Learn how to get started creating a workstation configuration withCloud Workstations.

A workstation configuration acts as a template for the creation of consistentworkstations for multiple developers, and specifies configuration settings suchas machine type, zones, disk size, tools, and preinstalled libraries. Anyoperations performed on a workstation configuration, such as changing themachine type or container image, reflect on each workstation the next time theworkstation starts up.

This section explains the four steps of creating a workstation configuration:

1. Configure basics
2. Define machine settings
3. Customize the environment
4. Add users

---

To follow step-by-step guidance for this task directly in the Google Cloud console, clickGuide me:

Guide me

---

Before you begin

Before you begin using Cloud Workstations, be sure that you have therequired permissions and that you complete these required setup steps.You can skip this section if you've already completed this setup.

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to project selector

Verify that billing is enabled for your Google Cloud project.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to project selector

Verify that billing is enabled for your Google Cloud project.

1. Enable the Cloud Workstations API.

   Roles required to enable APIs

   To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

   Enable the API

2. Make sure that you have a Cloud Workstations Admin IAM role on the project so that you can create workstation configurations. To check your IAM roles in the Google Cloud console, go to theIAM page:

   Go to IAM

3. Cloud Workstations are hosted on VMs booted from Compute Engine's preconfigured publicContainer-Optimized OS (COS) images. If theconstraints/compute.trustedimageProjects organization policy constraint is enforced, you mustset image access constraints to allow users to create boot disks fromprojects/cos-cloud or all public images.
4. Optional: Enable the Container File System API to allow faster workstation startup.

   Enable the Container File System API

   For more information, seeReduce workstation startup time with Image streaming.

Configure basics

To configure the basics of a workstation configuration, follow these steps:

1. In the console,navigate toCloud Workstations >Workstation configurations.

   Go to Workstation configurations

2. From theWorkstation configurations page, clickadd_boxCreate.

   

3. In theName field, entertest-configuration as the name of your configuration.

4. Choose the name of your workstation cluster from the list ofClustersand clickContinue.

   If no workstation cluster is available, click thearrow_drop_downexpander arrow, andselectNew Cluster.For more information, see these settings described inCreating a new workstation cluster.

5. ForQuick start workstations, selectEnabled for faster workstationstartup orDisabled for lower cost.

   This value specifies the number of virtual machines (VMs) kept in a pre-startedstate, which enables faster workstation start times. However, your projectis billed for these VMs. Choose a pool size based on the numberof new developers that you anticipate, your use cases, and your budget.If you chooseDisabled, new workstations take longer to start.The defaultQuick start pool size is1.

6. Optional: AddLabels to apply key-value pair labels to the underlyingCompute Engine resources.

7. ClickContinue to progress to theMachine configuration page.

Define machine settings

1. Select aMachine type based on your needs. For example, you might choosee2-standard-4 (4 CPU, 16 GB memory).

2. Select twoZones within the region you selected. Cloud Workstationscreates VM resources and stores data in these zones.

   The zone selection also affects the type of computing resources that areavailable. For example, if you select the N1 machine type and want to useGPUs, be sure to select two zones where the chosen GPU type is listed asavailable in theGPU availability by region and zone table.

3. In theCost savings section, set the amount of time to wait beforeauto-sleep. Leave theAuto-sleep field set toAfter 2 hours of inactivity (default) to automatically shut downworkstations inactive for more than two hours.

4. Optional: In theAdvanced options section, clickexpand_moreExpand More.

   1. To add network tags, enter text in theNetwork tags field.

      Network tags are metadata applied to the underlyingCompute Engine VMs that allow you to makefirewall rules and routes applicable to specific VM instances. InCloud Workstations, you can use network tags to make firewall rules orroutes applicable to all the workstations under a workstationconfiguration.

   2. To turn off public IP addresses, select theDisable public IP addresses checkbox.

      If you disable public IP addresses, you must set upPrivate Google AccessorCloud NAT on your network.If you use Private Google Access and you useprivate.googleapis.com orrestricted.googleapis.com forArtifact Registry, make sure that you set up DNS records fordomains*.pkg.dev.

   3. To turn on nested virtualization, select theEnable nested virtualization checkbox. Nested virtualization letsyou run VM instances inside your workstation.

      Before enabling nested virtualization, consider the following importantconsiderations.

      Cloud Workstations instances are also subject to thesame restrictions as Compute Engine instances:

      • Organization policy: projects, folders, ororganizations might be restricted from creating nested VMs if theDisable VM nested virtualization constraint is enforced inthe organization policy. For more information, see theCompute Engine section,Check whether nested virtualization is allowed.

      • Performance: nested VMs might experience a 10% or greaterdecrease in performance for workloads that are CPU-bound andpossibly greater than a 10% decrease for workloads that areinput or output bound.

      • Machine Type: nested virtualization can only be enabled onworkstation configurations that specify machine types in the N1 orN2 machine series.

   4. To encrypt your data while it is being processed on this VM, select theConfidential VM service checkbox. For more information, seeCreate a Confidential VM instance.

