
01 — GCP Project Setup

✅ This chapter is free. Project creation, API enablement, and service accounts have no cost.

💳 Requires a billing account. GCP requires a credit card to create a billing account, even to use free-tier services. Link a billing account at console.cloud.google.com/billing. New accounts receive $300 in free credits valid for 90 days — enough to run this entire stack for months before paying anything.

What is a GCP Project?

A Google Cloud Platform (GCP) project is an isolated container for all your cloud resources — databases, servers, storage buckets, and billing. Everything you create in this guide lives inside one project. You can have multiple projects (e.g. mycoolproject-prod and mycoolproject-staging) with completely separate resources and billing.

What is the gcloud CLI?

gcloud is Google's command-line tool for managing GCP resources. You run it in your local terminal. It talks to GCP's APIs on your behalf. Install it from cloud.google.com/sdk/docs/install.

All commands below run in your local terminal (not inside Django, not inside Docker). Use bash, WSL2, or PowerShell depending on your platform — gcloud works identically on all.


Create the project

# Opens a browser to authenticate your local gcloud CLI with your Google account.
# Required once per machine before any other gcloud command will work.
# Result: gcloud prints "You are now logged in as <email>"
gcloud auth login

# Creates a new GCP project named mycoolproject-prod.
# All resources (database, containers, storage) will live inside this project.
# Result: visible at console.cloud.google.com/home/dashboard?project=mycoolproject-prod
gcloud projects create mycoolproject-prod --name="MyCoolProject Prod"

# Sets mycoolproject-prod as the default project for all subsequent gcloud commands.
# Without this you'd need --project=mycoolproject-prod on every command.
gcloud config set project mycoolproject-prod

# Sets the default region so you don't need --region= on every command.
# southamerica-east1 (São Paulo) is the closest GCP region to Chile.
gcloud config set run/region southamerica-east1

Region: southamerica-east1 is São Paulo — the closest GCP region to Chile (~30–60 ms latency to Santiago). All resources in this guide use this region for consistency.


Enable APIs

GCP services are disabled by default — you enable only what you need. This is a one-time step per project.

# Enables all GCP APIs this project needs. APIs are disabled by default — nothing
# works until you enable it. This is a one-time step per project.
# Result: each API listed at console.cloud.google.com/apis/dashboard
gcloud services enable \
  run.googleapis.com \
  sqladmin.googleapis.com \
  secretmanager.googleapis.com \
  artifactregistry.googleapis.com \
  storage.googleapis.com \
  iamcredentials.googleapis.com

What each API does:

API                              Enables
run.googleapis.com               Cloud Run (runs the Django container)
sqladmin.googleapis.com          Cloud SQL (PostgreSQL database)
secretmanager.googleapis.com     Secret Manager (credentials storage)
artifactregistry.googleapis.com  Artifact Registry (Docker image storage)
storage.googleapis.com           Cloud Storage (media + static files)
iamcredentials.googleapis.com    Workload Identity (keyless GitHub Actions auth)

Create a Service Account

What is a Service Account?

A service account is an identity for a program (not a person). Instead of your Cloud Run container running as you (the developer), it runs as a dedicated account with only the permissions it needs. This limits the blast radius if the app is ever compromised.

# Creates a service account — an identity for the Cloud Run container to run as.
# Using a dedicated account (not your personal account) limits blast radius if compromised.
# Result: visible at console.cloud.google.com/iam-admin/serviceaccounts
gcloud iam service-accounts create mycoolproject-run-sa \
  --display-name="MyCoolProject Cloud Run SA"

This creates the identity mycoolproject-run-sa@mycoolproject-prod.iam.gserviceaccount.com.

What are IAM Roles?

IAM (Identity and Access Management) roles are sets of permissions. You assign roles to identities (users or service accounts). Instead of giving broad admin access, you give only what's needed:

SA="mycoolproject-run-sa@mycoolproject-prod.iam.gserviceaccount.com"

# Grants the service account permission to connect to Cloud SQL via the proxy socket.
# Without this, the container cannot reach the database at runtime.
# Result: visible at console.cloud.google.com/iam-admin/iam (filter by service account)
gcloud projects add-iam-policy-binding mycoolproject-prod \
  --member="serviceAccount:$SA" \
  --role="roles/cloudsql.client"

# Grants permission to read secrets from Secret Manager.
# Without this, Cloud Run can't fetch DATABASE_URL, SECRET_KEY, etc. at startup.
gcloud projects add-iam-policy-binding mycoolproject-prod \
  --member="serviceAccount:$SA" \
  --role="roles/secretmanager.secretAccessor"

# Grants permission to read and write objects in Cloud Storage buckets.
# Needed for collectstatic (write) and serving user-uploaded media files (read).
gcloud projects add-iam-policy-binding mycoolproject-prod \
  --member="serviceAccount:$SA" \
  --role="roles/storage.objectAdmin"

The Cloud Run container will use this service account at runtime — it automatically has these permissions without any credentials file.
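
One way to verify the bindings above and catch later privilege drift, as an added example (not part of the original guide): the script lists the project-level roles held by the service account and compares them with the three roles this chapter grants. The function names are illustrative, and only project-level bindings are inspected, not per-resource or inherited ones.

```shell
#!/bin/sh
# Added example: least-privilege drift check for the Cloud Run service account.
# fetch_roles and audit_roles are illustrative names, not part of gcloud.
PROJECT="mycoolproject-prod"
SA="mycoolproject-run-sa@mycoolproject-prod.iam.gserviceaccount.com"

# The exact set of roles this chapter grants, one per line.
EXPECTED="roles/cloudsql.client
roles/secretmanager.secretAccessor
roles/storage.objectAdmin"

# Prints the project-level roles bound to the service account, one per line.
# Needs an authenticated gcloud; bindings on individual secrets or buckets,
# or inherited from a folder or organization, are not shown here.
fetch_roles() {
  gcloud projects get-iam-policy "$PROJECT" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA" \
    --format="value(bindings.role)"
}

# Reads role names on stdin and compares them with EXPECTED.
# Prints one UNEXPECTED or MISSING line per difference; returns 1 on any drift.
audit_roles() {
  actual=$(sort -u)
  status=0
  for role in $actual; do
    if ! printf '%s\n' "$EXPECTED" | grep -qxF "$role"; then
      echo "UNEXPECTED $role"   # extra privilege, e.g. a broad role added later
      status=1
    fi
  done
  for role in $EXPECTED; do
    if ! printf '%s\n' "$actual" | grep -qxF "$role"; then
      echo "MISSING $role"      # the app will fail at runtime without this
      status=1
    fi
  done
  return $status
}

# Usage against the live project:  fetch_roles | audit_roles
```

Run `fetch_roles | audit_roles` after setup and again in CI; a non-zero exit means the account's roles no longer match this chapter. Because these bindings are made at project level, roles/secretmanager.secretAccessor and roles/storage.objectAdmin apply to every secret and bucket in the project.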



If your Django app uses Google Login (Gmail), its credentials (GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET) are created in and obtained from this same project in the Google Cloud Console (APIs & Services > Credentials).

Once obtained, you should store them securely following the steps in Chapter 04 — Secret Manager.