Set up a host project (Legacy)

This document describes how to set up a host project in App Hub andcreate a multiple-projectboundary.

The host project is a legacy application setup model supported for existingApp Hub users. We recommend defining folder-level boundariesbysetting up an app-enabled folderfor new implementations. Folder-level boundaries provide access to thecomplete set of Application-centric Google Cloud features, such as Application Design Center andGemini Cloud Assist. For a comparison of key differences between theavailable models for application management, seeChoose your application setup model.

Overview of host and service projects

Ahost project is a Google Cloudproject to which you attach other projects that contain the services andworkloads you want to group as App Hub applications. The projects youattach to the host project are calledservice projects. The attachmentof the host project and service projects define a multiple-projectboundary.

A host project can manage its own resources directly by attaching to itself.However, for a single-project setup, we recommend usingthe single-project approach.

Important: The host and service project model in App Hub is distinct from the model used byShared VPC. You cannot use a Shared VPC host project and its attached service projects for App Hub. In App Hub, host and service projects are for logically grouping application components, not for sharing VPC networks.

Before you begin

Before you set up a Google Cloud project as a host project and attach serviceprojects to it, complete the following steps:

  1. Identify the Google Cloud project you want to use as the host project.You can use an existing project orcreate a new project.

  2. Identify the Google Cloud projects that you want to attach to the hostproject as service projects. You must identify all the projects that containthe services and workloads that you intend to register to App Hubapplications. Resources in other projects won't be visible toApp Hub. Service projects have the following requirements:

    • Service projects must be in the sameorganization asthe host project.
    • A service project can only be attached to one host project at a time.
    • A host project can act as a service project for itself to manage its ownresources, but you cannot attach it as a service project to any otherhost project.

Required roles

To get the permissions that you need to attach service projects to the host project, ask your administrator to grant you theApp Hub Admin (roles/apphub.admin) IAM role on the host project and on each service project that you want to attach. For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

Set up the host project

To configure a Google Cloud project as a host project, follow these steps:

Console

  1. In the Google Cloud console, use the project picker to select your project.

  2. Navigate to theOverview page from App Hub:

    Go to Overview

  3. ClickSet up App Hub.

  4. In theEnable App Hub page, chooseFull setup to create amultiple-project boundary.

  5. Make note of the project name and ID. This information identifies thehost project and you'll use these values to grant access.

  6. Review the list ofAPIs being enabled.Some APIs have associated costs.Learn more about the costs of APIsor click each API to see associated costs.

    Note: This setup process enables several APIs, but only App Hub and Application Monitoring support host projects. Therefore, other enabled APIs might not function as expected in this legacy setup model. For more information, seeFeature support by boundary type.

  7. ClickContinue.

  8. In theDefine boundary tab, verify your project information.

  9. ClickAdd project toadd service projects to your boundaryor add those later.

  10. ClickContinue.

  11. In theGrant access tab, choose the appropriateIAM roles and permissionsfor administrators in the project.For a list of recommended application-centric roles acrossGoogle Cloud products, seeGrant application-centric roles to your users.

  12. In theNew principals box, enter the users, groups, orservice accounts who should have administrator access toapplication-centric tasks in the project.

  13. ClickGrant roles and then clickComplete.

Later, you can grant additional IAM roles to your principalsfrom theIAM page. For more information, seeGrant an IAM role by using the Google Cloud console.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Make sure that the most recent version of Google Cloud CLI is installed:

    gcloudcomponentsupdate

  3. Find the project IDof the Google Cloud project that you want to configure as the hostproject.

  4. Set the host project as the default project for commands:

    gcloudconfigsetprojectHOST_PROJECT_ID

    ReplaceHOST_PROJECT_ID with the ID of theproject you want to configure as the host project.

  5. Enable theApp Hub API in thehost project:

    gcloudservicesenableapphub.googleapis.com\--project=HOST_PROJECT_ID

Add service projects

Add service projects to yourapplication management boundary byattaching them to the host project.

To attach service projects to the host project and create a multiple-projectboundary, follow these steps:

Console

  1. In the Google Cloud console, use the project picker to select the hostproject.

    Go to Welcome

  2. Navigate to theBoundary settings page from App Hub:

    Go to Boundary settings

  3. ClickAdd project.

  4. Select the service projects that you want to attach to the host projectand add to your boundary in one of the following ways:

    • From the list of projects, select the checkboxes for the projectsyou want to attach as service projects.
    • Filter the project names and select their checkboxes.

  5. ClickSelect.

    TheProjects in your boundary table displays the selected serviceprojects. The attachment process might take some time to complete.

