- NAME
- 
- gcloud container aws clusters create - create an Anthos cluster on AWS
 
- SYNOPSIS
- 
- 
gcloud container aws clusters create(CLUSTER:--location=LOCATION)--aws-region=AWS_REGION--cluster-version=CLUSTER_VERSION--config-encryption-kms-key-arn=CONFIG_ENCRYPTION_KMS_KEY_ARN--database-encryption-kms-key-arn=DATABASE_ENCRYPTION_KMS_KEY_ARN--fleet-project=FLEET_PROJECT--iam-instance-profile=IAM_INSTANCE_PROFILE--pod-address-cidr-blocks=POD_ADDRESS_CIDR_BLOCKS--role-arn=ROLE_ARN--service-address-cidr-blocks=SERVICE_ADDRESS_CIDR_BLOCKS--subnet-ids=[SUBNET_ID,…]--vpc-id=VPC_ID[--admin-groups=[GROUP,…]] [--admin-users=USER,[USER,…]] [--annotations=ANNOTATION,[ANNOTATION,…]] [--async] [--binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE] [--description=DESCRIPTION] [--disable-per-node-pool-sg-rules] [--enable-managed-prometheus] [--instance-type=INSTANCE_TYPE] [--logging=COMPONENT,[COMPONENT,…]] [--main-volume-iops=MAIN_VOLUME_IOPS] [--main-volume-kms-key-arn=MAIN_VOLUME_KMS_KEY_ARN] [--main-volume-size=MAIN_VOLUME_SIZE] [--main-volume-throughput=MAIN_VOLUME_THROUGHPUT] [--main-volume-type=MAIN_VOLUME_TYPE] [--role-session-name=ROLE_SESSION_NAME] [--root-volume-iops=ROOT_VOLUME_IOPS] [--root-volume-kms-key-arn=ROOT_VOLUME_KMS_KEY_ARN] [--root-volume-size=ROOT_VOLUME_SIZE] [--root-volume-throughput=ROOT_VOLUME_THROUGHPUT] [--root-volume-type=ROOT_VOLUME_TYPE] [--security-group-ids=[SECURITY_GROUP_ID,…]] [--ssh-ec2-key-pair=SSH_EC2_KEY_PAIR] [--tags=TAG,[TAG,…]] [--validate-only] [--proxy-secret-arn=PROXY_SECRET_ARN--proxy-secret-version-id=PROXY_SECRET_VERSION_ID] [GCLOUD_WIDE_FLAG …]
 
- 
- DESCRIPTION
- 
(DEPRECATED)Create an Anthos cluster on AWS.This command is deprecated. See https://cloud.google.com/kubernetes-engine/multi-cloud/docs/aws/deprecations/deprecation-announcement for more details. 
- EXAMPLES
- 
To create a cluster named my-clusterus-west1gcloud container aws clusters create my-cluster --location=us-west1 --aws-region=AWS_REGION --cluster-version=CLUSTER_VERSION --database-encryption-kms-key-arn=KMS_KEY_ARN --iam-instance-profile=IAM_INSTANCE_PROFILE --pod-address-cidr-blocks=POD_ADDRESS_CIDR_BLOCKS --role-arn=ROLE_ARN --service-address-cidr-blocks=SERVICE_ADDRESS_CIDR_BLOCKS --subnet-ids=SUBNET_ID --vpc-id=VPC_ID
- POSITIONAL ARGUMENTS
- 
- 
Cluster resource - cluster to create. The arguments in this group can be used to
specify the attributes of this resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways.
To set the projectattribute:- 
provide the argument clusteron the command line with a fully specified name;
- 
provide the argument --projecton the command line;
- 
set the property core/project.
 This must be specified. - CLUSTER
- 
ID of the cluster or fully qualified identifier for the cluster.
To set the clusterattribute:- 
provide the argument clusteron the command line.
 This positional argument must be specified if any of the other arguments in this group are specified. 
- 
provide the argument 
- --location=- LOCATION
- 
Google Cloud location for the cluster.
To set the locationattribute:- 
provide the argument clusteron the command line with a fully specified name;
- 
provide the argument --locationon the command line;
- 
set the property container_aws/location.
 
- 
provide the argument 
 
- 
provide the argument 
 
- 
Cluster resource - cluster to create. The arguments in this group can be used to
specify the attributes of this resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways.
- REQUIRED FLAGS
- 
- --aws-region=- AWS_REGION
- AWS region to deploy the cluster.
- --cluster-version=- CLUSTER_VERSION
- Kubernetes version to use for the cluster.
- --config-encryption-kms-key-arn=- CONFIG_ENCRYPTION_KMS_KEY_ARN
- Amazon Resource Name (ARN) of the AWS KMS key to encrypt the user data.
- --database-encryption-kms-key-arn=- DATABASE_ENCRYPTION_KMS_KEY_ARN
- Amazon Resource Name (ARN) of the AWS KMS key to encrypt the cluster secrets.
- --fleet-project=- FLEET_PROJECT
- ID or number of the Fleet host project where the cluster is registered.
- --iam-instance-profile=- IAM_INSTANCE_PROFILE
- Name or ARN of the IAM instance profile associated with the cluster.
- --pod-address-cidr-blocks=- POD_ADDRESS_CIDR_BLOCKS
- IP address range for the pods in this cluster in CIDR notation (e.g. 10.0.0.0/8).
- --role-arn=- ROLE_ARN
- Amazon Resource Name (ARN) of the IAM role to assume when managing AWS resources.
- --service-address-cidr-blocks=- SERVICE_ADDRESS_CIDR_BLOCKS
- IP address range for the services IPs in CIDR notation (e.g. 10.0.0.0/8).
- --subnet-ids=[- SUBNET_ID,…]
- Subnet ID of an existing VNET to use for the cluster control plane.
- --vpc-id=- VPC_ID
- VPC associated with the cluster.
 
