The sample code's REST API is described
using theOpenAPI specification. The
tutorial also shows you how to create anAPI
keyand use it when sending requests
to the API.
The tutorial uses prebuilt container images of the sample code and
ESPv2, which are stored inArtifact Registry.
To generate a cost estimate based on your projected usage,
use thepricing calculator.
New Google Cloud users might be eligible for afree trial.
When you finish the tasks that are described in this document, you can avoid
continued billing by deleting the resources that you created. For more information, seeClean up.
Before you begin
Sign in to your Google Cloud account. If you're new to
Google Cloud,create an accountto evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
In the Google Cloud console, on the project selector page,
select or create a Google Cloud project.
Make a note of the Google Cloud project ID, because it's needed later.
Creating a container cluster
You must create a container cluster on GKE for the sample
API backend code to run on. The cluster needs anIP aliasto usecontainer native load balancing.
To create a container cluster with an IP alias for the sample API:
The above example command creates a cluster,espv2-demo-cluster, with
an auto-provisioned subnetwork in zoneus-central1-a.
Make a note of the cluster name and zone because they are needed when you
authenticatekubectlto the container cluster.
Installing and configuring required software
In this tutorial, you install the gcloud CLI so that you can use
theGoogle Cloud CLIto manage your project.
You usekubectlto run commands against GKE
clusters. You also need a way to test the API.
In the following procedure, if you already have the required
software installed, continue with the next step.
Linux and macOS users: This tutorial provides an example of usingcurl, which typically comes pre-installed on your operating system.
If you don't havecurl, you can download it from thecurlReleases and downloads page.
Windows users: This tutorial provides an example usingInvoke-WebRequest, which is
supported in PowerShell 3.0 and later.
Update the gcloud CLI and install the Endpoints components:
gcloud components update
Make sure that the Google Cloud CLI (gcloud) is authorized to access
your data and services on Google Cloud:
gcloud auth login
In the new browser tab that opens, select an account.
Set the default project to your project ID:
gcloud config set projectYOUR_PROJECT_ID
ReplaceYOUR_PROJECT_IDwith your project ID.
If you have other Google Cloud projects, and you want to usegcloudto manage them, seeManaging gcloud CLI
configurations.
Installkubectl:
gcloud components install kubectl
Acquire new user credentials to use for Application Default Credentials.
The user credentials are needed to authorizekubectl.
gcloud auth application-default login
In the new browser tab that opens, select an account.
Downloading the sample code
To help you get up and running quickly, sample code is provided in several
languages.
To download the sample code to your local machine:
Java
To clone or download the sample API:
Clone the sample app repository to your local machine:
The configuration sample displays the lines near thehostfield, which you need to modify. To deploy theopenapi.yamlfile
to Endpoints, the complete OpenAPI document is required.
The exampleopenapi.yamlfile contains a section for configuring
authentication that isn't needed for this tutorial. You don't need to
configure the lines withYOUR-SERVICE-ACCOUNT-EMAILandYOUR-CLIENT-ID.
OpenAPI is a language-agnostic specification. The sameopenapi.yamlfile is in thegetting-startedsample in each language GitHub
repository for convenience.
In thehostfield, replace the text with the
Endpoints service name, which should be in the following format:
Note thatecho-api.endpoints.YOUR_PROJECT_ID.cloud.googis the Endpoints service name. It isn't the fully qualified
domain name (FQDN) that you use for sending requests to the API.
For information about the fields in the OpenAPI document that
Endpoints requires, seeConfiguring
Endpoints.
After you finish all the following configuration steps such that you can
successfully send requests to the sample API using an IP address, seeConfiguring Endpoints DNSfor information on how
to configureecho-api.endpoints.YOUR_PROJECT_ID.cloud.googto be the
FQDN.
Make sure you are in theendpoints/getting-starteddirectory.
Upload the configuration and create a managed service:
gcloud endpoints services deploy openapi.yaml
Thegcloudcommand then calls the Service Management
API to create a managed service with the name that you specified in thehostfield of theopenapi.yamlfile.
Service Management configures the service according to the
settings in theopenapi.yamlfile. When you make changes toopenapi.yaml, you must redeploy the file to update the
Endpoints service.
As it is creating and configuring the service, Service Management
outputs information to the terminal. You can safely ignore the warnings about
the paths in theopenapi.yamlfile not requiring an API key.
When it finishes configuring the service, Service Management displays a
message with the service configuration ID and the service name, similar to the
following:
Service Configuration [2017-02-13r0] uploaded for service [echo-api.endpoints.example-project-12345.cloud.goog]
In the preceding example,2017-02-13r0is the service
configuration ID, andecho-api.endpoints.example-project-12345.cloud.googis the
Endpoints service. The service configuration ID consists of a
date stamp followed by a revision number. If you deploy theopenapi.yamlfile again on the same day, the revision
number is incremented in the service configuration ID. You can view
the Endpoints service configuration on theEndpoints>Servicespage in the Google Cloud console.
