GCP Cheatsheet

Thanks, I hate it.

Getting Started

Install gcloud on MacOS

First install the SDK:

brew install --cask google-cloud-sdk

Once that's done, you'll be prompted to make some slight modifications to your ~/.zshrc file:

echo '\n# Google Cloud' | tee -a ~/.zshrc
echo 'source /usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/path.zsh.inc' | tee -a ~/.zshrc
echo 'source /usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/completion.zsh.inc' | tee -a ~/.zshrc
source ~/.zshrc

Install gcloud on Ubuntu

echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
sudo apt-get install -y apt-transport-https ca-certificates gnupg
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
sudo apt-get update && sudo apt-get install -y google-cloud-sdk

One-liner for an Ubuntu docker container

RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - && apt-get update -y && apt-get install google-cloud-sdk -y

Resource: https://cloud.google.com/sdk/docs/install#deb

Configure access

Running this will walk you through setting up a configuration with the account, project, and compute region.

gcloud init

Alternatively, you can run some of the commands below to do this manually.

Show configuration info

gcloud info

Resource: https://medium.com/@tapendradev/how-to-install-gcloud-sdk-on-the-macos-and-start-managing-gcp-through-cli-d14d2c3a8869

Login to account

Run this command to get authenticated:

gcloud auth login

This will result in a web browser opening, which you can in turn use to select the proper google account, etc.

Authenticate with User Application Default Credentials

gcloud auth application-default login

This will result in a web browser opening, which you can in turn use to select the proper google account, etc.

Resource: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference

List projects

gcloud projects list

Populate project environment variables

These environment variables are used in a number of gcloud commands. The project id is set to the first project returned from the API. All other variables are based on this project id. To change which project id you get back, you'll need to tweak the jq slightly.

export PROJECT_ID=$(gcloud projects list --format='json' | jq -r '[.[]][0].projectId')
export PROJECT_NAME=$(gcloud projects list --format="value(name)" --filter="projectId=${PROJECT_ID}")
export PROJECT_NUMBER=$(gcloud projects list --format="value(projectNumber)" --filter="projectId=${PROJECT_ID}")

Alternatively, you can just use jq to set all of them:

export PROJECT_ID=$(gcloud projects list --format='json' | jq -r '[.[]][0].projectId')
export PROJECT_NAME=$(gcloud projects list --format='json' | jq -r '[.[]][0].name')
export PROJECT_NUMBER=$(gcloud projects list --format='json' | jq -r '[.[]][0].projectNumber')

Unset project environment variables

unset {PROJECT_NAME,PROJECT_ID,PROJECT_NUMBER}

Set Project for gcloud

gcloud config set project $PROJECT_ID

Resources:
https://stackoverflow.com/questions/64236468/cloud-build-fails-to-deploy-to-google-app-engine-you-do-not-have-permission-to
https://www.bram.us/2020/02/13/google-cloud-build-google-cloud-run-fixing-error-gcloud-run-deploy-permission_denied-the-caller-does-not-have-permission

List credentialed accounts

gcloud auth list

Set account for gcloud

gcloud config set account $(gcloud auth list --format="value(account)")

Logs Explorer

View error logs for a particular version of a gae app:

resource.type="gae_app"
resource.labels.version_id="<version name>"
resource.labels.project_id="<project id>"
resource.labels.zone="<the region you're in, for example: us-west-2-1>"
severity=ERROR

Compute

List instances in a project

gcloud compute instances list

SSH into instance

INSTANCE=$(gcloud compute instances list --format="value(name)" --filter="string in your instance name")
gcloud compute ssh $INSTANCE

Alternatively, if you want to use plain ssh, add your user's public key to the ~/.ssh/authorized_keys file on the instance. Keep in mind that this won't work if you're using IAP.

SCP data to instance

gcloud compute scp file.txt user@$INSTANCE:/location/on/remote/system/for/file.txt

Resource: https://cloud.google.com/sdk/gcloud/reference/compute/scp

Run command over SSH

This particular one will set the proper permissions for the user's ~/.ssh directory on the remote system.

gcloud compute ssh $INSTANCE --command 'chmod 700 ~/.ssh'

Resource: https://cloud.google.com/sdk/gcloud/reference/compute/ssh

List images

gcloud compute images list

Find particular image

This will search for centos images:

gcloud compute images list --format="value(NAME)" --filter="centos" 

Resource: https://cloud.google.com/sdk/gcloud/reference/compute/images/list

App Engine

View App Engine logs

View logs:

gcloud app logs read

Stream logs:

gcloud app logs tail

Stream logs for a particular version:

gcloud app logs tail --version=<the version>

Resource: https://stackoverflow.com/questions/49090343/where-i-can-see-the-logs-in-google-app-engine

IAM

List project permissions

gcloud projects get-iam-policy $PROJECT_ID

Resource: https://stackoverflow.com/questions/47006116/how-do-i-list-and-view-users-permissions-with-gcloud

List permissions for a particular account

gcloud projects get-iam-policy $PROJECT_ID --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:<the account name>"

Resource: https://stackoverflow.com/questions/47006062/how-do-i-list-the-roles-associated-with-a-gcp-service-account

Create service account

This particular example will create a service account for terraform:

gcloud iam service-accounts create terraform --description='Terraform account' --display-name='terraform'

Resource: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/create

List service accounts

gcloud iam service-accounts list

Resource: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list

Get service account email based on name filter

This particular example will get the email for a service account with the name terraform:

SVC_ACCT=$(gcloud iam service-accounts list --format="value(email)" --filter="terraform")

Create key for service account

This will create terraform.json for the SVC_ACCT user:

gcloud iam service-accounts keys create terraform.json --iam-account=${SVC_ACCT}

Get key for service account

This could be used by a member of a service account to get the key for the SVC_ACCT user:

gcloud iam service-accounts keys create terraform.json --iam-account ${SVC_ACCT}

Use a service account

gcloud auth activate-service-account ${SVC_ACCT} --key-file terraform.json

Grant service account a role

This particular example will give a service account the storage admin role:

gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SVC_ACCT} --role=roles/storage.admin

Another example:

gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SVC_ACCT} --role=roles/storage.objectAdmin   

Grant user a role

gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=user:${GCP_USER} --role=roles/compute.instanceAdmin.v1

View Roles for service account

gcloud projects get-iam-policy $PROJECT_ID --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:serviceAccount:${SVC_ACCT}"

Resource: https://stackoverflow.com/questions/42564112/adding-roles-to-service-accounts-on-google-cloud-platform-using-rest-api
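Added example (not part of the original cheatsheet): the flattened get-iam-policy output used above can be screened for bindings that deserve a second look, such as public members, basic roles, and service-wide admin roles held by service accounts. The `value(bindings.role,bindings.members)` projection, the function names, the finding labels, and the sample rows are assumptions made for this example; the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet.
# Input format: one "role<TAB>member" line per binding. Live data would come from
#   gcloud projects get-iam-policy "$PROJECT_ID" --flatten="bindings[].members" \
#     --format="value(bindings.role,bindings.members)"

# Constructed sample rows (identities and project name are made up).
sample_bindings() {
  printf '%s\t%s\n' \
    'roles/owner'                    'user:alice@example.com' \
    'roles/editor'                   'serviceAccount:ci@example-project.iam.gserviceaccount.com' \
    'roles/storage.admin'            'serviceAccount:terraform@example-project.iam.gserviceaccount.com' \
    'roles/storage.objectAdmin'      'serviceAccount:terraform@example-project.iam.gserviceaccount.com' \
    'roles/storage.objectViewer'     'allUsers' \
    'roles/compute.instanceAdmin.v1' 'user:bob@example.com'
}

# Print "FINDING<TAB>role<TAB>member" for bindings that deserve review.
# The finding labels are this example's own, not gcloud output.
audit_bindings() {
  awk -F'\t' -v OFS='\t' '
    # Granted to anyone on the internet or to any Google account.
    $2 == "allUsers" || $2 == "allAuthenticatedUsers" { print "PUBLIC", $1, $2; next }
    # Basic roles span every service in the project.
    $1 == "roles/owner" || $1 == "roles/editor" { print "BASIC_ROLE", $1, $2; next }
    # Service-wide admin held by a service account (a leaked key inherits it).
    $1 ~ /\.admin$/ && $2 ~ /^serviceAccount:/ { print "ADMIN_SA", $1, $2 }
  '
}

# Number of findings on stdin; usable as a CI gate (non-zero means review).
count_findings() {
  audit_bindings | wc -l | tr -d ' '
}

sample_bindings | audit_bindings
```

On the constructed sample this reports four findings; the storage.objectAdmin and compute.instanceAdmin.v1 bindings pass because they are narrower than the service-wide admin role.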

Use service account json creds

Create and download a key from https://console.cloud.google.com/iam-admin/serviceaccounts

Create the GOOGLE_APPLICATION_CREDENTIALS env var that points to the file on disk:

export GOOGLE_APPLICATION_CREDENTIALS=/tmp/project-numbers-numbersandletters.json

Get all members of a role

It's really gross, but it works:

gcloud asset search-all-iam-policies --project ${PROJECT_ID} --query policy:"roles/role.YouWant" --flatten="policy[]" --format="json(bindings[0].members)" | jq -r '.[].bindings[0].members'

Resource: https://devops.stackexchange.com/questions/11291/how-to-list-all-users-with-specific-role-in-gcp - mostly got me there, not quite

Storage

Create bucket

gsutil mb gs://your-bucket-name

Resource: https://cloud.google.com/storage/docs/creating-buckets?authuser=2

Enable Object Versioning on a bucket

gsutil versioning set on gs://your-bucket-name

Check Object Versioning is set on a bucket

gsutil versioning get gs://your-bucket-name

Resource: https://cloud.google.com/storage/docs/using-object-versioning#enable

Delete bucket

gsutil rm -r gs://your-bucket-name

Resource: https://cloud.google.com/storage/docs/gsutil/commands/rb

Upload data to bucket

gsutil cp file.txt gs://your-bucket-name

Download data from bucket

gsutil cp gs://your-bucket-name/file.txt .

Resource: https://cloud.google.com/storage/docs/gsutil/commands/cp

Networking

Get name of a network

NETWORK_NAME=$(gcloud compute networks list --format="value(name)" --filter="yournetwork")

Delete a network

gcloud compute networks delete $NETWORK_NAME   

List subnets

gcloud compute networks subnets list   

Cloud Source Repositories

Create Repository

gcloud source repos create name-of-your-repo

List Repositories

gcloud source repos list

Delete Repository

gcloud source repos delete <repo name>

Push to the master branch

git push google master

Create repo from local directory

gcloud source repos create name-of-your-repo
git init
git config credential.https://source.developers.google.com.helper gcloud.sh
git add .
git config user.name 'Your Name'
git config user.email youremail@yourdomain.com
git commit -m 'Initial commit'
git remote add google $(gcloud source repos list --format="value(URL)" --filter="name-of-your-repo")
git push --all google