Create workstation clusters using a Shared VPC
To create workstation clusters using a Shared VPC, follow these steps.
Begin by retrieving or creating the management service account for the service. If you don't have a service account and need to create one, use the following command:
gcloud beta services identity create --service=workstations.googleapis.com \ --project=$PROJECT_IDReplace
$PROJECT_IDwith your project ID. You can find the project ID through the Google Cloud console by clicking on the project name in the Google Cloud menu bar and finding the ID in the Project name and ID dialog that opens.Grant the workstations management service account
roles/compute.networkUserrole on the Shared VPC's host project. Refer to the Note in the previous step to see the form of the management service account. To follow the principle of least privilege, use IAM conditions to apply this role on only the Shared VPC network and subnet. For example:resource.name == "projects/$SHARED_VPC_HOST_PROJECT/global/networks/$NETWORK" || resource.name == "projects/$SHARED_VPC_HOST_PROJECT/regions/$LOCATION/subnetworks/$SUBNETWORK"When you create your workstation cluster in the Google Cloud console, specify the Shared VPC network and subnetwork. This step is only possible if the subnet is shared with the user using the console. For more information, see Provision Shared VPC.
For general information about Shared VPC access, see Shared VPC.
When you create a workstation cluster, Cloud Workstations associates the cluster with a particular subnet and all workstations are placed in that subnet. To enable VPC Flow Logs, make sure that you turn on logging for that subnet. For more information, see Enable VPC Flow Logs for an existing subnet.
What's next
- Troubleshoot policy and access problems
- Configure VPC Service Controls and private clusters
- Enable VPC Flow Logs