Google Cloud CLI Expert Skill
A unified tool to manage Google Cloud resources from the terminal. This guide focuses on gcloud CLI patterns, practical examples, and production deployment workflows.
Contents
- Quick Start
- When Not to Use
- Decision Trees
- Global Flags
- Environment Variables
- Workflows
- Reference Files
- Scripts
- Troubleshooting
- Best Practices
- Common Mistakes
- Pre-Deployment Checklist
Quick Start
```bash
# Verify installation
gcloud --version

# Interactive login
gcloud auth login

# Set default project and region
gcloud config set project PROJECT_ID
gcloud config set compute/region us-central1

# Verify identity
gcloud auth list
gcloud config list
```
When Not to Use
- Terraform/Pulumi — This skill covers the gcloud CLI, not Infrastructure as Code tools
- GCP Console UI — CLI-focused; use the GCP documentation for console walkthroughs
- AWS/Azure CLI — Use the mastering-aws-cli or azure-cli skills instead
- Client libraries — For Python/Go/Java SDK code, use the programming documentation
- Kubernetes kubectl — For K8s cluster operations, use the kubectl documentation
Decision Trees
Compute & Containers
```
Need compute?
├── Serverless containers ──────────► Cloud Run (references/cloud-run-deployment.md)
├── Virtual machines ───────────────► GCE (gcloud compute instances)
├── Kubernetes ─────────────────────► GKE (gcloud container clusters)
└── Serverless functions ───────────► Cloud Functions (gcloud functions)
```
Data & Databases
```
Need database?
├── PostgreSQL (managed) ───────────► AlloyDB (references/alloydb-management.md)
├── MySQL/PostgreSQL/SQL Server ────► Cloud SQL (gcloud sql instances)
├── NoSQL document ─────────────────► Firestore (references/firebase-management.md)
└── NoSQL key-value ────────────────► Bigtable (gcloud bigtable)
```
Networking
```
Need networking?
├── Custom VPC/subnets ─────────────► VPC (references/vpc-networking.md)
├── Cloud Run → private DB ─────────► VPC Connector (references/vpc-networking.md)
├── Private Google API access ──────► Private Service Connect
└── Firewall rules ─────────────────► VPC Firewall (references/vpc-networking.md)
```
Security & Identity
```
Need security/access?
├── Users, roles, policies ─────────► IAM (references/iam-permissions.md)
├── GitHub Actions → GCP ───────────► WIF (references/authentication.md)
├── Secrets & credentials ──────────► Secret Manager (references/secret-manager.md)
└── Service accounts ───────────────► SA (references/iam-permissions.md)
```
Build & Deploy
```
Need CI/CD?
├── GitHub Actions ─────────────────► WIF + deploy (references/cicd-integration.md)
├── Container builds ───────────────► Cloud Build (references/cicd-integration.md)
├── Container registry ─────────────► Artifact Registry (references/cicd-integration.md)
└── Deployment automation ──────────► Scripting (references/scripting-patterns.md)
```
Global Flags
| Flag | Description |
|---|---|
| `--project=PROJECT_ID` | Override default project |
| `--region=REGION` | Specify region (e.g., us-central1) |
| `--zone=ZONE` | Specify zone (e.g., us-central1-a) |
| `--format=FORMAT` | Output: json, yaml, table, value(FIELD) |
| `--filter=EXPRESSION` | Filter results (e.g., status=RUNNING) |
| `--quiet` | Disable prompts (critical for CI/CD) |
| `--verbosity=debug` | Enable debug output |
| `--log-http` | Show HTTP request/response |
Environment Variables
| Variable | Purpose | Example |
|---|---|---|
| `CLOUDSDK_CORE_PROJECT` | Default project | my-project |
| `CLOUDSDK_COMPUTE_REGION` | Default region | us-central1 |
| `CLOUDSDK_COMPUTE_ZONE` | Default zone | us-central1-a |
| `CLOUDSDK_CORE_DISABLE_PROMPTS` | Non-interactive mode | 1 |
| `GOOGLE_APPLICATION_CREDENTIALS` | SA key file path | /path/to/key.json |
| `CLOUDSDK_CORE_VERBOSITY` | Log level | debug |
Workflows
Installation
macOS (recommended):
```bash
brew install --cask google-cloud-sdk
gcloud init
```
For other platforms: references/installation-macos.md, references/installation-linux.md, references/installation-windows.md
Authentication
```bash
# User login (interactive)
gcloud auth login

# Service account (automation)
gcloud auth activate-service-account --key-file=key.json

# Application Default Credentials
gcloud auth application-default login

# Impersonation (recommended over keys)
gcloud config set auth/impersonate_service_account SA@PROJECT.iam.gserviceaccount.com
```
For WIF, impersonation patterns, and ADC details, see references/authentication.md.
Multi-Account Configuration
```bash
# Create named configurations
gcloud config configurations create dev
gcloud config set project dev-project-123
gcloud config set compute/region us-west1

# Switch contexts
gcloud config configurations activate prod

# Override for single command
gcloud --configuration=prod compute instances list
```
For complete multi-account patterns, see references/multi-account-management.md.
Cloud Run Deployment
Phase 1: Prepare
```bash
# Verify project and region
gcloud config get-value project
gcloud config get-value compute/region
```
Phase 2: Build & Push (container deployments)
```bash
# Build and push to Artifact Registry
gcloud builds submit --tag REGION-docker.pkg.dev/PROJECT/REPO/IMAGE:TAG
```
Phase 3: Deploy (zero-traffic)
```bash
# Deploy from source (builds automatically)
gcloud run deploy SERVICE --source . --region us-central1 --no-traffic --quiet

# Or deploy from container
gcloud run deploy SERVICE --image IMAGE --region us-central1 --no-traffic --quiet
```
Phase 4: Validate & Shift Traffic
```bash
# Verify revision is ready
gcloud run revisions list --service=SERVICE --region=us-central1

# Shift traffic (full or canary)
gcloud run services update-traffic SERVICE --to-latest --region=us-central1
# Or canary: --to-tags canary=10
```
For VPC connectivity, secrets, and advanced patterns, see references/cloud-run-deployment.md.
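The four phases above as one script, added here as an example and not part of the original skill or its scripts/deploy-cloud-run.sh: it deploys with no traffic, gates on the new revision's Ready condition, and only then shifts full or canary traffic. SERVICE, IMAGE, REGION and CANARY_PERCENT are hypothetical inputs, and the `--format` projections used to read the revision name and conditions are this example's assumption, not taken from the page.

```bash
#!/bin/sh
# Added example, not the skill's own script. Inputs SERVICE, IMAGE, REGION and
# CANARY_PERCENT are hypothetical; the --format projections are assumptions.
set -eu

# Parse `--format='value(status.conditions[].type,status.conditions[].status)'`
# output: two tab-separated, ';'-joined lists, e.g. "Ready;ContainerHealthy<TAB>True;True".
# Returns 0 only when the condition of type Ready has status True.
revision_ready() {
  types=$(printf '%s\n' "$1" | cut -f1)
  statuses=$(printf '%s\n' "$1" | cut -f2)
  while [ -n "$types" ]; do
    t=${types%%;*}; s=${statuses%%;*}
    [ "$t" = Ready ] && [ "$s" = True ] && return 0
    [ "$types" = "$t" ] && break            # last element consumed
    types=${types#*;}; statuses=${statuses#*;}
  done
  return 1
}

# Argument for update-traffic: 100 is a full cutover, 1..99 a canary weight on
# the 'canary' tag; anything else is rejected before gcloud ever runs.
traffic_args() {
  pct=${1:-100}
  case "$pct" in
    100) echo "--to-latest"; return 0 ;;
    *[!0-9]*) ;;
    *) if [ "$pct" -ge 1 ] && [ "$pct" -le 99 ]; then
         echo "--to-tags=canary=$pct"; return 0; fi ;;
  esac
  echo "invalid canary percent: $pct" >&2; return 1
}

deploy() {
  project=$(gcloud config get-value project)            # never hardcoded
  shift_arg=$(traffic_args "${CANARY_PERCENT:-100}")     # validate before deploying
  gcloud run deploy "${SERVICE:?}" --image="${IMAGE:?}" --region="${REGION:?}" \
    --project="$project" --no-traffic --tag=canary --quiet
  rev=$(gcloud run revisions list --service="$SERVICE" --region="$REGION" \
    --project="$project" --sort-by=~metadata.creationTimestamp --limit=1 \
    --format='value(metadata.name)')
  conds=$(gcloud run revisions describe "$rev" --region="$REGION" --project="$project" \
    --format='value(status.conditions[].type,status.conditions[].status)')
  revision_ready "$conds" || { echo "revision $rev not Ready; traffic unchanged" >&2; return 1; }
  gcloud run services update-traffic "$SERVICE" --region="$REGION" \
    --project="$project" "$shift_arg" --quiet
}

if [ "${RUN_DEPLOY:-0}" = 1 ]; then deploy; fi   # functions only unless RUN_DEPLOY=1
```

Run it as `RUN_DEPLOY=1 SERVICE=... IMAGE=... REGION=... CANARY_PERCENT=10 sh deploy.sh`; without RUN_DEPLOY it only defines the functions, so the parsing and validation can be sourced and tested offline.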
IAM Permissions
```bash
# Grant project role
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:user@example.com" \
  --role="roles/viewer"

# Grant resource role
gcloud run services add-iam-policy-binding SERVICE \
  --region=REGION \
  --member="serviceAccount:sa@PROJECT.iam.gserviceaccount.com" \
  --role="roles/run.invoker"
```
For custom roles and governance, see references/iam-permissions.md.
Secret Manager
```bash
# Create secret
echo -n "my-secret-value" | gcloud secrets create SECRET_NAME --data-file=-

# Access secret
gcloud secrets versions access latest --secret=SECRET_NAME

# Mount in Cloud Run (as an environment variable; add --image/--source and --region as usual)
gcloud run deploy SERVICE --set-secrets="ENV_VAR=SECRET_NAME:latest"
```
For IAM bindings and rotation, see references/secret-manager.md.
VPC Networking
```bash
# Create custom VPC
gcloud compute networks create my-vpc --subnet-mode=custom

# Create subnet with Private Google Access
gcloud compute networks subnets create my-subnet \
  --network=my-vpc --region=us-central1 --range=10.0.1.0/24 \
  --enable-private-ip-google-access

# Create VPC connector for Cloud Run
gcloud compute networks vpc-access connectors create my-connector \
  --region=us-central1 --network=my-vpc --range=10.8.0.0/28
```
For firewall rules, peering, and Private Service Connect, see references/vpc-networking.md.
AlloyDB
```bash
# Create cluster
gcloud alloydb clusters create CLUSTER --region=us-central1 --password=PASSWORD --network=default

# Create instance
gcloud alloydb instances create INSTANCE --cluster=CLUSTER --region=us-central1 \
  --instance-type=PRIMARY --cpu-count=2
```
For backups and connections, see references/alloydb-management.md.
CI/CD Integration
GitHub Actions with WIF (recommended):
```yaml
permissions:
  id-token: write
  contents: read

# in the job's steps:
- uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
    service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
```
For Cloud Build, multi-environment, and Firebase, see references/cicd-integration.md.
Enable APIs
```bash
# Core APIs for Cloud Run deployment
gcloud services enable \
  run.googleapis.com \
  cloudbuild.googleapis.com \
  artifactregistry.googleapis.com \
  secretmanager.googleapis.com \
  iam.googleapis.com \
  iamcredentials.googleapis.com
```
For complete API list, see references/api-enablement.md.
Reference Files
| Reference | Description | Key Triggers |
|---|---|---|
| Installation (macOS) | Homebrew, Apple Silicon setup | install gcloud, macos |
| Installation (Linux) | apt, dnf/yum, Docker | install gcloud, linux |
| Installation (Windows) | Installer, PowerShell | install gcloud, windows |
| Authentication | OAuth, SA, WIF, impersonation | gcloud auth, wif, service account |
| Multi-Account | Configurations, switching | config, switch project |
| IAM Permissions | Roles, policies, governance | iam, role, permission |
| Cloud Run | Deploy, traffic, secrets | cloud run, deploy |
| Cloud Scheduler | Cron jobs, triggers | scheduler, cron |
| Cloud Storage | Buckets, objects, IAM | storage, gcs, bucket |
| AlloyDB | Clusters, instances | alloydb, postgresql |
| VPC Networking | VPCs, subnets, firewall, connectors | vpc, subnet, firewall |
| Secret Manager | Secrets, versions, IAM | secret, secrets manager |
| CI/CD Integration | GitHub Actions, Cloud Build | github actions, cloud build |
| Scripting Patterns | Error handling, batch ops | script, automation |
| Firebase | Functions, Hosting, Firestore | firebase, firestore |
| API Enablement | Required APIs by service | enable api |
| Verification | Setup verification | verify, check |
| Auth Reset | Credential cleanup | reset auth, revoke |
| Troubleshooting | Debug, logs, common errors | debug, error, logs |
Scripts
| Script | Description |
|---|---|
| scripts/verify-gcp-setup.sh | Comprehensive GCP setup verification |
| scripts/setup-gcloud-configs.sh | Initialize multi-environment configs |
| scripts/switch-gcloud-project.sh | Switch between projects |
| scripts/reset-gcloud-auth.sh | Complete auth reset |
| scripts/deploy-cloud-run.sh | Cloud Run deployment helper |
| scripts/setup-wif-github.sh | WIF setup for GitHub Actions |
Troubleshooting
Quick Debug Commands
```bash
# Check configuration
gcloud config list
gcloud auth list

# Enable debug output
gcloud COMMAND --verbosity=debug --log-http

# View logs
gcloud logging read 'resource.type="cloud_run_revision"' --limit=50
```
Common Errors
| Error | Solution |
|---|---|
| PERMISSION_DENIED | Check IAM roles: `gcloud projects get-iam-policy PROJECT_ID` |
| API not enabled | Enable API: `gcloud services enable API_NAME` |
| VPC connector failed | Check connector status; it may need recreation |
| Container failed to start | Check Cloud Run logs, test locally first |
For complete troubleshooting guide, see references/troubleshooting.md.
Best Practices
| Category | Recommendation |
|---|---|
| Security | Use Workload Identity Federation over service account keys |
| Security | Use Secret Manager for sensitive configuration |
| Scripting | Always use --quiet flag in automation |
| Scripting | Use --format=json or --format=value() for parsing |
| Safety | Use gcloud ... --verbosity=debug to troubleshoot |
| Performance | Use --filter to reduce API response size |
| Regions | Explicitly set region in scripts to avoid surprises |
Common Mistakes
Avoid these anti-patterns:
| Mistake | Problem | Correct Approach |
|---|---|---|
| `gcloud auth activate-service-account --key-file=key.json` | Keys can leak, hard to rotate | Use WIF or impersonation |
| `gcloud run deploy SERVICE --source .` (no region) | Deploys to random default region | Always specify `--region` |
| `echo $SECRET` in logs | Exposes secrets in CI logs | Use `--format=value()` quietly |
| Hardcoding project ID in scripts | Breaks portability | Use `gcloud config get-value project` |
| Missing `--quiet` in CI/CD | Scripts hang on prompts | Always add `--quiet` for automation |
| Using roles/editor or roles/owner | Over-privileged, security risk | Use specific roles like roles/run.admin |
Bad vs Good Examples:
```bash
# BAD: No region, no quiet, hardcoded project
gcloud run deploy my-service --source . --project my-project-123

# GOOD: Explicit region, quiet mode, portable
gcloud run deploy my-service \
  --source . \
  --region="${REGION:-us-central1}" \
  --project="$(gcloud config get-value project)" \
  --quiet

# BAD: Using service account key file
gcloud auth activate-service-account --key-file=key.json

# GOOD: Using impersonation (no key file needed)
gcloud config set auth/impersonate_service_account deploy-sa@PROJECT.iam.gserviceaccount.com
```
Pre-Deployment Checklist
Run before every Cloud Run deployment:
- [ ] 1. Verify identity: `gcloud auth list`
- [ ] 2. Confirm project: `gcloud config get-value project`
- [ ] 3. Check APIs enabled: `gcloud services list --enabled | grep -E "run|build|artifact"`
- [ ] 4. Verify SA permissions: `gcloud projects get-iam-policy PROJECT_ID --filter="bindings.members:SA_EMAIL"`
- [ ] 5. Test locally: `docker run -p 8080:8080 IMAGE && curl localhost:8080/health`
- [ ] 6. Check secrets exist: `gcloud secrets list --filter="name:SECRET_NAME"`
- [ ] 7. Verify VPC connector (if needed): `gcloud compute networks vpc-access connectors describe CONNECTOR --region=REGION`
- [ ] 8. Deploy with --no-traffic first: `gcloud run deploy SERVICE --image=IMAGE --region=REGION --no-traffic`
- [ ] 9. Verify revision ready: `gcloud run revisions list --service=SERVICE --region=REGION`
- [ ] 10. Shift traffic: `gcloud run services update-traffic SERVICE --to-latest --region=REGION`
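The checklist's API, role and secret checks as a preflight script, added here as an example and not part of the original skill or its scripts/verify-gcp-setup.sh. The parsing is separated from the gcloud calls so the logic can be tested offline; REQUIRED_APIS, SA_EMAIL and SECRET_NAME are hypothetical inputs and the format/filter strings are this example's choice. Unlike the checklist's `grep -E "run|build|artifact"`, the API check matches service names exactly.

```bash
#!/bin/sh
# Added example, not the skill's own verify script. REQUIRED_APIS, SA_EMAIL and
# SECRET_NAME are hypothetical inputs; format/filter strings are this example's choice.
set -eu

# Exact-match required APIs against `gcloud services list --enabled
# --format='value(config.name)'` output (one name per line) and print the missing
# ones. A substring grep such as `grep -E "run|build|artifact"` also matches
# unrelated services, so a hit there does not prove the API is enabled.
missing_apis() {
  required=$1; enabled=$2; missing=""
  for api in $required; do
    printf '%s\n' "$enabled" | grep -qxF "$api" || missing="$missing$api "
  done
  printf '%s' "${missing% }"
}

# Roles bound to one member, one per line, as printed by
#   gcloud projects get-iam-policy PROJECT --flatten='bindings[].members' \
#     --filter="bindings.members:serviceAccount:$SA_EMAIL" --format='value(bindings.role)'
# Returns 0 only on an exact role match (roles/run.admin does not imply roles/run.invoker).
has_role() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# Live checks; the first failure stops CI before anything is deployed.
preflight() {
  project=$(gcloud config get-value project)
  [ -n "$project" ] || { echo "no default project set" >&2; return 1; }
  enabled=$(gcloud services list --enabled --project="$project" --format='value(config.name)')
  missing=$(missing_apis "$REQUIRED_APIS" "$enabled")
  [ -z "$missing" ] || { echo "enable first: $missing" >&2; return 1; }
  roles=$(gcloud projects get-iam-policy "$project" --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:${SA_EMAIL:?}" --format='value(bindings.role)')
  has_role "$roles" roles/run.admin || { echo "$SA_EMAIL lacks roles/run.admin" >&2; return 1; }
  gcloud secrets describe "${SECRET_NAME:?}" --project="$project" --quiet >/dev/null \
    || { echo "secret $SECRET_NAME not found" >&2; return 1; }
  echo "preflight ok"
}

if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then          # functions only unless RUN_PREFLIGHT=1
  REQUIRED_APIS=${REQUIRED_APIS:-"run.googleapis.com cloudbuild.googleapis.com artifactregistry.googleapis.com"}
  preflight
fi
```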