Last active
September 26, 2025 13:50
Revisions
pydevops revised this gist
Oct 20, 2021. 1 changed file with 28 additions and 1 deletion.
@@ -45,6 +45,7 @@ * [0.17.6. forwarding-rules](#0176-forwarding-rules) * [0.17.7. address](#0177-address) * [0.17.8. private service access](#0178-private-service-access) * [0.17.9. shared vpc](#0179-shared-vpc) * [0.18. interconnect](#018-interconnect) * [0.19. GCP managed ssl certificates](#019-gcp-managed-ssl-certificates) * [0.20. Cloud logging](#020-cloud-logging) @@ -157,6 +158,15 @@ export PROJECT=$(gcloud info --format='value(config.project)') ## 0.6. projects ```bash # create a project gcloud projects create ${PROJECT_ID} --organization=${ORGANIZATION_ID} --folder=${FOLDER_ID} # link the project with a given billing account gcloud beta billing projects link ${PROJECT_ID} --billing-account ${BILLING_ACCOUNT_ID} # delete a project gcloud projects delete --quiet ${PROJECT_ID} # various way to get project_id PROJECT_ID=$(gcloud config get-value core/project 2>/dev/null) PROJECT_ID=$(gcloud config list project --format='value(core.project)')
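Review bot: In the `## 0.6. projects` hunk, `gcloud projects create ${PROJECT_ID} --organization=${ORGANIZATION_ID} --folder=${FOLDER_ID}` passes both parent flags, but a project has exactly one parent and `gcloud projects create` accepts at most one of `--organization` / `--folder`; as written the command is rejected. Show the two forms on separate lines, e.g. `gcloud projects create ${PROJECT_ID} --organization=${ORGANIZATION_ID}` and `gcloud projects create ${PROJECT_ID} --folder=${FOLDER_ID}`, so a reader copying the cheatsheet does not have to discover the conflict at runtime.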
@@ -734,6 +744,23 @@ Useful for services like Cloud SQL and Redis, peering between a custom VPC to a gcloud services vpc-peerings list --network=my-vpc ``` ### 0.17.9. shared vpc ```bash # Enable shared-vpc in '${NETWORK_PROJECT_ID}' gcloud services enable --project ${NETWORK_PROJECT_ID} compute.googleapis.com gcloud compute shared-vpc enable ${NETWORK_PROJECT_ID} # Associate a service project with '${NETWORK_PROJECT_ID}' gcloud services enable --project ${PLATFORM_PROJECT_ID} compute.googleapis.com gcloud compute firewall-rules delete --project ${PLATFORM_PROJECT_ID} --quiet default-allow-icmp default-allow-internal default-allow-rdp default-allow-ssh gcloud compute networks delete --project ${PLATFORM_PROJECT_ID} --quiet default gcloud compute shared-vpc associated-projects add ${PLATFORM_PROJECT_ID} --host-project ${NETWORK_PROJECT_ID} ## Disassociate a service project from host project. gcloud compute shared-vpc associated-projects remove ${PLATFORM_PROJECT_ID} --host-project ${NETWORK_PROJECT_ID} ``` ## 0.18. interconnect ```bash @@ -1010,4 +1037,4 @@ gcloud auth configure-docker ${GCP_REGION}-docker.pkg.dev ```bash brew install bat gcloud ml language analyze-entities --content="Michelangelo Caravaggio, Italian painter, is known for 'The Calling of Saint Matthew'." | bat -l json ``` -
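Review bot: In the `### 0.17.9. shared vpc` hunk, the comment `# Associate a service project with '${NETWORK_PROJECT_ID}'` sits above two destructive steps that the comment does not describe: `gcloud compute firewall-rules delete --project ${PLATFORM_PROJECT_ID} --quiet default-allow-icmp default-allow-internal default-allow-rdp default-allow-ssh` and `gcloud compute networks delete --project ${PLATFORM_PROJECT_ID} --quiet default`. Removing the service project's default network (and its `0.0.0.0/0` SSH/RDP allow rules) is good hygiene before attaching it to a host project, but with `--quiet` there is no confirmation prompt, so give those two lines their own comment stating that they wipe the `default` network in the service project and must not be run against a project that still has instances on it. Minor: `## Disassociate a service project from host project.` uses a double `#` while every other comment in the block uses a single one.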
pydevops revised this gist
Jun 25, 2021. 1 changed file with 79 additions and 18 deletions.
@@ -58,8 +58,8 @@ * [0.25.1. create a GKE cluster with label and query it later](#0251-create-a-gke-cluster-with-label-and-query-it-later) * [0.26. Cloud SQL](#026-cloud-sql) * [0.27. Cloud Run](#027-cloud-run) * [0.28 Artifact registry](#028-artifact-registry) * [0.29. Machine Learning](#029-machine-learning) ## 0.1. References * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html) * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections) @@ -139,6 +139,9 @@ gcloud auth application-default print-access-token # Service Account: to authenticate with a user identity (via a web flow) but using the credentials as a proxy for a service account. gcloud auth activate-service-account --key-file=sa_key.json # use GOOGLE_APPLICATION_CREDENTIALS pointing to JSON key export GCP_REGION="us-east1" gcloud auth configure-docker ${GCP_REGION}-docker.pkg.dev ``` kubectl uses OAuth token generated by
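Review bot: In the `## 0.4. Credentials` hunk, the new `gcloud auth configure-docker ${GCP_REGION}-docker.pkg.dev` lines are appended directly under `gcloud auth activate-service-account --key-file=sa_key.json`, which reads as "push images with a downloaded service-account key file". The gist's own 0.11.2 section argues for short-lived impersonation tokens over service-account keys, so a one-line comment that `configure-docker` only registers the gcloud credential helper in `~/.docker/config.json` and uses whatever identity is currently active (user login or impersonated account included, not necessarily a key file) would keep the two sections consistent. Also `export GCP_REGION="us-east1"` should be set before, not in the middle of, the auth commands, or dropped here since the Artifact registry section defines it again.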
@@ -359,6 +362,19 @@ gcloud builds submit --config=cloudbuild.yaml --substitutions=_BRANCH_NAME=foo,_ # override built in TAG_NAME gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=v1.0.1 # cloud build with artifact registry export GCP_REGION="us-east1" export TEST_IMAGE="us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0" export IMAGE_NAME="hello-app" export REPO_NAME=team1 export TAG_NAME="tag1" docker pull $TEST_IMAGE docker tag $TEST_IMAGE \ ${GCP_REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/${IMAGE_NAME}:${TAG_NAME} docker push ${GCP_REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/${IMAGE_NAME}:${TAG_NAME} # build / push image to artifact registry (using local Dockerfile) gcloud builds submit --tag ${GCP_REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/${IMAGE_NAME}:${TAG} ``` ### 0.13.1. Cloud build trigger GCE rolling replace/start @@ -771,8 +787,8 @@ gcloud services enable sourcerepo.googleapis.com ```bash function enable-service() { SERVICE=$1 if [[ $(gcloud services list --format="value(config.name)" \ --filter="config.name:$SERVICE" 2>&1) != \ "$SERVICE" ]]; then echo "Enabling $SERVICE" gcloud services enable $SERVICE 
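Review bot: In the `# cloud build with artifact registry` hunk, the final command `gcloud builds submit --tag ${GCP_REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/${IMAGE_NAME}:${TAG}` references `${TAG}`, but the variable exported a few lines above is `TAG_NAME`; with `TAG` unset the image reference ends in a bare `:` and the build fails. Change it to `:${TAG_NAME}` to match the `docker tag` / `docker push` lines. In the `enable-service` hunk, the `--format` change from `serviceConfig.name` to `config.name` is correct for the current `gcloud services list` output, but the `2>&1` inside the `$(...)` means any gcloud warning text is compared against `$SERVICE` and silently causes a re-enable; drop the stderr redirect or test the exit status instead.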
@@ -927,26 +943,71 @@ gcloud run services list # get endpoint url for a service gcloud run services describe <service_name> --format="get(status.url)" export SA_NAME="cloud-scheduler-runner" export SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" # create service account gcloud iam service-accounts create $SA_NAME \ --display-name "${SA_NAME}" # add sa binding to cloud run app gcloud run services add-iam-policy-binding $APP_DIR \ --platform managed \ --region $GCP_REGION \ --member=serviceAccount:$SA_EMAIL \ --role=roles/run.invoker # fetch the service URL export APP="helloworld" export SVC_URL=$(gcloud run services describe $APP --platform managed --region $GCP_REGION --format="value(status.url)") # create the job to hit URL every 1 minute gcloud scheduler jobs create http test-job --schedule "*/1 * * * *" \ --http-method=GET \ --uri=$SVC_URL \ --oidc-service-account-email=$SA_EMAIL \ --oidc-token-audience=$SVC_URL export GCP_REGION="us-east1" export SERVICE_NAME="hello-service" # deploy app to Cloud Run gcloud run deploy $SERVICE_NAME \ --platform managed \ --region $GCP_REGION \ --allow-unauthenticated \ --image ${GCP_REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/${IMAGE_NAME}:${TAG_NAME} # confirm service is running gcloud run services list \ --platform managed \ --region $GCP_REGION # test URL export SVC_URL=$(gcloud run services describe $SERVICE_NAME --platform managed --region $GCP_REGION --format="value(status.url)") curl -X GET $SVC_URL # Hello, world! # Version: 1.0.0 # Hostname: localhost ``` ## 0.28 Artifact registry ```bash export REPO_NAME=team1 export GCP_REGION="us-east1" gcloud artifacts repositories create $REPO_NAME \ --repository-format=docker \ --location=$GCP_REGION \ --description="Docker repository" # configure auth gcloud auth configure-docker ${GCP_REGION}-docker.pkg.dev ``` ## 0.29. 
Machine Learning ```bash brew install bat gcloud ml language analyze-entities --content="Michelangelo Caravaggio, Italian painter, is known for 'The Calling of Saint Matthew'." | bat -l json ``` -
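Review bot: In the `## 0.27. Cloud Run` hunk, the removed lines were the only authenticated-invocation example in the section (service account with `--role=roles/run.invoker` plus a Cloud Scheduler job using `--oidc-service-account-email` / `--oidc-token-audience`), and the replacement deploys with `--allow-unauthenticated`. Keep one authenticated example alongside the public one, or at least comment that `--allow-unauthenticated` makes `$SVC_URL` reachable by anyone on the Internet, since the expected `Hello, world!` output then documents a public endpoint. The `--image ${GCP_REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/${IMAGE_NAME}:${TAG_NAME}` line depends on `REPO_NAME`, `IMAGE_NAME` and `TAG_NAME` that are only exported in the Cloud Build section; redefine them here so the block runs on its own. Style: the new heading `## 0.28 Artifact registry` (and its TOC entry) is missing the trailing period that every other heading number carries.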
pydevops revised this gist
Jun 25, 2021. 1 changed file with 209 additions and 166 deletions.
@@ -1,26 +1,25 @@ * [0.1. References](#01-references) * [0.2. Other cheatsheets](#02-other-cheatsheets) * [0.3. Manage multiple gcloud config configurations](#03-manage-multiple-gcloud-config-configurations) * [0.3.1. Switch gcloud context with gcloud config](#031-switch-gcloud-context-with-gcloud-config) * [0.4. Credentials](#04-credentials) * [0.5. info](#05-info) * [0.6. projects](#06-projects) * [0.7. zones & regions](#07-zones--regions) * [0.8. Organization](#08-organization) * [0.9. billing](#09-billing) * [0.10. IAM](#010-iam) * [0.11. service account](#011-service-account) * [0.11.1. as an identity](#0111-as-an-identity) * [0.11.2. service account as a resource](#0112-service-account-as-a-resource) * [0.11.3. GCS bucket level](#0113-gcs-bucket-level) * [0.12. App engine](#012-app-engine) * [0.13. Cloud Build](#013-cloud-build) * [0.13.1. Cloud build trigger GCE rolling replace/start](#0131-cloud-build-trigger-gce-rolling-replacestart) * [0.14. KMS](#014-kms) * [0.15. Secret Manager](#015-secret-manager) * [0.16. Compute Engine](#016-compute-engine) * [0.16.1. gcloud command for creating an instance](#0161-gcloud-command-for-creating-an-instance) * [0.16.2. list compute images](#0162-list-compute-images) * [0.16.3. list an instance](#0163-list-an-instance) * [0.16.4. move instance](#0164-move-instance)
@@ -37,31 +36,31 @@ * [0.16.15. MIG with startup and shutdown scripts](#01615-mig-with-startup-and-shutdown-scripts) * [0.16.16. disk snapshot](#01616-disk-snapshot) * [0.16.17. regional disk](#01617-regional-disk) * [0.17. Networking](#017-networking) * [0.17.1. network and subnets](#0171-network-and-subnets) * [0.17.2. route](#0172-route) * [0.17.3. firewall rules](#0173-firewall-rules) * [0.17.4. Network LB](#0174-network-lb) * [0.17.5. Global LB](#0175-global-lb) * [0.17.6. forwarding-rules](#0176-forwarding-rules) * [0.17.7. address](#0177-address) * [0.17.8. private service access](#0178-private-service-access) * [0.18. interconnect](#018-interconnect) * [0.19. GCP managed ssl certificates](#019-gcp-managed-ssl-certificates) * [0.20. Cloud logging](#020-cloud-logging) * [0.21. Service](#021-service) * [0.21.1. list service available](#0211-list-service-available) * [0.21.2. Enable Service](#0212-enable-service) * [0.22. Client libraries you can use to connect to Google APIs](#022-client-libraries-you-can-use-to-connect-to-google-apis) * [0.23. chaining gcloud commands](#023-chaining-gcloud-commands) * [0.24. one liner to purge GCR images given a date](#024-one-liner-to-purge-gcr-images-given-a-date) * [0.25. GKE](#025-gke) * [0.25.1. create a GKE cluster with label and query it later](#0251-create-a-gke-cluster-with-label-and-query-it-later) * [0.26. Cloud SQL](#026-cloud-sql) * [0.27. Cloud Run](#027-cloud-run) * [0.28. Machine Learning](#028-machine-learning) * [0.29. Deployment Manager](#029-deployment-manager) ## 0.1. References * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html) * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections) * [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters) 
@@ -74,13 +73,15 @@ * https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/ ## 0.2. Other cheatsheets * https://cloud.google.com/sdk/docs/cheatsheet ## 0.3. Manage multiple gcloud config configurations * https://www.jhanley.com/google-cloud-understanding-gcloud-configurations/ * https://medium.com/infrastructure-adventures/working-with-multiple-environment-in-gcloud-cli-93b2d4e8cf1e ```bash gcloud config configurations create pythonrocks gcloud config configurations list gcloud config configurations activate pythonrocks @@ -91,7 +92,7 @@ gcloud config set project mygcp-demo ### 0.3.1. Switch gcloud context with gcloud config ```bash gcloud config list gcloud config set account [email protected] gcloud config set project mygcp-demo @@ -120,24 +121,28 @@ fi ``` ## 0.4. Credentials * https://stackoverflow.com/questions/53306131/difference-between-gcloud-auth-application-default-login-and-gcloud-auth-logi/53307505 * https://medium.com/google-cloud/local-remote-authentication-with-google-cloud-platform-afe3aa017b95 ```bash # List all credentialed accounts. gcloud auth list # to authenticate with a user identity (via web flow) which then authorizes gcloud and other SDK tools to access Google Cloud Platform. gcloud auth login # Display the current account's access token. gcloud auth print-access-token gcloud auth application-default login gcloud auth application-default print-access-token # Service Account: to authenticate with a user identity (via a web flow) but using the credentials as a proxy for a service account. gcloud auth activate-service-account --key-file=sa_key.json # use GOOGLE_APPLICATION_CREDENTIALS pointing to JSON key ``` kubectl uses OAuth token generated by * `gcloud config config-helper --format='value(credential.access_token)'` ## 0.5. info 
@@ -148,7 +153,7 @@ export PROJECT=$(gcloud info --format='value(config.project)') ## 0.6. projects ```bash # various way to get project_id PROJECT_ID=$(gcloud config get-value core/project 2>/dev/null) PROJECT_ID=$(gcloud config list project --format='value(core.project)') @@ -160,19 +165,33 @@ PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format="value(projectN PROJECT_NUMBER=$(gcloud projects list --filter="name:${project_name}" --format='value(project_number)') ``` ```bash # get uri e.g. gcloud projects list --uri ``` ## 0.7. zones & regions To return a list of zones given a region ```bash gcloud compute zones list --filter=region:us-central1 # list regions gcloud compute regions list ``` ## 0.8. Organization ```bash gcloud organizations list # for a single org, get its id ORG_ID=$(gcloud organizations list --format 'value(ID)') # list top level projects gcloud projects list --filter "parent.id=$ORG_ID AND parent.type=organization" # list top level folders gcloud resource-manager folders list --organization=$ORG_ID # list sub folders given upper level folder id 
@@ -194,47 +213,56 @@ gcloud resource-manager folders add-iam-policy-binding ${folder_id} \ ``` ## 0.9. billing ```bash gcloud beta billing accounts list # enable a billing account with a project, assuming the user or service account has "Billing Account User" role. gcloud beta billing projects link ${project_id} \ --billing-account ${ORGANIZATION_BILLING_ACCOUNT} ``` ## 0.10. IAM * https://github.com/darkbitio/gcp-iam-role-permissions ```bash # list roles gcloud iam roles list --filter='etag:AA==' gcloud iam roles describe roles/container.admin gcloud iam list-testable-permissions <uri> e.g gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/$PROJECT_ID gcloud iam list-grantable-roles <uri> e.g. gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/$PROJECT_ID gcloud iam list-grantable-roles https://www.googleapis.com/compute/v1/projects/$PROJECT_ID/zones/us-central1-a/instances/iowa1 ``` ``` # list custom roles gcloud iam roles list --project $PROJECT_ID # create custom role in the following 2 ways, either on project level (--project [PROJECT_ID]) or org level (--organization [ORGANIZATION_ID]) 1. gcloud iam roles create editor --project $PROJECT_ID --file role-definition.yaml 2. gcloud iam roles create viewer --project $PROJECT_ID --title "Role Viewer" --description "Custom role description." --permissions compute.instances.get,compu te.instances.list --stage ALPHA ``` ## 0.11. service account * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts) ### 0.11.1. 
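Review bot: In the `## 0.10. IAM` hunk, the custom-role example `--permissions compute.instances.get,compu te.instances.list` has a space inside the second permission name, so the command fails with an unknown permission; it should read `compute.instances.get,compute.instances.list`. The same block is opened with a bare ``` ``` ``` right after the previous block's closing fence, without the `bash` tag used everywhere else, and its two commands are prefixed with `1.` and `2.`, which are not valid shell; either make them comments (`# 1. from a YAML file`) or drop the numbering. Since this is the section that grants permissions, a note that custom roles should be created with `--stage ALPHA` only while the permission set is still being reviewed, as the example already does, would help readers understand why the flag is there.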
as an identity ```bash export SA_EMAIL=$(gcloud iam service-accounts list \ --filter="displayName:jenkins" --format='value(email)') export PROJECT=$(gcloud info --format='value(config.project)') # create and list sa gcloud iam service-accounts create jenkins --display-name jenkins gcloud iam service-accounts list gcloud iam service-accounts list --filter='email ~ [0-9]*-compute@.*' --format='table(email)' # create & list sa key gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL 
@@ -267,13 +295,29 @@ gcloud projects add-iam-policy-binding ${PROJECT} \ ``` ### 0.11.2. service account as a resource * https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials * https://medium.com/@tanujbolisetty/gcp-impersonate-service-accounts-36eaa247f87c * https://medium.com/wescale/how-to-generate-and-use-temporary-credentials-on-google-cloud-platform-b425ef95a00d * https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken shows the lifetime of the OAuth token of 3600 seconds by default ```bash gcloud iam service-accounts get-iam-policy <sa_email>, eg. gcloud iam service-accounts get-iam-policy secret-accessor-dev@$PROJECT_ID.iam.gserviceaccount.com --project $PROJECT_ID bindings: - members: - serviceAccount:<project-id>.svc.id.goog[default/secret-accessor-dev] role: roles/iam.workloadIdentityUser etag: BwWhFqqv9aQ= version: 1 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor' ``` We can impersonate service account from a user or another service account, a short-lived token is used instead of service account key. ```bash # serviceAccount:ansible impersonate as a svc account terraform@${PROJECT_ID}.iam.gserviceaccount.com # ${SA_PROJECT_ID} is the global project storing all the service accounts TF_SA_EMAIL=terraform@${SA_PROJECT_ID}.iam.gserviceaccount.com ANSIBLE_SA_EMAIL="ansible@${SA_PROJECT_ID}.iam.gserviceaccount.com" 
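Review bot: In the `### 0.11.2. service account as a resource` hunk, `--role='roles/iam.serviceAccountActor'` grants a role that Google has deprecated in favour of `roles/iam.serviceAccountUser` (attach / run as the account) and `roles/iam.serviceAccountTokenCreator` (mint short-lived tokens); the impersonation example a few lines later already uses `roles/iam.serviceAccountTokenCreator`, so the binding line should match it. The pasted `bindings: - members: ... etag: BwWhFqqv9aQ= version: 1` YAML sits inside the ```bash``` block as if it were commands; prefix it with `#` or move it to its own unfenced output block so the section stays copy-pasteable. The new prose line "a short-lived token is used instead of service account key" is the key security point of the section and deserves to be the first sentence, before the links.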
@@ -285,55 +329,29 @@ gcloud iam service-accounts add-iam-policy-binding ${TF_SA_EMAIL} \ gcloud projects --impersonate-service-account=$TF_SA_EMAIL create $A_PROJECT_ID --name=$A_PROJECT_NAME --folder=$A_FOLDER_ID ``` ```bash # user:[email protected] impersonate as a svc account terraform@${PROJECT_ID}.iam.gserviceaccount.com TF_SA_EMAIL=terraform@your-service-account-project.iam.gserviceaccount.com gcloud iam service-accounts add-iam-policy-binding $TF_SA_EMAIL --member=user:pythonrocks@gmail.com \ --role roles/iam.serviceAccountTokenCreator gcloud container clusters list --impersonate-service-account=terraform@${PROJECT_ID}.iam.gserviceaccount.com ``` ### 0.11.3. GCS bucket level ```bash gsutil iam get gs://${BUCKET_NAME} -p ${PROJECT_ID} COMPUTE_ENGINE_SA_EMAIL=$(gcloud iam service-accounts list --filter="name:Compute Engine default service account" --format "value(email)") gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://${BUCKET_NAME} ``` ## 0.12. App engine * https://medium.com/google-cloud/app-engine-project-cleanup-9647296e796a ## 0.13. Cloud Build ``` # user defined @@ -347,7 +365,7 @@ gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=v1.0.1 * https://medium.com/google-cloud/continuous-delivery-in-google-cloud-platform-cloud-build-with-compute-engine-a95bf4fd1821 * https://cloud.google.com/compute/docs/instance-groups/updating-managed-instance-groups#performing_a_rolling_replace_or_restart ```bash steps: - name: 'gcr.io/cloud-builders/docker' args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/gcp-cloudbuild-gce-angular', '.' ] @@ -359,10 +377,11 @@ images: ``` ## 0.14. KMS * [cloud-encrypt-with-kms](https://codelabs.developers.google.com/codelabs/cloud-encrypt-with-kms/#0) * [Integrated with cloud build](https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials) ```bash # list all keyrings gcloud kms keyrings list --location global # list all keys in my_key_ring 
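Review bot: In the impersonation hunk, `TF_SA_EMAIL=terraform@your-service-account-project.iam.gserviceaccount.com` is set and bound with `roles/iam.serviceAccountTokenCreator`, but the command that exercises it, `gcloud container clusters list --impersonate-service-account=terraform@${PROJECT_ID}.iam.gserviceaccount.com`, names a service account in a different project; use `--impersonate-service-account=$TF_SA_EMAIL` so the example is internally consistent. In the `### 0.11.3. GCS bucket level` part, the `COMPUTE_ENGINE_SA_EMAIL` filter on `name:Compute Engine default service account` is fine, but the following `gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://${BUCKET_NAME}` grants bucket read to the default compute service account, which every VM in the project runs as by default; a comment flagging that this widens access to all instances would help.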
@@ -393,9 +412,8 @@ curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locati ``` ## 0.15. Secret Manager ```bash # create a secret gcloud secrets create SECRET_NAME --replication-policy="automatic" #create a secret version @@ -410,9 +428,10 @@ gcloud secrets update SECRET_NAME --update-labels=KEY=VALUE ## 0.16. Compute Engine ### 0.16.1. gcloud command for creating an instance from web console ```bash gcloud compute instances create [INSTANCE_NAME] \ --image-family [IMAGE_FAMILY] \ --image-project [IMAGE_PROJECT] \ @@ -422,7 +441,8 @@ gcloud compute instances create micro1 --zone=us-west1-a --machine-type=f1-micro ``` ### 0.16.2. list compute images ```bash gcloud compute images list --filter=name:debian --uri https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-8-jessie-v20180109 https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-9-stretch-v20180105 @@ -433,11 +453,12 @@ gcloud compute images list --project windows-cloud --no-standard-images gcloud compute images list --project gce-uefi-images --no-standard-images ``` ### 0.16.3. list an instance * [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters) * [resource-keys](https://cloud.google.com/sdk/gcloud/reference/topic/resource-keys) ```bash gcloud compute instances list --filter="zone:us-central1-a" gcloud compute instances list --project=dev --filter="name~^es" gcloud compute instances list --project=dev --filter=name:kafka --format="value(name,INTERNAL_IP)" 
@@ -449,10 +470,12 @@ gcloud compute instances list --filter='tags.items:(gke-whatever)' ``` ### 0.16.4. move instance `gcloud compute instances move <instance_wanna_move> --destination-zone=us-central1-a --zone=us-central1-c` ### 0.16.5. ssh & scp ```bash #--verbosity=debug is great for debugging, showing the SSH command # the following is a real word example for running a bastion server that talks to a GKE cluster (master authorized network) gcloud compute ssh --verbosity=debug <instance_name> --command "kubectl get nodes" @@ -461,37 +484,44 @@ gcloud compute scp --recurse ../manifest <instance_name>: ``` ### 0.16.6. SSH via IAP * https://cloud.google.com/iap/docs/using-tcp-forwarding ```bash # find out access-config-name's name gcloud compute instances describe oregon1 # remove the external IP gcloud compute instances delete-access-config oregon1 --access-config-name "External NAT" # connect via IAP, assuming the IAP is granted to the account used for login. gcloud beta compute ssh oregon1 --tunnel-through-iap ``` ### 0.16.7. ssh port forwarding for elasticsearch ```bash gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1" --ssh-flag="-L localhost:9200:localhost:9200" ``` The 2nd `localhost` is relative to elasticsearch-1` ### 0.16.8. ssh reverse port forwarding For example, how to connect to home server's flask server (tcp port 5000) for a demo or a local game server in development. ```bash GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project) gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh-flag="-v -N -R :5000:localhost:5000" "google_cloud_bastion_server" ``` ### 0.16.9. generate ssh config ```bash gcloud compute config-ssh ``` ### 0.16.10. Windows RDP reset windows password returns the IP and password for creating the RDP connection. ```bash gcloud compute reset-windows-password instance --user=jdoe ip_address: 104.199.119.166 
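Review bot: In the `### 0.16.8. ssh reverse port forwarding` hunk, `--ssh-flag="-v -N -R :5000:localhost:5000"` uses an empty bind address in `-R`, which asks `sshd` on the bastion to listen on all interfaces; that only happens when the server has `GatewayPorts` enabled, otherwise the listener is bound to loopback on the bastion. The prose above it should state which behaviour is intended, since exposing a development server on the bastion's external interface is a different thing from a loopback-only tunnel. In `### 0.16.6. SSH via IAP`, the comment `# connect via IAP, assuming the IAP is granted to the account used for login.` should name the role (`roles/iap.tunnelResourceAccessor`) so the assumption is checkable. Typo: "The 2nd `localhost` is relative to elasticsearch-1`" has a stray trailing backtick.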
@@ -502,24 +532,27 @@ username: jode ### 0.16.11. debugging * `gcloud compute instances list --log-http` * [serial port debug](https://cloud.google.com/compute/docs/instances/interacting-with-serial-console) ### 0.16.12. instance level metadata ```bash curl -s "http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true&alt=text" -H "Metadata-Flavor: Google" leader=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/attributes/leader" -H "Metadata-Flavor: Google") ``` ### 0.16.13. project level metadata ```bash gcloud compute project-info describe gcloud compute project-info describe --flatten="commonInstanceMetadata[]" ``` ### 0.16.14. instances, template, target-pool and instance group ```bash cat << EOF > startup.sh #! /bin/bash apt-get update @@ -538,9 +571,10 @@ gcloud compute instance-groups managed create nginx-group \ ``` ### 0.16.15. MIG with startup and shutdown scripts https://cloud.google.com/vpc/docs/special-configurations#multiple-natgateways ```bash gsutil cp gs://nat-gw-template/startup.sh . gcloud compute instance-templates create nat-1 \ 
@@ -552,32 +586,33 @@ gcloud compute instance-templates create nat-2 \ --metadata-from-file=startup-script=startup.sh --address $nat_2_ip ``` ### 0.16.16. disk snapshot ```bash gcloud compute disks snapshot kafka-data1-1 --async --snapshot-names=kafka-data-1 --project project_a --zone us-west1-a Use [gcloud compute operations describe URI] command to check the status of the operation(s). ``` ### 0.16.17. regional disk ```bash gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional ``` ## 0.17. Networking ### 0.17.1. network and subnets ```bash gcloud compute networks create privatenet --subnet-mode=custom gcloud compute networks subnets create privatesubnet-us --network=privatenet --region=us-central1 --range=172.16.0.0/24 gcloud compute networks subnets create privatesubnet-eu --network=privatenet --region=europe-west1 --range=172.20.0.0/20 gcloud compute networks subnets list --sort-by=NETWORK ``` ### 0.17.2. route tag the instances with `no-ip` ```bash gcloud compute instances add-tags existing-instance --tags no-ip gcloud compute routes create no-ip-internet-route \ --network custom-network1 \ @@ -586,10 +621,12 @@ gcloud compute routes create no-ip-internet-route \ --next-hop-instance-zone us-central1-a \ --tags no-ip --priority 800 ``` ### 0.17.3. firewall rules * https://medium.com/@swongra/protect-your-google-cloud-instances-with-firewall-rules-69cce960fba ```bash # allow SSH, RDP and ICMP for the given network gcloud compute firewall-rules create managementnet-allow-icmp-ssh-rdp --direction=INGRESS --priority=1000 --network=managementnet --action=ALLOW --rules=tcp:22,3389,icmp --source-ranges=0.0.0.0/0 # allow internal from given source range 
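Review bot: In the `### 0.17.3. firewall rules` hunk, `gcloud compute firewall-rules create managementnet-allow-icmp-ssh-rdp ... --rules=tcp:22,3389,icmp --source-ranges=0.0.0.0/0` opens SSH and RDP to the whole Internet, and the comment `# allow SSH, RDP and ICMP for the given network` does not say so. Since section 0.16.6 of the same gist already shows `--tunnel-through-iap` with the external IP removed, suggest either narrowing `--source-ranges` to the IAP range or an admin CIDR, or adding a comment that this rule is the lab-only pattern and the IAP section is the preferred one. In `### 0.16.16. disk snapshot`, the line `Use [gcloud compute operations describe URI] command to check the status of the operation(s).` is gcloud's output pasted inside the ```bash``` block and should be commented out.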
@@ -607,25 +644,25 @@ gcloud compute firewall-rules list \ # sort-by gcloud compute firewall-rules list --sort-by=NETWORK ``` ### 0.17.4. Network LB ```bash gcloud compute firewall-rules create www-firewall --allow tcp:80 gcloud compute forwarding-rules create nginx-lb \ --region us-central1 \ --ports=80 \ --target-pool nginx-pool gcloud compute firewall-rules list --sort-by=NETWORK ``` ### 0.17.5. Global LB * https://cloud.google.com/solutions/scalable-and-resilient-apps ```bash gcloud compute http-health-checks create http-basic-check gcloud compute instance-groups managed \ set-named-ports nginx-group \ @@ -654,14 +691,16 @@ gcloud compute forwarding-rules list ``` ### 0.17.6. forwarding-rules ```bash gcloud compute forwarding-rules list --filter=$(dig +short <dns_name>) gcloud compute forwarding-rules describe my-forwardingrule --region us-central1 gcloud compute forwarding-rules describe my-http-forwardingrule --global ``` ### 0.17.7. address ```bash # get the external IP address of the instance gcloud compute instances describe single-node \ --format='value(networkInterfaces.accessConfigs[0].natIP) 
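Review bot: In the `### 0.17.4. Network LB` hunk, `gcloud compute firewall-rules create www-firewall --allow tcp:80` has neither `--source-ranges` nor `--target-tags`, so it lands in the `default` network, from `0.0.0.0/0`, and applies to every instance in that network rather than only to the `nginx-pool` backends. Add `--target-tags` matching the instance template and, if the LB is the only intended entry point, restrict the source range. The duplicated `gcloud compute firewall-rules list --sort-by=NETWORK` at the end of the block repeats the line that closes the previous section and can be dropped.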
@@ -673,30 +712,32 @@ gcloud projects list --format='value(project_id)' | xargs -I {} gcloud compute a ``` ### 0.17.8. private service access Useful for services like Cloud SQL and Redis, peering between a custom VPC to a managed VPC by google. ```bash gcloud services vpc-peerings list --network=my-vpc ``` ## 0.18. interconnect ```bash # list Google Compute Engine interconnect locations gcloud compute interconnects locations list ``` ## 0.19. GCP managed ssl certificates ```bash gcloud compute ssl-certificates create example-mydomain --domains example.mydomain.com gcloud compute ssl-certificates list gcloud compute ssl-certificates describe example-mydomain # It takes 30mins+ to provision the TLS, one of conditions is the target-https-proxies needs to be associated with the cert. gcloud beta compute target-https-proxies list ``` ## 0.20. Cloud logging ``` gcloud logging read "timestamp >= \"2018-04-19T00:30:00Z\" and logName=projects/${project_id}/logs/requests and resource.type=http_load_balancer" --format="csv(httpRequest.remoteIp,httpRequest.requestUrl,timestamp)" --project=${project_id} ``` @@ -707,9 +748,9 @@ gcloud logging read "timestamp >= \"2018-04-19T00:30:00Z\" and logName=projects `gcloud services list --available` ### 0.21.2. Enable Service ```bash # chain gcloud services enable cloudapis.googleapis.com && \ cloudresourcemanager.googleapis.com && \ @@ -727,7 +768,7 @@ gcloud services enable storage-component.googleapis.com gcloud services enable sourcerepo.googleapis.com ``` ```bash function enable-service() { SERVICE=$1 if [[ $(gcloud services list --format="value(serviceConfig.name)" \ 
@@ -744,11 +785,13 @@ enable-service container.googleapis.com ``` ## 0.22. Client libraries you can use to connect to Google APIs * https://medium.com/google-cloud/simple-google-api-auth-samples-for-service-accounts-installed-application-and-appengine-da30ee4648 ## 0.23. chaining gcloud commands ```bash gcloud compute forwarding-rules list --format 'value(NAME)' \ | xargs -I {} gcloud compute forwarding-rules delete {} --region us-west1 -q @@ -766,17 +809,19 @@ gcloud compute routes list --filter="NOT network=default" --format='value(NAME)' ``` ## 0.24. one liner to purge GCR images given a date ```bash DATE=2018-10-01 IMAGE=<project_id>/<image_name> gcloud container images list-tags gcr.io/$IMAGE --limit=unlimited --sort-by=TIMESTAMP \ --filter="NOT tags:* AND timestamp.datetime < '${DATE}'" --format='get(digest)' | \ while read digest;do gcloud container images delete -q --force-delete-tags gcr.io/$IMAGE@$digest ;done ``` ## 0.25. GKE ```bash # create a private cluster gcloud container clusters create private-cluster \ --private-cluster \ --master-ipv4-cidr 172.16.0.16/28 \ --enable-ip-alias \ @@ -790,7 +835,7 @@ gcloud compute networks subnets create my-subnet \ --region us-central1 \ --secondary-range my-svc-range=10.0.32.0/20,my-pod-range=10.4.0.0/14 gcloud container clusters create private-cluster2 \ --private-cluster \ --enable-ip-alias \ --master-ipv4-cidr 172.16.0.32/28 \ @@ -803,7 +848,7 @@ gcloud beta container clusters create private-cluster2 \ --master-authorized-networks <external_ip_of_kubectl_instance> ``` ```bash # create a GKE cluster with CloudRun,Istio, HPA enabled gcloud beta container clusters create run-gke \ --addons HorizontalPodAutoscaling,HttpLoadBalancing,Istio,CloudRun \ 
@@ -814,10 +859,10 @@ gcloud beta container clusters create run-gke \ --no-enable-ip-alias ``` ```bash export WORKLOAD_POOL=${PROJECT_ID}.svc.id.goog export MESH_ID="proj-${PROJECT_NUMBER}" gcloud bea container clusters create ${CLUSTER_NAME} \ --machine-type=n1-standard-4 \ --num-nodes=4 \ --workload-pool=${WORKLOAD_POOL} \ @@ -827,19 +872,14 @@ gcloud bea contoner clusters create ${CLUSTER_NAME} \ ``` ```bash # create a VPC native cluster gcloud container clusters create k1 \ --network custom-ip-vpc --subnetwork subnet-alias \ --enable-ip-alias --cluster-ipv4-cidr=/16 --services-ipv4-cidr=/22 gcloud container clusters describe mycluster --format='get(endpoint)' # generate a ~/.kube/config for private cluster with private endpoint gcloud container clusters get-credentials private-cluster --zone us-central1-a --internal-ip ``` @@ -851,9 +891,11 @@ gcloud container clusters create example-cluster --labels env=dev gcloud container clusters list --filter resourceLabels.env=dev ``` ## 0.26. Cloud SQL * https://www.qwiklabs.com/focuses/1157?parent=catalog ```bash gcloud sql instances create flights \ --tier=db-n1-standard-1 --activation-policy=ALWAYS gcloud sql users set-password root --host % --instance flights \ @@ -875,14 +917,15 @@ mysql --host=$MYSQLIP --user=root --p ``` ## 0.27. Cloud Run ```bash # deploy a service on Cloud Run in us-central1 and allow unauthenticated user gcloud run deploy --image gcr.io/${PROJECT-ID}/helloworld --platform managed --region us-central1 --allow-unauthenticated # list services gcloud run services list # get endpoint url for a service gcloud run services describe <service_name> --format="get(status.url)" export SERVICE_URL="$(gcloud run services list --platform managed --filter=${SERVICE_NAME} --format='value(URL)')" 
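Review bot: In the GKE hunk the `+` line `gcloud bea container clusters create ${CLUSTER_NAME}` fixes `contoner` from the previous revision but keeps `bea`, which should be `beta`; as committed the command still fails. In the `## 0.27. Cloud Run` hunk, `--image gcr.io/${PROJECT-ID}/helloworld` is not the variable the author means: in bash `${PROJECT-ID}` expands to `$PROJECT` if it is set and to the literal string `ID` otherwise, so the image path becomes `gcr.io/ID/helloworld`; it should be `${PROJECT_ID}` like the rest of the gist. The `export WORKLOAD_POOL=${PROJECT_ID}.svc.id.goog` / `--workload-pool` lines are the right way to avoid node-level service-account credentials on the cluster and merit a short comment saying so, since the private-cluster example above them does not enable Workload Identity.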
@@ -893,17 +936,17 @@ gcloud iam service-accounts create ${SERVICE_ACCOUNT} \ gcloud run services add-iam-policy-binding event-display-scheduled \ --member=serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com \ --role=roles/run.invoker ``` ## 0.28. Machine Learning ```bash brew install bat gcloud ml language analyze-entities --content="Michelangelo Caravaggio, Italian painter, is known for 'The Calling of Saint Matthew'." | bat -l json ``` ## 0.29. Deployment Manager * https://cloud.google.com/sdk/gcloud/reference/deployment-manager/deployments/ Play with the commands for preview and cancel-preview. -
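Review bot: the `gcloud bea container clusters create ${CLUSTER_NAME}` line in the 0.25 GKE hunk still carries a typo: this revision fixes `contoner` but leaves `bea`, so gcloud rejects the command with an invalid-choice error; it should read `gcloud beta container clusters create ${CLUSTER_NAME}`. In the 0.27 Cloud Run hunk, `gcr.io/${PROJECT-ID}/helloworld` is a shell default-value expansion (`${PROJECT-ID}` yields `$PROJECT`, or the literal string `ID` when that variable is unset), not the project id; use `${PROJECT_ID}` as the other Cloud Run lines in the same hunk do.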
pydevops revised this gist
Mar 31, 2021 . 1 changed file with 63 additions and 66 deletions.
@@ -1,69 +1,66 @@ * [0.1. References](#01-references) * [0.2. Other cheatsheets](#02-other-cheatsheets) * [0.3. Manage multiple gcloud config configurations](#03-manage-multiple-gcloud-config-configurations) * [0.3.1. Switch gcloud context with gcloud config](#031-switch-gcloud-context-with-gcloud-config) * [0.4. Auth](#04-auth) * [0.5. info](#05-info) * [0.6. projects](#06-projects) * [0.7. zones & regions](#07-zones--regions) * [0.8. organization](#08-organization) * [0.9. billing](#09-billing) * [0.10. IAM](#010-iam) * [0.11. service account](#011-service-account) * [0.11.1. as an identity](#0111-as-an-identity) * [0.11.2. service account as a resource](#0112-service-account-as-a-resource) * [0.11.3. GCS bucket level](#0113-gcs-bucket-level) * [0.11.4. Custom Roles](#0114-custom-roles) * [0.12. App engine](#012-app-engine) * [0.13. Cloud build](#013-cloud-build) * [0.13.1. Cloud build trigger GCE rolling replace/start](#0131-cloud-build-trigger-gce-rolling-replacestart) * [0.14. KMS](#014-kms) * [0.15. Secret Manager](#015-secret-manager) * [0.16. Compute Engine](#016-compute-engine) * [0.16.1. gcloud command for creating an instance?](#0161-gcloud-command-for-creating-an-instance) * [0.16.2. list compute images](#0162-list-compute-images) * [0.16.3. list an instance](#0163-list-an-instance) * [0.16.4. move instance](#0164-move-instance) * [0.16.5. ssh & scp](#0165-ssh--scp) * [0.16.6. SSH via IAP](#0166-ssh-via-iap) * [0.16.7. ssh port forwarding for elasticsearch](#0167-ssh-port-forwarding-for-elasticsearch) * [0.16.8. ssh reverse port forwarding](#0168-ssh-reverse-port-forwarding) * [0.16.9. generate ssh config](#0169-generate-ssh-config) * [0.16.10. Windows RDP reset windows password](#01610-windows-rdp-reset-windows-password) * [0.16.11. debugging](#01611-debugging) * [0.16.12. instance level metadata](#01612-instance-level-metadata) * [0.16.13. project level metadata](#01613-project-level-metadata) * [0.16.14. 
instances, template, target-pool and instance group](#01614-instances-template-target-pool-and-instance-group) * [0.16.15. MIG with startup and shutdown scripts](#01615-mig-with-startup-and-shutdown-scripts) * [0.16.16. disk snapshot](#01616-disk-snapshot) * [0.16.17. regional disk](#01617-regional-disk) * [0.17. Networking](#017-networking) * [0.17.1. network and subnets](#0171-network-and-subnets) * [0.17.2. route](#0172-route) * [0.17.3. firewall rules](#0173-firewall-rules) * [0.17.4. layer 4 network lb](#0174-layer-4-network-lb) * [0.17.5. layer 7 http lb](#0175-layer-7-http-lb) * [0.17.6. forwarding-rules](#0176-forwarding-rules) * [0.17.7. address](#0177-address) * [0.17.8. private service access](#0178-private-service-access) * [0.18. interconnect](#018-interconnect) * [0.19. GCP managed ssl certificate](#019-gcp-managed-ssl-certificate) * [0.20. StackDriver logging](#020-stackdriver-logging) * [0.21. Service](#021-service) * [0.21.1. list service available](#0211-list-service-available) * [0.21.2. Enable Service](#0212-enable-service) * [0.22. Client libraries you can use to connect to Google APIs](#022-client-libraries-you-can-use-to-connect-to-google-apis) * [0.23. chaining gcloud commands](#023-chaining-gcloud-commands) * [0.24. one liner to purge GCR images given a date](#024-one-liner-to-purge-gcr-images-given-a-date) * [0.25. GKE](#025-gke) * [0.25.1. create a GKE cluster with label and query it later](#0251-create-a-gke-cluster-with-label-and-query-it-later) * [0.26. SQL](#026-sql) * [0.27. Cloud Run](#027-cloud-run) * [0.28. Machine Learning](#028-machine-learning) * [0.29. Deployment Manager](#029-deployment-manager) # 0.1. References * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html) * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections) -
pydevops renamed this gist
Mar 31, 2021 . 1 changed file with 73 additions and 65 deletions.
@@ -1,70 +1,69 @@ Table of Contents ================= * [0.1. References](#01-references) * [0.2. Other cheatsheets](#02-other-cheatsheets) * [0.3. Manage multiple gcloud config configurations](#03-manage-multiple-gcloud-config-configurations) * [0.3.1. Switch gcloud context with gcloud config](#031-switch-gcloud-context-with-gcloud-config) * [0.4. Auth](#04-auth) * [0.5. info](#05-info) * [0.6. projects](#06-projects) * [0.7. zones & regions](#07-zones--regions) * [0.8. organization](#08-organization) * [0.9. billing](#09-billing) * [0.10. IAM](#010-iam) * [0.11. service account](#011-service-account) * [0.11.1. as an identity](#0111-as-an-identity) * [0.11.2. service account as a resource](#0112-service-account-as-a-resource) * [0.11.3. GCS bucket level](#0113-gcs-bucket-level) * [0.11.4. Custom Roles](#0114-custom-roles) * [0.12. App engine](#012-app-engine) * [0.13. Cloud build](#013-cloud-build) * [0.13.1. Cloud build trigger GCE rolling replace/start](#0131-cloud-build-trigger-gce-rolling-replacestart) * [0.14. KMS](#014-kms) * [0.15. Secret Manager](#015-secret-manager) * [0.16. Compute Engine](#016-compute-engine) * [0.16.1. gcloud command for creating an instance?](#0161-gcloud-command-for-creating-an-instance) * [0.16.2. list compute images](#0162-list-compute-images) * [0.16.3. list an instance](#0163-list-an-instance) * [0.16.4. move instance](#0164-move-instance) * [0.16.5. ssh & scp](#0165-ssh--scp) * [0.16.6. SSH via IAP](#0166-ssh-via-iap) * [0.16.7. ssh port forwarding for elasticsearch](#0167-ssh-port-forwarding-for-elasticsearch) * [0.16.8. ssh reverse port forwarding](#0168-ssh-reverse-port-forwarding) * [0.16.9. generate ssh config](#0169-generate-ssh-config) * [0.16.10. Windows RDP reset windows password](#01610-windows-rdp-reset-windows-password) * [0.16.11. debugging](#01611-debugging) * [0.16.12. instance level metadata](#01612-instance-level-metadata) * [0.16.13. project level metadata](#01613-project-level-metadata) * [0.16.14. 
instances, template, target-pool and instance group](#01614-instances-template-target-pool-and-instance-group) * [0.16.15. MIG with startup and shutdown scripts](#01615-mig-with-startup-and-shutdown-scripts) * [0.16.16. disk snapshot](#01616-disk-snapshot) * [0.16.17. regional disk](#01617-regional-disk) * [0.17. Networking](#017-networking) * [0.17.1. network and subnets](#0171-network-and-subnets) * [0.17.2. route](#0172-route) * [0.17.3. firewall rules](#0173-firewall-rules) * [0.17.4. layer 4 network lb](#0174-layer-4-network-lb) * [0.17.5. layer 7 http lb](#0175-layer-7-http-lb) * [0.17.6. forwarding-rules](#0176-forwarding-rules) * [0.17.7. address](#0177-address) * [0.17.8. private service access](#0178-private-service-access) * [0.18. interconnect](#018-interconnect) * [0.19. GCP managed ssl certificate](#019-gcp-managed-ssl-certificate) * [0.20. StackDriver logging](#020-stackdriver-logging) * [0.21. Service](#021-service) * [0.21.1. list service available](#0211-list-service-available) * [0.21.2. Enable Service](#0212-enable-service) * [0.22. Client libraries you can use to connect to Google APIs](#022-client-libraries-you-can-use-to-connect-to-google-apis) * [0.23. chaining gcloud commands](#023-chaining-gcloud-commands) * [0.24. one liner to purge GCR images given a date](#024-one-liner-to-purge-gcr-images-given-a-date) * [0.25. GKE](#025-gke) * [0.25.1. create a GKE cluster with label and query it later](#0251-create-a-gke-cluster-with-label-and-query-it-later) * [0.26. SQL](#026-sql) * [0.27. Cloud Run](#027-cloud-run) * [0.28. Machine Learning](#028-machine-learning) * [0.29. Deployment Manager](#029-deployment-manager) # 0.1. References * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html) * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections) 
@@ -75,6 +74,7 @@ Table of Contents * https://medium.com/@Joachim8675309/getting-started-with-gcloud-sdk-part-1-114924737 * https://medium.com/@Joachim8675309/getting-started-with-gcloud-sdk-part-2-4d049a656f1a * https://gist.github.com/bborysenko/97749fe0514b819a5a87611e6aea3db8 * https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/ ## 0.2. Other cheatsheets * https://cloud.google.com/sdk/docs/cheatsheet @@ -234,7 +234,7 @@ export SA_EMAIL=$(gcloud iam service-accounts list \ --filter="displayName:jenkins" --format='value(email)') export PROJECT=$(gcloud info --format='value(config.project)') # create and list sa gcloud iam service-accounts create jenkins --display-name jenkins gcloud iam service-accounts list gcloud iam service-accounts list --filter='email ~ [0-9]*-compute@.*' --format='table(email)' @@ -245,6 +245,7 @@ gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam gcloud iam service-accounts keys create connect-sa-key.json \ --iam-account=connect-sa@${PROJECT_ID}.iam.gserviceaccount.com # get-iam-policy gcloud projects get-iam-policy ${PROJECT} --flatten="bindings[].members" --filter="bindings.members:serviceAccount:terraform@${PROJECT_ID}.iam.gserviceaccount.com" gcloud projects get-iam-policy ${PROJECT} \ @@ -674,6 +675,13 @@ gcloud compute addresses describe https-lb --global --format json gcloud projects list --format='value(project_id)' | xargs -I {} gcloud compute addresses list --format='value(address)' --project {} 2>/dev/null | sort | uniq -c ``` ### 0.17.8. private service access Useful for services like Cloud SQL and Redis, peering between a custom VPC to a managed VPC by google. ``` gcloud beta services vpc-peerings list --network=my-vpc ``` ## 0.18. interconnect ``` -
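Review bot: in the 0.17.8 hunk, `gcloud beta services vpc-peerings list --network=my-vpc` does not need the beta track, `gcloud services vpc-peerings list` is GA, and the new fenced block has no language tag even though the one-line intro above it describes shell commands. In the References hunk, the added `plundering-gcp-escalating-privileges` URL would benefit from a short descriptor like the entries at the top of the list, so readers know it is a privilege-escalation writeup useful when reviewing IAM hardening rather than a gcloud usage reference.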
pydevops revised this gist
Dec 16, 2020 . 1 changed file with 46 additions and 13 deletions.
@@ -65,7 +65,6 @@ Table of Contents * [0\.28\. Machine Learning](#028-machine-learning) * [0\.29\. Deployment Manager](#029-deployment-manager) # 0.1. References * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html) * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections) @@ -205,8 +204,10 @@ gcloud beta billing accounts list gcloud beta billing projects link ${project_id} \ --billing-account ${ORGANIZATION_BILLING_ACCOUNT} ``` ## 0.10. IAM * https://github.com/darkbitio/gcp-iam-role-permissions ``` gcloud iam roles describe roles/container.admin 
@@ -268,6 +269,36 @@ gcloud projects add-iam-policy-binding ${PROJECT} \ ``` ### 0.11.2. service account as a resource * https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials * https://medium.com/@tanujbolisetty/gcp-impersonate-service-accounts-36eaa247f87c * https://medium.com/wescale/how-to-generate-and-use-temporary-credentials-on-google-cloud-platform-b425ef95a00d * https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken shows the lifetime of the OAuth token of 3600 seconds by default ``` # ansible impersonate as a svc account terraform@${PROJECT_ID}.iam.gserviceaccount.com # ${SA_PROJECT_ID} is the global project storing all the service accounts TF_SA_EMAIL=terraform@${SA_PROJECT_ID}.iam.gserviceaccount.com ANSIBLE_SA_EMAIL="ansible@${SA_PROJECT_ID}.iam.gserviceaccount.com" gcloud iam service-accounts add-iam-policy-binding ${TF_SA_EMAIL} \ --project ${SA_PROJECT_ID} \ --member "serviceAccount:$ANSIBLE_SA_EMAIL" \ --role roles/iam.serviceAccountTokenCreator # create a gcp project $A_PROJECT_ID under $A_FOLDER_ID gcloud projects --impersonate-service-account=$TF_SA_EMAIL create $A_PROJECT_ID --name=$A_PROJECT_NAME --folder=$A_FOLDER_ID ``` ``` # user:[email protected] impersonate as a svc account terraform@${PROJECT_ID}.iam.gserviceaccount.com TF_SA_EMAIL=terraform@your-service-account-project.iam.gserviceaccount.com gcloud iam service-accounts add-iam-policy-binding $TF_SA_EMAIL --member=user:[email protected] \ --role roles/iam.serviceAccountTokenCreator gcloud container clusters list --impersonate-service-account=terraform@${PROJECT_ID}.iam.gserviceaccount.com ``` ``` gcloud iam service-accounts get-iam-policy <sa_email>, eg. gcloud iam service-accounts get-iam-policy secret-accessor-dev@$PROJECT_ID.iam.gserviceaccount.com --project $PROJECT_ID 
@@ -278,17 +309,7 @@ bindings: etag: BwWhFqqv9aQ= version: 1 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor' ``` ### 0.11.3. GCS bucket level @@ -857,6 +878,18 @@ gcloud beta run deploy --image gcr.io/${PROJECT-ID}/helloworld --platform manage gcloud beta run services list # get endpoint url for a service gcloud beta run services describe <service_name> --format="get(status.url)" export SERVICE_URL="$(gcloud run services list --platform managed --filter=${SERVICE_NAME} --format='value(URL)')" # Give service account permission to invoke the Cloud Run service export SERVICE_ACCOUNT=cloudrun-scheduler-sa gcloud iam service-accounts create ${SERVICE_ACCOUNT} \ --display-name "Cloud Run Scheduler Service Account" gcloud run services add-iam-policy-binding event-display-scheduled \ --member=serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com \ --role=roles/run.invoker ``` -
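Review bot: the 0.11.2 hunk binds `roles/iam.serviceAccountTokenCreator` on the target service account resource (`gcloud iam service-accounts add-iam-policy-binding ${TF_SA_EMAIL} ...`), which is the right scope: granting that role at project level would let the member mint tokens for every service account in the project. Two follow-ups in the same hunk: the comment says `terraform@${PROJECT_ID}.iam.gserviceaccount.com` while the code uses `${SA_PROJECT_ID}`, so align the comment with the code; and the `--role='roles/iam.serviceAccountActor'` line that survives the rewrite uses a deprecated role, superseded by `roles/iam.serviceAccountUser` (act-as) and `roles/iam.serviceAccountTokenCreator` (impersonation). The Cloud Run hunk's dedicated scheduler service account holding only `roles/run.invoker` is the least-privilege pattern worth keeping as the template.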
pydevops revised this gist
Jul 23, 2020 . 1 changed file with 32 additions and 6 deletions.
@@ -1,3 +1,4 @@ Table of Contents ================= @@ -77,7 +78,7 @@ Created by [gh-md-toc](https://github.com/ekalinin/github-markdown-toc.go) * https://gist.github.com/bborysenko/97749fe0514b819a5a87611e6aea3db8 ## 0.2. Other cheatsheets * https://cloud.google.com/sdk/docs/cheatsheet ## 0.3. Manage multiple gcloud config configurations * https://www.jhanley.com/google-cloud-understanding-gcloud-configurations/ @@ -157,9 +158,10 @@ PROJECT_ID=$(gcloud config get-value core/project 2>/dev/null) PROJECT_ID=$(gcloud config list project --format='value(core.project)') PROJECT_ID=$(gcloud info --format='value(config.project)') # get project_number PROJECT_NUMBER=$(gcloud projects list --filter="project_id:${PROJECT_ID}" --format='value(project_number)') PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format="value(projectNumber)") PROJECT_NUMBER=$(gcloud projects list --filter="name:${project_name}" --format='value(project_number)') ``` ## 0.7. zones & regions @@ -206,6 +208,7 @@ gcloud beta billing projects link ${project_id} \ ## 0.10. iam ``` gcloud iam roles describe roles/container.admin gcloud iam list-testable-permissions <uri> @@ -218,6 +221,7 @@ gcloud iam list-grantable-roles https://www.googleapis.com/compute/v1/projects/$ # get uri e.g. gcloud projects list --uri ``` ## 0.11. service account 
@@ -237,10 +241,15 @@ gcloud iam service-accounts list --filter='email ~ [0-9]*-compute@.*' --form # create & list sa key gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com gcloud iam service-accounts keys create connect-sa-key.json \ --iam-account=connect-sa@${PROJECT_ID}.iam.gserviceaccount.com gcloud projects get-iam-policy ${PROJECT} --flatten="bindings[].members" --filter="bindings.members:serviceAccount:terraform@${PROJECT_ID}.iam.gserviceaccount.com" gcloud projects get-iam-policy ${PROJECT} \ --flatten="bindings[].members" \ --filter="bindings.members:user:$(gcloud config get-value core/account 2>/dev/null)" gcloud projects add-iam-policy-binding $PROJECT --role roles/storage.admin \ --member serviceAccount:$SA_EMAIL gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.instanceAdmin.v1 \ @@ -251,6 +260,11 @@ gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.securityAdm --member serviceAccount:$SA_EMAIL gcloud projects add-iam-policy-binding $PROJECT --role roles/iam.serviceAccountActor \ --member serviceAccount:$SA_EMAIL # for Anthos GKE on prem gcloud projects add-iam-policy-binding ${PROJECT} \ --member="serviceAccount:connect-sa@${PROJECT}.iam.gserviceaccount.com" \ --role="roles/gkehub.connect" ``` ### 0.11.2. service account as a resource @@ -542,7 +556,7 @@ Use [gcloud compute operations describe URI] command to check the status of the ``` ### 0.17.2. route tag the instances with `no-ip` ``` gcloud compute instances add-tags existing-instance --tags no-ip 
@@ -774,6 +788,18 @@ gcloud beta container clusters create run-gke \ --no-enable-ip-alias ``` ``` export WORKLOAD_POOL=${PROJECT_ID}.svc.id.goog export MESH_ID="proj-${PROJECT_NUMBER}" gcloud bea contoner clusters create ${CLUSTER_NAME} \ --machine-type=n1-standard-4 \ --num-nodes=4 \ --workload-pool=${WORKLOAD_POOL} \ --enable-stackdriver-kubernetes \ --subnetwork=default \ --labels mesh_id=${MESH_ID} ``` ``` # create a VPC native cluster -
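Review bot: the new GKE block in the 0.25 hunk reads `gcloud bea contoner clusters create ${CLUSTER_NAME}`; both words are typos (`beta container`) and the command will not parse. In the 0.11.1 hunk, `gcloud iam service-accounts keys create connect-sa-key.json --iam-account=connect-sa@...` writes a long-lived user-managed key to disk; a comment that this key is for the Anthos connect agent (the `roles/gkehub.connect` binding added in the same hunk) would help, together with the reminder to audit it with the `keys list` command shown just above and to prefer impersonation or Workload Identity (`--workload-pool`, added in the same revision) wherever the consumer supports them.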
pydevops revised this gist
Jul 1, 2020 . 1 changed file with 90 additions and 67 deletions.
@@ -1,70 +1,71 @@ Table of Contents ================= * [0\.1\. References](#01-references) * [0\.2\. Other cheatsheets](#02-other-cheatsheets) * [0\.3\. Manage multiple gcloud config configurations](#03-manage-multiple-gcloud-config-configurations) * [0\.3\.1\. Switch gcloud context with gcloud config](#031-switch-gcloud-context-with-gcloud-config) * [0\.4\. Auth](#04-auth) * [0\.5\. info](#05-info) * [0\.6\. projects](#06-projects) * [0\.7\. zones & regions](#07-zones--regions) * [0\.8\. organization](#08-organization) * [0\.9\. billing](#09-billing) * [0\.10\. iam](#010-iam) * [0\.11\. service account](#011-service-account) * [0\.11\.1\. as an identity](#0111-as-an-identity) * [0\.11\.2\. service account as a resource](#0112-service-account-as-a-resource) * [0\.11\.3\. GCS bucket level](#0113-gcs-bucket-level) * [0\.11\.4\. Custom Roles](#0114-custom-roles) * [0\.12\. App engine](#012-app-engine) * [0\.13\. Cloud build](#013-cloud-build) * [0\.13\.1\. Cloud build trigger GCE rolling replace/start](#0131-cloud-build-trigger-gce-rolling-replacestart) * [0\.14\. KMS](#014-kms) * [0\.15\. Secret Manager](#015-secret-manager) * [0\.16\. Compute Engine](#016-compute-engine) * [0\.16\.1\. gcloud command for creating an instance?](#0161-gcloud-command-for-creating-an-instance) * [0\.16\.2\. list compute images](#0162-list-compute-images) * [0\.16\.3\. list an instance](#0163-list-an-instance) * [0\.16\.4\. move instance](#0164-move-instance) * [0\.16\.5\. ssh & scp](#0165-ssh--scp) * [0\.16\.6\. SSH via IAP](#0166-ssh-via-iap) * [0\.16\.7\. ssh port forwarding for elasticsearch](#0167-ssh-port-forwarding-for-elasticsearch) * [0\.16\.8\. ssh reverse port forwarding](#0168-ssh-reverse-port-forwarding) * [0\.16\.9\. generate ssh config](#0169-generate-ssh-config) * [0\.16\.10\. Windows RDP reset windows password](#01610-windows-rdp-reset-windows-password) * [0\.16\.11\. debugging](#01611-debugging) * [0\.16\.12\. 
instance level metadata](#01612-instance-level-metadata) * [0\.16\.13\. project level metadata](#01613-project-level-metadata) * [0\.16\.14\. instances, template, target\-pool and instance group](#01614-instances-template-target-pool-and-instance-group) * [0\.16\.15\. MIG with startup and shutdown scripts](#01615-mig-with-startup-and-shutdown-scripts) * [0\.16\.16\. disk snapshot](#01616-disk-snapshot) * [0\.16\.17\. regional disk](#01617-regional-disk) * [0\.17\. Networking](#017-networking) * [0\.17\.1\. network and subnets](#0171-network-and-subnets) * [0\.17\.2\. route](#0172-route) * [0\.17\.3\. firewall rules](#0173-firewall-rules) * [0\.17\.4\. layer 4 network lb](#0174-layer-4-network-lb) * [0\.17\.5\. layer 7 http lb](#0175-layer-7-http-lb) * [0\.17\.6\. forwarding\-rules](#0176-forwarding-rules) * [0\.17\.7\. address](#0177-address) * [0\.18\. interconnect](#018-interconnect) * [0\.19\. GCP managed ssl certificate](#019-gcp-managed-ssl-certificate) * [0\.20\. StackDriver logging](#020-stackdriver-logging) * [0\.21\. Service](#021-service) * [0\.21\.1\. list service available](#0211-list-service-available) * [0\.21\.2\. Enable Service](#0212-enable-service) * [0\.22\. Client libraries you can use to connect to Google APIs](#022-client-libraries-you-can-use-to-connect-to-google-apis) * [0\.23\. chaining gcloud commands](#023-chaining-gcloud-commands) * [0\.24\. one liner to purge GCR images given a date](#024-one-liner-to-purge-gcr-images-given-a-date) * [0\.25\. GKE](#025-gke) * [0\.25\.1\. create a GKE cluster with label and query it later](#0251-create-a-gke-cluster-with-label-and-query-it-later) * [0\.26\. SQL](#026-sql) * [0\.27\. Cloud Run](#027-cloud-run) * [0\.28\. Machine Learning](#028-machine-learning) * [0\.29\. Deployment Manager](#029-deployment-manager) Created by [gh-md-toc](https://github.com/ekalinin/github-markdown-toc.go) # 0.1. 
References * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html) * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections) * [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters) @@ -157,7 +158,7 @@ PROJECT_ID=$(gcloud config list project --format='value(core.project)') PROJECT_ID=$(gcloud info --format='value(config.project)') # get project_number given project_id or name PROJECT_NUMBER=$(gcloud projects list --filter="project_id:${PROJECT_ID}" --format='value(project_number)') gcloud projects list --filter="name:${project_name}" --format='value(project_number)' ``` @@ -798,8 +799,30 @@ gcloud container clusters create example-cluster --labels env=dev gcloud container clusters list --filter resourceLabels.env=dev ``` ## 0.26. SQL * https://www.qwiklabs.com/focuses/1157?parent=catalog ``` gcloud sql instances create flights \ --tier=db-n1-standard-1 --activation-policy=ALWAYS gcloud sql users set-password root --host % --instance flights \ --password Passw0rd # authorizes the IP export ADDRESS=$(wget -qO - http://ipecho.net/plain)/32 gcloud sql instances patch flights --authorized-networks $ADDRESS ## mysql cli to creat table MYSQLIP=$(gcloud sql instances describe \ flights --format="value(ipAddresses.ipAddress)") mysql --host=$MYSQLIP --user=root \ --password --verbose < create_table.sql ## import data in csv mysqlimport --local --host=$MYSQLIP --user=root --password \ --ignore-lines=1 --fields-terminated-by=',' bts flights.csv-* mysql --host=$MYSQLIP --user=root --p ``` ## 0.27. Cloud Run ``` # deploy a service on Cloud Run in us-central1 and allow unauthenticated user gcloud beta run deploy --image gcr.io/${PROJECT-ID}/helloworld --platform managed --region us-central1 --allow-unauthenticated 
@@ -811,12 +834,12 @@ gcloud beta run services describe <service_name> --format="get(status.url)" ``` ## 0.28. Machine Learning ``` brew install bat gcloud ml language analyze-entities --content="Michelangelo Caravaggio, Italian painter, is known for 'The Calling of Saint Matthew'." | bat -l json ``` ## 0.29. Deployment Manager * https://cloud.google.com/sdk/gcloud/reference/deployment-manager/deployments/ Play with the commands for preview and cancel-preview. -
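Review bot: in the 0.26 SQL hunk, the last line `mysql --host=$MYSQLIP --user=root --p` uses an invalid flag (`--p` is an ambiguous prefix of `--password`, `--port`, `--protocol` and others); use `-p`. In the same hunk, `export ADDRESS=$(wget -qO - http://ipecho.net/plain)/32` fetches the caller's public IP over plain HTTP and feeds the response unchecked into `gcloud sql instances patch flights --authorized-networks $ADDRESS`, so anything returned on that path ends up in the instance's allow-list; fetch over https and validate that the value parses as an IPv4 address before patching. The literal `--password Passw0rd` for `root` should be a placeholder such as `<root_password>`, and `# mysql cli to creat table` has a typo (`create`).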
pydevops revised this gist
Jun 9, 2020 . 1 changed file with 1 addition and 1 deletion.
@@ -411,7 +411,7 @@ gcloud compute instances list --filter=tags:kafka-node gcloud compute instances list --filter='machineType:g1-small' # list gke instances with an autogenerated tag from GKE gcloud compute instances list --filter='tags.items:(gke-whatever)' ``` ### 0.16.4. move instance -
pydevops revised this gist
May 19, 2020 . 1 changed file with 3 additions and 0 deletions.
@@ -409,6 +409,9 @@ gcloud compute instances list --project=dev --filter="name~^es" gcloud compute instances list --project=dev --filter=name:kafka --format="value(name,INTERNAL_IP)" gcloud compute instances list --filter=tags:kafka-node gcloud compute instances list --filter='machineType:g1-small' # list gke instances with an autogenerated tag from GKE gcloud compute instances list --filter='tags.items:(gke-five9-gke-dev-app2-bd32d43b-node)' ``` ### 0.16.4. move instance -
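Review bot: the new filter in the 0.16.3 hunk, `--filter='tags.items:(gke-five9-gke-dev-app2-bd32d43b-node)'`, embeds what looks like a real cluster's auto-generated node tag (organisation, environment and cluster hash) in a public cheatsheet; a placeholder such as `gke-<cluster-name>-<hash>-node` conveys the same point without exposing environment details. The Jun 9, 2020 revision above replaces it with `gke-whatever`, which resolves this.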
pydevops revised this gist
Apr 29, 2020 . 1 changed file with 66 additions and 0 deletions.
@@ -1,3 +1,69 @@ Table of Contents ================= * [0\.1\. References](#01-references) * [0\.2\. Other cheatsheets](#02-other-cheatsheets) * [0\.3\. Manage multiple gcloud config configurations](#03-manage-multiple-gcloud-config-configurations) * [0\.3\.1\. Switch gcloud context with gcloud config](#031-switch-gcloud-context-with-gcloud-config) * [0\.4\. Auth](#04-auth) * [0\.5\. info](#05-info) * [0\.6\. projects](#06-projects) * [0\.7\. zones & regions](#07-zones--regions) * [0\.8\. organization](#08-organization) * [0\.9\. billing](#09-billing) * [0\.10\. iam](#010-iam) * [0\.11\. service account](#011-service-account) * [0\.11\.1\. as an identity](#0111-as-an-identity) * [0\.11\.2\. service account as a resource](#0112-service-account-as-a-resource) * [0\.11\.3\. GCS bucket level](#0113-gcs-bucket-level) * [0\.11\.4\. Custom Roles](#0114-custom-roles) * [0\.12\. App engine](#012-app-engine) * [0\.13\. Cloud build](#013-cloud-build) * [0\.13\.1\. Cloud build trigger GCE rolling replace/start](#0131-cloud-build-trigger-gce-rolling-replacestart) * [0\.14\. KMS](#014-kms) * [0\.15\. Secret Manager](#015-secret-manager) * [0\.16\. Compute Engine](#016-compute-engine) * [0\.16\.1\. gcloud command for creating an instance?](#0161-gcloud-command-for-creating-an-instance) * [0\.16\.2\. list compute images](#0162-list-compute-images) * [0\.16\.3\. list an instance](#0163-list-an-instance) * [0\.16\.4\. move instance](#0164-move-instance) * [0\.16\.5\. ssh & scp](#0165-ssh--scp) * [0\.16\.6\. SSH via IAP](#0166-ssh-via-iap) * [0\.16\.7\. ssh port forwarding for elasticsearch](#0167-ssh-port-forwarding-for-elasticsearch) * [0\.16\.8\. ssh reverse port forwarding](#0168-ssh-reverse-port-forwarding) * [0\.16\.9\. generate ssh config](#0169-generate-ssh-config) * [0\.16\.10\. Windows RDP reset windows password](#01610-windows-rdp-reset-windows-password) * [0\.16\.11\. debugging](#01611-debugging) * [0\.16\.12\. 
instance level metadata](#01612-instance-level-metadata) * [0\.16\.13\. project level metadata](#01613-project-level-metadata) * [0\.16\.14\. instances, template, target\-pool and instance group](#01614-instances-template-target-pool-and-instance-group) * [0\.16\.15\. MIG with startup and shutdown scripts](#01615-mig-with-startup-and-shutdown-scripts) * [0\.16\.16\. disk snapshot](#01616-disk-snapshot) * [0\.16\.17\. regional disk](#01617-regional-disk) * [0\.17\. Networking](#017-networking) * [0\.17\.1\. network and subnets](#0171-network-and-subnets) * [0\.17\.2\. route](#0172-route) * [0\.17\.3\. firewall rules](#0173-firewall-rules) * [0\.17\.4\. layer 4 network lb](#0174-layer-4-network-lb) * [0\.17\.5\. layer 7 http lb](#0175-layer-7-http-lb) * [0\.17\.6\. forwarding\-rules](#0176-forwarding-rules) * [0\.17\.7\. address](#0177-address) * [0\.18\. interconnect](#018-interconnect) * [0\.19\. GCP managed ssl certificate](#019-gcp-managed-ssl-certificate) * [0\.20\. StackDriver logging](#020-stackdriver-logging) * [0\.21\. Service](#021-service) * [0\.21\.1\. list service available](#0211-list-service-available) * [0\.21\.2\. Enable Service](#0212-enable-service) * [0\.22\. Client libraries you can use to connect to Google APIs](#022-client-libraries-you-can-use-to-connect-to-google-apis) * [0\.23\. chaining gcloud commands](#023-chaining-gcloud-commands) * [0\.24\. one liner to purge GCR images given a date](#024-one-liner-to-purge-gcr-images-given-a-date) * [0\.25\. GKE](#025-gke) * [0\.25\.1\. create a GKE cluster with label and query it later](#0251-create-a-gke-cluster-with-label-and-query-it-later) * [0\.26\. Cloud Run](#026-cloud-run) * [0\.27\. Machine Learning](#027-machine-learning) * [0\.28\. Deployment Manager](#028-deployment-manager) ## 0.1. References * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html) * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections) -
pydevops revised this gist
Apr 29, 2020 . 1 changed file with 68 additions and 135 deletions.
@@ -1,69 +1,4 @@ ## 0.1. References * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html) * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections) * [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters) @@ -74,10 +9,10 @@ Table of Contents * https://medium.com/@Joachim8675309/getting-started-with-gcloud-sdk-part-2-4d049a656f1a * https://gist.github.com/bborysenko/97749fe0514b819a5a87611e6aea3db8 ## 0.2. Other cheatsheets * https://github.com/dennyzhang/cheatsheet-gcp-A4 ## 0.3. Manage multiple gcloud config configurations * https://www.jhanley.com/google-cloud-understanding-gcloud-configurations/ * https://medium.com/infrastructure-adventures/working-with-multiple-environment-in-gcloud-cli-93b2d4e8cf1e @@ -90,7 +25,8 @@ gcloud projects list gcloud config set project mygcp-demo ``` ### 0.3.1. Switch gcloud context with gcloud config ``` gcloud config list gcloud config set account [email protected] 
@@ -99,17 +35,13 @@ gcloud config set compute/region us-west1 gcloud config set compute/zone us-west1-a alias demo='gcloud config set account [email protected] && gcloud config set project mygcp-demo && gcloud config set compute/region us-west1 && gcloud config set compute/zone us-west1-a' cluster=$(gcloud config get-value container/cluster 2> /dev/null) zone=$(gcloud config get-value compute/zone 2> /dev/null) project=$(gcloud config get-value core/project 2> /dev/null) #switch project based on the name gcloud config set project $(gcloud projects list --filter='name:wordpress-dev' --format='value(project_id)') command -v gcloud >/dev/null 2>&1 || { \ echo >&2 "I require gcloud but it's not installed. Aborting."; exit 1; } @@ -124,7 +56,7 @@ fi ``` ## 0.4. Auth * https://stackoverflow.com/questions/53306131/difference-between-gcloud-auth-application-default-login-and-gcloud-auth-logi/53307505 * https://medium.com/google-cloud/local-remote-authentication-with-google-cloud-platform-afe3aa017b95 @@ -144,13 +76,13 @@ kubectl uses OAuth token generated by * `gcloud auth print-access-token` generates new token ## 0.5. info ``` gcloud info --format flattened export PROJECT=$(gcloud info --format='value(config.project)') ``` ## 0.6. projects ``` # various way to get project_id @@ -163,7 +95,7 @@ gcloud projects list --filter="project_id:${PROJECT_ID}" --format='value(projec gcloud projects list --filter="name:${project_name}" --format='value(project_number)' ``` ## 0.7. zones & regions To return a list of zones given a region ``` gcloud compute zones list --filter=region:us-central1 @@ -173,7 +105,7 @@ gcloud compute zones list --filter=region:us-central1 gcloud compute regions list ``` ## 0.8. organization ``` ORG_ID=$(gcloud organizations list --format 'value(ID)') # list top level folders 
@@ -196,16 +128,16 @@ gcloud resource-manager folders add-iam-policy-binding ${folder_id} \ --role=roles/billing.projectManager ``` ## 0.9. billing ``` gcloud organizations list gcloud beta billing accounts list # link a billing account with a project, assuming the user or service account has "Billing Account User" role. gcloud beta billing projects link ${project_id} \ --billing-account ${ORGANIZATION_BILLING_ACCOUNT} ``` ## 0.10. iam ``` gcloud iam roles describe roles/container.admin @@ -221,8 +153,10 @@ gcloud iam list-grantable-roles https://www.googleapis.com/compute/v1/projects/$ gcloud projects list --uri ``` ## 0.11. service account * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts) ### 0.11.1. as an identity ``` export SA_EMAIL=$(gcloud iam service-accounts list \ --filter="displayName:jenkins" --format='value(email)') @@ -251,9 +185,8 @@ gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.securityAdm gcloud projects add-iam-policy-binding $PROJECT --role roles/iam.serviceAccountActor \ --member serviceAccount:$SA_EMAIL ``` ### 0.11.2. service account as a resource ``` gcloud iam service-accounts get-iam-policy <sa_email>, eg. gcloud iam service-accounts get-iam-policy secret-accessor-dev@$PROJECT_ID.iam.gserviceaccount.com --project $PROJECT_ID 
@@ -277,14 +210,14 @@ gcloud iam service-accounts add-iam-policy-binding terraform@${PROJECT_ID}.iam. gcloud container clusters list --impersonate-service-account=terraform@${PROJECT_ID}.iam.gserviceaccount.com ``` ### 0.11.3. GCS bucket level ``` gsutil iam get gs://${BUCKET_NAME} -p ${PROJECT_ID} COMPUTE_ENGINE_SA_EMAIL=$(gcloud iam service-accounts list --filter="name:Compute Engine default service account" --format "value(email)") gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://${BUCKET_NAME} ``` ### 0.11.4. Custom Roles ``` # list predefined roles gcloud iam roles list @@ -297,10 +230,10 @@ gcloud iam roles list --project $PROJECT_ID te.instances.list --stage ALPHA ``` ## 0.12. App engine * https://medium.com/google-cloud/app-engine-project-cleanup-9647296e796a ## 0.13. Cloud build ``` # user defined @@ -310,7 +243,7 @@ gcloud builds submit --config=cloudbuild.yaml --substitutions=_BRANCH_NAME=foo,_ gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=v1.0.1 ``` ### 0.13.1. Cloud build trigger GCE rolling replace/start * https://medium.com/google-cloud/continuous-delivery-in-google-cloud-platform-cloud-build-with-compute-engine-a95bf4fd1821 * https://cloud.google.com/compute/docs/instance-groups/updating-managed-instance-groups#performing_a_rolling_replace_or_restart @@ -325,7 +258,7 @@ images: ``` ## 0.14. KMS * [cloud-encrypt-with-kms](https://codelabs.developers.google.com/codelabs/cloud-encrypt-with-kms/#0) * [Integrated with cloud build](https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials) @@ -359,7 +292,7 @@ curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locati | jq .plaintext -r | base64 -d ``` ## 0.15. Secret Manager * https://blog.scalesec.com/gcp-secret-manager-first-look-eaa9b0620da1 ``` 
@@ -375,9 +308,9 @@ gcloud secrets versions access latest --secret=my_ssh_private_key gcloud secrets update SECRET_NAME --update-labels=KEY=VALUE ``` ## 0.16. Compute Engine ### 0.16.1. gcloud command for creating an instance? from web console ``` gcloud compute instances create [INSTANCE_NAME] \ @@ -388,7 +321,7 @@ gcloud compute instances create [INSTANCE_NAME] \ gcloud compute instances create micro1 --zone=us-west1-a --machine-type=f1-micro --subnet=default --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=398028291895-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append --min-cpu-platform=Automatic --image=debian-9-stretch-v20180510 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=micro1 ``` ### 0.16.2. list compute images ``` gcloud compute images list --filter=name:debian --uri https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-8-jessie-v20180109 @@ -400,7 +333,7 @@ gcloud compute images list --project windows-cloud --no-standard-images gcloud compute images list --project gce-uefi-images --no-standard-images ``` ### 0.16.3. list an instance * [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters) * [resource-keys](https://cloud.google.com/sdk/gcloud/reference/topic/resource-keys) 
@@ -412,10 +345,10 @@ gcloud compute instances list --filter=tags:kafka-node gcloud compute instances list --filter='machineType:g1-small' ``` ### 0.16.4. move instance `gcloud compute instances move <instance_wanna_move> --destination-zone=us-central1-a --zone=us-central1-c` ### 0.16.5. ssh & scp ``` #--verbosity=debug is great for debugging, showing the SSH command # the following is a real word example for running a bastion server that talks to a GKE cluster (master authorized network) @@ -424,7 +357,7 @@ gcloud compute ssh --verbosity=debug <instance_name> --command "kubectl get node gcloud compute scp --recurse ../manifest <instance_name>: ``` ### 0.16.6. SSH via IAP * https://cloud.google.com/iap/docs/using-tcp-forwarding ``` @@ -435,28 +368,28 @@ gcloud compute instances delete-access-config oregon1 --access-config-name "Ext # connect via IAP, assuming the IAP is granted to the account used for login. gcloud beta compute ssh oregon1 --tunnel-through-iap ``` ### 0.16.7. ssh port forwarding for elasticsearch ``` gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1" --ssh-flag="-L localhost:9200:localhost:9200" ``` The 2nd `localhost` is relative to elasticsearch-1` ### 0.16.8. ssh reverse port forwarding for example, how to connect to home server's flask server (tcp port 5000) for a demo or a local game server in development ``` GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project) gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh-flag="-v -N -R :5000:localhost:5000" "google_cloud_bastion_server" ``` ### 0.16.9. generate ssh config ``` gcloud compute config-ssh ``` ### 0.16.10. Windows RDP reset windows password returns the IP and password for creating the RDP connection. ``` gcloud compute reset-windows-password instance --user=jdoe ip_address: 104.199.119.166 password: Ks(;_gx7Bf2d.NP 
@@ -465,24 +398,24 @@ username: jode ### 0.16.11. debugging * `gcloud compute instances list --log-http` * [serial port debug](https://cloud.google.com/compute/docs/instances/interacting-with-serial-console) ### 0.16.12. instance level metadata ``` curl -s "http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true&alt=text" -H "Metadata-Flavor: Google" leader=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/attributes/leader" -H "Metadata-Flavor: Google") ``` ### 0.16.13. project level metadata ``` gcloud compute project-info describe gcloud compute project-info describe --flatten="commonInstanceMetadata[]" ``` ### 0.16.14. instances, template, target-pool and instance group ``` cat << EOF > startup.sh #! /bin/bash @@ -501,7 +434,7 @@ gcloud compute instance-groups managed create nginx-group \ --target-pool nginx-pool ``` ### 0.16.15. MIG with startup and shutdown scripts https://cloud.google.com/vpc/docs/special-configurations#multiple-natgateways ``` 
@@ -515,30 +448,30 @@ gcloud compute instance-templates create nat-2 \ --machine-type n1-standard-2 --can-ip-forward --tags natgw \ --metadata-from-file=startup-script=startup.sh --address $nat_2_ip ``` ### 0.16.16. disk snapshot ``` gcloud compute disks snapshot kafka-data1-1 --async --snapshot-names=kafka-data-1 --project project_a --zone us-west1-a Use [gcloud compute operations describe URI] command to check the status of the operation(s). ``` ### 0.16.17. regional disk ``` gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional ``` ## 0.17. Networking ### 0.17.1. network and subnets ``` gcloud compute networks create privatenet --subnet-mode=custom gcloud compute networks subnets create privatesubnet-us --network=privatenet --region=us-central1 --range=172.16.0.0/24 gcloud compute networks subnets create privatesubnet-eu --network=privatenet --region=europe-west1 --range=172.20.0.0/20 gcloud compute networks subnets list --sort-by=NETWORK ``` ### 0.17.2. route tag the instances with `no-ips` ``` @@ -550,7 +483,7 @@ gcloud compute routes create no-ip-internet-route \ --next-hop-instance-zone us-central1-a \ --tags no-ip --priority 800 ``` ### 0.17.3. firewall rules * https://medium.com/@swongra/protect-your-google-cloud-instances-with-firewall-rules-69cce960fba ``` @@ -574,7 +507,7 @@ gcloud compute firewall-rules list --sort-by=NETWORK ``` ### 0.17.4. layer 4 network lb ``` gcloud compute firewall-rules create www-firewall --allow tcp:80 gcloud compute forwarding-rules create nginx-lb \ @@ -586,7 +519,7 @@ gcloud compute firewall-rules list --sort-by=NETWORK ``` ### 0.17.5. layer 7 http lb * https://cloud.google.com/solutions/scalable-and-resilient-apps ``` 
@@ -617,14 +550,14 @@ gcloud compute forwarding-rules list ``` ### 0.17.6. forwarding-rules ``` gcloud compute forwarding-rules list --filter=$(dig +short <dns_name>) gcloud compute forwarding-rules describe my-forwardingrule --region us-central1 gcloud compute forwarding-rules describe my-http-forwardingrule --global ``` ### 0.17.7. address ``` # get the external IP address of the instance gcloud compute instances describe single-node \ @@ -636,14 +569,14 @@ gcloud compute addresses describe https-lb --global --format json gcloud projects list --format='value(project_id)' | xargs -I {} gcloud compute addresses list --format='value(address)' --project {} 2>/dev/null | sort | uniq -c ``` ## 0.18. interconnect ``` # list Google Compute Engine interconnect locations gcloud compute interconnects locations list ``` ## 0.19. GCP managed ssl certificate ``` gcloud beta compute ssl-certificates create example-mydomain --domains example.mydomain.com gcloud beta compute ssl-certificates list @@ -653,18 +586,18 @@ gcloud beta compute target-https-proxies list ``` ## 0.20. StackDriver logging ``` gcloud logging read "timestamp >= \"2018-04-19T00:30:00Z\" and logName=projects/${project_id}/logs/requests and resource.type=http_load_balancer" --format="csv(httpRequest.remoteIp,httpRequest.requestUrl,timestamp)" --project=${project_id} ``` ## 0.21. Service ### 0.21.1. list service available `gcloud services list --available` ### 0.21.2. Enable Service ``` # chain @@ -700,11 +633,11 @@ function enable-service() { enable-service container.googleapis.com ``` ## 0.22. Client libraries you can use to connect to Google APIs * https://medium.com/google-cloud/simple-google-api-auth-samples-for-service-accounts-installed-application-and-appengine-da30ee4648 ## 0.23. chaining gcloud commands ``` gcloud compute forwarding-rules list --format 'value(NAME)' \ | xargs -I {} gcloud compute forwarding-rules delete {} --region us-west1 -q 
@@ -722,15 +655,15 @@ gcloud compute routes list --filter="NOT network=default" --format='value(NAME)' | xargs -I {} gcloud compute routes delete -q {} ``` ## 0.24. one liner to purge GCR images given a date ``` DATE=2018-10-01 IMAGE=<project_id>/<image_name> gcloud container images list-tags gcr.io/$IMAGE --limit=unlimited --sort-by=TIMESTAMP \ --filter="NOT tags:* AND timestamp.datetime < '${DATE}'" --format='get(digest)' | \ while read digest;do gcloud container images delete -q --force-delete-tags gcr.io/$IMAGE@$digest ;done ``` ## 0.25. GKE ``` # create a private cluster gcloud beta container clusters create private-cluster \ @@ -789,15 +722,15 @@ gcloud container clusters describe mycluster --format='get(endpoint)' gcloud container clusters get-credentials private-cluster --zone us-central1-a --internal-ip ``` ### 0.25.1. create a GKE cluster with label and query it later ``` gcloud container clusters create example-cluster --labels env=dev gcloud container clusters list --filter resourceLabels.env=dev ``` ## 0.26. Cloud Run ``` # deploy a service on Cloud Run in us-central1 and allow unauthenticated user gcloud beta run deploy --image gcr.io/${PROJECT-ID}/helloworld --platform managed --region us-central1 --allow-unauthenticated @@ -809,12 +742,12 @@ gcloud beta run services describe <service_name> --format="get(status.url)" ``` ## 0.27. Machine Learning ``` brew install bat gcloud ml language analyze-entities --content="Michelangelo Caravaggio, Italian painter, is known for 'The Calling of Saint Matthew'." | bat -l json ``` ## 0.28. Deployment Manager * https://cloud.google.com/sdk/gcloud/reference/deployment-manager/deployments/ Play with the commands for preview and cancel-preview. -
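Review bot: the sample output in the `0.16.10. Windows RDP reset windows password` hunk embeds a concrete external IP (`104.199.119.166`) and a generated password (`Ks(;_gx7Bf2d.NP`); even if that password has long since been rotated, a published cheatsheet should show placeholders such as `ip_address: <EXTERNAL_IP>` and `password: <GENERATED_PASSWORD>`. The `username: jode` line in the same output also does not match the `--user=jdoe` passed on the command line.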
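Review bot: `gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional` in the `0.16.17. regional disk` hunk uses the singular `instance`; the command group is `gcloud compute instances attach-disk`, so the line fails with an unrecognized-command error as written.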
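Review bot: `gcr.io/${PROJECT-ID}/helloworld` in the `0.26. Cloud Run` hunk is not a reference to a variable named `PROJECT-ID`: in sh/bash `${PROJECT-ID}` expands `$PROJECT` and falls back to the literal string `ID` when `PROJECT` is unset, so the deploy silently targets `gcr.io/ID/helloworld`. Use `${PROJECT_ID}`. On the same line, `--allow-unauthenticated` makes the service reachable by anyone on the internet; the comment says so, but it is worth adding that the flag should be dropped for anything that is not meant to be a public endpoint.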
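Review bot: `gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL` in the `0.11.1. as an identity` hunk mints a long-lived user-managed key that then has to be stored, protected and rotated; the `0.11.2. service account as a resource` hunk in this same revision already shows the keyless alternative (`add-iam-policy-binding` on the service account followed by `gcloud container clusters list --impersonate-service-account=...`), so a one-line comment pointing readers to impersonation where a key file is not strictly required would make the safer path the default.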
pydevops revised this gist
Apr 29, 2020. 1 changed file with 67 additions and 61 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -1,62 +1,68 @@ Table of Contents ================= * [References](#references) * [Other cheatsheets](#other-cheatsheets) * [multiple gcloud config configurations](#multiple-gcloud-config-configurations) * [switch gcloud context with gcloud config](#switch-gcloud-context-with-gcloud-config) * [auth](#auth) * [info](#info) * [projects](#projects) * [zones & regions](#zones--regions) * [organization](#organization) * [billing](#billing) * [IAM list permission and roles for a given resource](#iam-list-permission-and-roles-for-a-given-resource) * [service account: treat service account as an identity](#service-account-treat-service-account-as-an-identity) * [service account:treat service account as a resource](#service-accounttreat-service-account-as-a-resource) * [GCS bucket level](#gcs-bucket-level) * [Custom Roles](#custom-roles) * [app engine](#app-engine) * [cloud build](#cloud-build) * [Cloud build trigger GCE rolling replace/start](#cloud-build-trigger-gce-rolling-replacestart) * [kms](#kms) * [secret manager](#secret-manager) * [compute engine](#compute-engine) * [gcloud command for creating an instance?](#gcloud-command-for-creating-an-instance) * [list compute images](#list-compute-images) * [list an instance](#list-an-instance) * [move instance](#move-instance) * [ssh & scp](#ssh--scp) * [SSH via IAP](#ssh-via-iap) * [ssh port forwarding for elasticsearch](#ssh-port-forwarding-for-elasticsearch) * [ssh reverse port forwarding](#ssh-reverse-port-forwarding) * [generate ssh config](#generate-ssh-config) * [Windows RDP reset windows password](#windows-rdp-reset-windows-password) * [debugging](#debugging) * [instance level metadata](#instance-level-metadata) * [project level metadata](#project-level-metadata) * [instances, template, target-pool and instance group](#instances-template-target-pool-and-instance-group) * [MIG with startup and shutdown scripts](#mig-with-startup-and-shutdown-scripts) * [disk snapshot](#disk-snapshot) * [regional 
disk](#regional-disk) * [Networking](#networking) * [network and subnets](#network-and-subnets) * [route](#route) * [firewall rules](#firewall-rules) * [layer 4 network lb](#layer-4-network-lb) * [layer 7 http lb](#layer-7-http-lb) * [forwarding-rules](#forwarding-rules) * [address](#address) * [interconnect](#interconnect) * [GCP managed ssl certificate](#gcp-managed-ssl-certificate) * [StackDriver logging](#stackdriver-logging) * [Service](#service) * [list service available](#list-service-available) * [Enable Service](#enable-service) * [Client libraries you can use to connect to Google APIs](#client-libraries-you-can-use-to-connect-to-google-apis) * [chaining gcloud commands](#chaining-gcloud-commands) * [one liner to purge GCR images given a date](#one-liner-to-purge-gcr-images-given-a-date) * [GKE](#gke) * [create a GKE cluster with label and query it later](#create-a-gke-cluster-with-label-and-query-it-later) * [Cloud Run](#cloud-run) * [Machine Learning](#machine-learning) * [Deployment Manager](#deployment-manager) ## References * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html) * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections) @@ -358,15 +364,15 @@ curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locati ``` # create a secret gcloud secrets create SECRET_NAME --replication-policy="automatic" #create a secret version gcloud secrets versions add "SECRET_NAME" --data-file="/path/to/file.txt" # list gcloud secrets list # read gcloud secrets versions access latest --secret=my_ssh_private_key #update the labels (metadata) of a secret gcloud secrets update SECRET_NAME --update-labels=KEY=VALUE ``` ## compute engine -
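Review bot: in the secret manager hunk, the `#create a secret version` and `#update the labels (metadata) of a secret` comments lack the space after `#` that `# create a secret`, `# list` and `# read` use on the neighbouring lines; minor, but keep one comment style within a block. In the table-of-contents hunk, `service account:treat service account as a resource` is missing the space after the colon that its sibling entry `service account: treat service account as an identity` has, and the two entries should read as a matching pair.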
pydevops revised this gist
Apr 23, 2020. 1 changed file with 3 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -173,7 +173,9 @@ ORG_ID=$(gcloud organizations list --format 'value(ID)') # list top level folders gcloud resource-manager folders list --organization=$ORG_ID # list sub folders given upper level folder id gcloud resource-manager folders list --folder=$FOLDER_ID # get iam policy for the folder gcloud resource-manager folders get-iam-policy $FOLDER_ID # grant roles to a user ORGANIZATION_ADMIN_ADDRESS='user:[email protected]' -
pydevops revised this gist
Apr 19, 2020. 1 changed file with 2 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -199,6 +199,8 @@ gcloud beta billing projects link ${project_id} \ ## IAM list permission and roles for a given resource ``` gcloud iam roles describe roles/container.admin gcloud iam list-testable-permissions <uri> e.g gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/$PROJECT_ID -
pydevops revised this gist
Mar 30, 2020. 1 changed file with 2 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -269,8 +269,9 @@ gcloud container clusters list --impersonate-service-account=terraform@${PROJECT ### GCS bucket level ``` gsutil iam get gs://${BUCKET_NAME} -p ${PROJECT_ID} COMPUTE_ENGINE_SA_EMAIL=$(gcloud iam service-accounts list --filter="name:Compute Engine default service account" --format "value(email)") gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://${BUCKET_NAME} ``` ### Custom Roles -
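Review bot: `--filter="name:Compute Engine default service account"` in the GCS bucket level hunk filters on `name`, which for `gcloud iam service-accounts list` is the resource name (`projects/<project>/serviceAccounts/<email>`) rather than the human-readable display name, and the unquoted spaces split the expression into several filter terms; the identity section elsewhere in this gist already uses `--filter="displayName:jenkins"` and `--filter='email ~ [0-9]*-compute@.*'`, and either of those forms (`--filter='displayName:"Compute Engine default service account"'` or the email regex) selects the default compute SA reliably. Separately, `gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://${BUCKET_NAME}` grants read access to every VM that runs as the default compute service account, not only the one that needs the bucket; a dedicated service account scoped to that workload is the least-privilege version of the same command and is worth showing beside it.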
pydevops revised this gist
Mar 18, 2020. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -11,7 +11,7 @@ Table of Contents * [organization](#organization) * [billing](#billing) * [IAM list permission and roles for a given resource](#iam-list-permission-and-roles-for-a-given-resource) * [service account](#service-account-treat-service-account-as-an-identity) * [GCS bucket level](#gcs-bucket-level) * [Custom Roles](#custom-roles) * [app engine](#app-engine) -
pydevops revised this gist
Mar 18, 2020. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -11,7 +11,7 @@ Table of Contents * [organization](#organization) * [billing](#billing) * [IAM list permission and roles for a given resource](#iam-list-permission-and-roles-for-a-given-resource) * [service account](#iam-service-account) * [GCS bucket level](#gcs-bucket-level) * [Custom Roles](#custom-roles) * [app engine](#app-engine) -
pydevops revised this gist
Mar 18, 2020. 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -211,7 +211,7 @@ gcloud iam list-grantable-roles https://www.googleapis.com/compute/v1/projects/$ gcloud projects list --uri ``` ## service account: treat service account as an identity ``` export SA_EMAIL=$(gcloud iam service-accounts list \ @@ -227,7 +227,7 @@ gcloud iam service-accounts list --filter='email ~ [0-9]*-compute@.*' --form gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com gcloud projects get-iam-policy ${PROJECT} --flatten="bindings[].members" --filter="bindings.members:serviceAccount:terraform@${PROJECT_ID}.iam.gserviceaccount.com" gcloud projects add-iam-policy-binding $PROJECT --role roles/storage.admin \ -
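Review bot: `gcloud projects get-iam-policy ${PROJECT} --flatten="bindings[].members" --filter="bindings.members:serviceAccount:terraform@${PROJECT_ID}.iam.gserviceaccount.com"` mixes `${PROJECT}` and `${PROJECT_ID}` in a single command; if only one of the two is exported the filter matches nothing, or the policy is read from a different project than the one the service account lives in. Pick one variable name for the whole block.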
pydevops revised this gist
Mar 18, 2020. 1 changed file with 13 additions and 7 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -227,11 +227,9 @@ gcloud iam service-accounts list --filter='email ~ [0-9]*-compute@.*' --form gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com ## project level: treat service account as an identity gcloud projects get-iam-policy ${PROJECT} --flatten="bindings[].members" --filter="bindings.members:serviceAccount:terraform@${PROJECT_ID}.iam.gserviceaccount.com" gcloud projects add-iam-policy-binding $PROJECT --role roles/storage.admin \ --member serviceAccount:$SA_EMAIL gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.instanceAdmin.v1 \ @@ -245,9 +243,17 @@ gcloud projects add-iam-policy-binding $PROJECT --role roles/iam.serviceAccountA ``` * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts) # service account:treat service account as a resource ``` gcloud iam service-accounts get-iam-policy <sa_email>, eg. gcloud iam service-accounts get-iam-policy secret-accessor-dev@$PROJECT_ID.iam.gserviceaccount.com --project $PROJECT_ID bindings: - members: - serviceAccount:<project-id>.svc.id.goog[default/secret-accessor-dev] role: roles/iam.workloadIdentityUser etag: BwWhFqqv9aQ= version: 1 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor' ``` * https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials -
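Review bot: the new `# service account:treat service account as a resource` heading is a single `#` (level 1) while every other section in the file, including the `## service account: treat service account as an identity` heading it sits next to, is `##`; use `##` so the two sections render as siblings. On the binding line, `--role='roles/iam.serviceAccountActor'` is the legacy role; `roles/iam.serviceAccountUser` (and `roles/iam.serviceAccountTokenCreator` where token minting is needed) are the current equivalents, and the `get-iam-policy` output just above already shows the narrower pattern this section should recommend: `roles/iam.workloadIdentityUser` bound to one specific Kubernetes service account.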
pydevops revised this gist
Feb 27, 2020. 1 changed file with 17 additions and 6 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -341,6 +341,23 @@ curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locati -H "Content-Type:application/json" \ | jq .plaintext -r | base64 -d ``` ## secret manager * https://blog.scalesec.com/gcp-secret-manager-first-look-eaa9b0620da1 ``` # create a secret gcloud beta secrets create SECRET_NAME --replication-policy="automatic" #create a secret version gcloud beta secrets versions add "SECRET_NAME" --data-file="/path/to/file.txt" # list gcloud beta secrets list # read gcloud beta secrets versions access latest --secret=my_ssh_private_key #update the labels (metadata) of a secret gcloud beta secrets update SECRET_NAME --update-labels=KEY=VALUE ``` ## compute engine ### gcloud command for creating an instance? @@ -492,12 +509,6 @@ Use [gcloud compute operations describe URI] command to check the status of the gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional ``` ## Networking -
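Review bot: `gcloud beta secrets versions add "SECRET_NAME" --data-file="/path/to/file.txt"` leaves the secret's plaintext in a file on disk after the version is created; the flag also accepts `-` to read from stdin, so a note that `--data-file=-` fed by a pipe or heredoc avoids the on-disk copy would help. The `# read` line (`versions access latest --secret=my_ssh_private_key`) likewise prints the plaintext straight to the terminal, which ends up in scrollback and in any session recording; the cheatsheet should say so next to the command.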
pydevops revised this gist
Feb 27, 2020. 1 changed file with 1 addition and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -35,6 +35,7 @@ Table of Contents * [MIG with startup and shutdown scripts](#mig-with-startup-and-shutdown-scripts) * [disk snapshot](#disk-snapshot) * [regional disk](#regional-disk) * [Secret Manager](#secret-manager) * [Networking](#networking) * [network and subnets](#network-and-subnets) * [route](#route) -
pydevops revised this gist
Feb 27, 2020. 1 changed file with 7 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -491,6 +491,13 @@ Use [gcloud compute operations describe URI] command to check the status of the gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional ``` ## secret manager ``` gcloud beta secrets list gcloud beta secrets versions access latest --secret=my_ssh_private_key ``` ## Networking -
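Review bot: `gcloud beta secrets versions access latest --secret=my_ssh_private_key` writes the private key to stdout, so run exactly as shown it lands in terminal scrollback and in any session log; for a copy-paste cheatsheet, redirect the output into a file created with restrictive permissions (set `umask 077` before the redirect) or pipe it directly into the consumer (for example `ssh-add -`) instead of echoing it. A one-word comment such as `# prints the plaintext` on that line would be enough.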
pydevops revised this gist
Feb 5, 2020. 1 changed file with 13 additions and 4 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -166,16 +166,25 @@ gcloud compute zones list --filter=region:us-central1 gcloud compute regions list ``` ## organization ``` ORG_ID=$(gcloud organizations list --format 'value(ID)') # list top level folders gcloud resource-manager folders list --organization=$ORG_ID # list sub folders given upper level folder id gcloud resource-manager folders list --organization=$FOLDER_ID # grant roles to a user ORGANIZATION_ADMIN_ADDRESS='user:[email protected]' gcloud resource-manager folders add-iam-policy-binding ${folder_id} \ --member=${ORGANIZATION_ADMIN_ADDRESS} \ --role=roles/resourcemanager.folderAdmin gcloud resource-manager folders add-iam-policy-binding ${folder_id} \ --member=${ORGANIZATION_ADMIN_ADDRESS} \ --role=roles/storage.admin gcloud resource-manager folders add-iam-policy-binding ${folder_id} \ --member=${ORGANIZATION_ADMIN_ADDRESS} \ --role=roles/billing.projectManager ``` ## billing -
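Review bot: `gcloud resource-manager folders list --organization=$FOLDER_ID` under `# list sub folders given upper level folder id` passes a folder id to the `--organization` flag; listing the children of a folder is `--folder=$FOLDER_ID`. The three `add-iam-policy-binding ${folder_id}` calls also use lowercase `${folder_id}` while the list command uses `$FOLDER_ID`, so one of the two is unset unless both happen to be exported. Finally, `roles/storage.admin` granted at folder level applies to every bucket in every project under that folder; if the intent is project creation and billing set-up, `roles/resourcemanager.folderAdmin` and `roles/billing.projectManager` already cover that, and the storage grant deserves a comment explaining why it is needed.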
pydevops revised this gist
Feb 5, 2020. 1 changed file with 4 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -180,8 +180,11 @@ gcloud resource-manager folders add-iam-policy-binding $FOLDER_ID \ ## billing ``` gcloud organizations list gcloud beta billing accounts list # link a billing account with a project, assuming the user or svc account has "Billing Account User" role. gcloud beta billing projects link ${project_id} \ --billing-account ${ORGANIZATION_BILLING_ACCOUNT} ``` ## IAM list permission and roles for a given resource -
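Review bot: the comment above `gcloud beta billing projects link ${project_id} --billing-account ${ORGANIZATION_BILLING_ACCOUNT}` says only "Billing Account User" is needed; that role covers the billing-account side, but the caller also needs permission to change the billing assignment on the project itself (`roles/billing.projectManager` or Owner on the project), so the stated assumption is incomplete. `${ORGANIZATION_BILLING_ACCOUNT}` is also never set in the block; the `gcloud beta billing accounts list` line two lines up is the natural place to populate it from.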
pydevops revised this gist
Feb 3, 2020. 1 changed file with 5 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -588,7 +588,12 @@ gcloud compute addresses describe https-lb --global --format json gcloud projects list --format='value(project_id)' | xargs -I {} gcloud compute addresses list --format='value(address)' --project {} 2>/dev/null | sort | uniq -c ``` ## interconnect ``` # list Google Compute Engine interconnect locations gcloud compute interconnects locations list ``` ## GCP managed ssl certificate ``` -
pydevops revised this gist
Jan 30, 2020 . 1 changed file with 1 addition and 0 deletions.
@@ -8,6 +8,7 @@ Table of Contents * [info](#info) * [projects](#projects) * [zones](#zones) * [organization](#organization) * [billing](#billing) * [IAM list permission and roles for a given resource](#iam-list-permission-and-roles-for-a-given-resource) * [IAM service account](#iam-service-account)
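Review bot: the added entry `* [organization](#organization)` points at an anchor that does not exist at this revision: the heading introduced in the other Jan 30 change is `## organization & folder`, which GitHub renders with the anchor `#organization--folder`, so the link is dead. Either shorten the heading to `## organization` (as the later revision at the top of this list eventually does) or make the entry `* [organization & folder](#organization--folder)`.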
pydevops revised this gist
Jan 30, 2020 . 1 changed file with 12 additions and 0 deletions.
@@ -165,6 +165,18 @@ gcloud compute zones list --filter=region:us-central1 gcloud compute regions list ``` ## organization & folder ``` ORG_ID=$(gcloud organizations list --format 'value(ID)') # list top level folders gcloud resource-manager folders list --organization=$ORG_ID # list sub folders given upper level folder id gcloud resource-manager folders list --organization=$FOLDER_ID # grant role to a user gcloud resource-manager folders add-iam-policy-binding $FOLDER_ID \ --member='user:[email protected]' --role='roles/editor' ``` ## billing ``` gcloud beta billing accounts list
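Review bot: on the `# list sub folders` line, `gcloud resource-manager folders list --organization=$FOLDER_ID` passes a folder ID where an organization ID is expected; sub-folders are listed with `--folder=$FOLDER_ID`. Separately, the example grant binds `roles/editor` to a user on the whole folder: a basic role that every current and future project beneath the folder inherits, which is the opposite of least privilege for a template people will copy. A predefined role scoped to the task (the later revision at the top of this list switches to `roles/resourcemanager.folderAdmin`) is the safer example to publish.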
pydevops revised this gist
Jan 29, 2020 . 1 changed file with 2 additions and 1 deletion.
@@ -117,7 +117,8 @@ fi ``` ## auth * https://stackoverflow.com/questions/53306131/difference-between-gcloud-auth-application-default-login-and-gcloud-auth-logi/53307505 * https://medium.com/google-cloud/local-remote-authentication-with-google-cloud-platform-afe3aa017b95 ``` gcloud auth list
pydevops revised this gist
Jan 29, 2020 . 1 changed file with 6 additions and 1 deletion.
@@ -78,7 +78,6 @@ gcloud config configurations create pythonrocks gcloud config configurations list gcloud config configurations activate pythonrocks gcloud config set core/account [email protected] gcloud projects list gcloud config set project mygcp-demo ``` @@ -118,10 +117,16 @@ fi ``` ## auth https://stackoverflow.com/questions/53306131/difference-between-gcloud-auth-application-default-login-and-gcloud-auth-logi/53307505 ``` gcloud auth list # to authenticate with a user identity (via web flow) which then authorizes gcloud and other SDK tools to access Google Cloud Platform. gcloud auth login # Service Account: to authenticate with a user identity (via a web flow) but using the credentials as a proxy for a service account. gcloud auth application-default login gcloud auth activate-service-account --key-file=sa_key.json # use GOOGLE_APPLICATION_CREDENTIALS pointing to JSON key ``` kubectl uses OAuth token generated by
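Review bot: in the second hunk (`@@ -118,10 +117,16 @@`), the comment `# Service Account: ... using the credentials as a proxy for a service account` above `gcloud auth application-default login` is misleading: that command obtains user credentials through the browser flow and writes them to the Application Default Credentials location, so code that would normally run under a service account picks up the user's identity instead; no service account is involved. Reword along the lines of `# ADC: store user credentials where client libraries look for Application Default Credentials (local stand-in for a service account)`. The following line, `gcloud auth activate-service-account --key-file=sa_key.json`, should say in its comment that the downloaded JSON key is a long-lived credential that must stay out of the repository, and that impersonation or a workload identity is preferable where the environment offers one.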