Google Compute Engine Driver Documentation
==========================================
`Google Compute Engine`_ gives users the ability to run
large-scale workloads on virtual machines hosted on Google's infrastructure.
It is a part of Google Cloud Platform.

.. figure:: /_static/images/provider_logos/gcp.png
    :align: center
    :width: 500
    :target: https://cloud.google.com/

Google Compute Engine features:
* High-performance virtual machines
* Minute-level billing (10-minute minimum)
* Fast VM provisioning
* Persistent block storage (SSD and standard)
* Native Load Balancing
Connecting to Google Compute Engine
-----------------------------------
Libcloud supports three different methods for authenticating:
`Service Account`_, `Installed Application`_ and `Internal Authentication`_.

Which one should I use?

* Service Accounts are generally better suited for automated systems, cron
  jobs, etc. They should be used when access to the application/script is
  limited and needs to be able to run with limited intervention.

* Installed Application authentication is often the better choice when
  creating an application that may be used by third-parties interactively. For
  example, a desktop application for managing VMs that would be used by many
  different people with different Google accounts.

* If you are running your code on an instance inside Google Compute Engine,
  the GCE driver will consult the internal metadata service to obtain an
  authorization token. The only value required for this type of
  authorization is your Project ID.

Once you have set up the authentication as described below, you pass the
authentication information to the driver as described in `Examples`_. Also
bear in mind that a large clock drift (difference in time) between the
authenticating host and Google will cause authentication to fail.
Service Account
~~~~~~~~~~~~~~~
To set up Service Account authentication, you will need to download the
corresponding private key file in either the new JSON (preferred) format, or
the legacy P12 format.

1. Go to Google Cloud Console (https://console.cloud.google.com/) and create a
   new project (https://console.cloud.google.com/projectcreate) or re-use an
   existing one.

.. figure:: /_static/images/misc/gce/create_service_account.png
    :align: center
    :width: 500

2. Select the existing or newly created project and go to IAM & Admin ->
   Service Accounts -> Create service account to create a new service account.
   Select "Furnish a new private key" to create and download a new private key
   that you will use to authenticate.

   a. If you opt for the new preferred JSON format, download the file and
      save it to a secure location.

   b. If you opt to use the legacy P12 format:

      Convert the private key to a .pem file using the following:
      ``openssl pkcs12 -in YOURPRIVKEY.p12 -nodes -nocerts
      | openssl rsa -out PRIV.pem``

      Move the .pem file to a safe location.

.. figure:: /_static/images/misc/gce/iam_and_roles.png
    :align: center
    :width: 500

.. figure:: /_static/images/misc/gce/create_service_account.png
    :align: center
    :width: 500

3. You will need the Service Account's "Email Address" and the path to the
   key file for authentication.

.. figure:: /_static/images/misc/gce/view_service_accounts.png
    :align: center
    :width: 500

4. You will also need your "Project ID" (a string, not a numerical value) that
   can be found by clicking on the "Overview" link on the left sidebar.

.. figure:: /_static/images/misc/gce/project_dashboard.png
    :align: center
    :width: 500

5. You will also need to have billing information associated and enabled for
   that project. If billing is not yet enabled for that project, an error
   message similar to the one below will be printed when you first run the code
   which uses the GCE driver:

.. sourcecode:: python

    libcloud.common.google.GoogleBaseError: {u'domain': u'usageLimits', u'message': u'Access Not Configured. Compute Engine API has not been used in project 1029894677594 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=1029894677594 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.', u'reason': u'accessNotConfigured', u'extendedHelp': u'https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=YYYYYYYY'}

You can simply follow the link in the error message to configure and enable
billing.

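
The check below is an added example, not part of Libcloud or its documentation: it verifies that a JSON key downloaded in step 2 is accessible only to its owner and contains the values needed in steps 3 and 4 before the path is handed to the driver. The function names and the sample key contents are constructed for illustration, and the field names assume the layout of Google's service-account JSON key files.

```python
import json
import os
import stat
import tempfile

REQUIRED_FIELDS = ("type", "project_id", "client_email", "private_key")


def check_service_account_key(path):
    """Return a list of problems with a service-account JSON key file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other bit lets other local accounts reach the private key.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o is too open, expected 600" % mode)
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:  # also covers binary P12 input (UnicodeDecodeError)
        return problems + ["not a JSON key file"]
    if not isinstance(key, dict):
        return problems + ["JSON top level is not an object"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append("missing field: " + field)
    if key.get("type") and key["type"] != "service_account":
        problems.append("type is %r, not 'service_account'" % key["type"])
    return problems


def demo():
    """Check a constructed key before and after tightening permissions."""
    sample = {  # constructed sample values, not a real credential
        "type": "service_account",
        "project_id": "example-project",
        "client_email": "svc@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\n(constructed)\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # typical mode of a freshly downloaded file
        before = check_service_account_key(path)
        os.chmod(path, 0o600)  # owner read/write only
        after = check_service_account_key(path)
    return before, after
```

An empty list from ``check_service_account_key()`` means the file passed every check; the permission test relies on POSIX mode bits.
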
Installed Application
~~~~~~~~~~~~~~~~~~~~~
To set up Installed Application authentication:

1. Go to the `Google Developers Console`_
2. Select your project
3. In the left sidebar, go to "APIs & auth"
4. Click on "Credentials" then "Create New Client ID"
5. Select "Installed application" and "Other" then click "Create Client ID"
6. For authentication, you will need the "Client ID" and the "Client Secret"
7. You will also need your "Project ID" (a string, not a numerical value) that
   can be found by clicking on the "Overview" link on the left sidebar.

Internal Authentication
~~~~~~~~~~~~~~~~~~~~~~~
To use GCE's internal metadata service to authenticate, simply specify
your Project ID and let the driver handle the rest. See the
`5. Using GCE Internal Authorization`_ example below.
Accessing Google Cloud services from your Libcloud nodes
--------------------------------------------------------
In order for nodes created with libcloud to be able to access or manage other
Google Cloud Platform services, you will need to specify a list of Service
Account Scopes. By default libcloud will create nodes that only allow
read-only access to Google Cloud Storage. A few of the examples below
illustrate how to use Service Account Scopes.
Examples
--------
Keep in mind that a lot of the driver methods depend on the zone / location
being set.
For that reason, you are advised to pass the ``datacenter`` argument to the
driver constructor. This value should contain the name of the zone where you
want your operations to be performed (e.g. ``us-east1-b``).

Some of the methods allow this value to be overridden on a per-invocation
basis, by specifying either the ``zone`` or the ``location`` method argument.

Additional example code can be found in the "demos" directory of Libcloud here:
https://github.com/apache/libcloud/blob/trunk/demos/gce_demo.py
1. Getting Driver with Service Account authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. literalinclude:: /examples/compute/gce/gce_service_account.py
2. Getting Driver with Installed Application authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. literalinclude:: /examples/compute/gce/gce_installed_application.py
3. Getting Driver using a default Datacenter (Zone)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. literalinclude:: /examples/compute/gce/gce_datacenter.py
4. Specifying Service Account Scopes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. literalinclude:: /examples/compute/gce/gce_service_account_scopes.py
5. Using GCE Internal Authorization
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. literalinclude:: /examples/compute/gce/gce_internal_auth.py
6. Using deploy_node() functionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. literalinclude:: /examples/compute/gce/deploy_node.py
API Docs
--------

.. autoclass:: libcloud.compute.drivers.gce.GCENodeDriver
    :members:
    :inherited-members:

.. _`Google Compute Engine`: https://cloud.google.com/products/compute-engine/
.. _`Google Developers Console`: https://cloud.google.com/console