This tutorial shows you how to deploy a simple example gRPC
service with the
Extensible Service Proxy V2
(ESPv2) on Google Kubernetes Engine
(GKE). This tutorial
uses the Python version of the
sample. See the
What's next section for gRPC samples in other
The tutorial uses prebuilt container images of the sample code and ESPv2, which are stored in Container Registry. If you are unfamiliar with containers, see the following for more information:
Use the following high-level task list as you work through the tutorial. All tasks are required to successfully send requests to the API.
- Set up a Google Cloud project, and download the required software. See Before you begin.
- Copy and configure files from the
bookstore-grpcsample. See Configuring Endpoints.
- Deploy the Endpoints configuration to create a Endpoints service. See Deploying the Endpoints configuration.
- Create a backend to serve the API and deploy the API. See Deploying the API backend.
- Get the service's external IP address. See Getting the service's external IP address.
- Send a request to the API. See Sending a request to the API.
- Avoid incurring charges to your Google Cloud account. See Clean up.
This tutorial uses the following billable components of Google Cloud:
When you finish this tutorial, you can avoid continued billing by deleting the resources you created. For more information, see Cleaning up.
Before you begin
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Make a note of the Google Cloud project ID because it is needed later.
- Install and initialize the Cloud SDK.
- Update the Cloud SDK and install the Endpoints
gcloud components update
- Make sure that the Cloud SDK (
gcloud) is authorized to access your data and services on Google Cloud:
gcloud auth loginA new browser tab opens and you are prompted to choose an account.
- Set the default project to your project ID.
gcloud config set project YOUR_PROJECT_ID
Replace YOUR_PROJECT_ID with your project ID.
If you have other Google Cloud projects, and you want to use
gcloudto manage them, see Managing Cloud SDK configurations.
gcloud components install kubectl
- Acquire new user credentials to use as the application's default
credentials. The user credentials are needed to authorize
gcloud auth application-default loginIn the new browser tab that opens, choose an account.
- Follow the steps in the gRPC Python quickstart to install gRPC and the gRPC tools.
sample contains the files that you need to copy locally and configure.
- Create a self-contained protobuf descriptor file from your service
- Save a copy of
bookstore.protofrom the example repository. This file defines the Bookstore service's API.
- Create the following directory:
- Create the descriptor file,
api_descriptor.pb, by using the
protocprotocol buffers compiler. Run the following command in the directory where you saved
python -m grpc_tools.protoc \ --include_imports \ --include_source_info \ --proto_path=. \ --descriptor_set_out=api_descriptor.pb \ --python_out=generated_pb2 \ --grpc_python_out=generated_pb2 \ bookstore.proto
In the preceding command,
--proto_pathis set to the current working directory. In your gRPC build environment, if you use a different directory for
.protoinput files, change
--proto_pathso the compiler searches the directory where you saved
- Save a copy of
- Create a gRPC API configuration YAML file:
- Save a copy of the
api_config.yamlfile. This file defines the gRPC API configuration for the Bookstore service.
- Replace MY_PROJECT_ID in your
api_config.yamlfile with your Google Cloud project ID. For example:
# # Name of the service configuration. # name: bookstore.endpoints.example-project-12345.cloud.goog
Note that the
apis.namefield value in this file exactly matches the fully-qualified API name from the
.protofile; otherwise deployment won't work. The Bookstore service is defined in
endpoints.examples.bookstore. Its fully-qualified API name is
endpoints.examples.bookstore.Bookstore, just as it appears in the
apis: - name: endpoints.examples.bookstore.Bookstore
- Save a copy of the
See Configuring Endpoints for more information.
Deploying the Endpoints configuration
- Make sure you are in the directory where the
api_config.yamlfiles are located.
- Confirm that the default project that the
gcloudcommand-line tool is currently using is the Google Cloud project that you want to deploy the Endpoints configuration to. Validate the project ID returned from the following command to make sure that the service doesn't get created in the wrong project.
gcloud config list project
If you need to change the default project, run the following command:
gcloud config set project YOUR_PROJECT_ID
- Deploy the
proto descriptorfile and the configuration file by using the
gcloud endpoints services deploy api_descriptor.pb api_config.yaml
As it is creating and configuring the service, Service Management outputs information to the terminal. When the deployment completes, a message similar to the following is displayed:
Service Configuration [CONFIG_ID] uploaded for service [bookstore.endpoints.example-project.cloud.goog]
CONFIG_ID is the unique Endpoints service configuration ID created by the deployment. For example:
Service Configuration [2017-02-13r0] uploaded for service [bookstore.endpoints.example-project.cloud.goog]
In the previous example,
2017-02-13r0is the service configuration ID and
bookstore.endpoints.example-project.cloud.googis the service name. The service configuration ID consists of a date stamp followed by a revision number. If you deploy the Endpoints configuration again on the same day, the revision number is incremented in the service configuration ID.
Checking required servicesAt a minimum, Endpoints and ESP require the following Google services to be enabled:
||Service Management API|
||Service Control API|
||Google Cloud Endpoints|
In most cases, the
gcloud endpoints services deploy command enables these
required services. However, the
gcloud command completes successfully but
doesn't enable the required services in the following circumstances:
If you used a third-party application such as Terraform, and you don't include these services.
You deployed the Endpoints configuration to an existing Google Cloud project in which these services were explicitly disabled.
