limbuu · April 14, 2020 12:24 · Mar 30, 2020 · Mar 18, 2020 · Mar 18, 2020 · Mar 18, 2020
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -269,8 +269,9 @@ gcloud container clusters list --impersonate-service-account=terraform@${PROJECT
 
 ### GCS bucket level
 ```
+gsutil iam get gs://${BUCKET_NAME}  -p ${PROJECT_ID}
 COMPUTE_ENGINE_SA_EMAIL=$(gcloud iam service-accounts list --filter="name:Compute Engine default service account" --format "value(email)")
-gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://bucket-name
+gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://${BUCKET_NAME}
 ```
 
 ### Custom Roles

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -11,7 +11,7 @@ Table of Contents
 * [organization](#organization)
 * [billing](#billing)
 * [IAM list permission and roles for a given resource](#iam-list-permission-and-roles-for-a-given-resource)
-* [service account](#iam-service-account)
+* [service account](#service-account-treat-service-account-as-an-identity)
     * [GCS bucket level](#gcs-bucket-level)
     * [Custom Roles](#custom-roles)
 * [app engine](#app-engine)

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -11,7 +11,7 @@ Table of Contents
 * [organization](#organization)
 * [billing](#billing)
 * [IAM list permission and roles for a given resource](#iam-list-permission-and-roles-for-a-given-resource)
-* [IAM service account](#iam-service-account)
+* [service account](#iam-service-account)
     * [GCS bucket level](#gcs-bucket-level)
     * [Custom Roles](#custom-roles)
 * [app engine](#app-engine)

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -211,7 +211,7 @@ gcloud iam list-grantable-roles https://www.googleapis.com/compute/v1/projects/$
 gcloud projects list --uri
 ```
 
-## IAM service account
+## service account: treat service account as an identity
 
 ```
 export SA_EMAIL=$(gcloud iam service-accounts list \
@@ -227,7 +227,7 @@ gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --form
 gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL    
 gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com
 
-## project level: treat service account as an identity
+
  gcloud projects get-iam-policy ${PROJECT} --flatten="bindings[].members" --filter="bindings.members:serviceAccount:terraform@${PROJECT_ID}.iam.gserviceaccount.com"
  
 gcloud projects add-iam-policy-binding $PROJECT  --role roles/storage.admin \

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -227,11 +227,9 @@ gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --form
 gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL    
 gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com
 
-## project level: get a list of roles assigned to a given sa such as terraform
- gcloud projects get-iam-policy ${PROJECT_ID} --flatten="bindings[].members" --filter="bindings.members:serviceAccount:terraform@${PROJECT_ID}.iam.gserviceaccount.com"
-
-# project level: grant roles to a given sa
-gcloud projects get-iam-policy $PROJECT
+## project level: treat service account as an identity
+ gcloud projects get-iam-policy ${PROJECT} --flatten="bindings[].members" --filter="bindings.members:serviceAccount:terraform@${PROJECT_ID}.iam.gserviceaccount.com"
+ 
 gcloud projects add-iam-policy-binding $PROJECT  --role roles/storage.admin \
     --member serviceAccount:$SA_EMAIL
 gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.instanceAdmin.v1 \
@@ -245,9 +243,17 @@ gcloud projects add-iam-policy-binding $PROJECT --role roles/iam.serviceAccountA
 ```
 * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 
+# service account:treat service account as a resource
 ```
-# service account level: add role to service account
-gcloud iam service-accounts get-iam-policy <sa_email>
+gcloud iam service-accounts get-iam-policy <sa_email>, eg. 
+gcloud iam service-accounts get-iam-policy secret-accessor-dev@$PROJECT_ID.iam.gserviceaccount.com --project $PROJECT_ID
+bindings:
+- members:
+  - serviceAccount:<project-id>.svc.id.goog[default/secret-accessor-dev]
+  role: roles/iam.workloadIdentityUser
+etag: BwWhFqqv9aQ=
+version: 1
+
 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor'
 ```
 * https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -341,6 +341,23 @@ curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locati
   -H "Content-Type:application/json" \
 | jq .plaintext -r | base64 -d    
 ```
+
+## secret manager 
+* https://blog.scalesec.com/gcp-secret-manager-first-look-eaa9b0620da1
+
+```
+# create a secret
+gcloud beta secrets create SECRET_NAME --replication-policy="automatic"
+#create a secret version
+gcloud beta secrets versions add "SECRET_NAME" --data-file="/path/to/file.txt"
+# list
+gcloud beta secrets list
+# read
+gcloud beta secrets versions access latest --secret=my_ssh_private_key
+#update the labels (metadata) of a secret
+gcloud beta secrets update SECRET_NAME --update-labels=KEY=VALUE
+```
+
 ## compute engine
 
