Thanks, I hate it.
Getting Started
Install gcloud on MacOS
First install the SDK:
brew install --cask google-cloud-sdk
Once that’s done, you’ll be prompted to make some slight modifications to your ~/.zshrc file:
echo '\n# Google Cloud' | tee -a ~/.zshrc
echo 'source /usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/path.zsh.inc' \
| tee -a ~/.zshrc
echo 'source /usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/completion.zsh.inc' \
| tee -a ~/.zshrc
source ~/.zshrc
Install gcloud on Ubuntu
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
| sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
sudo apt-get install -y apt-transport-https ca-certificates gnupg
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg \
| sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
sudo apt-get update && sudo apt-get install -y google-cloud-sdk
One-liner for an Ubuntu docker container
RUN echo \
"deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main" \
| tee -a /etc/apt/sources.list.d/google-cloud-sdk.list \
&& curl https://packages.cloud.google.com/apt/doc/apt-key.gpg \
| apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - \
&& apt-get update -y && apt-get install google-cloud-sdk -y
Resource: https://cloud.google.com/sdk/docs/install#deb
Configure access
Running this will walk you through setting up a configuration with the account, project, and compute region.
gcloud init
Alternatively, you can run some of the commands below to do this manually.
Show configuration info
gcloud info
Login to account
Run this command to get authenticated:
gcloud auth login
This will result in a web browser opening, which you can in turn use to select the proper google account, etc.
Authenticate with User Application Default Credentials
gcloud auth application-default login
This will result in a web browser opening, which you can in turn use to select the proper google account, etc.
Resource: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference
List projects
gcloud projects list
Populate project environment variables
These environment variables are used in a number of gcloud commands. The project id is set to the first project returned from the API. All other variables are based on this project id. To change which project id you get back, you’ll need to tweak the jq filter slightly.
export PROJECT_ID=$(gcloud projects list --format='json' | jq -r '[.[]][0].projectId')
export PROJECT_NAME=$(gcloud projects list --format="value(name)" --filter="projectId=${PROJECT_ID}")
export PROJECT_NUMBER=$(gcloud projects list --format="value(projectNumber)" --filter="projectId=${PROJECT_ID}")
Alternatively, you can just use jq to set all of them:
export PROJECT_ID=$(gcloud projects list --format='json' | jq -r '[.[]][0].projectId')
export PROJECT_NAME=$(gcloud projects list --format='json' | jq -r '[.[]][0].name')
export PROJECT_NUMBER=$(gcloud projects list --format='json' | jq -r '[.[]][0].projectNumber')
Unset project environment variables
unset {PROJECT_NAME,PROJECT_ID,PROJECT_NUMBER}
Set Project for gcloud
gcloud config set project $PROJECT_ID
Resources: https://stackoverflow.com/questions/64236468/cloud-build-fails-to-deploy-to-google-app-engine-you-do-not-have-permission-to https://www.bram.us/2020/02/13/google-cloud-build-google-cloud-run-fixing-error-gcloud-run-deploy-permission_denied-the-caller-does-not-have-permission
List credentialed accounts
gcloud auth list
Set account for gcloud
gcloud config set account $(gcloud auth list --format="value(account)")
Logs Explorer
View error logs for a particular version of a gae app:
resource.type="gae_app"
resource.labels.version_id="<version name>"
resource.labels.project_id="<project id>"
resource.labels.zone="<the region you're in, for example: us-west-2-1>"
severity=ERROR
Compute
List instances in a project
gcloud compute instances list
SSH into instance
INSTANCE=$(gcloud compute instances list --format="value(name)" \
--filter="string in your instance name")
gcloud compute ssh $INSTANCE
Alternatively, if you want to use plain ssh, simply add your user’s pubkey to the ~/.ssh/authorized_keys file.
Keep in mind that this won’t work if you’re using IAP.
SCP data to instance
gcloud compute scp file.txt user@$INSTANCE:/location/on/remote/system/for/file.txt
Resource: https://cloud.google.com/sdk/gcloud/reference/compute/scp
Run command over SSH
This particular one will set the proper permissions for the user’s ~/.ssh directory on the remote system.
gcloud compute ssh $INSTANCE --command 'chmod 700 ~/.ssh'
Resource: https://cloud.google.com/sdk/gcloud/reference/compute/ssh
List images
gcloud compute images list
Find particular image
This will search for centos images:
gcloud compute images list --format="value(NAME)" --filter="centos"
Resource: https://cloud.google.com/sdk/gcloud/reference/compute/images/list
App Engine
View App Engine logs
View logs:
gcloud app logs read
Stream logs:
gcloud app logs tail
Stream logs for a particular version:
gcloud app logs tail --version=<the version>
Resource: https://stackoverflow.com/questions/49090343/where-i-can-see-the-logs-in-google-app-engine
IAM
List project permissions
gcloud projects get-iam-policy $PROJECT_ID
Resource: https://stackoverflow.com/questions/47006116/how-do-i-list-and-view-users-permissions-with-gcloud
List permissions for a particular account
gcloud projects get-iam-policy $PROJECT_ID --flatten="bindings[].members" \
--format='table(bindings.role)' --filter="bindings.members:<the account name>"
Create service account
This particular example will create a service account for terraform:
gcloud iam service-accounts create terraform --description='Terraform account' --display-name='terraform'
Resource: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/create
List service accounts
gcloud iam service-accounts list
Resource: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
Get service account email based on name filter
This particular example will get the email for a service account with the name terraform:
SVC_ACCT=$(gcloud iam service-accounts list --format="value(email)" --filter="terraform")
Create key for service account
This will create terraform.json for the SVC_ACCT user:
gcloud iam service-accounts keys create terraform.json --iam-account=${SVC_ACCT}
Get key for service account
This could be used by a member of a service account to get the key for the SVC_ACCT user:
gcloud iam service-accounts keys create terraform.json --iam-account ${SVC_ACCT}
Use a service account
gcloud auth activate-service-account ${SVC_ACCT} --key-file terraform.json
Grant service account a role
This particular example will give the service account the storage admin role:
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member=serviceAccount:${SVC_ACCT} --role=roles/storage.admin
Another example:
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member=serviceAccount:${SVC_ACCT} --role=roles/storage.objectAdmin
Grant user a role
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=user:${GCP_USER} --role=roles/compute.instanceAdmin.v1
View Roles for service account
gcloud projects get-iam-policy $PROJECT_ID \
--flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:serviceAccount:${SVC_ACCT}"
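The flatten-and-filter commands above answer "which roles does this member hold?" for one account at a time. The following is an added example, not from the original page: it inverts a whole policy (as returned with --format=json) into a member-to-roles view and flags bindings worth reviewing. The sample policy is constructed, and the review rules (basic roles, public principals, service accounts with a `.admin` role) are assumptions of this example.

```python
import json

# Constructed sample, shaped like the output of
# `gcloud projects get-iam-policy $PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.admin",
   "members": ["serviceAccount:terraform@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:terraform@example-project.iam.gserviceaccount.com",
               "user:dev@example.com"]},
  {"role": "roles/compute.instanceAdmin.v1", "members": ["user:dev@example.com"]},
  {"role": "roles/editor", "members": ["user:admin@example.com"]},
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
], "etag": "constructed", "version": 1}
""")

# Assumption: what counts as "too broad" is a local review rule, not a gcloud concept.
BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def roles_by_member(policy):
    """Invert bindings (role -> members) into member -> sorted list of roles."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return {member: sorted(roles) for member, roles in out.items()}


def findings(policy):
    """Return (member, role, reason) tuples that deserve a second look."""
    result = []
    for member, roles in sorted(roles_by_member(policy).items()):
        for role in roles:
            if member in PUBLIC_MEMBERS:
                result.append((member, role, "public principal"))
            elif role in BASIC_ROLES:
                result.append((member, role, "basic role"))
            elif member.startswith("serviceAccount:") and role.endswith(".admin"):
                result.append((member, role, "service account with admin role"))
    return result


if __name__ == "__main__":
    for finding in findings(SAMPLE_POLICY):
        print(*finding, sep="\t")
```

To run it against a real project, replace SAMPLE_POLICY with the parsed output of the get-iam-policy command.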
Use service account json creds
Create and download a key from https://console.cloud.google.com/iam-admin/serviceaccounts
Create the GOOGLE_APPLICATION_CREDENTIALS env var that points to the file on disk:
export GOOGLE_APPLICATION_CREDENTIALS=/tmp/project-numbers-numbersandletters.json
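A service account key such as terraform.json is a long-lived credential, so where it sits on disk matters. The following is an added example, not from the original page: a check to run before pointing GOOGLE_APPLICATION_CREDENTIALS at a key file. The function names and the rules it applies (mode 0600, no world-writable parent directory such as /tmp) are assumptions of this example.

```python
import json
import os
import stat
import tempfile


def key_file_problems(path):
    """Return reasons a service-account key file should not be used as-is."""
    problems = []
    if os.stat(path).st_mode & 0o077:
        problems.append("key is accessible by group/other (want mode 0600)")
    parent = os.path.dirname(os.path.abspath(path))
    if os.stat(parent).st_mode & stat.S_IWOTH:
        problems.append("parent directory is world-writable")
    with open(path) as fh:
        if json.load(fh).get("type") != "service_account":
            problems.append("type field is not service_account")
    return problems


def demo():
    """Check a constructed key under three permission setups."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:  # created with mode 0700
        path = os.path.join(workdir, "terraform.json")
        with open(path, "w") as fh:
            # Constructed content: only the field this check reads.
            json.dump({"type": "service_account"}, fh)
        os.chmod(path, 0o644)
        results["0644 in private dir"] = key_file_problems(path)
        os.chmod(path, 0o600)
        results["0600 in private dir"] = key_file_problems(path)
        os.chmod(workdir, 0o1777)  # same mode as /tmp
        results["0600 in /tmp-like dir"] = key_file_problems(path)
        os.chmod(workdir, 0o700)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "ok")
```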
Get all members of a role
It’s really gross, but it works:
gcloud asset search-all-iam-policies --project ${PROJECT_ID} \
--query policy:"roles/role.YouWant" \
--flatten="policy[]" --format="json(bindings[0].members)" \
| jq -r '.[].bindings[0].members'
Resource: https://devops.stackexchange.com/questions/11291/how-to-list-all-users-with-specific-role-in-gcp
Storage
Create bucket
gsutil mb gs://your-bucket-name
Resource: https://cloud.google.com/storage/docs/creating-buckets?authuser=2
Enable Object Versioning on a bucket
gsutil versioning set on gs://your-bucket-name
Check Object Versioning is set on a bucket
gsutil versioning get gs://your-bucket-name
Resource: https://cloud.google.com/storage/docs/using-object-versioning#enable
Delete bucket
gsutil rm -r gs://your-bucket-name
Resource: https://cloud.google.com/storage/docs/gsutil/commands/rb
Upload data to bucket
gsutil cp file.txt gs://your-bucket-name
Download data from bucket
gsutil cp gs://your-bucket-name/file.txt .
Resource: https://cloud.google.com/storage/docs/gsutil/commands/cp
Networking
Get name of a network
NETWORK_NAME=$(gcloud compute networks list --format="value(name)" --filter="yournetwork")
Delete a network
gcloud compute networks delete $NETWORK_NAME
List subnets
gcloud compute networks subnets list
Cloud Source Repositories
Create Repository
gcloud source repos create name-of-your-repo
List Repositories
gcloud source repos list
Delete Repository
gcloud source repos delete <repo name>
Push to the master branch
git push google master
Create repo from local directory
gcloud source repos create name-of-your-repo
git init
git config credential.https://source.developers.google.com.helper gcloud.sh
git add .
git config user.name 'Your Name'
git config user.email youremail@yourdomain.com
git commit -m 'Initial commit'
git remote add google $(gcloud source repos list --format="value(URL)" --filter="name-of-your-repo")
git push --all google