gcloud alpha compute images create

NAME
gcloud alpha compute images create - create Compute Engine images
SYNOPSIS
gcloud alpha compute images create IMAGE_NAME (--source-disk=SOURCE_DISK     | --source-image=SOURCE_IMAGE     | --source-image-family=SOURCE_IMAGE_FAMILY     | --source-snapshot=SOURCE_SNAPSHOT     | --source-uri=SOURCE_URI) [--architecture=ARCHITECTURE] [--csek-key-file=FILE] [--description=DESCRIPTION] [--family=FAMILY] [--forbidden-database-file=[DBX_VALUE,…]] [--force] [--force-create] [--guest-os-features=[GUEST_OS_FEATURE,…]] [--key-exchange-key-file=[KEK_VALUE,…]] [--labels=[KEY=VALUE,…]] [--licenses=[LICENSES,…]] [--platform-key-file=PLATFORM_KEY_FILE] [--no-require-csek-key-create] [--rollout-override=[default_rollout_time=DEFAULT_ROLLOUT_TIME],[location_rollout_policies=LOCATION_ROLLOUT_POLICIES]] [--signature-database-file=[DB_VALUE,…]] [--source-disk-project=SOURCE_DISK_PROJECT] [--source-disk-zone=SOURCE_DISK_ZONE] [--source-image-project=SOURCE_IMAGE_PROJECT] [--storage-location=LOCATION] [--user-licenses=[LICENSE,…]] [--kms-key=KMS_KEY : --kms-keyring=KMS_KEYRING --kms-location=KMS_LOCATION --kms-project=KMS_PROJECT] [GCLOUD_WIDE_FLAG]
DESCRIPTION
(ALPHA) gcloud alpha compute images create is used to create custom disk images. The resulting image can be provided during instance or disk creation so that the instance attached to the resulting disks has access to a known set of software or files from the image.

Images can be created from gzipped compressed tarball containing raw disk data, existing disks in any zone, existing images, and existing snapshots inside the same project.

Images are global resources, so they can be used across zones and projects.

To learn more about creating image tarballs, visit https://cloud.google.com/compute/docs/creating-custom-image.

EXAMPLES
To create an image 'my-image' from a disk 'my-disk' in zone 'us-east1-a', run:
gcloud alpha compute images create my-image --source-disk=my-disk --source-disk-zone=us-east1-a

To create an image 'my-image' from a disk 'my-disk' in zone 'us-east1-a' with source disk project 'source-disk-project' run:

gcloud alpha compute images create my-image --source-disk=my-disk --source-disk-zone=us-east1-a --source-disk-project=source-disk-project

To create an image 'my-image' from another image 'source-image' with source image project 'source-image-project', run:

gcloud alpha compute images create my-image --source-image=source-image --source-image-project=source-image-project

To create an image 'my-image' from the latest non-deprecated image in the family 'source-image-family' with source image project 'source-image-project', run:

gcloud alpha compute images create my-image --source-image-family=source-image-family --source-image-project=source-image-project

To create an image 'my-image' from a snapshot 'source-snapshot', run:

gcloud alpha compute images create my-image --source-snapshot=source-snapshot
POSITIONAL ARGUMENTS
IMAGE_NAME
Name of the disk image to create.
REQUIRED FLAGS
Exactly one of these must be specified:
--source-disk=SOURCE_DISK
A source disk to create the image from. The value for this option can be the name of a disk with the zone specified via --source-disk-zone flag.
--source-image=SOURCE_IMAGE
The name of an image to clone. May be used with --source-image-project to clone an image in a different project.
--source-image-family=SOURCE_IMAGE_FAMILY
The family of the source image. This will cause the latest non- deprecated image in the family to be used as the source image. May be used with --source-image-project to refer to an image family in a different project.
--source-snapshot=SOURCE_SNAPSHOT
A source snapshot to create the image from. The value for this option can be the name of a snapshot within the same project as the destination image.
--source-uri=SOURCE_URI
The full Cloud Storage URI where the disk image is stored. This file must be a gzip-compressed tarball whose name ends in .tar.gz. For more information about Cloud Storage URIs, see https://cloud.google.com/storage/docs/request-endpoints#json-api.
OPTIONAL FLAGS
--architecture=ARCHITECTURE
Specifies the architecture or processor type that this image can support. For available processor types on Compute Engine, see https://cloud.google.com/compute/docs/cpu-platforms. ARCHITECTURE must be one of: ARM64, X86_64.
--csek-key-file=FILE
Path to a Customer-Supplied Encryption Key (CSEK) key file that maps Compute Engine images to user managed keys to be used when creating, mounting, or taking snapshots of disks.

If you pass - as value of the flag, the CSEK is read from stdin. See https://cloud.google.com/compute/docs/disks/customer-supplied-encryption for more details.

--description=DESCRIPTION
An optional, textual description for the image being created.
--family=FAMILY
The family of the image. When creating an instance or disk, specifying a family will cause the latest non-deprecated image in the family to be used.
--forbidden-database-file=[DBX_VALUE,…]
Comma-separated list of file paths that point to revoked X.509 certificates in DER format or raw binary files. When you create a Shielded VM instance from this image, these certificates or files are added to the forbidden signature database (dbx).
--force
By default, image creation fails when it is created from a disk that is attached to a running instance. When this flag is used, image creation from disk will proceed even if the disk is in use.
--force-create
(DEPRECATED) DEPRECATED, use --force instead. By default, image creation fails when it is created from a disk that is attached to a running instance. When this flag is used, image creation from disk will proceed even if the disk is in use.