   5. To set Shielded VM settings, select the corresponding feature checkbox.Shielded VM features include trusted UEFI firmware and provides optionsfor boot, vTPM, and integrity monitoring.

   6. By default, Cloud Workstations encrypts resources created withthis workstation configuration using aGoogle-owned and Google-managed encryption key.To use acustomer-managed encryption key instead, selectUse customer-managed encryption key (CMEK).

5. ClickContinue to progress to theEnvironment settings page.

Customize the environment

Customize the Cloud Workstations environment by configuring the workstation container image and persistent storage using these steps:

1. Configure the container image by choosing whether to use one of thepreconfigured base images or to provide a reference to acustomized container image that you've created.

   1. To use apreconfigured base image:

      1. Leave the container type set toCode editors on base images.

      2. In theCode editors menu, choose the Cloud WorkstationsBase Editor (Code OSS for Cloud Workstations).If your organization prefers a different IDE, you can also choose from thelist ofpreconfigured IDEs.

      3. Optional: In theService account menu, choose from the list ofservice accounts.

   2. Optional: To use your owncustomized container image instead of one of thepreconfigured base images:

      1. SelectCustom container image.

      2. Specify theContainer image URL.

      3. Click theService account menu and select the service account to beused on VM instances created under workstation configuration. This service account must havepermissions to pull your customized container image (or the image must be publiclyaccessible). For more information, see the description ofserviceAccountinCustomize your development environment.

2. In theStorage settings section, choose preferences for the initial homedirectory and for disk attributes:

   1. To create an empty home directory, selectCreate a blank persistentdisk. To use a disk snapshot for the home directory, chooseCreate a persistent disk from a source disk snapshot.

   2. Set theDisk type of your persistent directory toBalanced,which has higher performance but is more economical thanSSD.

   3. Set theDisk size of your persistent directory. The default is200GB but valid values are10,50,100,200,500, or1000 GB.Choose the disk size that best fits your team's needs.

   4. Set theReclaim policy toDelete orRetain. The default isDelete. This policy determines what happens to thepersistent disk when a workstation is deleted.

      Notes:

      • You can't modify the disk size or disk type after creating aworkstation.
      • ChoosingRetain allows administrators to audit thecontent of workstation home disks after the workstations are deleted,but administrators are responsible for manually deleting the disk.
      • If you choose theRetain option and then deleteyour workstation, your persistent disk won't be deleted. However, if yourecreate your workstation, a new disk will be attached to theworkstation which won't contain the data from the deleted workstation.

        To access the data on the disk, you can follow these steps:

        1. Create a new Compute Engine instance.
        2. Add your persistent disk to the instance.
        3. Mount your disk on your VM.

You can also customize further by following these optional steps:

1. Optional: AddReadiness checks.

   If needed, specify readiness checks to verify that the workstation acceptsrequests at specific paths and ports when starting workstations that areassociated with this workstation configuration.

2. Optional: ExpandAdvanced container options.

   If needed, specify additional parameters for the container image being used.For example, specify a working directory override, user override, commandoverrides, arguments to pass to theentrypoint command, and environmentvariables.

3. ClickContinue to progress to theIAM policy page.

Add users

To allow multiple users to create workstations, add users to your workstationconfiguration:

1. From theIAM Policy page, click theUsers field and enter the emailaddresses of one or more users or Google groups to which you want to giveaccess.This sets up a Cloud Workstations Creator IAM policy for theseusers.

2. Optional: To add Cloud Workstations policy administrator access, expandAdvanced IAM options.

   To grant theroles/workstations.policyAdmin role to workstation creators,select theGrant Policy Admin role to workstation creators checkbox. Thislets the creator of a workstation update the IAM policy ofthe workstation, which grants access to the workstation and its individualports.

   For more information about Cloud Workstations port sharing, see theGrant access to individual Cloud Workstations ports page.

   Note: By default, the creator of a workstation gets theroles/workstations.userrole on the workstation that they create, regardless of theGrant Policy Admin role to workstation creators setting.

3. To create your workstation configuration and add these users to it, clickCreate.

   If you also elected to create a new cluster, cluster creation can take upto 20 minutes.

You've just created your first workstation configuration and added users to it.

To create and launch a workstation based on this configuration, clickNext.

Clean up

If you created a new workstation configuration to learn about Cloud Workstationsand you no longer need the configuration, you can delete it fromthe Google Cloud console:

1. In the Google Cloud console, go toCloud Workstations > Workstation configurations.
2. Select the checkbox beside the workstation configuration that youwant to delete.
3. Click themore_vertMore options menu andselectDelete to delete the selected workstation configuration.

For more about deleting workstations,workstation clusters, and Google Cloud projects,seeDelete resources.

What's next

• Create a workstation using your newlycreated workstation configuration.

• Use theCloud Workstations base editor.

• Customize yourworkstation configuration through the API.

• Createcustomized container images that extend thepreconfigured base imagesprovided by Cloud Workstations.