At a minimum, Endpoints and ESP require the
following Google services to be enabled:
Name
Title
servicemanagement.googleapis.com
Service Management API
servicecontrol.googleapis.com
Service Control API
In most cases, thegcloud endpoints services deploycommand enables these
required services. However, thegcloudcommand completes successfully but
doesn't enable the required services in the following circumstances:
If you used a third-party application such as Terraform, and you don't
include these services.
You deployed the Endpoints configuration to an existing
Google Cloud project in which these services were explicitly disabled.
Use the following command to confirm that the required services are enabled:
gcloud services list
If you do not see the required services listed, enable them:
To determine theENDPOINTS_SERVICE_NAMEyou can either:
After deploying the Endpoints configuration, go to theEndpointspage in the Cloud console. The list of possibleENDPOINTS_SERVICE_NAMEare shown under theService namecolumn.
For OpenAPI, theENDPOINTS_SERVICE_NAMEis what you specified in thehostfield of your OpenAPI spec. For gRPC, theENDPOINTS_SERVICE_NAMEis what you specified in thenamefield of your gRPC Endpoints configuration.
For more information about thegcloudcommands, seegcloudservices.
Deploying the API backend
So far you have deployed the OpenAPI document to Service Management, but
you haven't yet deployed the code that serves the API backend. This section
walks you through deploying prebuilt containers for the sample API and
ESPv2 to the cluster.
Checking required permissions
ESP and ESPv2 calls Google services which use IAM to
verify if the calling identity has enough permissions to access the used IAM
resources. The calling identity is the attached service account deploying ESP
and ESPv2.
When deployed in GKE pod, the attached service account is the node service
account. Usually it is the Compute Engine default service account. Please follow this
permissionrecommendationto choose a proper node service account.
IfWorkload Identityis used, a separate service account other than the node
service account can be used to talk to Google services. You can create a
Kubernetes service account for the pod to run ESP and
ESPv2, create a Google service account and associate the Kubernetes
service account to the Google service account.
Follow thesestepsto associate a Kubernetes service account with a Google service
account. This Google service account is the attached service account.
If the attached service account is theCompute
Engine default service accountof the project and the endpoint service
configuration is deployed in thesame project, the service account should
have enough permissions to access the IAM resources, following IAM roles setup
step can be skipped. Otherwise following IAM roles should be added to the
attached service account.
Add required IAM roles:
This section describes the IAM resources used by ESP and
ESPv2 and the IAM roles required for the attached service account to
access these resources.
Endpoint Service Configuration
ESP and ESPv2 call Service Control
which uses the endpoint service configuration. The endpoint service configuration
is an IAM resource and ESP and ESPv2 need theService Controllerrole to access it.
The IAM role is on the endpoint service configuration, not on the project.
A project may have multiple endpoint service configurations.
Use the following gcloud command to add the role to the attached service
account for the endpoint service configuration.
Where *SERVICE_NAMEis the endpoint service name *SERVICE_ACCOUNT_NAME@DEPLOY_PROJECT_ID.iam.gserviceaccount.comis the attached service account.
Cloud Trace
ESP and ESPv2 callCloud Traceservice to
export Trace to a project. This project is called the tracing
project. In ESP, the tracing project and the project that owns
the endpoint service configuration are the same. In ESPv2, the
tracing project can be specified by the flag--tracing_project_id, and
defaults to the deploying project.
ESP and ESPv2 require theCloud Trace Agentrole to enable Cloud Trace.
Use the following gcloud command to add the role to the attached service
account:
Where *TRACING_PROJECT_IDis the tracing project ID *SERVICE_ACCOUNT_NAME@DEPLOY_PROJECT_ID.iam.gserviceaccount.com
is the attached service account.
For more information, seeWhat are roles and permissions?
Deploying the containers to the cluster
Containersoffer a logical packaging mechanism in which you can
abstract applications from the environment in which they actually run.
You use the following procedure to deploy the sample API and ESPv2
to the cluster.
To deploy the containers to the cluster:
Get cluster credentials and make them available tokubectl:
ReplaceNAMEwith the cluster name andZONEwith the cluster zone.
Deploy a Kubernetes service to the GKE cluster. The
Kubernetes service implements the API.git clonethisrepo,cd getting-started/to folder and edit the Kubernetes configuration fileLANG-deployment.yaml,
and replaceSERVICE_NAMEin the ESPv2
startup options with the name of your service.Java
The--rollout_strategy=managedoption
configures ESPv2 to use the latest deployed service configuration. When you
specify this option, within a minute after you deploy a new service
configuration, ESPv2 detects the change and automatically begins using it. We
recommend that you specify this option instead of providing a specific configuration ID
for ESPv2 to use.
