Set up your project and GKE cluster yourself
============================================

When you install Cloud Service Mesh using
[`asmcli`](/service-mesh/v1.19/docs/unified-install/asmcli-overview), it can
configure your project and your GKE on Google Cloud cluster for
you if you include the `--enable_all` flag or the more granular
[enablement flags](/service-mesh/v1.19/docs/unified-install/reference#enablement_flags).
If you prefer to do the setup yourself rather than having `asmcli` make the
changes, follow the steps on this page.

If you already have a previous version of Cloud Service Mesh installed, you don't
need to make any changes to your project or cluster before using
[`asmcli` to upgrade](/service-mesh/v1.19/docs/unified-install/upgrade) to the latest
Cloud Service Mesh version.

By default, `asmcli` doesn't install the `istio-ingressgateway`. We
recommend that you deploy and manage the control plane and gateways separately.
Cloud Service Mesh supports auto-injection for gateway deployments, which makes
Cloud Service Mesh upgrades easier. After upgrading Cloud Service Mesh, you restart the
gateways just like your services to pick up the new control plane configuration.
For more information, see
[Installing and upgrading gateways](/service-mesh/v1.19/docs/gateways).

> **Warning:** On upgrades, `asmcli` removes the default `istio-ingressgateway` from the `istio-system` namespace. If you need the default `istio-ingressgateway` installed with the in-cluster control plane, include the `--option legacy-default-ingressgateway` argument.

Before you begin
----------------

- [Review the prerequisites and requirements](/service-mesh/v1.19/docs/unified-install/anthos-service-mesh-prerequisites)
- [Plan the installation](/service-mesh/v1.19/docs/unified-install/plan-install) or [the upgrade](/service-mesh/v1.19/docs/unified-install/plan-upgrade)
- [Install the required tools](/service-mesh/v1.19/docs/unified-install/install-dependent-tools)

Set up your project
-------------------

1. Get the project ID for the project that the cluster was created in.

   ### gcloud

   Run the following command:

   ```
   gcloud projects list
   ```

   ### Console

   1. Go to the [**Dashboard** page](https://console.cloud.google.com/home) in the
      Google Cloud console.
   2. Click the drop-down list at the top of the page. In the
      **Select from** window that appears, select your project.

      The project ID is displayed on the project Dashboard **Project info**
      card.
2. Create the following environment variables:

   - Set the workload pool using the project ID:

     ```
     export WORKLOAD_POOL=PROJECT_ID.svc.id.goog
     ```

   - Set the mesh ID using the project number:

     ```
     export MESH_ID="proj-PROJECT_NUMBER"
     ```
3. Set the required Identity and Access Management (IAM) roles. If you are a
   *Project Owner*, you have all the necessary permissions to complete
   the installation. If you aren't a *Project Owner*, you need someone who is
   to grant you the following specific IAM roles. In the
   following command, replace PROJECT_ID with the
   project ID from the previous step and GCP_EMAIL_ADDRESS
   with the account that you use to sign in to Google Cloud.

   ```
   ROLES=(
   'roles/servicemanagement.admin' \
   'roles/serviceusage.serviceUsageAdmin' \
   'roles/meshconfig.admin' \
   'roles/compute.admin' \
   'roles/container.admin' \
   'roles/resourcemanager.projectIamAdmin' \
   'roles/iam.serviceAccountAdmin' \
   'roles/iam.serviceAccountKeyAdmin' \
   'roles/gkehub.admin')
   for role in "${ROLES[@]}"
   do
       gcloud projects add-iam-policy-binding PROJECT_ID \
           --member "user:GCP_EMAIL_ADDRESS" \
           --role="$role"
   done
   ```

   If you include the `--enable_all` or `--enable_gcp_iam_roles` flag when
   you run `asmcli`, it sets the required IAM roles for you.
4. Enable the required Google APIs:

   ```
   gcloud services enable \
       --project=PROJECT_ID \
       mesh.googleapis.com
   ```

   In addition to `mesh.googleapis.com`, this command also enables the
   following APIs:

   | API | Purpose | Can Be Disabled |
   | --- | --- | --- |
   | `meshconfig.googleapis.com` | Cloud Service Mesh uses the Mesh Configuration API to relay configuration data from your mesh to Google Cloud. Additionally, enabling the Mesh Configuration API lets you access the Cloud Service Mesh pages in the Google Cloud console and use the Cloud Service Mesh certificate authority. | No |
   | `meshca.googleapis.com` | Related to the Cloud Service Mesh certificate authority used by managed Cloud Service Mesh. | No |
   | `container.googleapis.com` | Required to create Google Kubernetes Engine (GKE) clusters. | |

   > **Note:** Some required APIs have transitive dependencies on other APIs.

   > **Warning:** Disabling `connectgateway.googleapis.com`, `trafficdirector.googleapis.com`, `networkservices.googleapis.com`, and/or `networksecurity.googleapis.com` causes the managed Cloud Service Mesh control plane to stop working. If the fleet does not use managed Cloud Service Mesh on any cluster, then these APIs can be disabled.

   Enabling the APIs can take a minute or more to complete. When the APIs
   are enabled, you see output similar to the following:

   ```
   Operation "operations/acf.601db672-88e6-4f98-8ceb-aa3b5725533c" finished
   successfully.
   ```

   If you include the `--enable_all` or `--enable_apis` flag when you run
   `asmcli`, it enables the required APIs for you.
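The grant loop in step 3 reports each binding as it is added but gives no single view of what the principal ended up with, and a role that failed to bind is easy to miss in the scrolling output. The following script is an added example, not part of this page or of `asmcli`: it reads a policy listing with one `ROLE MEMBER` pair per line, whitespace-separated, which is the shape that `gcloud projects get-iam-policy PROJECT_ID --flatten='bindings[].members' --format='value(bindings.role,bindings.members)'` prints (tab-separated), and lists every required role the member still lacks. The function names `missing_roles`, `REQUIRED_ROLES` and `SAMPLE_LISTING` are chosen here, and the embedded listing is constructed sample data rather than real project output.

```shell
#!/bin/sh
# Added example, not from the page or from asmcli: confirm that a principal
# holds every IAM role the page's grant loop is meant to bind.
#
# Input (stdin) is a policy listing with one "ROLE MEMBER" pair per line,
# whitespace-separated, such as the tab-separated output of
#   gcloud projects get-iam-policy PROJECT_ID \
#       --flatten='bindings[].members' \
#       --format='value(bindings.role,bindings.members)'
# The listing embedded below is constructed sample data, not real output.

# The nine roles from step 3, one per line (POSIX sh has no arrays).
REQUIRED_ROLES='roles/servicemanagement.admin
roles/serviceusage.serviceUsageAdmin
roles/meshconfig.admin
roles/compute.admin
roles/container.admin
roles/resourcemanager.projectIamAdmin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountKeyAdmin
roles/gkehub.admin'

# missing_roles MEMBER   (policy listing on stdin)
# Prints one line per required role that MEMBER does not hold. Exit status
# is 0 when nothing is missing and 1 otherwise, so it can gate a script.
missing_roles() {
  member="$1"
  granted=" "
  rc=0
  # Collect the roles bound to exactly this member; bindings for other
  # principals (including roles/owner held by someone else) do not count.
  while read -r role bound; do
    if [ "$bound" = "$member" ]; then
      granted="$granted$role "
    fi
  done
  for role in $REQUIRED_ROLES; do
    case "$granted" in
      *" $role "*) ;;
      *) echo "$role"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample: admin@example.com lacks two roles, one of which is
# held by a different principal, and there is an unrelated owner binding.
SAMPLE_LISTING='roles/servicemanagement.admin user:admin@example.com
roles/serviceusage.serviceUsageAdmin user:admin@example.com
roles/meshconfig.admin user:admin@example.com
roles/compute.admin user:admin@example.com
roles/container.admin user:admin@example.com
roles/resourcemanager.projectIamAdmin user:admin@example.com
roles/iam.serviceAccountAdmin user:someone-else@example.com
roles/gkehub.admin user:admin@example.com
roles/owner user:owner@example.com'

# Demo: list what admin@example.com still lacks.
if printf '%s\n' "$SAMPLE_LISTING" | missing_roles user:admin@example.com; then
  echo "all required roles are bound"
else
  echo "grant the roles listed above before running asmcli"
fi
```

To check a real project, replace the `printf` of the constructed listing with the `gcloud projects get-iam-policy` command from the header comment and pass the `user:` member you used in step 3. Because the script only compares strings, it makes no API calls of its own and can be run against a saved listing during a later review.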
Set up your cluster
-------------------

If you include the `--enable_all` flag, or one of the more granular
[enablement flags](/service-mesh/v1.19/docs/unified-install/reference#enablement_flags),
`asmcli` sets up your cluster for you.

1. Set the default zone or region for the Google Cloud CLI. If
   you don't set the default here, be sure to specify either the `--zone` or
   `--region` option in the `gcloud container clusters` commands on this page.

   - If you have a single-zone cluster, set the default zone:

     ```
     gcloud config set compute/zone CLUSTER_LOCATION
     ```

   - If you have a regional cluster, set the default region:

     ```
     gcloud config set compute/region CLUSTER_LOCATION
     ```

2. Enable
   [Workload Identity](/kubernetes-engine/docs/how-to/workload-identity):

   ```
   gcloud container clusters update CLUSTER_NAME \
       --project=PROJECT_ID \
       --workload-pool=${WORKLOAD_POOL}
   ```

   Enabling Workload Identity can take up to 10 to 15 minutes.

3. [Register the cluster to the fleet](/anthos/fleet-management/docs/fleet-creation).
4. Initialize your project to ready it for installation. Among other things,
   this command creates a service account to let data plane components, such
   as the sidecar proxy, securely access your project's data and resources.
   In the following command, replace FLEET_PROJECT_ID with
   the
   [fleet host project](/anthos/multicluster-management/fleets#fleet-host-project):

   > **Warning:** If your `FLEET_PROJECT_ID` is the same as your `PROJECT_ID`, then remove the `"FLEET_PROJECT_ID.hub.id.goog",` entry from the following command. Otherwise, the request fails with an `INVALID_ARGUMENT` error.

   ```
   curl --request POST \
       --header "Authorization: Bearer $(gcloud auth print-access-token)" \
       --header "Content-Type: application/json" \
       --data '{"workloadIdentityPools":["FLEET_PROJECT_ID.hub.id.goog","FLEET_PROJECT_ID.svc.id.goog","PROJECT_ID.svc.id.goog"]}' \
       "https://meshconfig.googleapis.com/v1alpha1/projects/PROJECT_ID:initialize"
   ```

   The command responds with empty curly braces: `{}`

5. Enable
   [Cloud Monitoring and Cloud Logging on GKE](/monitoring/kubernetes-engine):

   ```
   gcloud container clusters update CLUSTER_NAME \
       --project=PROJECT_ID \
       --enable-stackdriver-kubernetes
   ```

Your project and cluster are now ready for a new installation using `asmcli`.
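Two of the values on this page fail silently when they are wrong: the `WORKLOAD_POOL` and `MESH_ID` exports from the project setup (a placeholder left unreplaced is still a valid-looking string), and the `workloadIdentityPools` list in the initialize request, whose `hub.id.goog` entry must be dropped when the fleet host project is the cluster project. The following POSIX shell functions are an added example, not from this page or from Google's tooling; `initialize_body`, `check_workload_pool` and `check_mesh_id` are names chosen here, and the project IDs in the demo lines are constructed.

```shell
#!/bin/sh
# Added example, not from the page: build the projects:initialize request
# body and sanity-check the WORKLOAD_POOL / MESH_ID values. Function names
# are chosen here; the project IDs in the demo at the bottom are constructed.

# initialize_body PROJECT_ID FLEET_PROJECT_ID
# Prints the JSON body for the meshconfig projects:initialize call. The
# "<FLEET>.hub.id.goog" pool is included only when the fleet host project
# differs from the cluster project, which is the rule the page's warning
# states. When the two are the same, the two svc.id.goog entries coincide,
# exactly as the page's command does once the hub entry is removed.
initialize_body() {
  project="$1"
  fleet="$2"
  pools=""
  if [ "$fleet" != "$project" ]; then
    pools="\"$fleet.hub.id.goog\","
  fi
  pools="$pools\"$fleet.svc.id.goog\",\"$project.svc.id.goog\""
  printf '{"workloadIdentityPools":[%s]}' "$pools"
}

# check_workload_pool POOL PROJECT_ID
# Succeeds only if POOL is exactly "<PROJECT_ID>.svc.id.goog", so a pool
# built from the wrong project or from the literal PROJECT_ID placeholder
# is rejected.
check_workload_pool() {
  [ "$1" = "$2.svc.id.goog" ]
}

# check_mesh_id MESH_ID
# Succeeds only if MESH_ID is "proj-" followed by one or more digits; an
# unreplaced "proj-PROJECT_NUMBER" placeholder therefore fails.
check_mesh_id() {
  case "$1" in
    proj-*[!0-9]*|proj-) return 1 ;;
    proj-[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo with constructed project IDs. The real curl call would use
#   --data "$(initialize_body PROJECT_ID FLEET_PROJECT_ID)"
# in place of the hand-edited JSON shown on the page.
echo "$(initialize_body example-cluster-proj example-fleet-proj)"
echo "$(initialize_body example-cluster-proj example-cluster-proj)"

if check_workload_pool "${WORKLOAD_POOL:-unset}" example-cluster-proj; then
  echo "WORKLOAD_POOL matches example-cluster-proj.svc.id.goog"
else
  echo "WORKLOAD_POOL is not example-cluster-proj.svc.id.goog"
fi
if check_mesh_id "${MESH_ID:-unset}"; then
  echo "MESH_ID has the form proj-<project number>"
else
  echo "MESH_ID is not proj-<project number>"
fi
```

Sourcing this file in the shell where you exported `WORKLOAD_POOL` and `MESH_ID` tells you immediately whether the placeholders were replaced, and generating the request body from the two project IDs removes the manual edit the warning above asks for.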
What's next
-----------

- [Install dependent tools and validate cluster](/service-mesh/v1.19/docs/unified-install/install-dependent-tools)

Last updated 2025-08-28 UTC.