Create an instance from a custom image

This document explains how to create a Compute Engine instance from acustom image thatexists only in your project.

An instance contains a bootloader, a boot file system, and an OS image. You can createcustom images from source disks, images, snapshots, or images stored inCloud Storage and use these images to create instances. By default,a custom image belongs only to the project in which it was created.

Before you begin

Required roles

To get the permissions that you need to create an instance from a custom image, ask your administrator to grant you theCompute Instance Admin (v1) (roles/compute.instanceAdmin.v1) IAM role on the project. For more information about granting roles, seeManage access to projects, folders, and organizations.

This predefined role contains the permissions required to create an instance from a custom image. To see the exact permissions that are required, expand theRequired permissions section:

Required permissions

The following permissions are required to create an instance from a custom image:

  • compute.instances.create on the project
  • To use a custom image to create the instance: compute.images.useReadOnly on the image

You might also be able to get these permissions withcustom roles or otherpredefined roles.

Create an instance from a custom image

If you don't already have a custom image, you must firstcreate a custom image.

Note: You must have access to the custom image to use it when youcreate an instance. By default, you have access to all custom imagesin your project. However, if your project has a definedlist oftrusted images,you can use only the images on that list to create an instance.

To create an instance from a custom image, follow these steps:

Console

  1. In the Google Cloud console, go to theCreate an instance page.

    Go to Create an instance

    If prompted, select your project and clickContinue.

    TheCreate an instance page appears and displays theMachine configuration pane.

  2. In theMachine configuration pane, do the following:

    1. In theName field, specify a name for your instance. For moreinformation, seeResource naming convention.

    2. Optional: In theZone field, select a zone for this instance.

      The default selection isAny. If you don't change this defaultselection, then Google automatically chooses a zone for you based onmachine type and availability.

    3. Select the machine family for your instance. The Google Cloud consolethen displays the machine series that are available for yourselected machine family. The following machine family options areavailable:

      • General purpose
      • Compute optimized
      • Memory optimized
      • Storage optimized
      • GPUs

    4. In theSeries column, select the machine series for yourinstance.

      If you selectedGPUs as the machine family in the previous step,then select theGPU type that you want. The machine series isthen automatically selected for the selected GPU type.

    5. In theMachine type section, select the machine type for yourinstance.

  3. In the navigation menu, clickOS and storage. In theOperating system and storage pane that appears, configure your bootdisk by doing the following:

    1. ClickChange. TheBoot disk pane appears and displays thePublic images tab.
    2. ClickCustom images. TheCustom images tab appears.
    3. To select the image project, clickChange, and then select theproject that contains the image.
    4. In theImage list, select the image that you want to import.
    5. In theBoot disk type list, select the type of the boot disk.
    6. In theSize (GB) field, specify the size of the boot disk.
    7. Optional: For Hyperdisk Balanced boot disks, specify values for theProvisioned IOPS andProvisioned throughput fields.
    8. Optional: For advanced configuration options, expand theShow advanced configurations section.
    9. To confirm your boot disk options and return to theOperating system and storage pane, clickSelect.

  4. In the navigation menu, clickNetworking. In theNetworking panethat appears, do the following:

    1. Go to theFirewall section.

    2. To permit HTTP or HTTPS traffic to the instance, selectAllow HTTP traffic orAllow HTTPS traffic.

      The Compute Engine adds a network tag to your instance andcreates the corresponding ingress firewall rule that allows allincoming traffic ontcp:80 (HTTP) ortcp:443 (HTTPS). Thenetwork tag associates the firewall rule with the instance. For moreinformation, seeFirewall rules overviewin the Cloud Next Generation Firewall documentation.

  5. Optional: Specify other configuration options. For more information, seeConfiguration options during instance creation.

  6. To create and start the instance, clickCreate.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Run thegcloud compute instances create commandto create an instance with a custom image:

    gcloud compute instances createVM_NAME \    --image-projectIMAGE_PROJECT \IMAGE_FLAG \    --subnetSUBNET

    Replace the following:

Terraform

To generate the Terraform code, you can use theEquivalent code component in the Google Cloud console.
  1. In the Google Cloud console, go to theVM instances page.

