Stay organized with collectionsSave and categorize content based on your preferences.
This page explains how to create a Google Distributed Cloud (GDC) air-gapped project for
grouping your resources together within an organization. Projects provide a
lifecycle and policy boundary for resources, allowing for multiple groups of
users to manage GDC resources separately.
This page is for audiences such as IT administrators, security engineers, and
network administrators within the platform administrator group, who are
responsible for managing resources within their organization. For more information,
seeAudiences for GDC air-gapped documentation.
Before you begin
To get the permissions needed to create a project, ask your Organization
IAM Admin to grant you the Project Creator role (project-creator).
Before you create a project, review the information Google Distributed Cloud (GDC) air-gapped
uses to identify your project:
Project name: A human-readable name for your project.
The project name isn't used by any GDC APIs. You can
edit the project name at any time during or after project creation. Project
names don't need to be unique.
Projects have the following name requirements:
4 to 30 characters in length.
Contains letters, numbers, single quotes, hyphens, spaces, or exclamation points.
Project ID: A globally unique identifier for your project.
A project ID is a unique string used to differentiate your project from all
others in GDC. You can only modify the project ID
when you're creating the project.
Project IDs have the following requirements:
6 to 30 characters in length.
Contains lowercase letters, numbers, and hyphens.
Starts with a letter.
Must not start with the prefixg-, such asg-project.
Must not end with a hyphen.
Must not end with the string-clusteror-system. The-systemsuffix is reserved for
projects created by GDC.
Must not be in use or previously used; this includes deleted projects.
Don't include sensitive information in your project name, project ID, or other
resource names. The project ID is used in the name of many other
GDC resources, and any reference to the project or
related resources exposes the project ID and resource name.
Create a new project
You can create a project to provide logical grouping of service resources. For
example, you can create separate projects to hold resources for development,
test, and production environments.
To get the permissions that you need to create a project, ask your Organization
IAM Admin to grant you the Project Creator role. For more information on
granting permissions, see theAssign a role binding to the service identitysection.
Console
To create a new project using the GDC console, complete the
following steps:
In the navigation menu, clickProjects.
ClickAdd project.
In theProject namefield, enter a project name.
ClickContinue.
Optional: Configure your project's networking capabilities. Clear theEnable data exfiltration protectioncheckbox to disable all egress
traffic to other projects inside your organization.
ClickContinue.
In theReviewsection, review the summary and clickCreate.
To verify the new project is available, a message is displayed in the
console:ProjectPROJECT_NAMEsuccessfully created.
Link your new projectwith a billing account. To track project resource costs, you must have
an associated billing account linked to your project.
gdcloud
To create a new project using the gdcloud CLI, complete the
following steps:
Ensure you have the gdcloud CLI installed. For more
information, see the gdcloud CLIOverviewpage.
To create a project, run:
gdcloudprojectscreatePROJECT_ID
ReplacePROJECT_IDwith the unique identifier for
your new project.
To verify the new project is available, run:
gdcloudprojectslist
Link your new projectwith a billing account. To track project resource costs, you must have
an associated billing account linked to your project.
API
To create a new project using the API directly, complete the following
steps:
Set an environment variable for the global management API server
kubeconfig file:
exportKUBECONFIG=GLOBAL_API_SERVER_KUBECONFIG
If you don't have the global management API server kubeconfig file,generate one.
ReplaceGLOBAL_API_SERVER_KUBECONFIGwith the path to
the global management API server's kubeconfig file. If you don't have this
kubeconfig file,generate one.
