gcloud compute machine-images import - create a Compute Engine machine image from virtual appliance in OVA/OVF format

gcloud compute machine-images importIMAGE--cmd-deprecated--source-uri=SOURCE_URI[--no-address][--async][--byol][--can-ip-forward][--cloudbuild-service-account=CLOUDBUILD_SERVICE_ACCOUNT][--compute-service-account=COMPUTE_SERVICE_ACCOUNT][--description=DESCRIPTION][--no-guest-environment][--guest-flush][--guest-os-features=[GUEST_OS_FEATURE,…]][--labels=[KEY=VALUE,…]][--log-location=LOG_LOCATION][--machine-type=MACHINE_TYPE][--network=NETWORK][--network-tier=NETWORK_TIER][--os=OS][--no-restart-on-failure][--storage-location=LOCATION][--subnet=SUBNET][--tags=TAG,[TAG,…]][--timeout=TIMEOUT; default="2h"][--zone=ZONE][--custom-cpu=CUSTOM_CPU--custom-memory=CUSTOM_MEMORY :--custom-extensions--custom-vm-type=CUSTOM_VM_TYPE][--scopes=[SCOPE,…]    |--no-scopes][--service-account=SERVICE_ACCOUNT    |--no-service-account][GCLOUD_WIDE_FLAG …]

gcloud compute machine-images import creates Compute Engine machineimage from virtual appliance in OVA/OVF format.

Importing OVF involves:

• Unpacking OVF package (if in OVA format) to Cloud Storage.
• Import disks from OVF to Compute Engine.
• Translate the boot disk to make it bootable in Compute Engine.
• Create a machine image using OVF metadata and imported disks.

Virtual instances, images, machine images, and disks in Compute engine and filesstored on Cloud Storage incur charges. Seehttps://cloud.google.com/compute/docs/images/importing-virtual-disks#resource_cleanup.

IMAGE

Name of the machineImage to import.

--cmd-deprecated

The command you're using is deprecated and will be removed by December 31, 2025.We recommend usinggcloud computemigration image-imports instead. See our official documentation formore information.https://cloud.google.com/migrate/virtual-machines/docs/5.0/migrate/image_import.

--source-uri=SOURCE_URI

Cloud Storage path to one of: OVF descriptor OVA file Directory with OVFpackage. For more information about Cloud Storage URIs, seehttps://cloud.google.com/storage/docs/request-endpoints#json-api.

--no-address

Temporary VMs are created in your project during machine image import. Set thisflag so that these temporary VMs are not assigned external IP addresses.

Note: The machine image import process requires package managers to be installedon the operating system for the virtual disk. These package managers might needto make requests to package repositories that are outside Google Cloud. To allowaccess for these updates, you need to configure Cloud NAT and Private GoogleAccess. For more information, seehttps://cloud.google.com/nat/docs/gce-example#create-natandhttps://cloud.google.com/vpc/docs/private-access-options#pga.

--async

Return immediately, without waiting for the operation in progress to complete.

--byol

Specifies that you want to import an image with an existing license. Importingan image with an existing license is known as bring your own license (BYOL).

--byol can be specified in any of the following ways:

+`--byol--os=rhel-8`:importsaRHEL8imagewithanexistinglicense.+`--os=rhel-8-byol`:importsaRHEL8imagewithanexistinglicense.+`--byol`:detectstheOScontainedonthedisk,andimportstheimagewithanexistinglicense.

For more information about BYOL, see:https://cloud.google.com/compute/docs/nodes/bringing-your-own-licenses

--can-ip-forward

If provided, allows the VMs created from the imported machine image to send andreceive packets with non-matching destination or source IP addresses.

--cloudbuild-service-account=CLOUDBUILD_SERVICE_ACCOUNT

Image import and export tools use Cloud Build to import and export images to andfrom your project. Cloud Build uses a specific service account to execute buildson your behalf. The Cloud Build service account generates an access token forother service accounts and it is also used for authentication when building theartifacts for the image import tool.

Use this flag to to specify a user-managed service account for image import andexport. If you don't specify this flag, Cloud Build runs using your project'sdefault Cloud Build service account. To set this option, specify the emailaddress of the desired user-managed service account. Note: You must specify the--logs-location flag when you set a user-managed service account.

At minimum, the specified user-managed service account needs to have thefollowing roles assigned:

• roles/compute.admin
• roles/iam.serviceAccountTokenCreator
• roles/iam.serviceAccountUser

--compute-service-account=COMPUTE_SERVICE_ACCOUNT

A temporary virtual machine instance is created in your project during machineimage import. Machine image import tooling on this temporary instance must beauthenticated.

