-account-creds.json. Move it to the same directory where the api_descriptor.pb and api_config.yaml files are located.

  2. Create a Kubernetes secret with the service account credentials:

    kubectl create secret generic service-account-creds \
      --from-file=service-account-creds.json

    On success, you see the message, secret "service-account-creds" created.

The deployment manifest file that you use to deploy the API and ESP to Kubernetes already contains the secret volume, as shown in the following two sections of the file:

  volumes:
    - name: service-account-creds
      secret:
        secretName: service-account-creds

  volumeMounts:
    - mountPath: /etc/nginx/creds
      name: service-account-creds
      readOnly: true

Configuring the service name and starting the service

ESP needs to know the name of your service to find the configuration that you deployed previously by using the gcloud endpoints services deploy command.

To configure the service name and start the service:

  1. Save a copy of the deployment manifest file, k8s-grpc-bookstore.yaml, to the same directory as service-account-creds.json.

  2. Open k8s-grpc-bookstore.yaml and replace SERVICE_NAME with the name of your Endpoints service. This is the same name that you configured in the name field of the api_config.yaml file.

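      - name: esp
        image: gcr.io/endpoints-release/endpoints-runtime:1
        args: [
          "--service=SERVICE_NAME",
          "--rollout_strategy=managed"
        ]  # the manifest's other ESP arguments are omitted here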

    The --rollout_strategy=managed option configures ESP to use the latest deployed service configuration. When you specify this option, within a minute after you deploy a new service configuration, ESP detects the change and automatically begins using it. We recommend that you specify this option instead of a specific configuration ID for ESP to use. For more details on the ESP arguments, see ESP startup options.

  3. Start the service to deploy the service on Kubernetes:

    kubectl create -f k8s-grpc-bookstore.yaml

    If you see an error message similar to the following:

    The connection to the server localhost:8080 was refused - did you specify the right host or port?

    This indicates that kubectl isn't properly configured. See Configure kubectl for more information.

Getting the service's external IP address

You need the service's external IP address to send requests to the sample API. It can take a few minutes after you start your service in the container before the external IP address is ready.

  1. View the external IP address:

    kubectl get service
  2. Make a note of the value for EXTERNAL-IP and save it in a SERVER_IP environment variable, because it is used when sending requests to the sample API.


Sending a request to the API

To send requests to the sample API, you can use a sample gRPC client written in Python.

  1. Clone the git repo where the gRPC client code is hosted:

    git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
  2. Change your working directory:

    cd python-docs-samples/endpoints/bookstore-grpc/
  3. Install dependencies:

    pip install virtualenv
    virtualenv env
    source env/bin/activate
    python -m pip install -r requirements.txt
  4. Send a request to the sample API:

    python bookstore_client.py --host $SERVER_IP --port 80

If you don't get a successful response, see Troubleshooting response errors.

You just deployed and tested an API in Endpoints!

Cleaning up

To avoid incurring charges to your Google Cloud Platform account for the resources used in this tutorial:

  1. Delete the API:

    gcloud endpoints services delete SERVICE_NAME

    Replace SERVICE_NAME with the name of your API.

What's next
