Become a GCP Master: Get Comfortable with the gcloud CLI
Become a GCP power user by learning how to use the gcloud CLI for almost any task you need to achieve in GCP
When working with Google Cloud Platform (GCP), the gcloud CLI gives us so much power at our fingertips through our terminal.
There’s a little learning curve to getting started, but once you’re familiar with the basics, you’ll never need to manually click through the console to create or deploy any services to GCP.
We’ll walk through the authentication process and some common situations where you can save yourself time by using the CLI.
Process
I. Installing gcloud CLI
Depending on your OS, there are different installation instructions.
On Windows, you need to download the installer and follow the on-screen instructions. For Ubuntu, everything can be done via the terminal.
The full instructions by OS are listed in the documentation here.
II. Check the Version
With gcloud installed, we can check the version of the SDK. We’ll be using version 404.0.0 for this article.
gcloud --version
Output:
Google Cloud SDK 404.0.0
alpha 2022.09.23
beta 2022.09.23
bq 2.0.78
bundled-python3-unix 3.9.12
cloud-build-local 0.5.2
core 2022.09.23
gcloud-crc32c 1.0.0
gsutil 5.14
III. Authentication as User
Once the CLI is installed, the first time you need to authenticate, you can follow the “Get Started” workflow by typing:
gcloud init
This will run through some basic configuration settings (like setting your project ID and location/region) and authenticate through the browser as your user account.
At this point, gcloud commands can be executed against your project ID, acting as the account authenticated during init.
Sometimes, we want to swap accounts and we can do that using the command:
gcloud auth login
This goes through the browser authentication flow again, leaving you logged in as the new account.
IV. Authentication as Service Account
There’s an additional method for logging in, and that is to act as a service account. For this option, we need to have a key file in .json format.
gcloud auth activate-service-account <INSERT_SERVICE_ACCOUNT_EMAIL> \
--key-file=<INSERT_PATH_TO_KEY_FILE>
After running this, we’ll be able to run gcloud commands as the service-account. This is one way to test permissions when you’re developing by logging in directly as the service account.
If we want to go back to our user account, we can type:
gcloud config set account <INSERT_ACCOUNT>
V. Impersonating Service Accounts
Depending on the use case, there’s actually another method of running commands as a service account: the --impersonate-service-account flag. This flag is one of the gcloud-wide flags, i.e. ones that can be used with any command in the gcloud CLI.
For example, the following command would attempt to create the bucket my-bucket while running the operation as the service account.
gcloud storage buckets create gs://my-bucket \
--impersonate-service-account=<INSERT_SERVICE_ACCOUNT_EMAIL>
The benefit of using this method is that we don’t need to create/download a .json file that contains the service account credentials. The only prerequisite is that we have the iam.serviceAccounts.getAccessToken permission, which is available in the roles/iam.serviceAccountTokenCreator role.
Obviously, having to type --impersonate-service-account and the email after each command we want to run can get a bit tiresome, but thankfully, there’s a config variable that we can change to set a default value.
gcloud config set auth/impersonate_service_account <INSERT_SERVICE_ACCOUNT>
If we want to test some commands as a service account we can set this value and then go about using the CLI as we want to, and if we want to unset the value, simply run:
gcloud config unset auth/impersonate_service_account
VI. Application Default Login
There is one other option when authenticating, and this is the application-default mechanism.
This is a useful tool when developing locally with client libraries (for example in Python) that require authentication to Google Cloud.
For example, using the google.cloud.bigquery module in Python, specifying a Client needs some credentials, but if you run the application-default login, it automatically sets the necessary environment variable GOOGLE_APPLICATION_DEFAULT so that you don’t have to specify anything.
To set this, just run the command:
gcloud auth application-default login
Common Use-Cases
Role Assignment
Instead of having to go into the console, navigate to IAM, select a user and then add specific roles for them, you can use the below command to achieve the same result:
# --member takes either user:<INSERT_USER> or serviceAccount:<INSERT_SERVICE_ACCOUNT>
gcloud projects add-iam-policy-binding <PROJECT_ID> \
--member user:<INSERT_USER> \
--role <INSERT_ROLE>
Creating Service Accounts
Best practice is to create a new service account for each new pipeline, app or project we’re building. It becomes quite annoying to have to keep creating them in the UI and assigning roles, but with gcloud it’s really easy.
gcloud iam service-accounts create NAME --description=DESCRIPTION \
--display-name=DISPLAY_NAME
We can take this one step further by also creating a key for the service account and downloading it directly to our machine.
gcloud iam service-accounts keys create <PATH_TO_KEY_FILE> \
--iam-account=<INSERT_SERVICE_ACCOUNT_EMAIL>
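A downloaded key file is a long-lived credential, so it is worth knowing which user-managed keys exist for a service account and how old they are. The script below is an added example, not code from the original article: it filters the output of gcloud iam service-accounts keys list for keys created before a cutoff date. The function names, the sample rows and the cutoff are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag user-managed service account keys created before a cutoff.
# Rows are "KEY_ID,CREATED_AT" with CREATED_AT in UTC ISO 8601
# (e.g. 2022-09-23T10:00:00Z), so plain string comparison orders them by time.

# stale_keys CUTOFF: read CSV rows on stdin, print the IDs of keys older than CUTOFF.
stale_keys() {
  awk -F',' -v cutoff="$1" '
    # Appending "" forces a string (not numeric) comparison of the timestamps.
    NF >= 2 && $2 != "" && ($2 "") < (cutoff "") { print $1 }
  '
}

# list_user_keys SA_EMAIL: list user-managed keys only, i.e. the kind produced by
# "gcloud iam service-accounts keys create"; Google-managed keys are excluded.
list_user_keys() {
  gcloud iam service-accounts keys list \
    --iam-account="$1" --managed-by=user \
    --format='csv[no-heading](name.basename(),validAfterTime)'
}

# audit_keys SA_EMAIL CUTOFF: live check against a real project.
audit_keys() {
  list_user_keys "$1" | stale_keys "$2"
}

# Constructed sample rows (placeholder key IDs, not real ones) so the filter
# can be exercised offline without calling gcloud.
sample_rows() {
  cat <<'EOF'
aaaa1111,2021-03-02T08:15:00Z
bbbb2222,2022-09-20T12:00:00Z
cccc3333,2022-06-25T00:00:00Z
EOF
}

# Offline demo: keys created before 2022-06-26 are reported as stale.
sample_rows | stale_keys "2022-06-26T00:00:00Z"
```

Against a real project, call audit_keys with the service account email and a cutoff timestamp; keys it reports are candidates for rotation or deletion.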
Create a Google Cloud Storage Bucket
In the same vein as service accounts, we often need to create new storage buckets for every new project we begin working on, so being able to do this programmatically from our terminal (which is where we spend most of our time) becomes really useful.
gcloud storage buckets create gs://<INSERT_BUCKET_NAME> \
--location=<INSERT_LOCATION>
Using the Help Flag
The CLI has a really useful set of documentation to support it. For any command (at any level), you can add the --help flag to bring up the documentation for the command to see which arguments it accepts and what the syntax needs to be.
gcloud storage buckets create --help
The output shows you the general syntax of the command, along with optional arguments and examples.
With this knowledge, you can quickly learn how to do almost anything with gcloud.
Cheat Sheet
The gcloud CLI documentation has a cheat sheet that lists useful commands for some common use cases you may be trying to achieve; the link is here.
Closing Thoughts 💭
Hopefully, this article has given a brief introduction to the gcloud CLI: how to install it, how to authenticate, and some basic commands to get you going.
I’ve also outlined the best way to get familiar with particular use cases yourself.
I’ll keep this updated with any new features that appear in the CLI that I find particularly useful (as and when I find them).
Feel free to drop me a follow on both Medium and LinkedIn for more similar content, and reach out with any questions; I love connecting to new people :)
Lastly, if you have any requests or ideas of other things I could run through in a similar tutorial format, drop them in the comments down below, and I’ll work out which topics I can cover!