    Go to VM Instances

  2. ClickCreate instance.
  3. Specify the parameters you want.
  4. At the top or bottom of the page, clickEquivalent code, and then click theTerraform tab to view the Terraform code.

Go

Before trying this sample, follow theGo setup instructions in theCompute Engine quickstart using client libraries. For more information, see theCompute EngineGo API reference documentation.

To authenticate to Compute Engine, set up Application Default Credentials. For more information, seeSet up authentication for a local development environment.

import("context""fmt""io"compute"cloud.google.com/go/compute/apiv1"computepb"cloud.google.com/go/compute/apiv1/computepb""google.golang.org/protobuf/proto")// createInstanceFromCustomImage creates a new VM instance with custom image used as its boot disk.funccreateInstanceFromCustomImage(wio.Writer,projectID,zone,instanceName,customImageLinkstring)error{// projectID := "your_project_id"// zone := "europe-central2-b"// instanceName := "your_instance_name"// customImageLink := "projects/project_name/global/images/image_name"ctx:=context.Background()instancesClient,err:=compute.NewInstancesRESTClient(ctx)iferr!=nil{returnfmt.Errorf("NewInstancesRESTClient: %w",err)}deferinstancesClient.Close()req:=&computepb.InsertInstanceRequest{Project:projectID,Zone:zone,InstanceResource:&computepb.Instance{Name:proto.String(instanceName),Disks:[]*computepb.AttachedDisk{{InitializeParams:&computepb.AttachedDiskInitializeParams{DiskSizeGb:proto.Int64(10),SourceImage:proto.String(customImageLink),DiskType:proto.String(fmt.Sprintf("zones/%s/diskTypes/pd-standard",zone)),},AutoDelete:proto.Bool(true),Boot:proto.Bool(true),Type:proto.String(computepb.AttachedDisk_PERSISTENT.String()),},},MachineType:proto.String(fmt.Sprintf("zones/%s/machineTypes/n1-standard-1",zone)),NetworkInterfaces:[]*computepb.NetworkInterface{{Name:proto.String("global/networks/default"),},},},}op,err:=instancesClient.Insert(ctx,req)iferr!=nil{returnfmt.Errorf("unable to create instance: %w",err)}iferr=op.Wait(ctx);err!=nil{returnfmt.Errorf("unable to wait for the operation: %w",err)}fmt.Fprintf(w,"Instance created\n")returnnil}

Java

Before trying this sample, follow theJava setup instructions in theCompute Engine quickstart using client libraries. For more information, see theCompute EngineJava API reference documentation.

To authenticate to Compute Engine, set up Application Default Credentials. For more information, seeSet up authentication for a local development environment.

