Grant the required roles
The Cloud Workstations Service Agent allows Cloud Workstations to perform service duties on your project. When you activated the Cloud Workstations service in your project, the service agent was created automatically. To enable Cloud Workstations to use your Shared VPC network and subnetwork, grant the Cloud Workstations Service Agent for your project the Compute Engine Network User role (roles/compute.networkUser) on the Shared VPC subnet, which lives in the Shared VPC host project.
To retrieve the Cloud Workstations Service Agent for your project, use the following command:

    gcloud beta services identity create \
        --service=workstations.googleapis.com \
        --project=WORKSTATIONS_PROJECT_ID

Replace WORKSTATIONS_PROJECT_ID with the ID of the project where you will create your workstations cluster. The Cloud Workstations Service Agent uses the following format, where the number is the project number (not the project ID):

    service-$WORKSTATIONS_PROJECT_NUMBER@gcp-sa-workstations.iam.gserviceaccount.com

Grant the Cloud Workstations Service Agent the Compute Engine Network User role (roles/compute.networkUser) on the Shared VPC subnet in the host project. Granting the role on the subnet, rather than on the whole host project, limits the service agent to the one subnet your workstations need.
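The steps above, carried through end to end as an added example (this is not a script from the Cloud Workstations documentation). It creates or looks up the service agent in the workstations project, binds roles/compute.networkUser on the named subnet in the host project, and reads the subnet policy back to confirm the binding. It assumes gcloud is installed and authenticated as a principal allowed to edit subnet IAM in the host project; the project IDs, region and subnet name are placeholders passed on the command line, and the --format='value(email)' output of the identity command is an assumption about the resource shape gcloud returns.

```shell
#!/bin/sh
# Added example (not from the Cloud Workstations docs): grant the Cloud
# Workstations Service Agent roles/compute.networkUser on a Shared VPC subnet
# that lives in the host project, then verify the binding.
# Assumptions: gcloud is installed and authenticated as someone who can edit
# subnet IAM in the host project; project IDs, region and subnet are
# placeholders supplied as arguments.
set -eu

# Print a command instead of running it when DRY_RUN is set, so the exact
# binding can be reviewed before it is applied.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The service agent's address is derived from the project NUMBER, not the ID.
service_agent_email() {
    project_number=$1
    echo "service-${project_number}@gcp-sa-workstations.iam.gserviceaccount.com"
}

# Ensure the service agent exists and print its address (the documented
# command; --format='value(email)' is an assumption about the returned field).
ensure_service_agent() {
    workstations_project=$1
    gcloud beta services identity create \
        --service=workstations.googleapis.com \
        --project="$workstations_project" \
        --format='value(email)'
}

# Bind the role on the subnet in the HOST project. Subnet IAM is regional, so
# --region is required; scoping the grant to one subnet is the least privilege
# Cloud Workstations needs to attach workstation VMs to it.
grant_network_user() {
    host_project=$1; region=$2; subnet=$3; member=$4
    run gcloud compute networks subnets add-iam-policy-binding "$subnet" \
        --project="$host_project" \
        --region="$region" \
        --member="serviceAccount:${member}" \
        --role=roles/compute.networkUser
}

# Read the subnet policy back and confirm the member holds the role.
verify_network_user() {
    host_project=$1; region=$2; subnet=$3; member=$4
    gcloud compute networks subnets get-iam-policy "$subnet" \
        --project="$host_project" \
        --region="$region" \
        --flatten='bindings[].members' \
        --filter="bindings.members:serviceAccount:${member}" \
        --format='value(bindings.role)' | grep -qx roles/compute.networkUser
}

# Usage: sh grant-ws-networkuser.sh WORKSTATIONS_PROJECT_ID HOST_PROJECT_ID REGION SUBNET
# Set DRY_RUN=1 to print the binding command instead of applying it.
if [ "$#" -eq 4 ]; then
    agent=$(ensure_service_agent "$1")
    grant_network_user "$2" "$3" "$4" "$agent"
    if [ -z "${DRY_RUN:-}" ]; then
        verify_network_user "$2" "$3" "$4" "$agent" && echo "bound: $agent"
    fi
fi
```

The verification step matters because add-iam-policy-binding succeeds silently if you point it at a subnet in the wrong project or region; reading the policy back from the host project is the only confirmation that the cluster creation step later will find the binding it needs.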
Create workstation clusters using a Shared VPC
When you create your workstation cluster in the Google Cloud console, specify the Shared VPC network and subnetwork. This step is only possible if the subnet has been shared with the user who is working in the console. For more information, see Provision Shared VPC.
For general information about Shared VPC access, see Shared VPC .
When you create a workstation cluster, Cloud Workstations associates the cluster with a particular subnet, and every workstation in that cluster is placed in that subnet. To capture VPC Flow Logs for your workstations, make sure that logging is turned on for that subnet. For more information, see Enable VPC Flow Logs for an existing subnet.
What's next
- Troubleshoot policy and access problems
- Configure VPC Service Controls and private clusters
- Enable VPC Flow Logs