 ### gcloud command for creating an instance? 
@@ -492,12 +509,6 @@ Use [gcloud compute operations describe URI] command to check the status of the
  gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional
 ```
 
-## secret manager 
-
-```
-gcloud beta secrets list
-gcloud beta secrets versions access latest --secret=my_ssh_private_key
-```
 
 
 ## Networking

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -35,6 +35,7 @@ Table of Contents
     * [MIG with startup and shutdown scripts](#mig-with-startup-and-shutdown-scripts)
     * [disk snapshot](#disk-snapshot)
     * [regional disk](#regional-disk)
+* [Secret Manager](#secret-manager)
 * [Networking](#networking)
     * [network and subnets](#network-and-subnets)
     * [route](#route)

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -491,6 +491,13 @@ Use [gcloud compute operations describe URI] command to check the status of the
  gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional
 ```
 
+## secret manager 
+
+```
+gcloud beta secrets list
+gcloud beta secrets versions access latest --secret=my_ssh_private_key
+```
+
 
 ## Networking
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -166,16 +166,25 @@ gcloud compute zones list --filter=region:us-central1
 gcloud compute regions list
 ```
 
-## organization & folder
+## organization
 ```
 ORG_ID=$(gcloud organizations list --format 'value(ID)')
 # list top level folders
 gcloud resource-manager folders list --organization=$ORG_ID
 # list sub folders given upper level folder id
 gcloud resource-manager folders list --organization=$FOLDER_ID
-# grant role to a user
-gcloud resource-manager folders add-iam-policy-binding $FOLDER_ID \
-            --member='user:[email protected]' --role='roles/editor'
+
+# grant roles to a user
+ORGANIZATION_ADMIN_ADDRESS='user:[email protected]'
+gcloud resource-manager folders add-iam-policy-binding ${folder_id} \
+  --member=${ORGANIZATION_ADMIN_ADDRESS} \
+  --role=roles/resourcemanager.folderAdmin
+gcloud resource-manager folders add-iam-policy-binding ${folder_id} \
+  --member=${ORGANIZATION_ADMIN_ADDRESS} \
+  --role=roles/storage.admin
+gcloud resource-manager folders add-iam-policy-binding ${folder_id} \
+  --member=${ORGANIZATION_ADMIN_ADDRESS} \
+  --role=roles/billing.projectManager
 ```
 
 ## billing

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -180,8 +180,11 @@ gcloud resource-manager folders add-iam-policy-binding $FOLDER_ID \
 
 ## billing
 ```
-gcloud beta billing accounts list
 gcloud organizations list
+gcloud beta billing accounts list
+# link a billing account with a project, assuming the user or svc account has "Billing Account User" role. 
+gcloud beta billing projects link ${project_id} \
+            --billing-account ${ORGANIZATION_BILLING_ACCOUNT}
 ```
 
 ## IAM list permission and roles for a given resource

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -588,7 +588,12 @@ gcloud compute addresses describe https-lb --global --format json
 gcloud projects list --format='value(project_id)' | xargs -I {} gcloud compute addresses list --format='value(address)' --project {}  2>/dev/null | sort | uniq -c
 ```
 
+## interconnect 
 
+```
+# list Google Compute Engine interconnect locations
+gcloud compute interconnects locations list
+```
 