importcom.google.api.gax.longrunning.OperationFuture;importcom.google.cloud.compute.v1.AttachedDisk;importcom.google.cloud.compute.v1.AttachedDisk.Type;importcom.google.cloud.compute.v1.AttachedDiskInitializeParams;importcom.google.cloud.compute.v1.Image;importcom.google.cloud.compute.v1.ImagesClient;importcom.google.cloud.compute.v1.InsertInstanceRequest;importcom.google.cloud.compute.v1.Instance;importcom.google.cloud.compute.v1.InstancesClient;importcom.google.cloud.compute.v1.NetworkInterface;importcom.google.cloud.compute.v1.Operation;importjava.io.IOException;importjava.util.Vector;importjava.util.concurrent.ExecutionException;importjava.util.concurrent.TimeUnit;importjava.util.concurrent.TimeoutException;publicclassCreateInstancesAdvanced{/**   * Create an AttachedDisk object to be used in VM instance creation. Uses an image as the source   * for the new disk.   *   * @param diskType the type of disk you want to create. This value uses the following format:   * "zones/{zone}/diskTypes/(pd-standard|pd-ssd|pd-balanced|pd-extreme)". For example:   * "zones/us-west3-b/diskTypes/pd-ssd"   * @param diskSizeGb size of the new disk in gigabytes   * @param boot boolean flag indicating whether this disk should be used as a boot disk of an   * instance   * @param sourceImage source image to use when creating this disk. You must have read access to   * this disk. This can be one of the publicly available images or an image from one of your   * projects. This value uses the following format:   * "projects/{project_name}/global/images/{image_name}"   * @return AttachedDisk object configured to be created using the specified image.   */privatestaticAttachedDiskdiskFromImage(StringdiskType,intdiskSizeGb,booleanboot,StringsourceImage){AttachedDiskdisk=AttachedDisk.newBuilder().setBoot(boot)// Remember to set auto_delete to True if you want the disk to be deleted when// you delete your VM instance..setAutoDelete(true).setType(Type.PERSISTENT.toString()).setInitializeParams(AttachedDiskInitializeParams.newBuilder().setSourceImage(sourceImage).setDiskSizeGb(diskSizeGb).setDiskType(diskType).build()).build();returndisk;}/**   * Send an instance creation request to the Compute Engine API and wait for it to complete.   *   * @param project project ID or project number of the Cloud project you want to use.   * @param zone name of the zone to create the instance in. For example: "us-west3-b"   * @param instanceName name of the new virtual machine (VM) instance.   * @param disks a list of compute_v1.AttachedDisk objects describing the disks you want to attach   * to your new instance.   * @param machineType machine type of the VM being created. This value uses the following format:   * "zones/{zone}/machineTypes/{type_name}".   * For example: "zones/europe-west3-c/machineTypes/f1-micro"   * @param network name of the network you want the new instance to use. For example:   * "global/networks/default" represents the network named "default", which is created   * automatically for each project.   * @param subnetwork name of the subnetwork you want the new instance to use. This value uses the   * following format: "regions/{region}/subnetworks/{subnetwork_name}"   * @return Instance object.   */privatestaticInstancecreateWithDisks(Stringproject,Stringzone,StringinstanceName,Vector<AttachedDisk>disks,StringmachineType,Stringnetwork,Stringsubnetwork)throwsIOException,InterruptedException,ExecutionException,TimeoutException{try(InstancesClientinstancesClient=InstancesClient.create()){// Use the network interface provided in the networkName argument.NetworkInterfacenetworkInterface;if(subnetwork!=null){networkInterface=NetworkInterface.newBuilder().setName(network).setSubnetwork(subnetwork).build();}else{networkInterface=NetworkInterface.newBuilder().setName(network).build();}machineType=String.format("zones/%s/machineTypes/%s",zone,machineType);// Bind `instanceName`, `machineType`, `disk`, and `networkInterface` to an instance.InstanceinstanceResource=Instance.newBuilder().setName(instanceName).setMachineType(machineType).addAllDisks(disks).addNetworkInterfaces(networkInterface).build();System.out.printf("Creating instance: %s at %s ",instanceName,zone);// Insert the instance in the specified project and zone.InsertInstanceRequestinsertInstanceRequest=InsertInstanceRequest.newBuilder().setProject(project).setZone(zone).setInstanceResource(instanceResource).build();OperationFuture<Operation,Operation>operation=instancesClient.insertAsync(insertInstanceRequest);// Wait for the operation to complete.Operationresponse=operation.get(3,TimeUnit.MINUTES);if(response.hasError()){System.out.println("Instance creation failed ! ! "+response);returnnull;}System.out.println("Operation Status: "+response.getStatus());returninstancesClient.get(project,zone,instanceName);}}/**   * Create a new VM instance with custom image used as its boot disk.   *   * @param project project ID or project number of the Cloud project you want to use.   * @param zone name of the zone to create the instance in. For example: "us-west3-b"   * @param instanceName name of the new virtual machine (VM) instance.   * @param customImage link to the custom image you want to use in the form of:   * "projects/{project_name}/global/images/{image_name}"   * @return Instance object.   */publicstaticInstancecreateFromCustomImage(Stringproject,Stringzone,StringinstanceName,StringcustomImage)throwsIOException,InterruptedException,ExecutionException,TimeoutException{StringdiskType=String.format("zones/%s/diskTypes/pd-standard",zone);Vector<AttachedDisk>disks=newVector<>();disks.add(diskFromImage(diskType,10,true,customImage));returncreateWithDisks(project,zone,instanceName,disks,"n1-standard-1","global/networks/default",null);}

Node.js

Before trying this sample, follow theNode.js setup instructions in theCompute Engine quickstart using client libraries. For more information, see theCompute EngineNode.js API reference documentation.

To authenticate to Compute Engine, set up Application Default Credentials. For more information, seeSet up authentication for a local development environment.

