Install VM extensions by creating extension policies
Preview
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
This document describes how to create VM extension policies, which let you automatically install and manage extensions on a fleet of Compute Engine virtual machines (VMs). By defining a policy, you can ensure that specific extensions are installed and maintained on any VMs that match criteria you specify, such as VM labels.
Before you begin
- Install the beta component by running the following command:
  gcloud components install beta
- Review the basics about VM Extension Manager.
- Review VM Extension Manager quotas.
- Enable the Compute Engine API in your Google Cloud project if it's not already enabled.
- Ensure that your VM runs the guest agent version 20241209.01 or later.
- To view debug logs for VM Extension Manager events, configure the log settings for the guest agent.
- If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
  gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
- Set a default region and zone.
Required IAM roles
To get the permission that you need to create an extension policy, ask your administrator to grant you the VM Extension Policy Admin (roles/compute.vmExtensionPolicyAdmin) IAM role. For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the compute.vmExtensionPolicies.create permission, which is required to create an extension policy.
You might also be able to get this permission with custom roles or other predefined roles.
For more information about IAM roles and permissions in Compute Engine, see Compute Engine roles and permissions.
Policy priority and conflict resolution
When multiple policies apply to the same VM, VM Extension Manager uses policy priority to resolve conflicts.
When two policies conflict for the same extension, the policy with the higher priority takes precedence. Priority values range from 0 to 65535, where a lower number signifies a higher priority. The default priority is 1000. If multiple policies have the same priority, VM Extension Manager applies the most recently updated policy to the VMs. Deleting a policy does not remove the extension if a lower-priority policy still applies to the VM.
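The following added example (not part of the original page and not VM Extension Manager's own code) models the resolution rules above so you can check which policy would manage an extension on a given VM before you create or delete a policy. The class, function, policy and label names are assumptions; the selector matching follows the --inclusion-labels semantics described later on this page.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Policy:
    name: str
    extensions: tuple
    priority: int = 1000                      # default priority stated above
    updated: datetime = datetime(2026, 1, 1)  # constructed timestamp
    selectors: tuple = ()                     # () = no --inclusion-labels: all VMs

def targets(policy, vm_labels):
    """All labels in one selector must match (AND); any selector may match (OR)."""
    if not policy.selectors:
        return True
    return any(all(vm_labels.get(k) == v for k, v in sel.items())
               for sel in policy.selectors)

def effective(policies, vm_labels):
    """Map each extension to the name of the policy that wins for this VM."""
    winners = {}
    for p in policies:
        if not 0 <= p.priority <= 65535:
            raise ValueError(f"{p.name}: priority {p.priority} outside 0-65535")
        if not targets(p, vm_labels):
            continue
        for ext in p.extensions:
            cur = winners.get(ext)
            # Lower number wins; on a tie the most recently updated policy wins.
            if (cur is None or p.priority < cur.priority or
                    (p.priority == cur.priority and p.updated > cur.updated)):
                winners[ext] = p
    return {ext: p.name for ext, p in winners.items()}

# Constructed sample policies (names and labels are illustrative).
POLICIES = [
    Policy("fleet-default", ("ops-agent",)),
    Policy("prod-a", ("ops-agent",), 500, selectors=({"env": "prod"},)),
    Policy("prod-b", ("ops-agent",), 500, datetime(2026, 2, 1),
           ({"env": "prod", "team": "pay"}, {"env": "staging"})),
]

if __name__ == "__main__":
    for labels in ({"env": "prod", "team": "pay"}, {"env": "prod"}, {"env": "dev"}):
        print(labels, "->", effective(POLICIES, labels))
    # With both priority-500 policies deleted, fleet-default still manages ops-agent.
    print(effective(POLICIES[:1], {"env": "prod"}))
```

Running the model before deleting a policy shows whether a lower-priority policy would take over the extension instead of the extension becoming unmanaged.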
Create a global VM extension policy
You can create a global VM extension policy to install extensions on VMs across multiple zones within your project according to a rollout plan. A global VM extension policy isn't directly applied to VMs; instead, as the policy rolls out, VM Extension Manager creates policies in each zone based on the rollout plan. These policies then manage extension installation on VMs within their respective zones.
You can use either gcloud or the globalVmExtensionPolicies.insert method to create global extension policies.
About rollout plans
Global VM extension policies use rollout plans to manage the deployment of extensions across different locations. You can use one of the predefined rollout plans or create a custom rollout plan.
Predefined rollout plans
- slow_rollout: Rolls out the policy over five days. Slow rollout is the default rollout plan.
- fast_rollout: Rolls out the policy immediately to all zones.
Custom rollout plans
You can create custom rollout plans by using the rolloutPlans.insert method. For example, the following JSON defines a rollout plan named test-rollout-plan that targets two zones:
{
  "name": "test-rollout-plan",
  "waves": [
    {
      "selectors": [
        {
          "locationSelector": {
            "includedLocations": ["us-central1-a", "us-west1-a"]
          }
        }
      ],
      "validation": {
        "type": "time",
        "timeBasedValidationMetadata": {
          "waitDuration": "0s"
        }
      },
      "orchestrationOptions": {
        "maxConcurrentResourcesPerLocation": "10",
        "maxConcurrentLocations": "10"
      }
    }
  ]
}
You can then use this custom rollout plan when creating a global policy, as shown in Example 2.
Create a global policy
Use the gcloud beta compute global-vm-extension-policies create command to create a global VM extension policy:
gcloud beta compute global-vm-extension-policies create POLICY_NAME \
    --description="DESCRIPTION" \
    --extensions=EXTENSION_NAME_1,EXTENSION_NAME_2 \
    --version=EXTENSION_NAME_1=VERSION_1,EXTENSION_NAME_2=VERSION_2 \
    --config-from-file=EXTENSION_NAME_1=CONFIG_FILE_PATH_1,EXTENSION_NAME_2=CONFIG_FILE_PATH_2 \
    --inclusion-labels=KEY_1=VALUE_1 \
    --priority=PRIORITY \
    --rollout-predefined-plan=ROLLOUT_PLAN \
    --rollout-conflict-behavior=ROLLOUT_CONFLICT_BEHAVIOR
Replace the following:
- POLICY_NAME: a name for the VM extension policy.
- DESCRIPTION: an optional description for the policy.
- EXTENSION_NAME_1,EXTENSION_NAME_2: a comma-separated list of extensions to add to the policy. You must specify at least one extension. Valid values for the extensions are:
  - ops-agent
  - google-cloud-sap-extension
  - google-cloud-workload-extension
- EXTENSION_NAME_1=VERSION_1,EXTENSION_NAME_2=VERSION_2: a comma-separated list of key-value pairs where the key is the extension name and value is the extension version. If you don't specify a version for an extension, VM Extension Manager uses the latest available version and automatically upgrades it when new versions become available.
  Note: For ops-agent, VM Extension Manager supports installing version 2.58.0 or newer versions. For google-cloud-sap-extension and google-cloud-workload-extension, only the latest version is supported.
- EXTENSION_NAME_1=CONFIG_FILE_PATH_1,EXTENSION_NAME_2=CONFIG_FILE_PATH_2: a comma-separated list of key-value pairs where the key is the extension name and value is the path to the configuration file for that extension. This file is located on the VM where you run the gcloud command, not on the VM where you install the extension.
  Alternatively, to provide the configuration as an inline string, use the --config flag instead of --config-from-file, for example, EXTENSION_NAME_1="CONFIG_1". You can use either --config-from-file or --config, but not both in the same command.
- KEY_1=VALUE_1: a comma-separated list of key-value pairs that define inclusion labels for a selector. VMs must have all specified labels in a selector to be targeted. If you specify --inclusion-labels multiple times, the policy targets VMs that match any of the provided selectors (logical OR). If you omit this flag, the policy targets all VMs in your project across all zones.
- PRIORITY: an integer that defines the policy's priority. Larger numbers indicate higher priority. The default value is 1000. If multiple policies have the same priority, the policy that was most recently updated is applied to the VMs.
- ROLLOUT_PLAN: specify slow_rollout or fast_rollout. If you need to use a custom rollout plan, use the --rollout-custom-plan flag instead of --rollout-predefined-plan and specify the plan name, for example:
  --rollout-custom-plan=projects/PROJECT_NUMBER/locations/global/rolloutPlans/ROLLOUT_PLAN_NAME
  Replace the following:
  - PROJECT_NUMBER: The project where the rollout plan is defined.
  - ROLLOUT_PLAN_NAME: The name of the custom rollout plan you defined.
  If no rollout plan flag is specified, slow_rollout is used.
- ROLLOUT_CONFLICT_BEHAVIOR: Specifies the behavior when a conflict is detected between a zonal and a global policy. Possible values are:
  - "" (empty string): The zonal policy value is used.
  - overwrite: The global policy overwrites the zonal policy.
  For more details, see the --rollout-conflict-behavior flag.
Example 1
The following command creates a policy named global-test-extension-policy that installs the ops-agent extension for project test-project. The --config-from-file flag specifies the path to a local file containing a YAML configuration for the Ops Agent, and --rollout-predefined-plan specifies the slow_rollout plan.
gcloud beta compute global-vm-extension-policies create global-test-extension-policy \
    --project=test-project \
    --extensions=ops-agent \
    --config-from-file=ops-agent="/usr/ops-agent-config.yaml" \
    --rollout-predefined-plan=slow_rollout
Example 2
The following command creates a policy named global-test-extension-policy-2 that installs the ops-agent extension for project test-project on VMs with label env=prod. The policy priority is set to 500, and the --config-from-file flag specifies the path to a local file containing a YAML configuration for the Ops Agent. The --rollout-custom-plan flag specifies a custom rollout plan.
gcloud beta compute global-vm-extension-policies create global-test-extension-policy-2 \
    --project=test-project \
    --extensions=ops-agent \
    --config-from-file=ops-agent="/usr/ops-agent-config.yaml" \
    --priority=500 \
    --inclusion-labels=env=prod \
    --rollout-custom-plan=projects/12345678/locations/global/rolloutPlans/test-rollout-plan
Create a zonal VM extension policy
Use one of the following methods to create a zonal VM extension policy. This zonal policy defines which extensions to install and on which VMs in a specific zone.
Console
- In the Google Cloud console, go to the VM extension policies page.
- Click Create extension policy.
- In the Name field, enter a name for the policy.
- Optional: In the Description field, enter a description for the policy.
- In the Priority field, specify a priority number to resolve conflicts between policies. Lower numbers indicate higher priority. The default value is 1000.
- In the Zone list, select the zone where you want to apply this policy.
- In the Extensions section, click Add extension and do the following for each extension that you want to install on the target VMs:
  - From the Extension list, select an extension. See Supported extensions.
  - From the Version list, specify the version number of the extension. Leave blank to select the latest version.
    - For Ops Agent, you can specify version 2.58.0 or later.
    - For Extension for SAP and Extension for Compute workloads, leave the field blank to select the latest version.
  - Optional: In the Config file content field, enter configuration parameters for the extension.
- In the Target VM instances section, select the VMs for the policy. To select VMs with specific labels, click Add labels and add the key-value pair.
- Click Create.
gcloud
To create a zonal VM extension policy and to roll out the policy to VMs in a specific zone, use the gcloud beta compute zone-vm-extension-policies create command:
gcloud beta compute zone-vm-extension-policies create POLICY_NAME \
    --zone=ZONE \
    --description="DESCRIPTION" \
    --extensions=EXTENSION_NAME_1,EXTENSION_NAME_2 \
    --version=EXTENSION_NAME_1=VERSION_1,EXTENSION_NAME_2=VERSION_2 \
    --config-from-file=EXTENSION_NAME_1=CONFIG_FILE_PATH_1,EXTENSION_NAME_2=CONFIG_FILE_PATH_2 \
    --inclusion-labels=KEY_1=VALUE_1 \
    --priority=PRIORITY
Replace the following:
- POLICY_NAME: a name for the VM extension policy.
- ZONE: the zone where this policy applies.
- DESCRIPTION: an optional description for the policy.
- EXTENSION_NAME_1,EXTENSION_NAME_2: a comma-separated list of extensions to add to the policy. You must specify at least one extension. Valid values for the extensions are:
  - ops-agent
  - google-cloud-sap-extension
  - google-cloud-workload-extension
- EXTENSION_NAME_1=VERSION_1,EXTENSION_NAME_2=VERSION_2: a comma-separated list of key-value pairs where the key is the extension name and value is the extension version. If you don't specify a version for an extension, VM Extension Manager uses the latest available version and automatically upgrades it when new versions become available.
  Note: For ops-agent, VM Extension Manager supports installing version 2.58.0 or newer versions. For google-cloud-sap-extension and google-cloud-workload-extension, only the latest version is supported.
- EXTENSION_NAME_1=CONFIG_FILE_PATH_1,EXTENSION_NAME_2=CONFIG_FILE_PATH_2: a comma-separated list of key-value pairs where the key is the extension name and value is the path to the configuration file for that extension. This path is on the VM where you run the gcloud command, not on the VM where you install the extension.
  Alternatively, to provide configuration as an inline string, use the --config flag instead of --config-from-file, for example, EXTENSION_NAME_1="CONFIG_1". You can use either --config-from-file or --config, but not both in the same command.
- KEY_1=VALUE_1: a comma-separated list of key-value pairs that define inclusion labels for a selector. VMs must have all specified labels in a selector to be targeted. If you specify --inclusion-labels multiple times, the policy targets VMs that match any of the provided selectors (logical OR). If you omit this flag, the policy targets all VMs in the specified zone.
- PRIORITY: an integer from 0 to 65535 that defines the policy's priority. Lower numbers indicate higher priority. The default value is 1000.
The command fails if a policy with the specified name already exists in the zone.
Example 1
The following command creates a policy named test-extension-policy that installs the ops-agent extension in zone us-central1-f for project test-project. The --config-from-file flag specifies the path to a local file containing a YAML configuration for the Ops Agent.
gcloud beta compute zone-vm-extension-policies create test-extension-policy \
    --project=test-project \
    --zone=us-central1-f \
    --extensions=ops-agent \
    --config-from-file=ops-agent="/usr/ops-agent-config.yaml"
Example 2
The following command creates a policy named test-extension-policy-2 that installs the ops-agent extension in zone us-central1-f for project test-project on VMs with label env=prod. The policy priority is set to 500, and the --config-from-file flag specifies the path to a local file containing a YAML configuration for the Ops Agent.
gcloud beta compute zone-vm-extension-policies create test-extension-policy-2 \
    --project=test-project \
    --zone=us-central1-f \
    --extensions=ops-agent \
    --config-from-file=ops-agent="/usr/ops-agent-config.yaml" \
    --priority=500 \
    --inclusion-labels=env=prod
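A pre-flight check for the flag rules listed for the global and zonal create commands, written as an added example that is not part of the original page or of Google's tooling. The function names, the MAJOR.MINOR.PATCH version format, and treating a pinned version for the SAP and workload extensions as an error are assumptions of this example.

```python
SUPPORTED = {"ops-agent", "google-cloud-sap-extension",
             "google-cloud-workload-extension"}
MIN_OPS_AGENT = (2, 58, 0)

def parse_version(text):
    """Turn '2.58.0' into (2, 58, 0); raise ValueError on anything else."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return tuple(int(p) for p in parts)

def check_policy(extensions, versions=None, priority=1000,
                 config=None, config_from_file=None):
    """Return (errors, notes) for the arguments of one planned create command."""
    versions = versions or {}
    errors, notes = [], []
    if not extensions:
        errors.append("specify at least one extension")
    for ext in extensions:
        if ext not in SUPPORTED:
            errors.append(f"{ext}: not a supported extension")
        elif ext not in versions:
            notes.append(f"{ext}: no version given, latest is installed and auto-upgraded")
        elif ext != "ops-agent":
            # Assumption: "only the latest version is supported" means do not pin.
            errors.append(f"{ext}: only the latest version is supported, omit --version")
        else:
            try:
                # Compare as integer tuples so 2.100.0 sorts above 2.58.0.
                if parse_version(versions[ext]) < MIN_OPS_AGENT:
                    errors.append("ops-agent: version must be 2.58.0 or newer")
            except ValueError as exc:
                errors.append(f"ops-agent: {exc}")
    if (isinstance(priority, bool) or not isinstance(priority, int)
            or not 0 <= priority <= 65535):
        errors.append("priority must be an integer from 0 to 65535")
    if config and config_from_file:
        errors.append("use either --config or --config-from-file, not both")
    return errors, notes

if __name__ == "__main__":
    # Constructed input mirroring Example 2, with an explicit version pin added.
    print(check_policy(["ops-agent"], {"ops-agent": "2.58.0"}, 500,
                       config_from_file={"ops-agent": "/usr/ops-agent-config.yaml"}))
```

The notes list records extensions left unpinned, which the page says are upgraded automatically when new versions become available.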
What's next
- Learn how to manage VM extensions.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-12 UTC.