Create and grant roles to service agents
Preview — triggering service agent creation. This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

In Google Cloud, project-level, folder-level, and organization-level service agents are created automatically as you enable and use Google Cloud services. Sometimes, these service agents are also automatically granted roles that allow them to create and access resources on your behalf.

If necessary, you can also ask Google Cloud to create project-level, folder-level, and organization-level service agents for a service before you use the service. Asking Google Cloud to create service agents lets you grant roles to service agents before you use a service. If a service agent hasn't been created yet, then you can't grant roles to the service agent.

This option is useful if you use one of the following strategies to manage your allow policies:

- A declarative framework like Terraform. If your Terraform configuration doesn't include the service agents' roles, then those roles are revoked when you apply your configuration. By creating service agents and granting them roles in your Terraform configuration, you ensure that these roles aren't revoked.
- A policies-as-code system that stores copies of your current allow policies in a code repository. If you let Google Cloud grant roles to service agents automatically, those roles appear in your actual allow policy, but not in your stored copy of the allow policy. To resolve this inconsistency, you might incorrectly revoke these roles. By creating service agents and granting them roles proactively, you can help prevent drift between your code repository and your actual allow policies.

After you trigger service agent creation, you must grant the service agents the roles that they are typically granted automatically. If you don't, some services might not function properly. This is because service agents that are created at a user's request aren't automatically granted roles.
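To illustrate the drift problem described above, the following Python script (an added example, not part of this page or of Google Cloud's tooling) compares a stored copy of an allow policy with the policy read back from getIamPolicy and flags which of the differing grants belong to service agents, so that an automatic service agent grant is recognized and added to the stored copy instead of being revoked. The two sample policies are constructed for the example, reusing the policy and the service agent email that appear elsewhere on this page; the regular expression for recognizing service agent addresses is this example's own assumption about the address format documented in the service agent reference.

```python
import re
from typing import Dict, List, Set, Tuple

# Google-managed service agents have addresses of the form
# service-NUMBER@gcp-sa-SERVICE.iam.gserviceaccount.com (see the service agent
# reference). This pattern is an assumption made by this example, not an API.
SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$"
)

# Constructed sample data. STORED_POLICY is the copy kept in the code
# repository; LIVE_POLICY is what getIamPolicy returned after a service was
# enabled (automatic service agent grant) and a colleague added a user by hand.
STORED_POLICY = {
    "version": 1,
    "etag": "BwWKmjvelug=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:my-user@example.com"]},
    ],
}

LIVE_POLICY = {
    "version": 1,
    "etag": "BwWKmjvelvM=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:my-user@example.com"]},
        {"role": "roles/editor", "members": ["user:new-user@example.com"]},
        {
            "role": "roles/aiplatform.serviceAgent",
            "members": [
                "serviceAccount:service-232332569935@gcp-sa-aiplatform.iam.gserviceaccount.com"
            ],
        },
    ],
}


def is_service_agent(member: str) -> bool:
    """True if an allow-policy member string names a Google-managed service agent."""
    return SERVICE_AGENT_RE.match(member) is not None


def flatten(policy: dict) -> Set[Tuple[str, str]]:
    """Reduce a policy's bindings to a set of (role, member) grants.

    A conditional binding is keyed with its condition title so that a
    conditional and an unconditional grant of the same role stay distinct.
    """
    grants = set()
    for binding in policy.get("bindings", []):
        title = binding.get("condition", {}).get("title", "")
        role = binding["role"] + (f" [if: {title}]" if title else "")
        for member in binding.get("members", []):
            grants.add((role, member))
    return grants


def policy_drift(stored: dict, live: dict) -> Dict[str, List[Tuple[str, str, bool]]]:
    """Compare the stored policy with the live one.

    Returns the grants present only in the live policy and only in the stored
    copy, each tagged with whether the member is a service agent. A service
    agent grant that exists only in the live policy is the automatic grant this
    page describes: the right fix is to add it to the stored copy, not to
    revoke it, because revoking it can break the service.
    """
    stored_grants, live_grants = flatten(stored), flatten(live)
    return {
        "only_live": sorted((r, m, is_service_agent(m)) for r, m in live_grants - stored_grants),
        "only_stored": sorted((r, m, is_service_agent(m)) for r, m in stored_grants - live_grants),
    }


def main() -> None:
    drift = policy_drift(STORED_POLICY, LIVE_POLICY)
    for role, member, agent in drift["only_live"]:
        action = "add to stored policy" if agent else "review: unexpected grant"
        print(f"live only:   {role} -> {member} ({action})")
    for role, member, _ in drift["only_stored"]:
        print(f"stored only: {role} -> {member} (apply would grant it)")


if __name__ == "__main__":
    main()
```

Run it before applying a stored policy: a service agent grant that shows up only in the live policy is expected after a service is enabled, while a human principal that shows up only there is the kind of change a policies-as-code workflow should have reviewed.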
Note: To create and grant roles to service agents for service-specific resources, refer to the service's documentation.

Before you begin

Enable the Resource Manager API.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Understand service agents.
Required roles
Triggering service agent creation doesn't require any IAM permissions. However, you need specific IAM permissions for other tasks on this page:

To get the permission that you need to list available services and their endpoints, ask your administrator to grant you the Service Usage Viewer (roles/serviceusage.serviceUsageViewer) IAM role on the project, folder, or organization that you want to list available services for. For more information about granting roles, see Manage access to projects, folders, and organizations. This predefined role contains the serviceusage.services.list permission, which is required to list available services and their endpoints. You might also be able to get this permission with custom roles or other predefined roles.

To get the permissions that you need to grant the service agents access, ask your administrator to grant you the following IAM roles on the project, folder, or organization that you're granting access to:

- Grant service agents access to a project: Project IAM Admin (roles/resourcemanager.projectIamAdmin)
- Grant service agents access to a folder: Folder Admin (roles/resourcemanager.folderAdmin)
- Grant service agents access to projects, folders, and organizations: Organization Admin (roles/resourcemanager.organizationAdmin)

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to grant the service agents access. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to grant the service agents access:

- Grant service agents access to a project: resourcemanager.projects.getIamPolicy, resourcemanager.projects.setIamPolicy
- Grant service agents access to a folder: resourcemanager.folders.getIamPolicy, resourcemanager.folders.setIamPolicy
- Grant service agents access to an organization: resourcemanager.organizations.getIamPolicy, resourcemanager.organizations.setIamPolicy

You might also be able to get these permissions with custom roles or other predefined roles.
Identify service agents to create
To identify the project-level, folder-level, and organization-level service agents that you need to ask Google Cloud to create, do the following:

Make a list of the services that you use and their API endpoints. To view all available services and their endpoints, use one of the following methods:
Console
Go to the API Library page in the Google Cloud console.

The API endpoint is the Service name listed in the Additional details section.
gcloud
The gcloud services list command lists all available services for a project. Before using any of the command data below, make the following replacements:

- EXPRESSION: Optional. An expression to filter the results. For example, the following expression filters for all services whose names contain googleapis.com but don't contain sandbox: name~googleapis.com AND name!~sandbox. For a list of filter expressions, see gcloud topic filters.
- LIMIT: Optional. The maximum number of results to list. The default is unlimited.
Execute the following command:

Linux, macOS, or Cloud Shell

    gcloud services list --available --filter='EXPRESSION' --limit=LIMIT

Windows (PowerShell)

    gcloud services list --available --filter='EXPRESSION' --limit=LIMIT

Windows (cmd.exe)

Note: If this command uses ' for quoting content, replace these single quotes with double quotes. If quoting is nested, use \" to escape the inner quotes.

    gcloud services list --available --filter='EXPRESSION' --limit=LIMIT

The response contains the names and titles of all available services. The API endpoint is the value in the NAME field.

REST
The Service Usage API's services.list method lists all available services for a project. Before using any of the request data, make the following replacements:

- RESOURCE_TYPE: The type of resource that you want to list available services for. Use projects, folders, or organizations.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to list available services for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- PAGE_SIZE: Optional. The number of services to include in the response. The default value is 50, and the maximum value is 200. If the number of services is greater than the page size, the response contains a pagination token that you can use to retrieve the next page of results.
- NEXT_PAGE_TOKEN: Optional. The pagination token returned in an earlier response from this method. If specified, the list of services will start where the previous request ended.

HTTP method and URL:

    GET https://serviceusage.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/services?pageSize=PAGE_SIZE&pageToken=NEXT_PAGE_TOKEN
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

    curl -X GET \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        "https://serviceusage.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/services?pageSize=PAGE_SIZE&pageToken=NEXT_PAGE_TOKEN"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
        -Method GET `
        -Headers $headers `
        -Uri "https://serviceusage.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/services?pageSize=PAGE_SIZE&pageToken=NEXT_PAGE_TOKEN" | Select-Object -Expand Content

The response contains the names and titles of all available services for the resource. If the number of available services is greater than the page size, the response also contains a pagination token. The API endpoint is the value in the name field.

On the service agent reference page, search for each API endpoint.
If the endpoint is listed in the table, find all service agents for that endpoint. Ignore any service agents whose email address contains the IDENTIFIER placeholder; those service agents are for service-specific resources, not projects, folders, or organizations. For each project-level, folder-level, and organization-level service agent, record the following:

- The format of the service agent's email address.
- The role that the service agent is granted, if any.
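The following Python script, added here as an example and not taken from this page or from the service agent reference, turns the steps above into a work list: it skips reference rows whose email format contains IDENTIFIER, maps the remaining placeholders (PROJECT_NUMBER, FOLDER_NUMBER, ORGANIZATION_NUMBER) to the resource type where creation has to be triggered, and records the role each agent is normally granted. The REFERENCE table is a constructed stand-in for the real reference page: the two aiplatform.googleapis.com rows use email formats and roles that appear on this page, while the example.googleapis.com rows are invented to exercise the organization-level and IDENTIFIER cases.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Placeholder in a reference email format -> resource type whose service agent
# it denotes, and therefore where creation must be triggered.
PLACEHOLDER_SCOPE = {
    "PROJECT_NUMBER": "project",
    "FOLDER_NUMBER": "folder",
    "ORGANIZATION_NUMBER": "organization",
}

# Constructed stand-in for rows of the service agent reference. The two
# aiplatform.googleapis.com rows use the formats and roles shown on this page;
# the example.googleapis.com rows are invented for this example.
REFERENCE = [
    {"endpoint": "aiplatform.googleapis.com",
     "email": "service-PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com",
     "role": "roles/aiplatform.serviceAgent"},
    {"endpoint": "aiplatform.googleapis.com",
     "email": "service-PROJECT_NUMBER@gcp-sa-aiplatform-cc.iam.gserviceaccount.com",
     "role": "roles/aiplatform.customCodeServiceAgent"},
    {"endpoint": "example.googleapis.com",
     "email": "service-org-ORGANIZATION_NUMBER@gcp-sa-example.iam.gserviceaccount.com",
     "role": "roles/example.serviceAgent"},
    {"endpoint": "example.googleapis.com",
     "email": "service-IDENTIFIER@gcp-sa-example.iam.gserviceaccount.com",
     "role": None},
]


def placeholder_scope(email_format: str) -> Optional[str]:
    """Return "project", "folder" or "organization" for a reference email format.

    Returns None for formats containing the IDENTIFIER placeholder: those agents
    belong to service-specific resources and are out of scope on this page.
    """
    if "IDENTIFIER" in email_format:
        return None
    for token, scope in PLACEHOLDER_SCOPE.items():
        if token in email_format:
            return scope
    return None


def plan_service_agents(
    reference: List[dict],
    services_in_use: Iterable[str],
    resources: Dict[str, List[str]],
) -> Tuple[List[Tuple[str, str, str]], List[dict]]:
    """Build the work list for the services you use.

    resources maps "project"/"folder"/"organization" to the IDs you will use
    the service in. Returns (creation_targets, grants): one creation target per
    (endpoint, resource type, resource ID), i.e. one gcloud beta services
    identity create call or generateServiceIdentity request, and one grant per
    service agent that the reference says is normally granted a role.
    """
    in_use = set(services_in_use)
    targets = set()
    grants = []
    for row in reference:
        if row["endpoint"] not in in_use:
            continue
        scope = placeholder_scope(row["email"])
        if scope is None:
            continue  # IDENTIFIER agent or no recognized placeholder
        for resource_id in resources.get(scope, []):
            targets.add((row["endpoint"], scope, resource_id))
            if row["role"]:
                grants.append({
                    "endpoint": row["endpoint"],
                    "resource_type": scope,
                    "resource_id": resource_id,
                    "email_format": row["email"],
                    "role": row["role"],
                })
    return sorted(targets), grants


if __name__ == "__main__":
    targets, grants = plan_service_agents(
        REFERENCE,
        {"aiplatform.googleapis.com", "example.googleapis.com"},
        {"project": ["my-project"], "organization": ["123456789012"]},
    )
    for endpoint, rtype, rid in targets:
        print(f"gcloud beta services identity create --service={endpoint} --{rtype}={rid}")
    for g in grants:
        print(f"grant {g['role']} to {g['email_format']} on {g['resource_type']} {g['resource_id']}")
```

The grants list is what you carry into the later sections: each entry is one role binding to add once the corresponding creation call has returned and the placeholder has been replaced with the real project, folder, or organization number.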
Trigger service agent creation
After you know which service agents you need to create, you can ask Google Cloud to create them.

When you ask Google Cloud to create service agents, you provide it with a service and a resource. Then, Google Cloud creates all service agents for that service and that resource.
gcloud
For each service that you need to create service agents for, do the following:
Review the service agent email addresses for the service. Use the placeholders in the email addresses to determine which resources you need to create service agents for:

- PROJECT_NUMBER: Each project where you will use the service
- FOLDER_NUMBER: Each folder where you will use the service
- ORGANIZATION_NUMBER: Each organization where you will use the service

Create service agents for each resource.

The gcloud beta services identity create command creates all service agents for the specified API and resource. Before using any of the command data below, make the following replacements:

- ENDPOINT: The endpoint of the API that you want to create a service agent for, for example aiplatform.googleapis.com.
- RESOURCE_TYPE: The type of resource that you want to create a service agent for. Use project, folder, or organization.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to create a service agent for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012. You can create service agents for one resource at a time. If you need to create service agents for multiple resources, run the command once for each resource.
Execute the following command:

Linux, macOS, or Cloud Shell

    gcloud beta services identity create --service=ENDPOINT \
        --RESOURCE_TYPE=RESOURCE_ID

Windows (PowerShell)

    gcloud beta services identity create --service=ENDPOINT `
        --RESOURCE_TYPE=RESOURCE_ID

Windows (cmd.exe)

    gcloud beta services identity create --service=ENDPOINT ^
        --RESOURCE_TYPE=RESOURCE_ID

The response contains the email address of the service's primary service agent. This email address includes the numeric ID of the project, folder, or organization that you created service agents for.

If the service doesn't have a primary service agent, the response doesn't contain an email address.

The following is an example of a response for a service that has a primary service agent.

    Service identity created: service-232332569935@gcp-sa-aiplatform.iam.gserviceaccount.com

Optional: Record the service agent email address in the response, if any. This email address identifies the service's primary service agent. You can use this identifier to grant roles to the primary service agent.
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands. For more information, see the Terraform provider reference documentation.
For each service that you need to create service agents for, do the following:
Review the service agent email addresses for the service. Use the placeholders in the email addresses to determine which resources you need to create service agents for:

- PROJECT_NUMBER: Each project where you will use the service
- FOLDER_NUMBER: Each folder where you will use the service
- ORGANIZATION_NUMBER: Each organization where you will use the service

Create service agents for each resource. For example, the following code creates all project-level service agents for AI Platform:

Note: Terraform only supports triggering the creation of project-level service agents. To trigger the creation of folder-level and organization-level service agents, use the Google Cloud CLI or REST API.

    data "google_project" "default" {}

    # Create all project-level aiplatform.googleapis.com service agents
    resource "google_project_service_identity" "default" {
      provider = google-beta
      project  = data.google_project.default.project_id
      service  = "aiplatform.googleapis.com"
    }

REST
For each service that you need to create service agents for, do the following:
Review the service agent email addresses for the service. Use the placeholders in the email addresses to determine which resources you need to create service agents for:

- PROJECT_NUMBER: Each project where you will use the service
- FOLDER_NUMBER: Each folder where you will use the service
- ORGANIZATION_NUMBER: Each organization where you will use the service

Create service agents for each resource.

The Service Usage API's services.generateServiceIdentity method creates all service agents for the specified API and resource. Before using any of the request data, make the following replacements:

- RESOURCE_TYPE: The type of resource that you want to create a service agent for. Use projects, folders, or organizations.
- RESOURCE_ID: The ID of the Google Cloud project, folder, or organization that you want to create service agents for. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012. You can create service agents for one resource at a time. If you need to create service agents for multiple resources, send one request for each resource.
- ENDPOINT: The endpoint of the API that you want to create a service agent for, for example aiplatform.googleapis.com.

HTTP method and URL:

    POST https://serviceusage.googleapis.com/v1beta1/RESOURCE_TYPE/RESOURCE_ID/services/ENDPOINT:generateServiceIdentity
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

    curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json; charset=utf-8" \
        -d "" \
        "https://serviceusage.googleapis.com/v1beta1/RESOURCE_TYPE/RESOURCE_ID/services/ENDPOINT:generateServiceIdentity"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
        -Method POST `
        -Headers $headers `
        -Uri "https://serviceusage.googleapis.com/v1beta1/RESOURCE_TYPE/RESOURCE_ID/services/ENDPOINT:generateServiceIdentity" | Select-Object -Expand Content

The response contains an Operation indicating the status of your request. To check the status of the operation, use the operations.get method. Finished operations contain the email address of the service's primary service agent. This email address includes the numeric ID of the project, folder, or organization that you created service agents for.

If the service doesn't have a primary service agent, the response doesn't contain an email address.

The following is an example of a finished operation for a service that has a primary service agent.

    {
      "name": "operations/finished.DONE_OPERATION",
      "done": true,
      "response": {
        "@type": "type.googleapis.com/google.api.serviceusage.v1beta1.ServiceIdentity",
        "email": "service-232332569935@gcp-sa-aiplatform.iam.gserviceaccount.com",
        "uniqueId": "112245693826560101651"
      }
    }

Optional: Record the service agent email address in the response, if any. This email address identifies the service's primary service agent. You can use this identifier to grant roles to the primary service agent.
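As an added example (not code from this page or from the Service Usage API client libraries), the following Python functions build the generateServiceIdentity URL from the placeholders above and read the result: they reject an operation that is not done yet so that the caller polls it with operations.get, surface an error field, return None when the service has no primary service agent, and check that the returned email carries the numeric ID of the resource you created agents for before it is used to grant roles. FINISHED_OPERATION is the finished operation shown above; the pending and no-primary-agent operations are constructed, with placeholder operation names.

```python
from typing import Optional

SERVICE_USAGE_V1BETA1 = "https://serviceusage.googleapis.com/v1beta1"

# The finished Operation shown on this page for aiplatform.googleapis.com.
FINISHED_OPERATION = {
    "name": "operations/finished.DONE_OPERATION",
    "done": True,
    "response": {
        "@type": "type.googleapis.com/google.api.serviceusage.v1beta1.ServiceIdentity",
        "email": "service-232332569935@gcp-sa-aiplatform.iam.gserviceaccount.com",
        "uniqueId": "112245693826560101651",
    },
}

# Constructed: an operation that has not finished yet (placeholder name).
PENDING_OPERATION = {"name": "operations/PLACEHOLDER_OPERATION_ID", "done": False}

# Constructed: a finished operation for a service with no primary service agent,
# so the response carries no email field (placeholder name).
NO_PRIMARY_OPERATION = {
    "name": "operations/PLACEHOLDER_OPERATION_ID",
    "done": True,
    "response": {
        "@type": "type.googleapis.com/google.api.serviceusage.v1beta1.ServiceIdentity",
    },
}


def generate_identity_url(resource_type: str, resource_id: str, endpoint: str) -> str:
    """Build the URL for the generateServiceIdentity POST shown on this page.

    resource_type is the plural form the REST method expects; the singular
    forms used by gcloud are rejected so the mistake surfaces before a request.
    """
    if resource_type not in ("projects", "folders", "organizations"):
        raise ValueError(
            f"resource_type must be projects, folders or organizations, got {resource_type!r}"
        )
    return f"{SERVICE_USAGE_V1BETA1}/{resource_type}/{resource_id}/services/{endpoint}:generateServiceIdentity"


def primary_agent_email(operation: dict) -> Optional[str]:
    """Read the primary service agent email out of an Operation.

    Raises if the operation is still running (poll it with operations.get) or
    reported an error; returns None when the service has no primary service
    agent, in which case the finished response has no email.
    """
    if not operation.get("done", False):
        raise RuntimeError(f"{operation.get('name')} is not done yet; poll operations.get")
    if "error" in operation:
        raise RuntimeError(f"{operation.get('name')} failed: {operation['error']}")
    return operation.get("response", {}).get("email")


def agent_belongs_to(email: str, resource_number: str) -> bool:
    """Sanity check before granting roles: the agent email must carry the numeric
    ID of the resource you created agents for (see the note above), so a role is
    never bound to another project's, folder's or organization's agent."""
    return f"-{resource_number}@" in email and email.endswith(".iam.gserviceaccount.com")


if __name__ == "__main__":
    print(generate_identity_url("projects", "my-project", "aiplatform.googleapis.com"))
    email = primary_agent_email(FINISHED_OPERATION)
    print("primary service agent:", email)
    print("belongs to 232332569935:", agent_belongs_to(email, "232332569935"))
```

The number check matters most when the same configuration is applied across several projects: an email copied from the wrong operation passes every other validation and quietly grants a role to an agent you never meant to authorize.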
Grant roles to service agents
After Google Cloud creates the necessary service agents for your projects, folders, and organizations, you use the service agents' email addresses to grant them roles.

If you asked Google Cloud to create service agents, you must grant those service agents the roles that they are typically granted automatically. If you don't, some services might not function properly. This is because service agents that are created at a user's request aren't automatically granted roles.

To learn how to identify automatically granted roles, see Identify service agents to create.
Find the service agent's email address
To find a service agent's email address, do the following:
gcloud
If you have not already, find the service agent's email address format. This format is documented in the service agent reference.

Replace any placeholders in the email address with the corresponding project, folder, or organization number.

Alternatively, if the service agent is a primary service agent, you can get its email address by triggering service agent creation for the service. The command to trigger service agent creation returns the primary service agent's email address.
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands. For more information, see the Terraform provider reference documentation.

If you have not already, find the service agent's email address format. This format is documented in the service agent reference.

Replace any placeholders in the email address with expressions that reference the appropriate project, folder, or organization number.

For example, consider the following situation:

- The email address format is service-PROJECT_NUMBER@gcp-sa-aiplatform-cc.iam.gserviceaccount.com
- The service agent is for a project labeled default

In this case, the service agent's email address is as follows:

    service-${data.google_project.default.number}@gcp-sa-aiplatform-cc.iam.gserviceaccount.com

Alternatively, if a service agent is the primary service agent for a service, you can get its email address from the email attribute of the google_project_service_identity resource.

For example, if you have a google_project_service_identity block labeled default, you can get the email address of the service's primary service agent by using the following expression:

    ${google_project_service_identity.default.email}

REST
If you have not already, find the service agent's email address format. This format is documented in the service agent reference.

Replace any placeholders in the email address with the corresponding project, folder, or organization number.

Alternatively, if the service agent is a primary service agent, you can get its email address by triggering service agent creation for the service. The request to trigger service agent creation returns the primary service agent's email address.
Grant a role to the service agent
After you find the service agent's email address, you can grant it a role just like you would grant a role to any other principal.
Console
In the Google Cloud console, go to the IAM page.

Select a project, folder, or organization.

Click Grant Access, then enter the service agent's email address.

Select a role to grant from the drop-down list.

Optional: Add a condition to the role.

Click Save. The service agent is granted the role on the resource.
gcloud
The add-iam-policy-binding command lets you quickly grant a role to a principal.

Before using any of the command data below, make the following replacements:

- RESOURCE_TYPE: The resource type that you want to manage access to. Use projects, resource-manager folders, or organizations.
- RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
- PRINCIPAL: An identifier for the principal, or member, which usually has the following form: PRINCIPAL_TYPE:ID. For example, user:my-user@example.com or principalSet://iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com. For a service agent, use serviceAccount: followed by the service agent's email address. For a full list of the values that PRINCIPAL can have, see Principal identifiers. For the principal type user, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the overview of Cloud Identity.
- ROLE_NAME: The name of the role that you want to grant. Use one of the following formats:
  - Predefined roles: roles/SERVICE.IDENTIFIER
  - Project-level custom roles: projects/PROJECT_ID/roles/IDENTIFIER
  - Organization-level custom roles: organizations/ORG_ID/roles/IDENTIFIER
  For a list of predefined roles, see Understanding roles.
- CONDITION: The condition to add to the role binding. If you don't want to add a condition, use the value None. For more information about conditions, see the conditions overview.
Execute the following command:

Linux, macOS, or Cloud Shell

    gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID \
        --member=PRINCIPAL --role=ROLE_NAME \
        --condition=CONDITION

Windows (PowerShell)

    gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID `
        --member=PRINCIPAL --role=ROLE_NAME `
        --condition=CONDITION

Windows (cmd.exe)

    gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID ^
        --member=PRINCIPAL --role=ROLE_NAME ^
        --condition=CONDITION

The response contains the updated IAM policy.
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands. For more information, see the Terraform provider reference documentation.

    # Grant the AI Platform Custom Code Service Account the Vertex AI Custom
    # Code Service Agent role (roles/aiplatform.customCodeServiceAgent)
    resource "google_project_iam_member" "custom_code" {
      project = data.google_project.default.project_id
      role    = "roles/aiplatform.customCodeServiceAgent"
      member  = "serviceAccount:service-${data.google_project.default.number}@gcp-sa-aiplatform-cc.iam.gserviceaccount.com"
    }

    # Grant the primary aiplatform.googleapis.com service agent (AI Platform
    # Service Agent) the Vertex AI Service Agent role
    # (roles/aiplatform.serviceAgent)
    resource "google_project_iam_member" "primary" {
      project = data.google_project.default.project_id
      role    = "roles/aiplatform.serviceAgent"
      member  = "serviceAccount:${google_project_service_identity.default.email}"
    }

REST
To grant a role with the REST API, use the read-modify-write pattern:
Read the current allow policy by calling getIamPolicy().

The Resource Manager API's getIamPolicy method gets a project's, folder's, or organization's allow policy. Before using any of the request data, make the following replacements:

- API_VERSION: The API version to use. For projects and organizations, use v1. For folders, use v2.
- RESOURCE_TYPE: The resource type whose policy you want to manage. Use the value projects, folders, or organizations.
- RESOURCE_ID: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.

HTTP method and URL:

    POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy

Request JSON body:

    {
      "options": {
        "requestedPolicyVersion": POLICY_VERSION
      }
    }

To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

    curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json; charset=utf-8" \
        -d @request.json \
        "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
        -Method POST `
        -Headers $headers `
        -ContentType: "application/json; charset=utf-8" `
        -InFile request.json `
        -Uri "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy" | Select-Object -Expand Content

APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

The response contains the resource's allow policy. For example:

    {
      "version": 1,
      "etag": "BwWKmjvelug=",
      "bindings": [
        {
          "role": "roles/owner",
          "members": [
            "user:my-user@example.com"
          ]
        }
      ]
    }

Edit the resource's allow policy, either by using a text editor or programmatically, to add or remove any principals or role bindings. For example, you could add a new role binding, remove an existing role binding, or add or remove principals from an existing role binding.
Write the updated allow policy by calling setIamPolicy().

The Resource Manager API's setIamPolicy method sets the policy in the request as the new allow policy for the project, folder, or organization. Before using any of the request data, make the following replacements:

- API_VERSION: The API version to use. For projects and organizations, use v1. For folders, use v2.
- RESOURCE_TYPE: The resource type whose policy you want to manage. Use the value projects, folders, or organizations.
- RESOURCE_ID: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
- POLICY: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference.

HTTP method and URL:

    POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy

Request JSON body:

    {
      "policy": POLICY
    }

To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

    curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json; charset=utf-8" \
        -d @request.json \
        "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
        -Method POST `
        -Headers $headers `
        -ContentType: "application/json; charset=utf-8" `
        -InFile request.json `
        -Uri "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy" | Select-Object -Expand Content

APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

The response contains the updated allow policy.

Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
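The following Python code, added as an example that is not part of this page, implements the modify step of the read-modify-write sequence above for a service agent, and also resolves a reference email format into a member string as described under Find the service agent's email address. It starts from the allow policy shown in the getIamPolicy example, adds a binding for the service agent without duplicating an existing member, keeps the etag so that setIamPolicy detects a concurrent change, and raises the policy version to 3 only when a conditional binding is added. The project number and email format are the ones quoted on this page; the expiry condition used in the test is constructed.

```python
import copy
import json
from typing import Optional

PLACEHOLDERS = ("PROJECT_NUMBER", "FOLDER_NUMBER", "ORGANIZATION_NUMBER")

# The allow policy returned by getIamPolicy in the example on this page.
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwWKmjvelug=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:my-user@example.com"]},
    ],
}

# Email format from the service agent reference as quoted on this page, and the
# project number from the page's example creation response.
AGENT_FORMAT = "service-PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com"
PROJECT_NUMBER = "232332569935"


def service_agent_member(email_format: str, number: str) -> str:
    """Resolve a reference email format into the member string for a binding."""
    for token in PLACEHOLDERS:
        if token in email_format:
            return "serviceAccount:" + email_format.replace(token, number)
    raise ValueError(f"no project/folder/organization placeholder in {email_format!r}")


def add_binding(policy: dict, role: str, member: str, condition: Optional[dict] = None) -> dict:
    """The modify step: return a copy of policy with member granted role.

    An existing binding is reused when its role and condition match, a member is
    never duplicated, a conditional binding forces policy version 3, and the
    etag is left untouched so that setIamPolicy rejects the write if the policy
    changed between the read and the write.
    """
    updated = copy.deepcopy(policy)
    if condition is not None and updated.get("version", 1) < 3:
        updated["version"] = 3
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    binding = {"role": role, "members": [member]}
    if condition is not None:
        binding["condition"] = condition
    updated["bindings"].append(binding)
    return updated


def set_iam_policy_body(policy: dict) -> dict:
    """The write step: the setIamPolicy request body. Refuses a policy without
    an etag, since writing one would silently overwrite concurrent changes."""
    if not policy.get("etag"):
        raise ValueError("policy has no etag; read it again with getIamPolicy first")
    return {"policy": policy}


if __name__ == "__main__":
    member = service_agent_member(AGENT_FORMAT, PROJECT_NUMBER)
    policy = add_binding(CURRENT_POLICY, "roles/aiplatform.serviceAgent", member)
    print(json.dumps(set_iam_policy_body(policy), indent=2))
```

Send the returned body as the setIamPolicy request, then store the policy that comes back in the response, not the one you sent, as the note above says; the response carries the new etag and any normalization the service applied.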
What's next

- View a list of all service agents.
- Explore other ways that you can grant roles to principals.
- Learn how to create user-managed service accounts, which can act as identities for your workloads.
- Learn more about best practices for using Terraform on Google Cloud.
- Explore all Google Cloud Terraform samples.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.