This document describes the prerequisites for importing and exporting images on Compute Engine.
You can share virtual machine (VM) instances, virtual disk files, and machine images from other cloud environments or from your on-premises environment by importing and exporting images from Cloud Storage. The following checklist summarizes the requirements that you need to meet before you import and export images:
- Set up access to a Cloud Storage bucket
- Grant required roles to your user account
- Grant required roles to the Cloud Build service account
- Grant required roles to the Compute Engine service account
Before you begin
-
If you haven't already, then set up authentication.
Authentication is
the process by which your identity is verified for access to Google Cloud services and APIs.
To run code or samples from a local development environment, you can authenticate to
Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
-
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
-
Set up access to a Cloud Storage bucket
You must have access to a Cloud Storage bucket that the import or export tool can use. If you don't have a Cloud Storage bucket, see Create a Cloud Storage bucket.
To set up access to your Cloud Storage bucket, see Grant required roles to your account and Compute Engine service account.
If you're exporting an image, the export tool uploads the image to the Cloud Storage bucket.
If you're importing an image, you must first upload the image to the Cloud Storage bucket. The import tool downloads the file from the Cloud Storage bucket to Compute Engine, and then the tool creates an image in Compute Engine from that disk file.
Grant required IAM roles
The VM image import and export tool requires the following accounts to perform the operation on its behalf:
- User account. The account from which you're running the import and export commands.
- Cloud Build service account. A default Cloud Build service account that is created when the import or export tool enables the Cloud Build API.
- Compute Engine service account. A default or custom Compute Engine service account that is required for the import and export workflow.
Grant required roles to your user account
To import or export images, your user account requires the following roles:
- Storage Admin role (
roles/storage.admin
) - Viewer role (
roles/viewer
) - Project IAM Admin role (
roles/resourcemanager.projectIamAdmin
) - Cloud Build Editor role (
roles/cloudbuild.builds.editor
)
Console
Go to the IAM & Admin page for the project or organization.
Locate your account and click
Edit.In the Select a role list, select the following roles:
- Cloud Storage > Storage Admin
- Project > Viewer
- Resource Manager > Project IAM Admin
- Cloud Build > Cloud Build Editor
Save your changes.
gcloud
In the following steps, you use the gcloud projects add-iam-policy-binding
command to grant the
required roles at the project level.
Grant the
roles/storage.admin
role:gcloud projects add-iam-policy-binding PROJECT_ID \ --member='MEMBER' \ --role='roles/storage.admin'
Replace the following:
PROJECT_ID
: the Google Cloud project ID for your projectMEMBER
: the account that runs the import and export commands—for example,user:export-user@gmail.com
Grant the
roles/viewer
role:gcloud projects add-iam-policy-binding PROJECT_ID \ --member='MEMBER' \ --role='roles/viewer'
Grant the
roles/resourcemanager.projectIamAdmin
role:gcloud projects add-iam-policy-binding PROJECT_ID \ --member='MEMBER' \ --role='roles/resourcemanager.projectIamAdmin'
Grant the
roles/cloudbuild.builds.editor
role:gcloud projects add-iam-policy-binding PROJECT_ID \ --member='MEMBER' \ --role='roles/cloudbuild.builds.editor'
REST
Read the existing policy with the resource's
getIamPolicy
method. For projects, use theprojects.getIamPolicy
method.POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
Replace
PROJECT_ID
with the project ID—for example,my-project-1
.To grant the required roles to your account, edit the policy with a text editor.
For example, to grant the required role to your account
user:export-user@gmail.com
, add the following binding to the policy:{ { "role":"roles/storage.admin", "member":[ "user:export-user@gmail.com" ] } { "roles":"roles/viewer", "member":[ "user:export-user@gmail.com" ] } { "roles":"roles/resourcemanager.projectIamAdmin", "member":[ "user:export-user@gmail.com" ] } { "roles":"roles/cloudbuild.builds.editor", "member":[ "user:export-user@gmail.com" ] } }
To write the updated policy, use the
setIamPolicy
method.For example, to set a policy at the project level, use the
project.setIamPolicy
method. In the body of the request, provide the updated IAM policy from the previous step.POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
Grant required roles to the Cloud Build service account
When you use the Google Cloud console or the gcloud CLI to import or export images for the first time, the tool attempts to enable the Cloud Build API and grant the required roles to the Cloud Build service account.
