Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 2. Uploading images to Google Cloud with RHEL image builder

With RHEL image builder, you can build a gce image, provide credentials for your user or Google Cloud service account, and then upload the gce image directly to the Google Cloud environment.

Set up a configuration file with credentials to upload your gce image to Google Cloud by using the RHEL image builder CLI.

Warning

You cannot manually import gce image to Google Cloud, because the image will not boot. You must use either gcloud or RHEL image builder to upload it.

Prerequisites

  • You have a valid Google account and credentials to upload your image to Google Cloud. The credentials can be from a user account or a service account. The account associated with the credentials must have at least the following IAM roles assigned:

    • roles/storage.admin - to create and delete storage objects
    • roles/compute.storageAdmin - to import a VM image to Compute Engine.
  • You have an existing Google Cloud bucket.

Procedure

  1. Use a text editor to create a gcp-config.toml configuration file with the following content: 

    provider = "gcp"
[settings]
bucket = "GOOGLE_CLOUD_BUCKET"
region = "GOOGLE_CLOUD_STORAGE_REGION"
object = "OBJECT_KEY"
credentials = "GOOGLE_CLOUD_CREDENTIALS"
    • GOOGLE_CLOUD_BUCKET points to an existing bucket. It is used to store the intermediate storage object of the image which is being uploaded.
    • GOOGLE_CLOUD_STORAGE_REGION is both a regular Google storage region and a dual or multi region.
    • OBJECT_KEY is the name of an intermediate storage object. It must not exist before the upload, and it is deleted when the upload process is done. If the object name does not end with .tar.gz, the extension is automatically added to the object name.

    • GOOGLE_CLOUD_CREDENTIALS is a Base64-encoded scheme of the credentials JSON file downloaded from Google Cloud. The credentials determine which project the Google Cloud uploads the image to.

      Note

      Specifying GOOGLE_CLOUD_CREDENTIALS in the gcp-config.toml file is optional if you use a different mechanism to authenticate with Google Cloud. For other authentication methods, see Authenticating with Google Cloud.

  2. Retrieve the GOOGLE_CLOUD_CREDENTIALS from the JSON file downloaded from Google Cloud. 

    $ sudo base64 -w 0 cee-gcp-nasa-476a1fa485b7.json

  3. Create a compose with an additional image name and cloud provider profile: 

    $ sudo composer-cli compose start BLUEPRINT-NAME gce IMAGE_KEY gcp-config.toml

    The image build, upload, and cloud registration processes can take up to ten minutes to complete.

Verification

  • Verify that the image status is FINISHED: 

    $ sudo composer-cli compose status

You can use several different types of credentials with RHEL image builder to authenticate with Google Cloud. If RHEL image builder configuration is set to authenticate with Google Cloud using multiple sets of credentials, it uses the credentials in the following order of preference:

  1. Credentials specified with the composer-cli command in the configuration file.
  2. Credentials configured in the osbuild-composer worker configuration.

  3. Application Default Credentials from the Google Cloud SDK library, which tries to automatically find a way to authenticate by using the following options:

    1. If the GOOGLE_APPLICATION_CREDENTIALS environment variable is set, Application Default Credentials tries to load and use credentials from the file pointed to by the variable.

    2. Application Default Credentials tries to authenticate by using the service account attached to the resource that is running the code. For example, Google Compute Engine VM.

      Note

      You must use the Google Cloud credentials to determine which Google Cloud project to upload the image to. Therefore, unless you want to upload all of your images to the same Google Cloud project, you always must specify the credentials in the gcp-config.toml configuration file with the composer-cli command.

You can specify Google Cloud authentication credentials in the upload target configuration gcp-config.toml file. Use a Base64-encoded scheme of the Google account credentials JSON file to save time.

Procedure

  1. Get the encoded content of the Google account credentials file with the path stored in GOOGLE_APPLICATION_CREDENTIALS environment variable, by running the following command: 

    $ base64 -w 0 "${GOOGLE_APPLICATION_CREDENTIALS}"

  2. In the upload target configuration gcp-config.toml file, set the credentials: 

    provider = "gcp"

[settings]
provider = "gcp"

[settings]
credentials = "GOOGLE_CLOUD_CREDENTIALS"

You can configure Google Cloud authentication credentials to be used for Google Cloud globally for all image builds. This way, if you want to import images to the same Google Cloud project, you can use the same credentials for all image uploads to Google Cloud.

Procedure

  • In the /etc/osbuild-worker/osbuild-worker.toml worker configuration, set the following credential value: 

    [gcp]
credentials = "PATH_TO_GOOGLE_CLOUD_ACCOUNT_CREDENTIALS"
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top