- OPTIONAL FLAGS
- 
- --admin-groups=[- GROUP,…]
- Groups of users that can perform operations as a cluster administrator.
- --admin-users=- USER,[- USER,…]
- Users that can perform operations as a cluster administrator. If not specified, the value of property core/account is used.
- --annotations=- ANNOTATION,[- ANNOTATION,…]
- Annotations for the cluster.
- --async
- Return immediately, without waiting for the operation in progress to complete.
- --binauthz-evaluation-mode=- BINAUTHZ_EVALUATION_MODE
- 
Set Binary Authorization evaluation mode for this cluster.
BINAUTHZ_EVALUATION_MODEmust be one of:DISABLED,PROJECT_SINGLETON_POLICY_ENFORCE.
- --description=- DESCRIPTION
- Description for the cluster.
- --disable-per-node-pool-sg-rules
- Disable the default per node pool subnet security group rules on the control plane security group. When disabled, at least one security group that allows node pools to send traffic to the control plane on ports TCP/443 and TCP/8132 must be provided.
- --enable-managed-prometheus
- 
Enables managed collection for Managed Service for Prometheus in the cluster.
See https://cloud.google.com/stackdriver/docs/managed-prometheus/setup-managed#enable-mgdcoll-gke for more info. Managed Prometheus is enabled by default for cluster versions 1.27 or greater, use --no-enable-managed-prometheus to disable. 
- --instance-type=- INSTANCE_TYPE
- AWS EC2 instance type for the control plane's nodes.
- --logging=- COMPONENT,[- COMPONENT,…]
- 
Set the components that have logging enabled.
Examples: gcloud container aws clusters create --logging=SYSTEMgcloud container aws clusters create --logging=SYSTEM,WORKLOADCOMPONENTmust be one of:SYSTEM,WORKLOAD.
- --main-volume-iops=- MAIN_VOLUME_IOPS
- Number of I/O operations per second (IOPS) to provision for the main volume.
- --main-volume-kms-key-arn=- MAIN_VOLUME_KMS_KEY_ARN
- Amazon Resource Name (ARN) of the AWS KMS key to encrypt the main volume.
- --main-volume-size=- MAIN_VOLUME_SIZE
- 
Size of the main volume. The value must be a whole number followed by a size
unit of GBfor gigabyte, orTBfor terabyte. If no size unit is specified, GB is assumed.
- --main-volume-throughput=- MAIN_VOLUME_THROUGHPUT
- Throughput to provision for the main volume, in MiB/s. Only valid if the volume type is GP3. If volume type is GP3 and throughput is not provided, it defaults to 125.
- --main-volume-type=- MAIN_VOLUME_TYPE
- 
Type of the main volume. MAIN_VOLUME_TYPEmust be one of:gp2,gp3.
- --role-session-name=- ROLE_SESSION_NAME
- Identifier for the assumed role session.
- --root-volume-iops=- ROOT_VOLUME_IOPS
- Number of I/O operations per second (IOPS) to provision for the root volume.
- --root-volume-kms-key-arn=- ROOT_VOLUME_KMS_KEY_ARN
- Amazon Resource Name (ARN) of the AWS KMS key to encrypt the root volume.
- --root-volume-size=- ROOT_VOLUME_SIZE
- 
Size of the root volume. The value must be a whole number followed by a size
unit of GBfor gigabyte, orTBfor terabyte. If no size unit is specified, GB is assumed.
- --root-volume-throughput=- ROOT_VOLUME_THROUGHPUT
- Throughput to provision for the root volume, in MiB/s. Only valid if the volume type is GP3. If volume type is GP3 and throughput is not provided, it defaults to 125.
- --root-volume-type=- ROOT_VOLUME_TYPE
- 
Type of the root volume. ROOT_VOLUME_TYPEmust be one of:gp2,gp3.
- --security-group-ids=[- SECURITY_GROUP_ID,…]
- IDs of additional security groups to add to the control plane's nodes.
- --ssh-ec2-key-pair=- SSH_EC2_KEY_PAIR
- Name of the EC2 key pair authorized to login to the control plane's nodes.
- 
Applies the given tags (comma separated) on the cluster. Example:
gcloud container aws clusters create EXAMPLE_CLUSTER --tags=tag1=one,tag2=two
- --validate-only
- Validate the cluster to create, but don't actually perform it.
- 
Proxy config
- --proxy-secret-arn=- PROXY_SECRET_ARN
- 
ARN of the AWS Secrets Manager secret that contains a proxy configuration.
This flag argument must be specified if any of the other arguments in this group are specified. 
- --proxy-secret-version-id=- PROXY_SECRET_VERSION_ID
- 
Version ID string of the AWS Secrets Manager secret that contains a proxy
configuration.
This flag argument must be specified if any of the other arguments in this group are specified. 
 
 
- GCLOUD WIDE FLAGS
- 
These flags are available to all commands: --access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run $ gcloud helpfor details.
- NOTES
- 
This variant is also available:
gcloud alpha container aws clusters create
      gcloud container aws clusters create
  
  
  Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-05-07 UTC.