 ## GCP managed ssl certificate
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -8,6 +8,7 @@ Table of Contents
 * [info](#info)
 * [projects](#projects)
 * [zones](#zones)
+* [organization](#organization)
 * [billing](#billing)
 * [IAM list permission and roles for a given resource](#iam-list-permission-and-roles-for-a-given-resource)
 * [IAM service account](#iam-service-account)

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -165,6 +165,18 @@ gcloud compute zones list --filter=region:us-central1
 gcloud compute regions list
 ```
 
+## organization & folder
+```
+ORG_ID=$(gcloud organizations list --format 'value(ID)')
+# list top level folders
+gcloud resource-manager folders list --organization=$ORG_ID
+# list sub folders given upper level folder id
+gcloud resource-manager folders list --organization=$FOLDER_ID
+# grant role to a user
+gcloud resource-manager folders add-iam-policy-binding $FOLDER_ID \
+            --member='user:[email protected]' --role='roles/editor'
+```
+
 ## billing
 ```
 gcloud beta billing accounts list

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -117,7 +117,8 @@ fi
 ```
 
 ## auth
-https://stackoverflow.com/questions/53306131/difference-between-gcloud-auth-application-default-login-and-gcloud-auth-logi/53307505
+* https://stackoverflow.com/questions/53306131/difference-between-gcloud-auth-application-default-login-and-gcloud-auth-logi/53307505
+* https://medium.com/google-cloud/local-remote-authentication-with-google-cloud-platform-afe3aa017b95
 
 ```
 gcloud auth list

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -78,7 +78,6 @@ gcloud config configurations create pythonrocks
 gcloud config configurations list
 gcloud config configurations activate pythonrocks
 gcloud config set core/account [email protected]
-gcloud auth login
 gcloud projects list
 gcloud config set project mygcp-demo
 ```
@@ -118,10 +117,16 @@ fi
 ```
 
 ## auth
+https://stackoverflow.com/questions/53306131/difference-between-gcloud-auth-application-default-login-and-gcloud-auth-logi/53307505
+
 ```
 gcloud auth list
+# to authenticate with a user identity (via web flow) which then authorizes gcloud and other SDK tools to access Google Cloud Platform.
 gcloud auth login
+# Service Account: to authenticate with a user identity (via a web flow) but using the credentials as a proxy for a service account.
+gcloud auth application-default login 
 gcloud auth activate-service-account --key-file=sa_key.json
+# use GOOGLE_APPLICATION_CREDENTIALS pointing to JSON key
 ```
 
 kubectl uses OAuth token generated by 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -717,6 +717,14 @@ gcloud container clusters describe mycluster --format='get(endpoint)'
 gcloud container clusters get-credentials private-cluster --zone us-central1-a --internal-ip
 ```
 
+### create a GKE cluster with label and query it later
+
+```
+gcloud container clusters create example-cluster --labels env=dev
+gcloud container clusters list --filter resourceLabels.env=dev 
+```
+
+
 ## Cloud Run
 ```
 # deploy a service on Cloud Run in us-central1 and allow unauthenticated user

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -80,17 +80,17 @@ gcloud config configurations activate pythonrocks
 gcloud config set core/account [email protected]
 gcloud auth login
 gcloud projects list
-gcloud config set project dev-193420
+gcloud config set project mygcp-demo
 ```
 
 ### switch gcloud context with gcloud config
 ```
 gcloud config list
-gcloud config set account pythonrocksk8s201702@gmail.com 
-gcloud config set project salt-163215
+gcloud config set account pythonrocks@gmail.com 
+gcloud config set project mygcp-demo
 gcloud config set compute/region us-west1
 gcloud config set compute/zone us-west1-a
-alias demo='gcloud config set account pythonrocksk8s201702@gmail.com && gcloud config set project salt-163215 && gcloud config set compute/region us-west1 && gcloud config set compute/zone us-west1-a'
+alias demo='gcloud config set account pythonrocks@gmail.com && gcloud config set project mygcp-demo && gcloud config set compute/region us-west1 && gcloud config set compute/zone us-west1-a'
 