/** * TODO(developer): Uncomment and replace these variables before running the sample. */// const projectId = 'YOUR_PROJECT_ID';// const zone = 'europe-central2-b';// const instanceName = 'YOUR_INSTANCE_NAME';// const customImageLink = 'projects/YOUR_PROJECT/global/images/YOUR_IMAGE_NAME';constcompute=require('@google-cloud/compute');// Creates a new VM instance with custom image used as its boot disk.asyncfunctioncreateInstanceFromCustomImage(){constinstancesClient=newcompute.InstancesClient();const[response]=awaitinstancesClient.insert({project:projectId,zone,instanceResource:{name:instanceName,disks:[{initializeParams:{diskSizeGb:'10',sourceImage:customImageLink,diskType:`zones/${zone}/diskTypes/pd-standard`,},autoDelete:true,boot:true,type:'PERSISTENT',},],machineType:`zones/${zone}/machineTypes/n1-standard-1`,networkInterfaces:[{name:'global/networks/default',},],},});letoperation=response.latestResponse;constoperationsClient=newcompute.ZoneOperationsClient();// Wait for the create operation to complete.while(operation.status!=='DONE'){[operation]=awaitoperationsClient.wait({operation:operation.name,project:projectId,zone:operation.zone.split('/').pop(),});}console.log('Instance created.');}createInstanceFromCustomImage();

Python

Before trying this sample, follow thePython setup instructions in theCompute Engine quickstart using client libraries. For more information, see theCompute EnginePython API reference documentation.

To authenticate to Compute Engine, set up Application Default Credentials. For more information, seeSet up authentication for a local development environment.