In a Terraform configuration file, such asmain.tf, insert the
following code snippet:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eProjects group resources within an organization, establishing a lifecycle and policy boundary.\u003c/p\u003e\n"],["\u003cp\u003eEach project requires a unique Project ID, which must be 6-30 characters long, contain lowercase letters, numbers, and hyphens, start with a letter, and not end with a hyphen, \u003ccode\u003e-cluster\u003c/code\u003e, or \u003ccode\u003e-system\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eProject names are human-readable, can be edited anytime, do not need to be unique, and must be between 4 to 30 characters in length.\u003c/p\u003e\n"],["\u003cp\u003eYou can create projects using the GDC console, the gdcloud CLI, directly via the API, or with Terraform.\u003c/p\u003e\n"],["\u003cp\u003eAfter creating a project, it is necessary to link it to a billing account to monitor project resource costs.\u003c/p\u003e\n"]]],[],null,["# Create a project\n\nThis page explains how to create a Google Distributed Cloud (GDC) air-gapped project for\ngrouping your resources together within an organization. Projects provide a\nlifecycle and policy boundary for resources, allowing for multiple groups of\nusers to manage GDC resources separately.\n\nThis page is for audiences such as IT administrators, security engineers, and\nnetwork administrators within the platform administrator group, who are\nresponsible for managing resources within their organization. For more information,\nsee [Audiences for GDC air-gapped documentation](/distributed-cloud/hosted/docs/latest/gdch/resources/audiences).\n\nBefore you begin\n----------------\n\nTo get the permissions needed to create a project, ask your Organization\nIAM Admin to grant you the Project Creator role (`project-creator`).\n\nBefore you create a project, review the information Google Distributed Cloud (GDC) air-gapped\nuses to identify your project:\n\n- **Project name**: A human-readable name for your project.\n\n The project name isn't used by any GDC APIs. You can\n edit the project name at any time during or after project creation. Project\n names don't need to be unique.\n\n Projects have the following name requirements:\n - 4 to 30 characters in length.\n - Contains letters, numbers, single quotes, hyphens, spaces, or exclamation points.\n- **Project ID**: A globally unique identifier for your project.\n\n A project ID is a unique string used to differentiate your project from all\n others in GDC. You can only modify the project ID\n when you're creating the project.\n | **Note:** The namespaces propagated by a project are the same as the project ID.\n\n Project IDs have the following requirements:\n - 6 to 30 characters in length.\n - Contains lowercase letters, numbers, and hyphens.\n - Starts with a letter.\n - Must not start with the prefix `g-`, such as `g-project`.\n - Must not end with a hyphen.\n - Must not end with the string `-cluster` or `-system`. The `-system` suffix is reserved for projects created by GDC.\n - Must not be in use or previously used; this includes deleted projects.\n\nDon't include sensitive information in your project name, project ID, or other\nresource names. The project ID is used in the name of many other\nGDC resources, and any reference to the project or\nrelated resources exposes the project ID and resource name.\n\nCreate a new project\n--------------------\n\nYou can create a project to provide logical grouping of service resources. For\nexample, you can create separate projects to hold resources for development,\ntest, and production environments.\n\nTo get the permissions that you need to create a project, ask your Organization\nIAM Admin to grant you the Project Creator role. For more information on\ngranting permissions, see the\n[Assign a role binding to the service identity](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/service-identity#assign_a_role_binding_to_the_service_identity)\nsection. \n\n### Console\n\nTo create a new project using the GDC console, complete the\nfollowing steps:\n\n1. In the navigation menu, click **Projects**.\n2. Click **Add project**.\n3. In the **Project name** field, enter a project name.\n4. Click **Continue**.\n5. Optional: Configure your project's networking capabilities. Clear the **Enable data exfiltration protection** checkbox to disable all egress traffic to other projects inside your organization.\n6. Click **Continue**.\n7. In the **Review** section, review the summary and click **Create**.\n8. To verify the new project is available, a message is displayed in the console: `Project `\u003cvar class=\"readonly\" translate=\"no\"\u003ePROJECT_NAME\u003c/var\u003e`\n successfully created`.