A Compute Engine service account is an identity attached to an instance. Itsaccess tokens can be accessed through the instance metadata server and can beused to authenticate machine image import tooling on the instance.

To set this option, specify the email address corresponding to the requiredCompute Engine service account. If not provided, the machine image import on thetemporary instance uses the project's default Compute Engine service account.

At a minimum, you need to grant the following roles to the specified Cloud Buildservice account:

• roles/compute.storageAdmin
• roles/storage.objectViewer

--description=DESCRIPTION

Specifies a text description of the machine image.

--guest-environment

The guest environment will be installed on the machine image. Enabled bydefault, use--no-guest-environment to disable.

--guest-flush

Create an application-consistent machine image by informing the OS to preparefor the snapshot process.

--guest-os-features=[GUEST_OS_FEATURE,…]

Enables one or more features for VM instances that use the image for their bootdisks. See the descriptions of supported features at:https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images#guest-os-features.GUEST_OS_FEATURE must be (only one value is supported):UEFI_COMPATIBLE.

--labels=[KEY=VALUE,…]

List of label KEY=VALUE pairs to add.

Keys must start with a lowercase character and contain only hyphens(-), underscores (_), lowercase characters, andnumbers. Values must contain only hyphens (-), underscores(_), lowercase characters, and numbers.

--log-location=LOG_LOCATION

Directory in Cloud Storage to hold build logs. If not set,gs://<project num>.cloudbuild-logs.googleusercontent.com/ iscreated and used.

--machine-type=MACHINE_TYPE

Specifies the machine type used for the instances. To get a list of availablemachine types, run 'gcloud compute machine-types list'. If unspecified, thedefault type is n1-standard-1.

--network=NETWORK

Specifies the network for the VMs that are created from the imported machineimage. If--subnet is also specified, then the subnet must be asubnetwork of network specified by--network. If neither isspecified, thedefault network is used.

--network-tier=NETWORK_TIER

Specifies the network tier that will be used to configure the machine image.NETWORK_TIER must be one of:PREMIUM,STANDARD. The default value isPREMIUM.

--os=OS

Specifies the OS of the machine image being imported.OSmust be one of:centos-7,centos-stream-8,centos-stream-9,debian-10,debian-11,debian-8,debian-9,opensuse-15,rhel-6,rhel-6-byol,rhel-7,rhel-7-byol,rhel-8,rhel-8-byol,rhel-9,rhel-9-byol,rocky-8,rocky-9,sles-12,sles-12-byol,sles-15,sles-15-byol,sles-sap-12,sles-sap-12-byol,sles-sap-15,sles-sap-15-byol,ubuntu-1404,ubuntu-1604,ubuntu-1804,ubuntu-2004,ubuntu-2204,windows-10-x64-byol,windows-10-x86-byol,windows-11-x64-byol,windows-2008r2,windows-2008r2-byol,windows-2012,windows-2012-byol,windows-2012r2,windows-2012r2-byol,windows-2016,windows-2016-byol,windows-2019,windows-2019-byol,windows-2022,windows-2022-byol,windows-7-x64-byol,windows-7-x86-byol,windows-8-x64-byol,windows-8-x86-byol.

--restart-on-failure

The VMs created from the imported machine image are restarted if they areterminated by Compute Engine. This does not affect terminations performed by theuser. Enabled by default, use--no-restart-on-failure to disable.

--storage-location=LOCATION

Google Cloud Storage location, either regional or multi-regional, where machineimage's content is to be stored. If absent, a nearby regional or multi-regionallocation is chosen automatically.

--subnet=SUBNET

Specifies the subnet for the VMs created from the imported machine image. If--network is also specified, the subnet must be a subnetwork of thenetwork specified by--network.

--tags=TAG,[TAG,…]

Specifies a list of tags to apply to the VMs created from the imported machineimage. These tags allow network firewall rules and routes to be applied tospecified VMs. Seegcloud computefirewall-rules create(1) for more details.

To read more about configuring network tags, read this guide:https://cloud.google.com/vpc/docs/add-remove-network-tags

To list VMs with their respective status and tags, run:

gcloudcomputeinstanceslist--format='table(name,status,tags.list())'

To list VMs tagged with a specific tag,tag1, run:

gcloudcomputeinstanceslist--filter='tags:tag1'

--timeout=TIMEOUT; default="2h"

Maximum time an import can last before it fails as "TIMEOUT". For example, ifyou specify2h, the process fails after 2 hours. See $gcloud topic datetimes forinformation about duration formats.

This timeout option has a maximum value of 24 hours.

--zone=ZONE

Zone of the machine image to import. The zone in which to perform the import ofthe machine image. If not specified and thecompute/zone property isn't set, you mightbe prompted to select a zone (interactive mode only).