 
 cluster=$(gcloud config get-value container/cluster 2> /dev/null)
@@ -140,12 +140,12 @@ export PROJECT=$(gcloud info --format='value(config.project)')
 
 ```
 # various way to get project_id
-PROJECT_ID=$(gcloud config get-value core/project)
+PROJECT_ID=$(gcloud config get-value core/project 2>/dev/null)
 PROJECT_ID=$(gcloud config list project --format='value(core.project)')
 PROJECT_ID=$(gcloud info --format='value(config.project)')
 
 # get project_number given project_id or name
-gcloud projects list --filter="project_id:${project_id}"  --format='value(project_number)'
+gcloud projects list --filter="project_id:${PROJECT_ID}"  --format='value(project_number)'
 gcloud projects list --filter="name:${project_name}"  --format='value(project_number)'
 ```
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -195,7 +195,10 @@ gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --form
 gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL    
 gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com
 
-# project level: grant roles to sa
+## project level: get a list of roles assigned to a given sa such as terraform
+ gcloud projects get-iam-policy ${PROJECT_ID} --flatten="bindings[].members" --filter="bindings.members:serviceAccount:terraform@${PROJECT_ID}.iam.gserviceaccount.com"
+
+# project level: grant roles to a given sa
 gcloud projects get-iam-policy $PROJECT
 gcloud projects add-iam-policy-binding $PROJECT  --role roles/storage.admin \
     --member serviceAccount:$SA_EMAIL

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -384,6 +384,18 @@ gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh
 gcloud compute config-ssh
 ```
 
+### Windows RDP reset windows password
+returns the IP and password for creating the RDP connection. 
+```
+gcloud compute reset-windows-password qa-iceberg-instance --user=jdoe
+
+ip_address: 104.199.119.166
+password:   Ks(;_gx7Bf2d.NP
+username:   jode
+```
+
+
+
 ### debugging
 gcloud debugging: `gcloud  compute instances list --log-http`
 [serial port debug](https://cloud.google.com/compute/docs/instances/interacting-with-serial-console)

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -149,11 +149,15 @@ gcloud projects list --filter="project_id:${project_id}"  --format='value(projec
 gcloud projects list --filter="name:${project_name}"  --format='value(project_number)'
 ```
 
-## zones
+## zones & regions
 To return a list of zones given a region
 ```
 gcloud compute zones list --filter=region:us-central1
 ```
+```
+# list regions
+gcloud compute regions list
+```
 
 ## billing
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -1,3 +1,60 @@
+Table of Contents
+=================
+* [References](#references)
+* [Other cheatsheets](#other-cheatsheets)
+* [multiple gcloud config configurations](#multiple-gcloud-config-configurations)
+    * [switch gcloud context with gcloud config](#switch-gcloud-context-with-gcloud-config)
+* [auth](#auth)
+* [info](#info)
+* [projects](#projects)
+* [zones](#zones)
+* [billing](#billing)
+* [IAM list permission and roles for a given resource](#iam-list-permission-and-roles-for-a-given-resource)
+* [IAM service account](#iam-service-account)
+    * [GCS bucket level](#gcs-bucket-level)
+    * [Custom Roles](#custom-roles)
+* [app engine](#app-engine)
+* [cloud build](#cloud-build)
+    * [Cloud build trigger GCE rolling replace/start](#cloud-build-trigger-gce-rolling-replacestart)
+* [kms](#kms)
+* [compute engine](#compute-engine)
+    * [gcloud command for creating an instance?](#gcloud-command-for-creating-an-instance)
+    * [list compute images](#list-compute-images)
+    * [list an instance](#list-an-instance)
+    * [move instance](#move-instance)
+    * [ssh &amp; scp](#ssh--scp)
+    * [SSH via IAP](#ssh-via-iap)
+    * [ssh port forwarding for elasticsearch](#ssh-port-forwarding-for-elasticsearch)
+    * [ssh reverse port forwarding](#ssh-reverse-port-forwarding)
+    * [generate ssh config](#generate-ssh-config)
+    * [debugging](#debugging)
+    * [instance level metadata](#instance-level-metadata)
+    * [project level metadata](#project-level-metadata)
+    * [instances, template, target-pool and instance group](#instances-template-target-pool-and-instance-group)
+    * [MIG with startup and shutdown scripts](#mig-with-startup-and-shutdown-scripts)
+    * [disk snapshot](#disk-snapshot)
+    * [regional disk](#regional-disk)
+* [Networking](#networking)
+    * [network and subnets](#network-and-subnets)
+    * [route](#route)
+    * [firewall rules](#firewall-rules)
+    * [layer 4 network lb](#layer-4-network-lb)
+    * [layer 7 http lb](#layer-7-http-lb)
+    * [forwarding-rules](#forwarding-rules)
+    * [address](#address)
+* [GCP managed ssl certificate](#gcp-managed-ssl-certificate)
+* [StackDriver logging](#stackdriver-logging)
+* [Service](#service)
+    * [list service available](#list-service-available)
+    * [Enable Service](#enable-service)
+* [Client libraries you can use to connect to Google APIs](#client-libraries-you-can-use-to-connect-to-google-apis)
+* [chaining gcloud commands](#chaining-gcloud-commands)
+* [one liner to purge GCR images given a date](#one-liner-to-purge-gcr-images-given-a-date)
+* [GKE](#gke)
+* [Cloud Run](#cloud-run)
+* [Machine Learning](#machine-learning)
+* [Deployment Manager](#deployment-manager)
+
 ## References
 * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html)
 * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections)