  6. Verify the list of service projects is complete.

gcloud

  1. Find the project IDof each of the Google Cloud projects that you want to configure asservice projects.

  2. Attach each service project:

    gcloudapphubservice-projectsaddSERVICE_PROJECT_ID\--project=HOST_PROJECT_ID

    Replace the following:

    • SERVICE_PROJECT_ID: the ID of the serviceproject to attach.
    • HOST_PROJECT_ID: the ID of the hostproject.

  3. Repeat the previous process for each service project you want to attachto the host project.

Terraform

To attach a service project to a host project using Terraform, usethegoogle_apphub_service_project_attachment resource,for example:

resource"google_apphub_service_project_attachment""example"{service_project_attachment_id=google_project.service_project.project_iddepends_on=[time_sleep.wait_120s]}resource"google_project""service_project"{project_id="project-1"name="Service Project"org_id="123456789"deletion_policy="DELETE"}resource"time_sleep""wait_120s"{depends_on=[google_project.service_project]create_duration="120s"}

To detach a service project from a host project, seeRemove service projects.

Assign App Hub roles and permissions

To grant appropriateApp Hub roles and permissions toApp Hub users in the host project and service projects, follow thesesteps:

Console

  1. In the Google Cloud console, use the project picker to select the hostproject.

    Go to Welcome

  2. Navigate to theIAM page:

    Go to IAM

  3. ClickGrant access.TheGrant access pane opens.

  4. In theNew principals field, enter the email address of theprincipal that you want to grant access to App Hub.

  5. ClickSelect a role and enterApp Hub in theFilter field.

  6. Select theApp Hub IAM roleyou intend to assign to the principal and clickSave.

  7. In each of the App Hub service projects you attached to thehost project, repeat the previous process to grant the same roles to thesame users.

gcloud

  1. Find the project IDof each of the Google Cloud projects that you configured as host andservice projects.

  2. Grant access to principals in the host project:

    gcloudprojectsadd-iam-policy-bindingHOST_PROJECT_ID\--member='user:EMAIL_ADDRESS'\--role='ROLE_NAME'

    Replace the following:

    • HOST_PROJECT_ID: the ID of the hostproject.
    • EMAIL_ADDRESS: the email address of theprincipal who must obtain App Hub access in the hostproject. This value must have the formatusername@yourdomain,for example,my.user@example.com.
    • ROLE_NAME: theApp Hub IAM roleyou want to assign to the principal, for example,roles/apphub.admin.

  3. In each of the App Hub service projects you attached to thehost project, grant the same roles to the same users:

    gcloudprojectsadd-iam-policy-bindingSERVICE_PROJECT_ID\--member='user:EMAIL_ADDRESS'\--role='ROLE_NAME'

    ReplaceSERVICE_PROJECT_ID with the ID ofthe service project you are granting access to.

Set up VPC Service Controls

To protect your applications with a VPC Service Controls perimeter, addyour App Hub host project and service projects to the perimeter beforeyou create your applications. For more information, seeUse VPC Service Controls with App Hub.

Optional: Configure the metrics scope

To view system metrics for applications within your host project inCloud Monitoring, add the attached service projects to the host project'smetrics scope. The host project serves as a scopingproject for time-series data, enabling the charting and monitoring of data. Formore information and configuration instructions, seeConfigure a metrics scope andConfigure a metrics scope by using the API.

Remove service projects

Remove service projects from yourapplication management boundary bydetaching them from the host project.

To detach a service project from a host project, follow these steps:

Console

  1. In the Google Cloud console, use the project picker to select the hostproject.

    Go to Welcome

  2. Navigate to theBoundary settings page from App Hub:

    Go to Boundary settings

  3. Select the checkboxes of the service projects that you want to detachfrom the host project and remove from your boundary.

  4. ClickDetach projects.

    TheProjects in your boundary table refreshes to display only theprojects that remain attached to the host project.

  5. Verify the list of service projects is updated.

gcloud

  1. Find the project IDof each of the service projects that you want to remove from the hostproject.

  2. Remove each service project:

    gcloudapphubservice-projectsremoveSERVICE_PROJECT_ID\--project=HOST_PROJECT_ID

    Replace the following:

    • SERVICE_PROJECT_ID: the ID of the serviceproject to remove.
    • HOST_PROJECT_ID: the ID of the hostproject.

  3. Repeat the previous process for each service project you want to removefrom the host project.

Important: When you remove a service project from a host project, theregistration status of services and workloads from that project that are registered to applications changes todetached.

When you remove a service project from a host project, consider removing it alsofrom the host project's metrics scope if you previouslyconfigured the metrics scope. For more information, seeRemove projects from a metrics scope.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.