To avoid prompting when this flag is omitted, you can set thecompute/zone property:

gcloudconfigsetcompute/zoneZONE

A list of zones can be fetched by running:

gcloudcomputezoneslist

To unset the property, run:

gcloudconfigunsetcompute/zone

Alternatively, the zone can be stored in the environment variableCLOUDSDK_COMPUTE_ZONE.

Custom machine type extensions.

--custom-cpu=CUSTOM_CPU

A whole number value specifying the number of cores that are needed in thecustom machine type.

For some machine types, shared-core values can also be used. For example, for E2machine types, you can specifymicro,small, ormedium.

This flag argument must be specified if any of the other arguments in this groupare specified.

--custom-memory=CUSTOM_MEMORY

A whole number value indicating how much memory is desired in the custom machinetype. A size unit should be provided (eg. 3072MB or 9GB) - if no units arespecified, GB is assumed.

This flag argument must be specified if any of the other arguments in this groupare specified.

--custom-extensions

Use the extended custom machine type.

--custom-vm-type=CUSTOM_VM_TYPE

Specifies a custom machine type. The default isn1. For moreinformation about custom machine types, see:https://cloud.google.com/compute/docs/general-purpose-machines#custom_machine_types

At most one of these can be specified:

--scopes=[SCOPE,…]

If not provided, the machine image will be assigned the default scopes,described below. However, if neither--scopes nor--no-scopes are specified and the project has no default serviceaccount, then the machine image is imported with no scopes. Note that the levelof access that a service account has is determined by a combination of accessscopes and IAM roles so you must configure both access scopes and IAM roles forthe service account to work properly.

SCOPE can be either the full URI of the scope or an alias.Defaultscopes are assigned to all instances. Available aliases are:

Alias	URI
bigquery	https://www.googleapis.com/auth/bigquery
cloud-platform	https://www.googleapis.com/auth/cloud-platform
cloud-source-repos	https://www.googleapis.com/auth/source.full_control
cloud-source-repos-ro	https://www.googleapis.com/auth/source.read_only
compute-ro	https://www.googleapis.com/auth/compute.readonly
compute-rw	https://www.googleapis.com/auth/compute
datastore	https://www.googleapis.com/auth/datastore
default	https://www.googleapis.com/auth/devstorage.read_only
	https://www.googleapis.com/auth/logging.write
	https://www.googleapis.com/auth/monitoring.write
	https://www.googleapis.com/auth/pubsub
	https://www.googleapis.com/auth/service.management.readonly
	https://www.googleapis.com/auth/servicecontrol
	https://www.googleapis.com/auth/trace.append
gke-default	https://www.googleapis.com/auth/devstorage.read_only
	https://www.googleapis.com/auth/logging.write
	https://www.googleapis.com/auth/monitoring
	https://www.googleapis.com/auth/service.management.readonly
	https://www.googleapis.com/auth/servicecontrol
	https://www.googleapis.com/auth/trace.append
logging-write	https://www.googleapis.com/auth/logging.write
monitoring	https://www.googleapis.com/auth/monitoring
monitoring-read	https://www.googleapis.com/auth/monitoring.read
monitoring-write	https://www.googleapis.com/auth/monitoring.write
pubsub	https://www.googleapis.com/auth/pubsub
service-control	https://www.googleapis.com/auth/servicecontrol
service-management	https://www.googleapis.com/auth/service.management.readonly
sql (deprecated)	https://www.googleapis.com/auth/sqlservice
sql-admin	https://www.googleapis.com/auth/sqlservice.admin
storage-full	https://www.googleapis.com/auth/devstorage.full_control
storage-ro	https://www.googleapis.com/auth/devstorage.read_only
storage-rw	https://www.googleapis.com/auth/devstorage.read_write
taskqueue	https://www.googleapis.com/auth/taskqueue
trace	https://www.googleapis.com/auth/trace.append
userinfo-email	https://www.googleapis.com/auth/userinfo.email

DEPRECATION WARNING:https://www.googleapis.com/auth/sqlserviceaccount scope andsql alias do not provide SQL instance managementcapabilities and have been deprecated. Please, usehttps://www.googleapis.com/auth/sqlservice.adminorsql-admin to manage your Google SQL Service instances.

--no-scopes

Import machine image without scopes

At most one of these can be specified:

--service-account=SERVICE_ACCOUNT

A service account is an identity attached to the machine image. Its accesstokens can be accessed through the instance metadata server and are used toauthenticate applications on the instance. The account can be set using an emailaddress corresponding to the required service account.

If not provided, the machine image will use the project's default serviceaccount.

--no-service-account

Import machine image without service account

Run$gcloud help for details.