- Service Account Token Creator role
(
roles/iam.serviceAccountTokenCreator
) - Service Account User role
(
roles/iam.serviceAccountUser
) - Compute Admin role (
roles/compute.admin
)To avoid granting the Compute Admin role, you can create a custom role with the following Compute Engine IAM permissions and grant it to the Cloud Build service account:
- Compute Network User role (
roles/compute.networkUser
)This role is required only when you import or export images that use Shared VPC.
In the Shared VPC project, grant the Compute Network User role to the Cloud Build service account that is located in the project where you import or export images.
However, you can manually grant these roles to ensure that the required permissions are in effect:
Console
After you enable the Cloud Build API, go to the IAM & Admin page for the project or organization.
Locate the Cloud Build service account and click
Edit.If the required roles are not listed, do the following:
- Click Add another role.
In the Select a role list, select the required roles that you want to add:
- Service Account > Service Account Token Creator
- Service Account > Service Account User
Compute Engine > Compute Admin
Alternatively, you can select the Custom role. See Permissions required for the custom role earlier in this document.
Click Save to save the changes.
Optional: If you're importing or exporting images that use Shared VPC, select the Compute Network User role in the Shared VPC project:
- From the project selector at the top of the console, select the Shared VPC host project.
- On the IAM & Admin page, click Grant access.
- In the New principals field, enter the email address of the
Cloud Build service account:
ReplacePROJECT_NUMBER@cloudbuild.gserviceaccount.com'
PROJECT_NUMBER
with the unique number of the project where you import or export images. - In the Select a role list, select Compute Engine > Compute Network User role.
- Click Save to save the changes.
gcloud
In the following steps, you use the gcloud projects add-iam-policy-binding
command to grant the
required roles at the project level.
Grant the
roles/compute.admin
role to the Cloud Build service account. To avoid granting theroles/compute.admin
role, you can create a custom role with the required permissions and then grant that role to the Cloud Build service account. See Permissions required for the custom role earlier in this document.gcloud projects add-iam-policy-binding PROJECT_ID \ --member='serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com' \ --role='roles/compute.admin'
Replace the following:
PROJECT_ID
: the Google Cloud project ID for your projectPROJECT_NUMBER
: the Google Cloud project number for your project
Grant the
roles/iam.serviceAccountUser
role:gcloud projects add-iam-policy-binding PROJECT_ID \ --member='serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com' \ --role='roles/iam.serviceAccountUser'
Grant the
roles/iam.serviceAccountTokenCreator
role:gcloud projects add-iam-policy-binding PROJECT_ID \ --member='serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com' \ --role='roles/iam.serviceAccountTokenCreator'
Optional: If you're exporting or importing images that use Shared VPC, grant the
roles/compute.networkUser
role:gcloud projects add-iam-policy-binding HOST_PROJECT_ID \ --member='serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com' \ --role='roles/compute.networkUser'
Replace the following:
HOST_PROJECT_ID
: the ID of the host project where the Shared VPC is locatedPROJECT_NUMBER
: the unique number of the project where you import or export images
REST
Read the existing policy with the resource's
getIamPolicy
method. For projects, use theprojects.getIamPolicy
method.POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
Replace
PROJECT_ID
with the project ID—for example,my-project-1
.To grant the required roles to your account, edit the policy with a text editor.
