GCE uses a service account e-mail address for the identity and a private key as the credential.
To obtain credentials for GCE, use the GCE web page's “APIs & auth -> Credentials” page, creating a “Service Account” of type JSON, then extracting the client_email as the identity and private_key as the credential. For more information, see the jclouds instructions.
An example of the expected format is shown below. Note that when supplying the credential in a properties file, it can either be one long line with \n representing the new line characters, or in YAML it can be split over multiple lines as below:
location:
jclouds:google-compute-engine:
region: us-central1-a
identity: 1234567890-somet1mesArand0mU1Dhere@developer.gserviceaccount.com
credential: |
-----BEGIN RSA PRIVATE KEY-----
abcdefghijklmnopqrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz
0123456789/+abcdefghijklmnopqrstuvwxyz0123456789/+abcdefghijklmn
opqrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz0123456789/+ab
cdefghijklmnopqrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz01
23456789/+abcdefghijklmnopqrstuvwxyz0123456789/+abcdefghijklmnop
qrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz0123456789/+abcd
efghijklmnopqrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz0123
456789/+abcdefghijklmnopqrstuvwxyz0123456789/+abcdefghijklmnopqr
stuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz0123456789/+abcdef
ghijklmnopqrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz012345
6789/+abcdefghijklmnopqrstuvwxyz0123456789/+abcdefghijklmnopqrst
uvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz0123456789/+abcdefgh
ijklmnopqrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz01234567
89/+abcdefghijklmnopqrstuvwxyz0123456789/+abcdefghijklmnopqrstuv
wxyz0123456789/+abcdefghijklmnopqrstuvwxyz0123456789/+abcdefghij
klmnopqrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz0123456789
/+abcdefghijklmnopqrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwx
yz0123456789/+abcdefghijklmnopqrstuvwxyz0123456789/+abcdefghijkl
mnopqrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz0123456789/+
abcdefghijklmnopqrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz
0123456789/+abcdefghijklmnopqrstuvwxyz0123456789/+abcdefghijklmn
opqrstuvwxyz0123456789/+abcdefghijklmnopqrstuvwxyz0123456789/+ab
cdefghijklmnopqrstuvwxyz
-----END RSA PRIVATE KEY-----
It is also possible to have the credential be the path of a local file that contains the key. However, this can make it harder to setup and manage multiple Brooklyn servers (particularly when using high availability mode).
Users are strongly recommended to use externalized configuration for better credential management, for example using Vault.
GCE accounts can have low default quotas.
It is easy to request a quota increase by submitting a quota increase form.
GCE accounts often have a limit to the number of networks that can be created. One work around is to manually create a network with the required open ports, and to refer to that named network in Brooklyn's location configuration.
To create a network, see GCE network instructions.
For example, for dev/demo purposes an “everything” network could be created that opens all ports.
|| Name || everything | || Description || opens all tcp ports | || Source IP Ranges || 0.0.0.0/0 | || Allowed protocols and ports || tcp:0-65535 and udp:0-65535 |
To configure the location to use this, you can include a location configuration option like:
templateOptions: network: https://www.googleapis.com/compute/v1/projects/<project name>/global/networks/everything