For information about the other ESPv2 options used, seeESPv2 startup options.
Deploying service configurations to Endpoints
If you run a large fleet of Endpoints (more than 100) in the same Google Cloud project, we recommend that you mount the service config for the container instead of
using the--rollout_strategy=managedflag to pull the service config from the Service
Management API.
The Service Management API has a defaultquota. If a large fleet of
ESPv2 proxies uses--rollout_strategy=managed, they
will all poll for the latest service config. The fleet may exceed the quota and thus cause
service config update failures.
Follow the steps below to mount the service config:
To send requests to the API, you need the external IP of the service. It can
take a few minutes after you start your service in the container before the
external IP address is ready.
View the external IP address:
kubectl get ingress
Make a note of the value forEXTERNAL-IP. You use that IP address when you
send a request to the sample API.
Sending a request by using an IP address
Now that the service is running in the container cluster, and you have the
external IP address, you can send requests to the API.
Create an API key and set an environment variable
The sample code requires an API key. To simplify the request, you set an
environment variable for the API key.
In the same Google Cloud project that you used for your API, create an API key on the
API credentials page. If you want to create an API key in a different Google Cloud project,
seeEnabling an API in your Google Cloud project.
On your local computer, paste the API key to assign it to an environment
variable:
In Linux or macOS:export ENDPOINTS_KEY=AIza...
In Windows PowerShell:$Env:ENDPOINTS_KEY="AIza..."
Send the request
Linux or mac OS
Usecurlto send an HTTP request by using theENDPOINTS_KEYenvironment
variable you set previously. ReplaceIP_ADDRESSwith
the external IP address of your instance.
The--dataoption specifies the data to post to the API.
The--headeroption specifies that the data is in JSON format.
PowerShell
UseInvoke-WebRequestto send an HTTP request by using theENDPOINTS_KEYenvironment variable you set previously. ReplaceIP_ADDRESSwith the external IP address of your
instance.
In the previous example, the first two lines end in a backtick. When you paste the
example into PowerShell, make sure there isn't a space following the backticks.
For information about the options used in the example request, seeInvoke-WebRequestin the Microsoft
documentation.
Third-party app
You can use a third-party application such as the Chrome browser
extensionPostmanto send the
request:
SelectPOSTas the HTTP verb.
For the header, select the keycontent-typeand the valueapplication/json.
For the body, enter the following: {"message":"hello world"}
In the URL, use the actual API key rather than the environment variable.
For example: http://192.0.2.0:80/echo?key=AIza...
The API echoes back the message that you send, and responds with the
following:
Because the Endpoints service name for the API is in the.endpoints.YOUR_PROJECT_ID.cloud.googdomain, you can
use it as the fully qualified domain name (FQDN) by making a small
configuration change in youropenapi.yamlfile. This way, you can
send requests to the sample API by usingecho-api.endpoints.YOUR_PROJECT_ID.cloud.googinstead of the IP address.
To configure Endpoints DNS:
Open your OpenAPI configuration file,openapi.yaml, and add thex-google-endpointsproperty at the top level of the file
(not indented or nested) as shown in the following snippet:
When you deploy theopenapi.yamlfile by using the precedinggcloudcommand, Service Management creates a DNS A-record,echo-api.endpoints.my-project-id.cloud.goog, which resolves to the
target IP address,192.0.2.1. It might take a few minutes for the
new DNS configuration to propagate.
Now that you have the DNS record configured for the sample API, send a
request to it by using the FQDN (replaceYOUR_PROJECT_IDwith your project ID) and theENDPOINTS_KEYenvironment variable set
previously:
To avoid incurring charges to your Google Cloud account for the resources used in this
tutorial, either delete the project that contains the resources, or keep the project and
delete the individual resources.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis tutorial guides users through configuring and deploying a sample REST API and Extensible Service Proxy V2 (ESPv2) to a Google Kubernetes Engine (GKE) cluster.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves setting up a Google Cloud project, creating a GKE cluster, installing necessary software, downloading sample code, and configuring the \u003ccode\u003eopenapi.yaml\u003c/code\u003e file to define the API's structure and settings for Cloud Endpoints.\u003c/p\u003e\n"],["\u003cp\u003eUsers will deploy the Endpoints configuration, the API backend, and ESPv2 to the GKE cluster using prebuilt container images and access the API via its external IP address by using an API key for authentication.\u003c/p\u003e\n"],["\u003cp\u003eThe tutorial also demonstrates how to configure a DNS record for the API to enable access using a fully qualified domain name (FQDN) instead of an IP address, as well as enabling users to track API activity and request logs.\u003c/p\u003e\n"],["\u003cp\u003eCleanup instructions are provided to avoid continued billing, and instructions on where to go to get support and learn more are provided.\u003c/p\u003e\n"]]],[],null,[]]
