AgentSkillsCN

gcloud

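Google Cloud Platform CLI (gcloud, gcloud storage, bq). Use when managing GCP resources, deploying to Cloud Run/Cloud Functions/GKE/App Engine, working with Cloud Storage, BigQuery, IAM, Compute Engine, Cloud SQL, Pub/Sub, Secret Manager, Artifact Registry, Cloud Build, Cloud Scheduler, Cloud Tasks, Vertex AI, VPC/networking, DNS, logging/monitoring, or any GCP service. Also covers: authentication, project/config management, CI/CD integration, serverless deployments, container registry, Docker push to GCP, secrets management, Workload Identity Federation, and infrastructure automation.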

SKILL.md
--- frontmatter
name: gcloud
description: >-
  Google Cloud Platform CLI (gcloud, gcloud storage, bq).
  Use when: managing GCP resources, deploying to Cloud Run/Cloud Functions/GKE/App Engine,
  working with Cloud Storage, BigQuery, IAM, Compute Engine, Cloud SQL, Pub/Sub,
  Secret Manager, Artifact Registry, Cloud Build, Cloud Scheduler, Cloud Tasks,
  Vertex AI, VPC/networking, DNS, logging/monitoring, or any GCP service.
  Also covers: authentication, project/config management, CI/CD integration,
  serverless deployments, container registry, docker push to GCP, managing secrets,
  Workload Identity Federation, and infrastructure automation.

gcloud — Google Cloud Platform CLI

Command-line interface for managing Google Cloud resources. Covers gcloud, gcloud storage (replaces gsutil), and bq (BigQuery).

Platform Notes (Windows + Git Bash)

  • Install: scoop install gcloud (preferred) or GoogleCloudSDKInstaller.exe
  • If installed via scoop, gcloud components install may not work — use scoop to manage
  • Config: %APPDATA%/gcloud/ (PowerShell) or ~/.config/gcloud/ (Git Bash)
  • Service account keys: store in $TEMP or project .secrets/, never commit
  • Python: gcloud requires Python; scoop install handles this automatically

⚠️ Path Translation Gotcha

Git Bash auto-translates /-prefixed args, breaking some gcloud commands:

```bash
# FIX — disable MSYS path conversion:
export MSYS_NO_PATHCONV=1

# Or per-command:
MSYS_NO_PATHCONV=1 gcloud projects add-iam-policy-binding my-project ...
```

⚠️ Cost: Commands that create resources (instances, clusters, databases) incur GCP charges. Always confirm project and region before creating.

Agent Safety Model

Operations classified by risk. Follow this model for all gcloud commands.

| Level | Gate | Examples |
|---|---|---|
| READ | Proceed autonomously | list, describe, get, logs read, config list, gcloud storage ls |
| WRITE | Confirm with user; note cost if billable | create, deploy, update, enable, gcloud storage cp (upload) |
| DESTRUCTIVE | Always confirm; show what's affected | delete, rm, gsutil rm -r, bq rm -r, rsync -d, IAM removal |
| EXPENSIVE | Confirm + state approximate cost | GKE clusters ($70+/mo), SQL instances ($8-400/mo), VMs (~$5-2k/mo) |
| SECURITY | Confirm + explain impact | --allow-unauthenticated, firewall rules, IAM owner/editor grants |
| FORBIDDEN | Refuse; escalate to human | gcloud iam service-accounts keys create, gcloud projects delete, passwords in CLI args |

Rules:

  • Never combine --quiet with destructive operations — it suppresses the only safety gate
  • Never put passwords/secrets as command-line arguments — visible in process list & shell history
  • Always use --format=json for machine-parseable output (agents can't reliably parse tables)
  • When in doubt, treat as DESTRUCTIVE
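
The table and rules above, expressed as a command gate. This is an added example, not part of the original skill file: `classify_gcloud` and `gate_gcloud` are hypothetical helper names, the patterns are taken from the table's Examples column, and the `--password` flags are an assumed stand-in for "passwords in CLI args".

```shell
#!/bin/sh
# Added example (not from the skill file): classify a gcloud/gsutil/bq command
# line by the safety table above, then apply the Gate column and --quiet rule.

classify_gcloud() {
  cmd=" $* "   # pad with spaces so whole-word patterns match at either end
  case "$cmd" in
    *" iam service-accounts keys create "*|*" projects delete "*)
      echo FORBIDDEN ;;
    # Assumption: these flags stand in for "passwords in CLI args"
    *" --password="*|*" --password "*|*" --root-password="*)
      echo FORBIDDEN ;;
    *" delete "*|*" rm "*|*" rsync -d "*|*" remove-iam-policy-binding "*)
      echo DESTRUCTIVE ;;
    *" --allow-unauthenticated "*|*"roles/owner "*|*"roles/editor "*)
      echo SECURITY ;;
    *" firewall-rules create "*|*" firewall-rules update "*)
      echo SECURITY ;;
    *" clusters create "*|*" sql instances create "*|*" compute instances create "*)
      echo EXPENSIVE ;;
    *" create "*|*" deploy "*|*" update "*|*" enable "*|*" storage cp "*)
      echo WRITE ;;
    *" list "*|*" describe "*|*" get "*|*" get-value "*|*" logs read "*|*" storage ls "*)
      echo READ ;;
    *)
      echo DESTRUCTIVE ;;   # rule: when in doubt, treat as DESTRUCTIVE
  esac
}

gate_gcloud() {
  level=$(classify_gcloud "$@")
  quiet=no
  case " $* " in *" --quiet "*|*" -q "*) quiet=yes ;; esac
  if [ "$level" = FORBIDDEN ]; then
    echo REFUSE                       # escalate to a human
  elif [ "$level" = DESTRUCTIVE ] && [ "$quiet" = yes ]; then
    echo REFUSE                       # --quiet would suppress the only safety gate
  elif [ "$level" = READ ]; then
    echo PROCEED
  else
    echo CONFIRM                      # WRITE, DESTRUCTIVE, EXPENSIVE, SECURITY
  fi
}

# Stand-alone use: ./gate.sh gcloud storage rm -r gs://bucket --quiet
[ $# -eq 0 ] || gate_gcloud "$@"
```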

Command Structure

```
gcloud [RELEASE_LEVEL] COMPONENT ENTITY OPERATION [ARGS] [FLAGS]
```

Key global flags: --project, --format, --filter, --limit, --quiet, --verbosity, --async

Service Reference

| Service | File | Key Commands |
|---|---|---|
| Auth & Config | auth.md | Login, ADC, impersonation, config profiles |
| IAM & Projects | iam.md | Projects, APIs, service accounts, Secret Manager |
| Compute & Networking | compute.md | VMs, SSH, firewall, VPC, DNS, static IPs |
| Serverless | serverless.md | Cloud Run, Functions, App Engine, Scheduler, Tasks |
| Storage & Artifacts | storage.md | gcloud storage, Artifact Registry |
| Data | data.md | Cloud SQL, BigQuery (bq), Pub/Sub |
| Automation & CI/CD | automation.md | Scripting, output formats, filtering, GitHub Actions, operations |

Read the per-service file for full command reference.

Pre-Flight Checks

Before working with any GCP service:

```bash
# 1. Correct project?
gcloud config get-value project

# 2. Default region set?
gcloud config get-value compute/region

# 3. Required API enabled? (most APIs are disabled by default)
#    `services enable` is a WRITE operation under the safety model above: confirm first.
gcloud services list --filter="name:run.googleapis.com" --format="value(name)" | grep -q run || \
  gcloud services enable run.googleapis.com

# 4. Billing enabled? (project ID quoted so an empty value fails visibly)
gcloud billing projects describe "$(gcloud config get-value project)" --format="value(billingEnabled)"
```

If you hit PERMISSION_DENIED: ... API has not been enabled, enable the API mentioned in the error and retry.

Troubleshooting

| Problem | Diagnosis | Fix |
|---|---|---|
| Auth failure | gcloud auth list | gcloud auth login or check key file |
| Permission denied | Check IAM (see iam.md) | Grant correct role |
| API not enabled | Error message says which API | gcloud services enable API_NAME |
| Quota exceeded | gcloud compute project-info describe | Request increase in Console |
| Wrong project | gcloud config get-value project | gcloud config set project X |
| Wrong region | gcloud config get-value compute/region | Set correct region; related resources must match |
| Config confusion | gcloud config configurations list | Check active config, override with --project |
| Slow commands | Large result set | Use --filter, --limit, --format=value |

```bash
# Debug mode
gcloud compute instances list --verbosity=debug

# Full environment info
gcloud info
```

Quick Reference

| Task | Command |
|---|---|
| Login | gcloud auth login |
| Set project | gcloud config set project PROJECT_ID |
| Current project | gcloud config get-value project |
| Enable API | gcloud services enable API.googleapis.com |
| List anything | gcloud COMPONENT list --format=json |
| Describe anything | gcloud COMPONENT describe NAME --format=json |
| JSON output | --format=json |
| Single value | --format="value(field)" |
| Filter | --filter="field=value" |
| Quiet ⚠️ | --quiet — suppresses ALL prompts including delete confirmations |
| Help | gcloud COMPONENT --help |