gcloud workstations configs create

gcloud workstations configs create - create a workstation configuration
gcloud workstations configs create (CONFIG : --cluster=CLUSTER --region=REGION) [--allowed-ports=[ALLOWED_PORTS,…]] [--async] [--boot-disk-size=BOOT_DISK_SIZE; default=50] [--container-args=[CONTAINER_ARGS,…]] [--container-command=[CONTAINER_COMMAND,…]] [--container-env=[CONTAINER_ENV,…]] [--container-run-as-user=CONTAINER_RUN_AS_USER] [--container-working-dir=CONTAINER_WORKING_DIR] [--disable-public-ip-addresses] [--disable-ssh-to-vm] [--disable-tcp-connections] [--enable-audit-agent] [--enable-confidential-compute] [--enable-nested-virtualization] [--enable-ssh-to-vm] [--ephemeral-directory=[PROPERTY=VALUE,…]] [--idle-timeout=IDLE_TIMEOUT; default=7200] [--labels=[LABELS,…]] [--machine-type=MACHINE_TYPE; default="e2-standard-4"] [--max-usable-workstations-count=MAX_USABLE_WORKSTATIONS_COUNT] [--network-tags=[NETWORK_TAGS,…]] [--pd-disk-size=PD_DISK_SIZE; default=200] [--pd-disk-type=PD_DISK_TYPE; default="pd-standard"] [--pd-reclaim-policy=PD_RECLAIM_POLICY; default="delete"] [--pool-size=POOL_SIZE] [--replica-zones=[REPLICA_ZONES,…]] [--running-timeout=RUNNING_TIMEOUT; default=7200] [--service-account=SERVICE_ACCOUNT] [--service-account-scopes=[SERVICE_ACCOUNT_SCOPES,…]] [--shielded-integrity-monitoring] [--shielded-secure-boot] [--shielded-vtpm] [--vm-tags=[VM_TAGS,…]] [--accelerator-count=ACCELERATOR_COUNT : --accelerator-type=ACCELERATOR_TYPE] [--container-custom-image=CONTAINER_CUSTOM_IMAGE | --container-predefined-image=CONTAINER_PREDEFINED_IMAGE; default="codeoss"] [--kms-key=KMS_KEY : --kms-key-service-account=KMS_KEY_SERVICE_ACCOUNT] [GCLOUD_WIDE_FLAG]
Create a workstation configuration.

To create a configuration with the 'e2-standard-8' machine type and an IntelliJ image, run:

gcloud workstations configs create CONFIG --machine-type=e2-standard-8 --container-predefined-image=intellij

To create a configuration with a Shielded VM instance that enables Secure Boot, virtual trusted platform module (vTPM) and integrity monitoring, run:

gcloud workstations configs create CONFIG --machine-type=e2-standard-4 --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring

To create a configuration with a non-default persistent disk containing 10GB of PD SSD storage, run:

gcloud workstations configs create CONFIG --machine-type=e2-standard-4 --pd-disk-type=pd-ssd --pd-disk-size=10
Config resource - The group of arguments defining a config. The arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

  • provide the argument config on the command line with a fully specified name;
  • provide the argument --project on the command line;
  • set the property core/project.

This must be specified.

CONFIG
ID of the config or fully qualified identifier for the config.

To set the config attribute:

  • provide the argument config on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--cluster=CLUSTER
The cluster for the config.

To set the cluster attribute:

  • provide the argument config on the command line with a fully specified name;
  • provide the argument --cluster on the command line;
  • set the property workstations/cluster.
--region=REGION
The region for the config.

To set the region attribute:

  • provide the argument config on the command line with a fully specified name;
  • provide the argument --region on the command line;
  • set the property workstations/region.
--allowed-ports=[ALLOWED_PORTS,…]
A single port or a range of ports externally accessible in the workstation. If not specified, defaults to ports 22, 80 and ports 1024-65535.

To specify a single port, both first and last should be the same.

gcloud workstations configs create --allowed-ports=first=9000,last=9090
gcloud workstations configs create --allowed-ports=first=80,last=80

Sets allowed_ports value.

first
Required. Sets first value.
last
Required. Sets last value.
Shorthand Example:

JSON Example:

--allowed-ports='{"first": int, "last": int}'

File Example:

--async
Return immediately, without waiting for the operation in progress to complete.
--boot-disk-size=BOOT_DISK_SIZE; default=50
Size of the boot disk in GB.
--container-args=[CONTAINER_ARGS,…]
Arguments passed to the entrypoint.

gcloud workstations configs create --container-args=arg_1,arg_2
--container-command=[CONTAINER_COMMAND,…]
If set, overrides the default ENTRYPOINT specified by the image.

gcloud workstations configs create --container-command=executable,parameter_1,parameter_2
--container-env=[CONTAINER_ENV,…]
Environment variables passed to the container.

gcloud workstations configs create --container-env=key1=value1,key2=value2
--container-run-as-user=CONTAINER_RUN_AS_USER
If set, overrides the USER specified in the image with the given uid.
--container-working-dir=CONTAINER_WORKING_DIR
If set, overrides the default DIR specified by the image.
--disable-public-ip-addresses
Default value is false. If set, instances will have no public IP address.
--disable-ssh-to-vm
(DEPRECATED) Default value is False. If set, workstations disable SSH connections to the root VM.

The --disable-ssh-to-vm option is deprecated; use --enable-ssh-to-vm instead.

--disable-tcp-connections
Default value is false. If set, workstations don't allow plain TCP connections.
--enable-audit-agent
Whether to enable Linux auditd logging on the workstation. When enabled, a service account must also be specified that has logging.buckets.write permission on the project.
--enable-confidential-compute
Default value is false. If set, instances will have confidential compute enabled.
--enable-nested-virtualization
Default value is false. If set, instances will have nested virtualization enabled.
--enable-ssh-to-vm
Default value is False. If set, workstations enable SSH connections to the root VM.
--ephemeral-directory=[PROPERTY=VALUE,…]
Ephemeral directory which won't persist across workstation sessions.
--idle-timeout=IDLE_TIMEOUT; default=7200
How long (in seconds) to wait before automatically stopping an instance that hasn't received any user traffic. A value of 0 indicates that this instance should never time out due to idleness.
--labels=[LABELS,…]
Labels that are applied to the configuration and propagated to the underlying Compute Engine resources.

gcloud workstations configs create --labels=label1=value1,label2=value2
--machine-type=MACHINE_TYPE; default="e2-standard-4"
Machine type determines the specifications of the Compute Engine machines that the workstations created under this configuration will run on.
--max-usable-workstations-count=MAX_USABLE_WORKSTATIONS_COUNT
Maximum number of workstations under this configuration a user can have workstations.workstation.use permission on.

If not specified, defaults to 0, which indicates a user can have an unlimited number of workstations under this configuration.

--network-tags=[NETWORK_TAGS,…]
Network tags to add to the Google Compute Engine machines backing the Workstations.

gcloud workstations configs create --network-tags=tag_1,tag_2
--pd-disk-size=PD_DISK_SIZE; default=200
Size of the persistent directory in GB. PD_DISK_SIZE must be one of: 10, 50, 100, 200, 500, 1000.
--pd-disk-type=PD_DISK_TYPE; default="pd-standard"
Type of the persistent directory. PD_DISK_TYPE must be one of: pd-standard, pd-balanced, pd-ssd.
--pd-reclaim-policy=PD_RECLAIM_POLICY; default="delete"
What should happen to the disk after the Workstation is deleted. PD_RECLAIM_POLICY must be one of:
The persistent disk will be deleted with the Workstation.
The persistent disk will remain after the workstation is deleted and the administrator must manually delete the disk.
--pool-size=POOL_SIZE
Number of instances to pool for faster Workstation startup.
--replica-zones=[REPLICA_ZONES,…]
Specifies the zones the VM and disk resources will be replicated within the region. If set, exactly two zones within the workstation cluster's region must be specified.

gcloud workstations configs create --replica-zones=us-central1-a,us-central1-f
--running-timeout=RUNNING_TIMEOUT; default=7200
How long (in seconds) to wait before automatically stopping a workstation after it started. A value of 0 indicates that workstations using this config should never time out.
--service-account=SERVICE_ACCOUNT
Email address of the service account that will be used on VM instances used to support this config. This service account must have permission to pull the specified container image. If not set, VMs will run without a service account, in which case the image must be publicly accessible.
--service-account-scopes=[SERVICE_ACCOUNT_SCOPES,…]
Scopes to grant to the service_account. Various scopes are automatically added based on feature usage. When specified, users of workstations under this configuration must have iam.serviceAccounts.actAs on the service account.
--shielded-integrity-monitoring
Default value is false. If set, instances will have integrity monitoring enabled.
--shielded-secure-boot
Default value is false. If set, instances will have Secure Boot enabled.
--shielded-vtpm
Default value is false. If set, instances will have vTPM enabled.
--vm-tags=[VM_TAGS,…]
Resource manager tags to be bound to the instance. Tag keys and values have the same definition as https://cloud.google.com/resource-manager/docs/tags/tags-overview

gcloud workstations configs create --vm-tags=tagKeys/key1=tagValues/value1,tagKeys/key2=tagValues/value2
Accelerator settings
--accelerator-count=ACCELERATOR_COUNT
The number of accelerator cards exposed to the instance.

This flag argument must be specified if any of the other arguments in this group are specified.

--accelerator-type=ACCELERATOR_TYPE
The type of accelerator resource to attach to the instance, for example, "nvidia-tesla-p100".
At most one of these can be specified:
--container-custom-image=CONTAINER_CUSTOM_IMAGE
A Docker image for the workstation. This image must be accessible by the service account configured in this configuration (--service-account). If no service account is defined, this image must be public.
--container-predefined-image=CONTAINER_PREDEFINED_IMAGE; default="codeoss"
Code editor on base images. CONTAINER_PREDEFINED_IMAGE must be one of:
Base image - no IDE
Code OSS
Code OSS + CUDA toolkit
IntelliJ IDEA Ultimate
PyCharm Professional
Encryption key settings
--kms-key=KMS_KEY
The customer-managed encryption key to use for this config. If not specified, a Google-managed encryption key is used.

This flag argument must be specified if any of the other arguments in this group are specified.

--kms-key-service-account=KMS_KEY_SERVICE_ACCOUNT
The service account associated with the provided customer-managed encryption key.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

These variants are also available:
gcloud alpha workstations configs create
gcloud beta workstations configs create
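
An added example, not part of gcloud or its documentation: a POSIX shell linter that checks the arguments of a `gcloud workstations configs create` call against a hardening baseline derived from the flag defaults documented on this page. The baseline itself and the helper names (`has_flag`, `finding`, `audit_config`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of gcloud: lint the arguments of a
# `gcloud workstations configs create` call against a hardening baseline.
# The baseline is this example's assumption; flag behaviour is as documented here.

# has_flag NAME ARGS...: succeeds if --NAME or --NAME=VALUE is among ARGS.
has_flag() {
  _name=$1; shift
  for _a in "$@"; do
    case $_a in "--$_name" | "--$_name="*) return 0 ;; esac
  done
  return 1
}

# finding TEXT: print one finding and count it in $n.
finding() { printf '%s\n' "$1"; n=$((n + 1)); }

# audit_config ARGS...: prints findings, returns 0 only if there are none.
audit_config() {
  n=0
  for _f in disable-public-ip-addresses shielded-secure-boot shielded-vtpm \
            shielded-integrity-monitoring; do
    has_flag "$_f" "$@" || finding "missing --$_f (default is false)"
  done
  has_flag allowed-ports "$@" ||
    finding "no --allowed-ports: ports 22, 80 and 1024-65535 stay accessible"
  has_flag kms-key "$@" || finding "no --kms-key: Google-managed key is used"
  if has_flag enable-ssh-to-vm "$@"; then
    finding "--enable-ssh-to-vm: SSH to the root VM is enabled"
  fi
  for _a in "$@"; do
    case $_a in
      --idle-timeout=0 | --running-timeout=0) finding "$_a: never times out" ;;
    esac
  done
  if ! has_flag service-account "$@"; then
    if has_flag enable-audit-agent "$@"; then
      finding "--enable-audit-agent needs --service-account"
    fi
    if has_flag container-custom-image "$@"; then
      finding "--container-custom-image must be public without --service-account"
    fi
  fi
  [ "$n" -eq 0 ]
}

# Constructed sample: the page's Shielded VM example, other flags left at defaults.
audit_config CONFIG --machine-type=e2-standard-4 --shielded-secure-boot \
  --shielded-vtpm --shielded-integrity-monitoring || echo "findings: $n"
```

The sample call reports three findings: no --disable-public-ip-addresses, no --allowed-ports and no --kms-key.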