from__future__importannotationsimportreimportsysfromtypingimportAnyimportwarningsfromgoogle.api_core.extended_operationimportExtendedOperationfromgoogle.cloudimportcompute_v1defget_image_from_family(project:str,family:str)->compute_v1.Image:"""    Retrieve the newest image that is part of a given family in a project.    Args:        project: project ID or project number of the Cloud project you want to get image from.        family: name of the image family you want to get image from.    Returns:        An Image object.    """image_client=compute_v1.ImagesClient()# List of public operating system (OS) images: https://cloud.google.com/compute/docs/images/os-detailsnewest_image=image_client.get_from_family(project=project,family=family)returnnewest_imagedefdisk_from_image(disk_type:str,disk_size_gb:int,boot:bool,source_image:str,auto_delete:bool=True,)->compute_v1.AttachedDisk:"""    Create an AttachedDisk object to be used in VM instance creation. Uses an image as the    source for the new disk.    Args:         disk_type: the type of disk you want to create. This value uses the following format:            "zones/{zone}/diskTypes/(pd-standard|pd-ssd|pd-balanced|pd-extreme)".            For example: "zones/us-west3-b/diskTypes/pd-ssd"        disk_size_gb: size of the new disk in gigabytes        boot: boolean flag indicating whether this disk should be used as a boot disk of an instance        source_image: source image to use when creating this disk. You must have read access to this disk. This can be one            of the publicly available images or an image from one of your projects.            This value uses the following format: "projects/{project_name}/global/images/{image_name}"        auto_delete: boolean flag indicating whether this disk should be deleted with the VM that uses it    Returns:        AttachedDisk object configured to be created using the specified image.    """boot_disk=compute_v1.AttachedDisk()initialize_params=compute_v1.AttachedDiskInitializeParams()initialize_params.source_image=source_imageinitialize_params.disk_size_gb=disk_size_gbinitialize_params.disk_type=disk_typeboot_disk.initialize_params=initialize_params# Remember to set auto_delete to True if you want the disk to be deleted when you delete# your VM instance.boot_disk.auto_delete=auto_deleteboot_disk.boot=bootreturnboot_diskdefwait_for_extended_operation(operation:ExtendedOperation,verbose_name:str="operation",timeout:int=300)->Any:"""    Waits for the extended (long-running) operation to complete.    If the operation is successful, it will return its result.    If the operation ends with an error, an exception will be raised.    If there were any warnings during the execution of the operation    they will be printed to sys.stderr.    Args:        operation: a long-running operation you want to wait on.        verbose_name: (optional) a more verbose name of the operation,            used only during error and warning reporting.        timeout: how long (in seconds) to wait for operation to finish.            If None, wait indefinitely.    Returns:        Whatever the operation.result() returns.    Raises:        This method will raise the exception received from `operation.exception()`        or RuntimeError if there is no exception set, but there is an `error_code`        set for the `operation`.        In case of an operation taking longer than `timeout` seconds to complete,        a `concurrent.futures.TimeoutError` will be raised.    """result=operation.result(timeout=timeout)ifoperation.error_code:print(f"Error during{verbose_name}: [Code:{operation.error_code}]:{operation.error_message}",file=sys.stderr,flush=True,)print(f"Operation ID:{operation.name}",file=sys.stderr,flush=True)raiseoperation.exception()orRuntimeError(operation.error_message)ifoperation.warnings:print(f"Warnings during{verbose_name}:\n",file=sys.stderr,flush=True)forwarninginoperation.warnings:print(f" -{warning.code}:{warning.message}",file=sys.stderr,flush=True)returnresultdefcreate_instance(project_id:str,zone:str,instance_name:str,disks:list[compute_v1.AttachedDisk],machine_type:str="n1-standard-1",network_link:str="global/networks/default",subnetwork_link:str=None,internal_ip:str=None,external_access:bool=False,external_ipv4:str=None,accelerators:list[compute_v1.AcceleratorConfig]=None,preemptible:bool=False,spot:bool=False,instance_termination_action:str="STOP",custom_hostname:str=None,delete_protection:bool=False,)->compute_v1.Instance:"""    Send an instance creation request to the Compute Engine API and wait for it to complete.    Args:        project_id: project ID or project number of the Cloud project you want to use.        zone: name of the zone to create the instance in. For example: "us-west3-b"        instance_name: name of the new virtual machine (VM) instance.        disks: a list of compute_v1.AttachedDisk objects describing the disks            you want to attach to your new instance.        machine_type: machine type of the VM being created. This value uses the            following format: "zones/{zone}/machineTypes/{type_name}".            For example: "zones/europe-west3-c/machineTypes/f1-micro"        network_link: name of the network you want the new instance to use.            For example: "global/networks/default" represents the network            named "default", which is created automatically for each project.        subnetwork_link: name of the subnetwork you want the new instance to use.            This value uses the following format:            "regions/{region}/subnetworks/{subnetwork_name}"        internal_ip: internal IP address you want to assign to the new instance.            By default, a free address from the pool of available internal IP addresses of            used subnet will be used.        external_access: boolean flag indicating if the instance should have an external IPv4            address assigned.        external_ipv4: external IPv4 address to be assigned to this instance. If you specify            an external IP address, it must live in the same region as the zone of the instance.            This setting requires `external_access` to be set to True to work.        accelerators: a list of AcceleratorConfig objects describing the accelerators that will            be attached to the new instance.        preemptible: boolean value indicating if the new instance should be preemptible            or not. Preemptible VMs have been deprecated and you should now use Spot VMs.        spot: boolean value indicating if the new instance should be a Spot VM or not.        instance_termination_action: What action should be taken once a Spot VM is terminated.            Possible values: "STOP", "DELETE"        custom_hostname: Custom hostname of the new VM instance.            Custom hostnames must conform to RFC 1035 requirements for valid hostnames.        delete_protection: boolean value indicating if the new virtual machine should be            protected against deletion or not.    Returns:        Instance object.    """instance_client=compute_v1.InstancesClient()# Use the network interface provided in the network_link argument.network_interface=compute_v1.NetworkInterface()network_interface.network=network_linkifsubnetwork_link:network_interface.subnetwork=subnetwork_linkifinternal_ip:network_interface.network_i_p=internal_ipifexternal_access:access=compute_v1.AccessConfig()access.type_=compute_v1.AccessConfig.Type.ONE_TO_ONE_NAT.nameaccess.name="External NAT"access.network_tier=access.NetworkTier.PREMIUM.nameifexternal_ipv4:access.nat_i_p=external_ipv4network_interface.access_configs=[access]# Collect information into the Instance object.instance=compute_v1.Instance()instance.network_interfaces=[network_interface]instance.name=instance_nameinstance.disks=disksifre.match(r"^zones/[a-z\d\-]+/machineTypes/[a-z\d\-]+$",machine_type):instance.machine_type=machine_typeelse:instance.machine_type=f"zones/{zone}/machineTypes/{machine_type}"instance.scheduling=compute_v1.Scheduling()ifaccelerators:instance.guest_accelerators=acceleratorsinstance.scheduling.on_host_maintenance=(compute_v1.Scheduling.OnHostMaintenance.TERMINATE.name)ifpreemptible:# Set the preemptible settingwarnings.warn("Preemptible VMs are being replaced by Spot VMs.",DeprecationWarning)instance.scheduling=compute_v1.Scheduling()instance.scheduling.preemptible=Trueifspot:# Set the Spot VM settinginstance.scheduling.provisioning_model=(compute_v1.Scheduling.ProvisioningModel.SPOT.name)instance.scheduling.instance_termination_action=instance_termination_actionifcustom_hostnameisnotNone:# Set the custom hostname for the instanceinstance.hostname=custom_hostnameifdelete_protection:# Set the delete protection bitinstance.deletion_protection=True# Prepare the request to insert an instance.request=compute_v1.InsertInstanceRequest()request.zone=zonerequest.project=project_idrequest.instance_resource=instance# Wait for the create operation to complete.print(f"Creating the{instance_name} instance in{zone}...")operation=instance_client.insert(request=request)wait_for_extended_operation(operation,"instance creation")print(f"Instance{instance_name} created.")returninstance_client.get(project=project_id,zone=zone,instance=instance_name)defcreate_from_custom_image(project_id:str,zone:str,instance_name:str,custom_image_link:str)->compute_v1.Instance:"""    Create a new VM instance with custom image used as its boot disk.    Args:        project_id: project ID or project number of the Cloud project you want to use.        zone: name of the zone to create the instance in. For example: "us-west3-b"        instance_name: name of the new virtual machine (VM) instance.        custom_image_link: link to the custom image you want to use in the form of:            "projects/{project_name}/global/images/{image_name}"    Returns:        Instance object.    """disk_type=f"zones/{zone}/diskTypes/pd-standard"disks=[disk_from_image(disk_type,10,True,custom_image_link,True)]instance=create_instance(project_id,zone,instance_name,disks)returninstance

