Prerequisites for using the Guided Deployment Automation tool

This document describes the prerequisites for using the Guided Deployment Automation tool in Workload Manager.

In addition, you must meet the following prerequisites that are specific to the application you're deploying:

Prerequisites and descriptions:

  • Google Cloud billing account: You must have a Google Cloud account that is part of your organization with active billing. For more information, see Create a new billing account.
  • Google Cloud project: A Google Cloud project in which you want to deploy the application. See Create and manage projects. Make sure that the project is linked to the billing account.
  • Enable APIs: Enable the following APIs in your project:
    During the deployment process, Workload Manager automatically enables additional required APIs if they're not enabled in your project.
  • Grant IAM roles to Workload Manager service account: Workload Manager uses a service agent that needs to be granted the required roles before you can deploy an application. For more information, see Workload Manager service account.
  • Grant IAM roles to a user-managed service account: Create a service account and grant all the required roles for deploying your application. For more information, see User-managed service account.
  • IAM roles and permissions: Users who deploy a workload using the Guided Deployment Automation tool must have or be granted the required roles and permissions to configure the deployment. These users also need permissions to create the necessary service accounts during deployment. For more information, see IAM roles and permissions.
  • Cloud Build private pool: Optional. If your organization enforces VPC Service Controls perimeter settings for protecting Workload Manager resources and data, then set up a Cloud Build private worker pool to use in your deployment environment. For more information, see Use a Cloud Build private worker pool.
  • Quotas: Make sure that you have sufficient resource quota in your project to deploy the workload. For more information, see Quotas.

Workload Manager service account

The Guided Deployment Automation tool uses a service agent for deploying applications.

When you create a deployment, Workload Manager prompts you to grant the required roles to this service account if they're not already granted. If you don't have the permission to grant these roles, ask an administrator to grant the following roles to the Workload Manager service account before creating a deployment.

Service account: Service-PROJECT_ID@gcp-sa-workloadmanager.iam.gserviceaccount.com

Required roles:
  • Cloud Infrastructure Manager Admin (roles/config.admin)
  • Logs Viewer (roles/logging.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Workload Manager Service Agent (roles/workloadmanager.serviceAgent)
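The grant described above, written as a shell script. This is an added example, not part of the Workload Manager documentation or of any Google tooling. It assumes the gcloud CLI, that the Workload Manager API is named workloadmanager.googleapis.com, and that the service agent address follows the table above with a lowercase "service-" prefix; whatever identifier your project's agent address actually carries is passed as the second argument. Setting GCLOUD=echo prints the commands instead of running them, which is useful for review before an administrator applies them.

```shell
#!/bin/sh
# Added example (not from the Workload Manager documentation): enable the
# Workload Manager API and grant its service agent exactly the four roles the
# table above lists, and nothing broader.
# Assumptions: API name workloadmanager.googleapis.com; agent address format
# service-<identifier>@gcp-sa-workloadmanager.iam.gserviceaccount.com.
# GCLOUD can be overridden (GCLOUD=echo) to print the commands without running them.

GCLOUD="${GCLOUD:-gcloud}"

# The roles listed for the Workload Manager service agent on this page.
WLM_AGENT_ROLES="roles/config.admin roles/logging.viewer roles/iam.serviceAccountUser roles/workloadmanager.serviceAgent"

# Build the service agent address from the identifier in the table's placeholder.
wlm_service_agent() {
  printf 'service-%s@gcp-sa-workloadmanager.iam.gserviceaccount.com\n' "$1"
}

# Enable the API in the project (needs serviceusage.services.enable; once per project).
enable_wlm_api() {
  "$GCLOUD" services enable workloadmanager.googleapis.com --project="$1"
}

# Grant each required role to the service agent at project level.
#   $1 = project to bind the roles in
#   $2 = identifier used in the agent address (PROJECT_ID in the table above)
# --condition=None skips the interactive prompt for an unconditional binding.
grant_wlm_agent_roles() {
  project="$1"
  agent="$(wlm_service_agent "$2")"
  for role in $WLM_AGENT_ROLES; do
    "$GCLOUD" projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$agent" \
      --role="$role" \
      --condition=None || return 1
  done
}

# Usage (dry run first, then for real):
#   GCLOUD=echo sh this-script.sh   # after adding the two calls below
#   enable_wlm_api my-project
#   grant_wlm_agent_roles my-project my-project
```

Binding only the roles in the table, rather than a basic role such as roles/editor, keeps the service agent at the minimum it needs; the dry-run output is also a convenient record to attach to the change request when someone else holds the permission to grant roles.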

User-managed service account

Workload Manager uses the service account attached to your deployment to call other APIs and services for creating resources required for the deployment.

You can either attach an existing service account or create a service account when you configure the deployment. Depending on your application and configuration, Workload Manager prompts you to grant any of the missing roles to your service account.

For more information about granting roles to service accounts, see Manage access to service accounts.

IAM roles and permissions

Access control in Workload Manager is controlled using Identity and Access Management (IAM). Workload Manager provides a specific set of predefined IAM roles where each role contains a set of permissions. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

The following permission is required to enable the Workload Manager API in the selected project. This task only needs to be performed once in each project. An administrator or another user with the permission can enable the API and after that other users can access Workload Manager.

Action: Enable Workload Manager API
Permission required: serviceusage.services.enable
Example roles: roles/editor, roles/service.Usage.Admin

Workload Manager also has roles to control who can access the deployment features and determine who can deploy, manage, and view deployments. Each role has the necessary permissions to perform the stated tasks.

For more information, see Access control with IAM. When granting IAM roles to principals, Google recommends that you apply the principle of least privilege.

Roles and deployment tasks:
  • Workload Manager Deployment Admin (Beta): Create, modify, deploy, and view deployments.
  • Workload Manager Deployment Viewer (Beta): View deployments.
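A least-privilege check for the roles discussed in this section and in the service account sections above, as an added example that is not part of the Workload Manager documentation. It assumes the gcloud CLI and its standard --flatten/--filter/--format output flags; the role names are the ones listed on this page. Given a principal's bound roles, it reports which required roles are missing and which basic roles (owner, editor, viewer) are bound, since those grant far more than a deployment task needs.

```shell
#!/bin/sh
# Added example (not from the documentation): compare the roles a principal
# holds at project level against a required set, and flag basic roles that
# exceed least privilege. Assumptions: gcloud CLI; role names from this page.

GCLOUD="${GCLOUD:-gcloud}"

# Roles bound to a member in a project, one per line.
#   $1 = project id, $2 = member, e.g. serviceAccount:deployer@my-project.iam.gserviceaccount.com
granted_roles() {
  "$GCLOUD" projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# Print each role in the required list ($1, space-separated) that is absent
# from the granted list ($2, space- or newline-separated). Returns 1 if any is missing.
missing_roles() {
  granted=" $(printf '%s' "$2" | tr '\n' ' ') "
  rc=0
  for role in $1; do
    case "$granted" in
      *" $role "*) ;;
      *) echo "$role"; rc=1 ;;
    esac
  done
  return $rc
}

# Print any basic roles in the granted list ($1); prefer the predefined roles above.
basic_roles() {
  for role in $(printf '%s' "$1" | tr '\n' ' '); do
    case "$role" in
      roles/owner|roles/editor|roles/viewer) echo "$role" ;;
    esac
  done
}

# Run both checks for a member. Returns 1 when a required role is missing.
#   $1 = project, $2 = member, $3 = required roles (space-separated)
audit_member() {
  granted="$(granted_roles "$1" "$2")"
  echo "== $2 in $1"
  if missing="$(missing_roles "$3" "$granted")"; then
    echo "all required roles present"
    status=0
  else
    printf 'missing:\n%s\n' "$missing"
    status=1
  fi
  broad="$(basic_roles "$granted")"
  [ -n "$broad" ] && printf 'basic roles bound (review for least privilege):\n%s\n' "$broad"
  return $status
}

# Usage, for the deployment-viewer role from the table above:
#   audit_member my-project user:alice@example.com roles/workloadmanager.deploymentViewer
```

The same functions work for the service agent's four roles or for a user-managed service account: pass the member and the space-separated required roles, and run it again after the grant to confirm nothing extra was bound.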

Use a Cloud Build private worker pool

If your organization enforces VPC Service Controls compliance, then you must use a private worker pool for your deployment.

Private pools are hosted in a Google-owned Virtual Private Cloud network called the service producer network. Before creating a private pool, set up a private connection between the service producer network and the VPC network that contains your resources.

To create and use a Cloud Build private pool, follow the instructions in Create and manage private pools.

Consider the following requirements when you set up a private worker pool to use with Workload Manager:

  • You must use a Cloud Build private worker pool for the deployment. You cannot use the default Cloud Build worker pool. For more information, see Limitations in the Cloud Build documentation.
  • To download the Terraform configuration, the Cloud Build private pool must have public internet calls enabled.

You must also ensure that the following resources are in the same VPC Service Controls service perimeter:

Quotas

Google Cloud uses quotas to protect and control the number of resources that a particular account or organization can use. The supported applications often consume a large portion of resources. Given the size of the databases and applications, you might experience quota issues during the deployment process.

To avoid quota issues, do the following:

  1. View your quota values and usage.
  2. If needed, request a higher quota value or contact your project administrator.
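A scripted version of step 1, as an added example that is not part of the Workload Manager documentation. It assumes the gcloud CLI and reads the project-wide Compute Engine quotas; the threshold is a fraction of the limit, so running it with 0.8 before a large deployment surfaces the metrics most likely to block resource creation, which is when to raise the quota request in step 2.

```shell
#!/bin/sh
# Added example (not from the documentation): list project-level Compute Engine
# quotas and flag any metric whose usage is at or above a fraction of its limit.
# Assumptions: gcloud CLI; csv[no-heading] output with metric,usage,limit columns.

GCLOUD="${GCLOUD:-gcloud}"

# Emit "metric,usage,limit" lines for the project's quotas.
project_quota_csv() {
  "$GCLOUD" compute project-info describe --project="$1" \
    --flatten="quotas[]" \
    --format="csv[no-heading](quotas.metric,quotas.usage,quotas.limit)"
}

# Read metric,usage,limit lines on stdin and print those at or above the
# threshold ($1, e.g. 0.8). Metrics with a zero limit are skipped.
# Returns 1 if any metric was flagged, 0 otherwise.
flag_near_limit() {
  awk -F, -v t="$1" '
    $3 > 0 && ($2 / $3) >= t {
      printf "%s %s/%s (%.0f%%)\n", $1, $2, $3, 100 * $2 / $3
      flagged = 1
    }
    END { exit flagged ? 1 : 0 }'
}

# Convenience wrapper: check a project against a threshold.
check_project_quota() {
  project_quota_csv "$1" | flag_near_limit "${2:-0.8}"
}

# Usage:
#   check_project_quota my-project 0.8 || echo "request higher quota before deploying"
```

Regional quotas (for example CPUs per region) are reported by gcloud compute regions describe rather than project-info describe; the same flag_near_limit filter applies to that output once it is flattened to the same three columns.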

Last updated 2025-12-17 UTC.