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -641,6 +641,18 @@ gcloud container clusters describe mycluster --format='get(endpoint)'
 gcloud container clusters get-credentials private-cluster --zone us-central1-a --internal-ip
 ```
 
+## Cloud Run
+```
+# deploy a service on Cloud Run in us-central1 and allow unauthenticated user
+gcloud beta run deploy --image gcr.io/${PROJECT-ID}/helloworld --platform managed --region us-central1 --allow-unauthenticated
+
+# list services
+gcloud beta run services list
+# get endpoint url for a service
+gcloud beta run services describe <service_name> --format="get(status.url)"
+```
+
+
 ## Machine Learning
 ```
 brew install bat

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -119,7 +119,6 @@ gcloud projects list --uri
 ```
 
 ## IAM service account
-* [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 
 ```
 export SA_EMAIL=$(gcloud iam service-accounts list \
@@ -147,11 +146,24 @@ gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.securityAdm
     --member serviceAccount:$SA_EMAIL
 gcloud projects add-iam-policy-binding $PROJECT --role roles/iam.serviceAccountActor \
     --member serviceAccount:$SA_EMAIL
+```
+* [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 
+```
 # service account level: add role to service account
 gcloud iam service-accounts get-iam-policy <sa_email>
 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor'
 ```
+* https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials
+* https://medium.com/@tanujbolisetty/gcp-impersonate-service-accounts-36eaa247f87c
+* https://medium.com/wescale/how-to-generate-and-use-temporary-credentials-on-google-cloud-platform-b425ef95a00d
+* https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken shows the lifetime of the OAuth token of 3600 seconds by default
+
+```
+# user:[email protected] impersonate as a svc account terraform@${PROJECT_ID}.iam.gserviceaccount.com
+gcloud iam service-accounts add-iam-policy-binding  terraform@${PROJECT_ID}.iam.gserviceaccount.com --member=user:[email protected] --role roles/iam.serviceAccountTokenCreator
+gcloud container clusters list --impersonate-service-account=terraform@${PROJECT_ID}.iam.gserviceaccount.com
+```
 
 ### GCS bucket level
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -43,8 +43,6 @@ project=$(gcloud config get-value core/project 2> /dev/null)
 # switch project based on the name
 gcloud config set project $(gcloud projects list --filter='name:wordpress-dev' --format='value(project_id)')
 
-# get the GKE cluster endpoint
-gcloud container clusters describe mycluster --zone $(gcloud config get-value compute/zone) --format='get(endpoint)'
 ```
 
 ```
@@ -616,9 +614,15 @@ gcloud beta container clusters create run-gke \
 