REST

The process for creating an instance with a custom image in the APIis the same as if you were creating an instance with apublicly available image.

To create the instance from a custom image, use theinstances.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances{   "machineType":"zones/MACHINE_TYPE_ZONE/machineTypes/MACHINE_TYPE",   "name":"VM_NAME",      "disks":[      {         "initializeParams":{            "sourceImage":"projects/IMAGE_PROJECT/global/images/IMAGE"         },         "boot":true      }   ],         "networkInterfaces":[      {         "network":"global/networks/NETWORK_NAME"      }   ],        "shieldedInstanceConfig":{      "enableSecureBoot":"ENABLE_SECURE_BOOT"   }}

Replace the following:

  • PROJECT_ID: ID of the project to create the VM in
  • ZONE: zone to create the VM in
  • MACHINE_TYPE_ZONE: zone containing the machine type to use for the new VM
  • MACHINE_TYPE: machine type,predefined orcustom, for the new VM
  • VM_NAME:name of the new VM
  • IMAGE_PROJECT: name of the project that contains the custom image
  • IMAGE: specify one of the following:
    • IMAGE: name of your custom image. For example,"sourceImage": "projects/my-project-1234/global/images/my-debian-image-v2".
    • IMAGE_FAMILY: if you created your custom images as part of acustom image family, specify that custom image family.

      This creates the VM from the most recent, non-deprecated OS image in your custom image family. For example, if you specify"sourceImage": "projects/my-project-1234/global/images/family/my-debian-family", Compute Engine creates a VM from the latest version of the OS image in the custommy-debian-family image family.

  • NETWORK_NAME: the VPC network that you want to use for the VM. You can specifydefault to use your default network.

  • ENABLE_SECURE_BOOT: Optional: If you chose an image that supportsShielded VM features, Compute Engine, by default, enables thevirtual trusted platform module (vTPM) andintegrity monitoring. Compute Engine does not enableSecure Boot by default.

    If you specifytrue forenableSecureBoot, Compute Engine creates a VM with all three Shielded VM features enabled. After Compute Engine starts your VM, tomodify Shielded VM options, you must stop the VM.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-16 UTC.