gcloud beta compute machine-images create - create a Compute Engine machine image


gcloud beta compute machine-images create IMAGE --source-instance=SOURCE_INSTANCE [--csek-key-file=FILE] [--description=DESCRIPTION] [--guest-flush] [--no-require-csek-key-create] [--source-disk-csek-key=[PROPERTY=VALUE,...]] [--source-instance-zone=SOURCE_INSTANCE_ZONE] [--storage-location=LOCATION] [--kms-key=KMS_KEY : --kms-keyring=KMS_KEYRING --kms-location=KMS_LOCATION --kms-project=KMS_PROJECT] [GCLOUD_WIDE_FLAG ...]


(BETA) Create a Compute Engine machine image.


To create a machine image, run:

$ gcloud beta compute machine-images create my-machine-image \ --source-instance=example-source \ --source-instance-zone=us-central1-a



Name of the machineImage to create.



The source instance to create a machine image from.



Path to a Customer-Supplied Encryption Key (CSEK) key file that maps Compute Engine machine images to user managed keys to be used when creating, mounting, or taking snapshots of disks.

If you pass - as value of the flag, the CSEK is read from stdin. See for more details.


Specifies a text description of the machine image.


Create an application-consistent machine image by informing the OS to prepare for the snapshot process.


Refuse to create machine images not protected by a user managed key in the key file when --csek-key-file is given. This behavior is enabled by default to prevent incorrect gcloud invocations from accidentally creating machine images with no user managed key. Disabling the check allows creation of some machine images without a matching Customer-Supplied Encryption Key in the supplied --csek-key-file. See for more details. Enabled by default, use --no-require-csek-key-create to disable.


Customer-supplied encryption key of the disk attached to the source instance. Required if the source disk is protected by a customer-supplied encryption key. This flag can be repeated to specify multiple attached disks.


URL of the disk attached to the source instance. This can be a full or valid partial URL


path to customer-supplied encryption key.


Zone of the instance to operate on. If not specified and the compute/zone property isn't set, you might be prompted to select a zone (interactive mode only).

To avoid prompting when this flag is omitted, you can set the compute/zone property:

$ gcloud config set compute/zone ZONE

A list of zones can be fetched by running:

$ gcloud compute zones list

To unset the property, run:

$ gcloud config unset compute/zone

Alternatively, the zone can be stored in the environment variable CLOUDSDK_COMPUTE_ZONE.


Google Cloud Storage location, either regional or multi-regional, where machine image's content is to be stored. If absent, a nearby regional or multi-regional location is chosen automatically.

Key resource - The Cloud KMS (Key Management Service) cryptokey that will be

used to protect the machine image. The arguments in this group can be used to specify the attributes of this resource.


ID of the key or fully qualified identifier for the key. To set the kms-key attribute:

  • provide the argument --kms-key on the command line.

This flag argument must be specified if any of the other arguments in this group are specified.


The KMS keyring of the key. To set the kms-keyring attribute:

  • provide the argument --kms-key on the command line with a fully specified name;

  • provide the argument --kms-keyring on the command line.


The Cloud location for the key. To set the kms-location attribute:

  • provide the argument --kms-key on the command line with a fully specified name;

  • provide the argument --kms-location on the command line.


The Cloud project for the key. To set the kms-project attribute:

  • provide the argument --kms-key on the command line with a fully specified name;

  • provide the argument --kms-project on the command line;

  • set the property core/project.


These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.


This command is currently in beta and might change without notice. These variants are also available:

$ gcloud compute machine-images create

$ gcloud alpha compute machine-images create