Use the following command to confirm that the required services are enabled:
gcloud services list
If you do not see the required services listed, enable them:
gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com
gcloud services enable endpoints.googleapis.com
Also enable your Endpoints service:
gcloud services enable ENDPOINTS_SERVICE_NAME
To determine the ENDPOINTS_SERVICE_NAME you can either:
After deploying the Endpoints configuration, go to the Endpoints page in the Cloud Console. The list of possible ENDPOINTS_SERVICE_NAME are shown under the Service name column.
For OpenAPI, the ENDPOINTS_SERVICE_NAME is what you specified in the
hostfield of your OpenAPI spec. For gRPC, the ENDPOINTS_SERVICE_NAME is what you specified in the
namefield of your gRPC Endpoints configuration.
For more information about the
gcloud commands, see
If you get an error message, see Troubleshooting Endpoints configuration deployment.
See Deploying the Endpoints configuration for additional information.
Deploying the API backend
So far you have deployed the service configuration to Service Management, but you haven't yet deployed the code that serves the API backend. This section walks you through creating a GKE cluster to host the API backend and deploying the API.
Creating a container cluster
To create a container cluster for our example:
- In the Google Cloud Console, go to the Kubernetes clusters page.
- Click Create cluster.
- Accept the default settings and click Create. Make a note of the cluster name and zone, as they are needed later in this tutorial.
kubectl to the container cluster
kubectl to create and manager cluster resources, you need to get
cluster credentials and make them available to
kubectl. To do this, run the
following command, replacing NAME with your new cluster
name and ZONE with its cluster zone.
gcloud container clusters get-credentials NAME --zone ZONE
Checking required permissions
Please follow this permission recommendation to choose a proper node service account as the identity to talk to Google services. ESP and ESPv2 need to talk to Google ServiceController and Stackdriver, additional IAM roles are required for the node service account running ESP and ESPv2.
If the node service account is not the Compute Engine default service account, follow next step to add the required IAM roles:
Add required IAM roles:
The following IAM roles are required for the service account used for ESP and ESPv2.
To add the Service Controller and Cloud Trace Agent IAM roles to the service account:
- In the Cloud Console, select the project where your service account was created.
- Open the IAM/Iam page
- Select your service account and click on Edit pin at the right.
- An Edit Permissions panel will open.
- Click + Add another role.
- Click Select a role and select Service Management > Service Controller.
- Click + Add another role.
- Click Select a role and select Cloud Trace > Cloud Trace Agent.
- Click Save.
- You should now see the Service Controller and Cloud Trace Agent roles in the role column for your service account on the IAM page.
Add the Service Controller role:
gcloud projects add-iam-policy-binding PROJECT_ID \ --member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \ --role roles/servicemanagement.serviceController
Add the Cloud Trace Agent role to enable Cloud Trace:
gcloud projects add-iam-policy-binding PROJECT_ID \ --member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \ --role roles/cloudtrace.agent
For more information, see What are roles and permissions?
If Workload Identity is used, a separate service account other than the node service account can be used to talk to Google services. You can create a Kubernetes service account for the pod to run ESP and ESPv2, create a Google service account and associate the Kubernetes service account to the Google service account.
Follow these steps to associate a Kubernetes service account with a Google service account.
The Google service account should have above required IAM roles. If not, follow the add required IAM roles step to add them.
Deploying the sample API and ESPv2 to the cluster
To deploy the sample gRPC service to the cluster so that clients can use it:
git clonethis repo and open to edit the grpc-bookstore.yaml deployment manifest file.
- Replace SERVICE_NAME with the name of your
This is the same name that you configured in the
namefield in the
spec: containers: - name: esp image: gcr.io/endpoints-release/endpoints-runtime:2 args: [ "--listener_port=9000", "--service=SERVICE_NAME", "--rollout_strategy=managed", "--backend=grpc://127.0.0.1:8000" ] ports: - containerPort: 9000 - name: bookstore image: gcr.io/endpointsv2/python-grpc-bookstore-server:1 ports: - containerPort: 8000
--rollout_strategy=managedoption configures ESPv2 to use the latest deployed service configuration. When you specify this option, within a minute after you deploy a new service configuration, ESPv2 detects the change and automatically begins using it. We recommend that you specify this option instead of providing a specific configuration ID for ESPv2 to use. For more details on the ESPv2 arguments, see ESPv2 startup options.
spec: containers: - name: esp image: gcr.io/endpoints-release/endpoints-runtime:2 args: [ "--listener_port=9000", "--service=bookstore.endpoints.example-project-12345.cloud.goog", "--rollout_strategy=managed", "--backend=grpc://127.0.0.1:8000" ]
- Start the service:
kubectl create -f grpc-bookstore.yaml
If you get an error message, see Troubleshooting Endpoints in GKE.
Getting the service's external IP address
You need the service's external IP address to send requests to the sample API. It can take a few minutes after you start your service in the container before the external IP address is ready.
View the external IP address:
kubectl get service
Make a note of the value for
EXTERNAL-IPand save it in a SERVER_IP environment variable. The external IP address is used to send requests to the sample API.
Sending a request to the API
To send requests to the sample API, you can use a sample gRPC client written in Python.
Clone the git repo where the gRPC client code is hosted:
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
Change your working directory:
pip install virtualenv
python -m pip install -r requirements.txt
Send a request to the sample API:
python bookstore_client.py --host SERVER_IP --port 80
If you don't get a successful response, see Troubleshooting response errors.
You just deployed and tested an API in Endpoints!
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
Delete the API:
gcloud endpoints services delete SERVICE_NAME
Replace SERVICE_NAME with the name of your API.
Delete the GKE cluster:
gcloud container clusters delete NAME --zone ZONE