Deeploy requires multiple Google Cloud resources to operate successfully. This article outlines which resources are required and how they can be installed. All steps to set up the Google environment contain examples using the gcloud CLI, but can also be performed using the Google Cloud Console.
Typical Customer Deployment
Typical customer deployments consist of a separate development and production environment. The high-level architecture with the relevant GCP resources is shown below:
Deeploy.ml Core Components
Storage of configuration, parameter & relational data using
Persistent storage of model files using
Storage of Secrets & Certificates using
Set up the cloud resources
In a production environment, we advise managing cloud resources as infrastructure as code, for example with Terraform.
Create a service account
First, enable the IAM API (Access Management API) via the IAM Documentation. If you require more information about the use of service accounts in Google, please consult the service account documentation.
To check if your gcloud environment uses the correct project, execute the command below.
gcloud config get-value project
In case the wrong project is selected, use gcloud to select your project using the command below.
gcloud config set project <PROJECT_ID>
Now you're ready to create a service account for your project. Use the command below to create a service account for your project.
gcloud iam service-accounts create <NAME> \
  --display-name="<DISPLAY_NAME>"
To make sure your service account is created, the following command can be executed. The display name used to create your service account should appear in the list.
gcloud iam service-accounts list
Since we now have a service account to work with, we can create a key for this service account to start using its functions. This can be done using the command below.
gcloud iam service-accounts keys create <FILE_PATH>.json --iam-account=<NAME>@<PROJECT>.iam.gserviceaccount.com
Once the service-account key is created, the different components can be installed.
A1: Google's Kubernetes Engine
To set up the Google Kubernetes Engine, create a cluster using the command below. For the initial setup, we recommend creating a cluster with at least 3 e2-standard-2 nodes using the --num-nodes=1 (1 per zone in the region, so 3 in total) and --machine-type=e2-standard-2 flags. Moreover, we configure a VPC network that we share between all Deeploy GCP cloud resources. You can add the required information for an existing network using the following flags:
--region
You can use any zone from Google's list of zones to set up your cluster. If you need to create a new VPC network, follow these instructions.
gcloud container clusters create <NAME> \
--enable-autoscaling --max-nodes=5 --min-nodes=1
Once your cluster is created, the cluster still has to be added to your kubeconfig in order to access it locally. We recommend using Lens to get an insight into your cluster.
gcloud container clusters get-credentials <NAME> --zone=<ZONE>
If the cluster is added to your kubeconfig, consider A1 completed.
S1: Google Cloud SQL for PostgreSQL
To create an instance for our PostgreSQL database, first enable the Cloud SQL Admin API via the button of step 5 in the Cloud SQL Documentation. Create an SQL instance using the command below. We recommend using at least 2 CPUs and a minimum memory limit of 3840MB.
In order to create an internal IP for internal communication with the Kubernetes cluster, we defined the project, network & no-assign-IP flags.
gcloud sql instances create <NAME> \
For production use cases make sure to add configuration for automated backups and high availability.
S2: Google Cloud Storage
To set up Google Cloud Storage, all you have to do is create a bucket for Deeploy to store its data. This can be done using the gsutil tool, which has already been installed as part of your gcloud installation. Using gsutil, execute the following command to create a bucket:
gsutil mb gs://<BUCKET_NAME>
Once the bucket is created, Google Cloud Storage is set up!
We will use the service account created earlier to let Deeploy access the GCS bucket just created. We add permissions to administer the bucket in the following way:
gsutil iam ch serviceAccount:<NAME>@<PROJECT>.iam.gserviceaccount.com:roles/storage.admin gs://<BUCKET_NAME>
S3: Google's Key Management System
We begin by enabling the KMS (Key Management System) API via the button in the KMS Documentation.
gcloud kms keyrings create "<KEYRING_NAME>" --location "<REGION>"
We can now create a key within this keyring using the command below.
gcloud kms keys create "<KEY_NAME>" \
--location "<REGION>" \
--keyring "<KEYRING_NAME>" \
--purpose "asymmetric-encryption" \
To confirm that the key has been created, the following command can be used:
gcloud kms keys list \
  --location "<REGION>" \
  --keyring "<KEYRING_NAME>"
If the key appears in your keyring, your KMS is set up correctly.
We will use the service account created earlier to let Deeploy access the key just created for encryption. We add permissions to use the key in the following way:
gcloud kms keys add-iam-policy-binding <KEY_NAME> \
  --keyring "<KEYRING_NAME>" \
  --location <REGION> \
  --member serviceAccount:<NAME>@<PROJECT>.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoOperator
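A check for the two grants made in S2 and S3, as an added example that is not part of the Deeploy documentation: it audits the policy JSON printed by `gsutil iam get gs://<BUCKET_NAME>` and by `gcloud kms keys get-iam-policy <KEY_NAME> --keyring "<KEYRING_NAME>" --location "<REGION>" --format=json`, confirming the service account holds the expected role and reporting public principals or extra roles. The function name, project name, account name and both policy documents are constructed for illustration.

```python
import json

# Principals that make a resource readable or usable by anyone.
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def audit_policy(policy_json, member, expected_role):
    """Return findings for one resource's IAM policy; an empty list means OK."""
    policy = json.loads(policy_json)
    findings, granted = [], False
    # A policy with no grants may come back without a "bindings" key.
    for binding in policy.get("bindings", []):
        role, members = binding["role"], set(binding.get("members", []))
        for principal in sorted(members & PUBLIC):
            findings.append(f"PUBLIC: {principal} has {role}")
        if member in members:
            if role == expected_role:
                granted = True
            else:
                findings.append(f"EXTRA: {member} also has {role}")
    if not granted:
        findings.append(f"MISSING: {member} lacks {expected_role}")
    return findings

# Constructed sample data; the project and account names are placeholders.
SA = "serviceAccount:deeploy@example-project.iam.gserviceaccount.com"
BUCKET_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectEditor:example-project", "projectOwner:example-project"]},
    {"role": "roles/storage.admin", "members": [SA]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
], "etag": "CAE="})
KEY_POLICY = json.dumps({"bindings": [
    {"role": "roles/cloudkms.cryptoOperator", "members": [SA]},
], "etag": "BwXconstructed", "version": 1})

if __name__ == "__main__":
    checks = [("bucket", BUCKET_POLICY, "roles/storage.admin"),
              ("key", KEY_POLICY, "roles/cloudkms.cryptoOperator")]
    for name, doc, role in checks:
        for line in audit_policy(doc, SA, role) or ["OK"]:
            print(f"{name}: {line}")
```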