 ```
 # create a VPC native cluster
-gcloud container clusters create k1 --network custom-ip-vpc --subnetwork subnet-alias  --enable-ip-alias --cluster-ipv4-cidr=/16   --services-ipv4-cidr=/22
+gcloud container clusters create k1 \
+--network custom-ip-vpc --subnetwork subnet-alias \
+--enable-ip-alias --cluster-ipv4-cidr=/16   --services-ipv4-cidr=/22
 ```
 
+```
+# get the GKE endpoint
+gcloud container clusters describe mycluster --format='get(endpoint)'
+```
 
 ```
 # generate a ~/.kube/config for private cluster with private endpoint

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -109,7 +109,12 @@ gcloud organizations list
 ## IAM list permission and roles for a given resource
 ```
 gcloud iam list-testable-permissions <uri>
+e.g gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/$PROJECT_ID
+
 gcloud iam list-grantable-roles <uri>
+e.g. 
+gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/$PROJECT_ID
+gcloud iam list-grantable-roles https://www.googleapis.com/compute/v1/projects/$PROJECT_ID/zones/us-central1-a/instances/iowa1
 
 # get uri e.g.
 gcloud projects list --uri

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -615,6 +615,11 @@ gcloud container clusters create k1 --network custom-ip-vpc --subnetwork subnet-
 ```
 
 
+```
+# generate a ~/.kube/config for private cluster with private endpoint
+gcloud container clusters get-credentials private-cluster --zone us-central1-a --internal-ip
+```
+
 ## Machine Learning
 ```
 brew install bat

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -278,6 +278,18 @@ gcloud compute ssh --verbosity=debug <instance_name> --command "kubectl get node
 
 gcloud compute scp  --recurse ../manifest <instance_name>:
 ```
+
+### SSH via IAP
+* https://cloud.google.com/iap/docs/using-tcp-forwarding
+
+```
+# find out access-config-name's name
+gcloud compute instances describe oregon1
+# remove the external IP
+gcloud compute instances delete-access-config  oregon1 --access-config-name "External NAT"
+# connect via IAP, assuming the IAP is granted to the account used for login. 
+gcloud beta compute ssh oregon1 --tunnel-through-iap
+```
 ### ssh port forwarding for elasticsearch
 ```
 gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1"  --ssh-flag="-L localhost:9200:localhost:9200"

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -14,6 +14,7 @@
 
 ## multiple gcloud config configurations
 * https://www.jhanley.com/google-cloud-understanding-gcloud-configurations/
+* https://medium.com/infrastructure-adventures/working-with-multiple-environment-in-gcloud-cli-93b2d4e8cf1e
 
 ```
 gcloud config configurations create pythonrocks

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -606,4 +606,8 @@ gcloud container clusters create k1 --network custom-ip-vpc --subnetwork subnet-
 ```
 brew install bat
 gcloud ml language analyze-entities --content="Michelangelo Caravaggio, Italian painter, is known for 'The Calling of Saint Matthew'." | bat  -l json
-```
+```
+
+## Deployment Manager
+* https://cloud.google.com/sdk/gcloud/reference/deployment-manager/deployments/
+Play with the commands for preview and cancel-preview. 
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -16,11 +16,13 @@
 * https://www.jhanley.com/google-cloud-understanding-gcloud-configurations/
 
 ```
-$gcloud config configurations list
-NAME           IS_ACTIVE  ACCOUNT                  PROJECT             DEFAULT_ZONE  DEFAULT_REGION
-default        False      [email protected]     operator  us-west1-b    us-west1
-someone  True       [email protected]  dev-env     us-west1-b    us-west1
-$gcloud config configurations activate default
+gcloud config configurations create pythonrocks
+gcloud config configurations list
+gcloud config configurations activate pythonrocks
+gcloud config set core/account [email protected]
+gcloud auth login
+gcloud projects list
+gcloud config set project dev-193420
 ```
 
 ### switch gcloud context with gcloud config
No results found