Flag force-create is deprecated. Use --force instead.

--guest-os-features=[GUEST_OS_FEATURE,…]
Enables one or more features for VM instances that use the image for their boot disks. See the descriptions of supported features at: https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images#guest-os-features. GUEST_OS_FEATURE must be one of: BARE_METAL_LINUX_COMPATIBLE, GVNIC, IDPF, MULTI_IP_SUBNET, SEV_CAPABLE, SEV_LIVE_MIGRATABLE, SEV_LIVE_MIGRATABLE_V2, SEV_SNP_CAPABLE, TDX_CAPABLE, UEFI_COMPATIBLE, VIRTIO_SCSI_MULTIQUEUE, WINDOWS.
--key-exchange-key-file=[KEK_VALUE,…]
Comma-separated list of file paths that point to X.509 certificates in DER format or raw binary files. When you create a Shielded VM instance from this image, these certificates or files are used as key exchange keys (KEK).
--labels=[KEY=VALUE,…]
List of label KEY=VALUE pairs to add.

Keys must start with a lowercase character and contain only hyphens (-), underscores (_), lowercase characters, and numbers. Values must contain only hyphens (-), underscores (_), lowercase characters, and numbers.

--licenses=[LICENSES,…]
Comma-separated list of URIs to license resources.
--platform-key-file=PLATFORM_KEY_FILE
File path that points to an X.509 certificate in DER format or raw binary file. When you create a Shielded VM instance from this image, this certificate or raw binary file is used as the platform key (PK).
--require-csek-key-create
Refuse to create images not protected by a user managed key in the key file when --csek-key-file is given. This behavior is enabled by default to prevent incorrect gcloud invocations from accidentally creating images with no user managed key. Disabling the check allows creation of some images without a matching Customer-Supplied Encryption Key in the supplied --csek-key-file. See https://cloud.google.com/compute/docs/disks/customer-supplied-encryption for more details. Enabled by default, use --no-require-csek-key-create to disable.
--rollout-override=[default_rollout_time=DEFAULT_ROLLOUT_TIME],[location_rollout_policies=LOCATION_ROLLOUT_POLICIES]
A rollout policy for the image. A rollout policy is used to restrict the zones where this image is accessible when using a zonal image family reference. When specified, the rollout policy overrides per-zone references to the image through the associated image family. When the rollout policy does not include the user specified zone, or if the zone is rolled out, this image is accessible.
default_rollout_time
  This is an optional RFC3339 timestamp on or after which
  the update is considered rolled out to any zone that is not
  explicitly stated.
location_rollout_policies
  Location based rollout policies to apply to the resource.
  Currently only zone names are supported as the key and must be
  represented as valid URLs, like: zones/us-central1-a.
  The value expects an RFC3339 timestamp on or after which the update
  is considered rolled out to the specified location.
--signature-database-file=[DB_VALUE,…]
Comma-separated list of file paths that point to valid X.509 certificates in DER format or raw binary files. When you create a Shielded VM instance from this image, these certificates or files are added to the signature database (db).
--source-disk-project=SOURCE_DISK_PROJECT
Project name of the source disk. Must also specify --source-disk when using this flag.
--source-disk-zone=SOURCE_DISK_ZONE
Zone of the source disk to operate on. If not specified and the compute/zone property isn't set, you might be prompted to select a zone (interactive mode only).

To avoid prompting when this flag is omitted, you can set the compute/zone property:

gcloud config set compute/zone ZONE

A list of zones can be fetched by running:

gcloud compute zones list

To unset the property, run:

gcloud config unset compute/zone

Alternatively, the zone can be stored in the environment variable CLOUDSDK_COMPUTE_ZONE.

--source-image-project=SOURCE_IMAGE_PROJECT
The project name of the source image. Must also specify either --source-image or --source-image-family when using this flag.
--storage-location=LOCATION
Specifies a Cloud Storage location, either regional or multi-regional, where image content is to be stored. If not specified, the multi-region location closest to the source is chosen automatically.
--user-licenses=[LICENSE,…]
URI for the license resource. For multiple licenses, you can provide a comma-separated list of URIs.
Key resource - The Cloud KMS (Key Management Service) cryptokey that will be used to protect the image. The 'Compute Engine Service Agent' service account must hold permission 'Cloud KMS CryptoKey Encrypter/Decrypter'. The arguments in this group can be used to specify the attributes of this resource.
--kms-key=KMS_KEY
ID of the key or fully qualified identifier for the key.

To set the kms-key attribute:

  • provide the argument --kms-key on the command line.

This flag argument must be specified if any of the other arguments in this group are specified.

--kms-keyring=KMS_KEYRING
The KMS keyring of the key.

To set the kms-keyring attribute:

  • provide the argument --kms-key on the command line with a fully specified name;
  • provide the argument --kms-keyring on the command line.
--kms-location=KMS_LOCATION
The Google Cloud location for the key.

To set the kms-location attribute:

  • provide the argument --kms-key on the command line with a fully specified name;
  • provide the argument --kms-location on the command line.
--kms-project=KMS_PROJECT
The Google Cloud project for the key.

To set the kms-project attribute:

  • provide the argument --kms-key on the command line with a fully specified name;
  • provide the argument --kms-project on the command line;
  • set the property core/project.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:
gcloud compute images create
gcloud beta compute images create