For example, to grant the required roles to
serviceAccount:12345@cloudbuild.gserviceaccount.com
, add the following binding to the policy:{ { "role":"roles/compute.admin", "member":[ "serviceAccount:12345@cloudbuild.gserviceaccount.com" ] } { "roles":"roles/iam.serviceAccountUser", "member":[ "serviceAccount:12345@cloudbuild.gserviceaccount.com" ] } { "roles":"roles/iam.serviceAccountTokenCreator", "member":[ "serviceAccount:12345@cloudbuild.gserviceaccount.com" ] } }
To avoid granting the
roles/compute.admin
role, you can create a custom role with the required permissions and then grant that role to the Cloud Build service account. See Permissions required for the custom role earlier in this document.Optional: If you're exporting or importing images that use Shared VPC, grant the
roles/compute.networkUser
role in the Shared VPC project.POST https://cloudresourcemanager.googleapis.com/v1/projects/HOST_PROJECT_ID:getIamPolicy
Replace
HOST_PROJECT_ID
with the ID of the Shared VPC project.Add the following IAM binding to the Cloud Build service account:
{ { "roles":"roles/compute.networkUser", "member":[ "serviceAccount:12345@cloudbuild.gserviceaccount.com" ] } }
To write the updated policy, use the
setIamPolicy
method.For example, to set a policy at the project level, use the
project.setIamPolicy
method. In the body of the request, provide the updated IAM policy from the previous step.POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
For more information on managing access to resources, see Granting, changing, and revoking access to resources.
Grant required roles to the Compute Engine service account
When you use the Google Cloud console or the gcloud CLI to import or export images for the first time, the tool attempts to grant the required roles to the default Compute Engine service account.
Depending on your organization policy configuration, the default service account might
automatically be granted the Editor role on your
project. We strongly recommend that you disable the automatic role grant by
enforcing the iam.automaticIamGrantsForDefaultServiceAccounts
organization policy
constraint. If you created your organization after May 3, 2024, this
constraint is enforced by default.
If you disable the automatic role grant, you must decide which roles to grant to the default service accounts, and then grant these roles yourself.
If the default service account already has the Editor role, we recommend that you replace the Editor role with less permissive roles.To safely modify the service account's roles, use Policy Simulator to see the impact of the change, and then grant and revoke the appropriate roles.
Your Compute Engine service account must have the following roles:
- Compute Storage Admin role
(
roles/compute.storageAdmin
): required for both exporting and importing VM images - Storage Object Viewer role
(
roles/storage.objectViewer
): required for importing VM images - Storage Object Admin role
(
roles/storage.objectAdmin
): required for exporting VM images
Console
Go to the IAM & Admin page for the project or organization.
Locate the Compute Engine service account and click
Edit.In the Select a role list, select the following roles:
- Compute Engine > Compute Storage Admin
- Cloud Storage > Storage Object Viewer
- Cloud Storage > Storage Object Admin
Save your changes.
gcloud
In the following steps, you use the gcloud projects add-iam-policy-binding
command to grant the
required roles at the project level.
Grant the
roles/compute.storageAdmin
role:gcloud projects add-iam-policy-binding PROJECT_ID \ --member='serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com' \ --role='roles/compute.storageAdmin'
If you're importing an image, grant the
roles/storage.objectViewer
role:gcloud projects add-iam-policy-binding PROJECT_ID \ --member='serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com' \ --role='roles/storage.objectViewer'
If you're exporting an image, grant the
roles/storage.objectAdmin
role:gcloud projects add-iam-policy-binding PROJECT_ID \ --member='serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com' \ --role='roles/storage.objectAdmin'
REST
Read the existing policy with the resource's
getIamPolicy
method. For projects, use theprojects.getIamPolicy
method.POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
Replace
PROJECT_ID
with the project ID—for example,my-project-1
.To grant the required roles to your account, edit the policy with a text editor.
For example, to grant the required roles to
serviceAccount:12345-compute@developer.gserviceaccount.com
for importing an image, add the following binding to the policy:{ { "role":"roles/compute.storageAdmin", "member":[ "serviceAccount:12345-compute@developer.gserviceaccount.com" ] } { "roles":"roles/storage.objectViewer", "member":[ "serviceAccount:12345-compute@developer.gserviceaccount.com" ] } }
To write the updated policy, use the
setIamPolicy
method.For example, to set a policy at the project level, use the
project.setIamPolicy
method. In the body of the request, provide the updated IAM policy from the previous step.POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
If you don't want to use the default Compute Engine service account,
you can specify a user-managed service account
using the --compute-service-account
flag in the gcloud
import and export
commands. For more information on using custom Compute Engine service
account, see the following resources:
- Importing virtual disks with custom service accounts
- Importing virtual appliances with custom service accounts
- Importing machine images from virtual appliances with custom service accounts
- Exporting custom images with custom service accounts