Thanks, I hate it.

Getting Started

Install gcloud on MacOS

First install the SDK:

brew install --cask google-cloud-sdk

Once that’s done, you’ll be prompted to make some slight modifications to your ~/.zshrc file:

echo '\n# Google Cloud' | tee -a ~/.zshrc
echo 'source /usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/' \
  | tee -a ~/.zshrc
echo 'source /usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/' \
  | tee -a ~/.zshrc
source ~/.zshrc

Install gcloud on Ubuntu

echo "deb [signed-by=/usr/share/keyrings/] cloud-sdk main" \
    | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
sudo apt-get install -y apt-transport-https ca-certificates gnupg
curl \
    | sudo apt-key --keyring /usr/share/keyrings/ add -
sudo apt-get update && sudo apt-get install -y google-cloud-sdk

One-liner for an Ubuntu docker container

RUN echo \
    "deb [signed-by=/usr/share/keyrings/] cloud-sdk main" \
    | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list \
    && curl \
    | apt-key --keyring /usr/share/keyrings/  add - \
    && apt-get update -y && apt-get install google-cloud-sdk -y


Configure access

Running this will walk you through setting up a configuration with the account, project, and compute region.

gcloud init

Alternatively, you can run some of the commands below to do this manually.

Show configuration info

gcloud info


Login to account

Run this command to get authenticated:

gcloud auth login

This will result in a web browser opening, which you can in turn use to select the proper google account, etc.

Authenticate with User Application Default Credentials

gcloud auth application-default login

This will result in a web browser opening, which you can in turn use to select the proper google account, etc.


List projects

gcloud projects list

Populate project environment variables

These environment variables are used in a number of gcloud commands. The project id is set to the first project returned from the API. All other variables are based on this project id. To change which project id you get back, you’ll need to tweak the jq slightly.

export PROJECT_ID=$(gcloud projects list --format='json' | jq -r '[.[]][0].projectId')
export PROJECT_NAME=$(gcloud projects list --format="value(name)" --filter="projectId=${PROJECT_ID}")
export PROJECT_NUMBER=$(gcloud projects list --format="value(projectNumber)" --filter="projectId=${PROJECT_ID}")

Alternatively, you can just using jq to set all of them:

export PROJECT_ID=$(gcloud projects list --format='json' | jq -r '[.[]][0].projectId')
export PROJECT_NAME=$(gcloud projects list --format='json' | jq -r '[.[]][0].name')
export PROJECT_NUMBER=$(gcloud projects list --format='json' | jq -r '[.[]][0].projectNumber')

Unset project environment variables


Set Project for gcloud

gcloud config set project $PROJECT_ID


List credentialed accounts

gcloud auth list

Set account for gcloud

gcloud config set account $(gcloud auth list --format="value(account)")

Logs Explorer

View error logs for a particular version of a gae app:

resource.labels.version_id="<version name>"
resource.labels.project_id="<project id>""<the region you're in, for example: us-west-2-1>"


List instances in a project

gcloud compute instances list

SSH into instance

INSTANCE=$(gcloud compute instances list --format="value(name)" \
    --filter="string in your instance name")
gcloud compute ssh $INSTANCE

Alternatively, if you want to use plain ssh, simply add your pubkey for your user to the ~/.ssh/authorized_keys file. Keep in mind if you’re using IAP, that this won’t work.

SCP data to instance

gcloud compute scp file.txt user@$INSTANCE:/location/on/remote/system/for/file.txt


Run command over SSH

This particular one will set the proper permissions for the user’s ~/.ssh directory on the remote system.

gcloud compute ssh $INSTANCE --command 'chmod 700 ~/.ssh'


List images

gcloud compute images list

Find particular image

This will search for centos images:

gcloud compute images list --format="value(NAME)" --filter="centos"


App Engine

View App Engine logs

View logs:

gcloud app logs read

Stream logs:

gcloud app logs tail

Stream logs for a particular version:

gcloud app logs tail --version=<the version>



List project permissions

gcloud projects get-iam-policy $PROJECT_ID


List permissions for a particular account

gcloud projects get-iam-policy $PROJECT_ID --flatten="bindings[].members" \
    --format='table(bindings.role)' --filter="bindings.members:<the account name>"


Create service account

This particular example will create a service account for terraform:

gcloud iam service-accounts create terraform --description='Terraform account' --display-name='terraform'


List service accounts

gcloud iam service-accounts list


Get service account email based on name filter

This particular example will get the email for a service account with the name terraform:

SVC_ACCT=$(gcloud iam service-accounts list --format="value(email)" --filter="terraform")

Create key for service account

This will create terraform.json for the SVC_ACCT user:

gcloud iam service-accounts keys create terraform.json --iam-account=${SVC_ACCT}

Get key for service account

This could be a used by a member of a service account to get the key for the SVC_ACCT user:

gcloud iam service-accounts keys create terraform.json --iam-account ${SVC_ACCT}

Use a service account

gcloud auth activate-service-account ${SVC_ACCT} --key-file terraform.json

Grant service account a role

This particular example with give a storage account the storage admin role:

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
    --member=serviceAccount:${SVC_ACCT} --role=roles/storage.admin

Another example:

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
    --member=serviceAccount:${SVC_ACCT} --role=roles/storage.objectAdmin

Grant user a role

gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=user:${GCP_USER} --role=roles/compute.instanceAdmin.v1

View Roles for service account

gcloud projects get-iam-policy $PROJECT_ID \
    --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:serviceAccount:${SVC_ACCT}"


Use service account json creds

Create and download a key from

Create the GOOGLE_APPLICATION_CREDENTIALS env var that points to the file on disk:

export GOOGLE_APPLICATION_CREDENTIALS=/tmp/project-numbers-numbersandletters.json

Get all members of a role

It’s really gross, but it works:

gcloud asset search-all-iam-policies --project ${PROJECT_ID} \
--query policy:"roles/role.YouWant" \
--flatten="policy[]" --format="json(bindings[0].members)" \
| jq -r '.[].bindings[0].members'



Create bucket

gsutil mb gs://your-bucket-name


Enable Object Versioning on a bucket

gsutil versioning set on gs://your-bucket-name

Check Object Versioning is set on a bucket

gsutil versioning get gs://your-bucket-name


Delete bucket

gsutil rm -r gs://your-bucket-name


Upload data to bucket

gsutil cp file.txt gs://your-bucket-name

Download data from bucket

gsutil cp gs://your-bucket-name/file.txt .



Get name of a network

gcloud compute networks list --format="value(name)" --filter="yournetwork")

Delete a network

gcloud compute networks delete $NETWORK_NAME

List subnets

gcloud compute networks subnets list

Cloud Source Repositories

Create Repository

gcloud source repos create name-of-your-repo

List Repositories

gcloud source repos list

Delete Repository

gcloud source repos delete <repo name>

Push to the master branch

git push google master

Create repo from local directory

gcloud source repos create name-of-your-repo
git init
git config credential.
git add .
git config 'Your Name'
git config
git commit -m 'Initial commit'
git remote add google $(gcloud source repos list --format="value(URL)" --filter="name-of-your-repo")
git push --all google