\n9. [Link your new project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/billing/manage-billing-accounts#link_a_project) with a billing account. To track project resource costs, you must have an associated billing account linked to your project.\n\n### gdcloud\n\nTo create a new project using the gdcloud CLI, complete the\nfollowing steps:\n\n1. Ensure you have the gdcloud CLI installed. For more\n information, see the gdcloud CLI\n [Overview](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview#download_and_install_the)\n page.\n\n2. To create a project, run:\n\n gdcloud projects create \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the unique identifier for\n your new project.\n | **Important:** The gdcloud CLI does not support attaching a project to a Kubernetes cluster. You must do this in the GDC console after the project is created by following [Attach project to a cluster](/distributed-cloud/hosted/docs/latest/gdch/platform-application/pa-ao-operations/cluster#attach-project-to-cluster).\n3. To verify the new project is available, run:\n\n gdcloud projects list\n\n4. [Link your new project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/billing/manage-billing-accounts#link_a_project)\n with a billing account. To track project resource costs, you must have\n an associated billing account linked to your project.\n\n### API\n\nTo create a new project using the API directly, complete the following\nsteps:\n\n1. Set an environment variable for the global management API server\n kubeconfig file:\n\n export KUBECONFIG=\u003cvar translate=\"no\"\u003eGLOBAL_API_SERVER_KUBECONFIG\u003c/var\u003e\n\n If you don't have the global management API server kubeconfig file,\n [generate one](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in).\n2. Create and apply the `Project` custom resource:\n\n kubectl apply -f --kubeconfig=${KUBECONFIG} - \u003c\u003cEOF\n apiVersion: resourcemanager.global.gdc.goog/v1\n kind: Project\n metadata:\n namespace: platform\n name: \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n EOF\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the unique identifier\n for your new project.\n | **Important:** The `Project` custom resource does not directly support attaching a Kubernetes cluster. You must do this in the GDC console after the project is provisioned by following [Attach project to a cluster](/distributed-cloud/hosted/docs/latest/gdch/platform-application/pa-ao-operations/cluster#attach-project-to-cluster).\n3. Verify the new project is available:\n\n kubectl --kubeconfig=${KUBECONFIG} get namespaces\n\n4. [Link your new project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/billing/manage-billing-accounts#link_a_project)\n with a billing account. To track project resource costs, you must have\n an associated billing account linked to your project.\n\n### Terraform\n\nTo create a new project using Terraform, complete the following\nsteps:\n\n1. Ensure you have Terraform configured and the appropriate permissions set.\n For more information, see the\n [Configure Terraform](/distributed-cloud/hosted/docs/latest/gdch/resources/configure-terraform) page.\n\n2. In a Terraform configuration file, insert the following code snippet:\n\n provider \"kubernetes\" {\n config_path = \"\u003cvar translate=\"no\"\u003eGLOBAL_API_SERVER_KUBECONFIG\u003c/var\u003e\"\n }\n\n Replace \u003cvar translate=\"no\"\u003eGLOBAL_API_SERVER_KUBECONFIG\u003c/var\u003e with the path to\n the global management API server's kubeconfig file. If you don't have this\n kubeconfig file,\n [generate one](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in).\n3. In a Terraform configuration file, such as `main.tf`, insert the\n following code snippet:\n\n resource \"kubernetes_manifest\" \"project-create\" {\n manifest = {\n \"apiVersion\" = \"resourcemanager.global.gdc.goog/v1\"\n \"kind\" = \"Project\"\n \"metadata\" = {\n \"name\" = \"\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\"\n \"namespace\" = \"platform\"\n }\n }\n }\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the unique identifier\n for your new project.\n | **Important:** The `Project` Kubernetes manifest does not directly support attaching a Kubernetes cluster. You must do this in the GDC console after the project is provisioned by following [Attach project to a cluster](/distributed-cloud/hosted/docs/latest/gdch/platform-application/pa-ao-operations/cluster#attach-project-to-cluster).\n4. Apply the new project using Terraform:\n\n terraform apply\n\n5. [Link your new project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/billing/manage-billing-accounts#link_a_project)\n with a billing account. To track project resource costs, you must have\n an associated billing account linked to your project."]]
