ranjeethap · July 9, 2019 15:27 · Jun 18, 2019 · Jun 18, 2019 · Jun 12, 2019 · Jun 9, 2019
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -278,6 +278,18 @@ gcloud compute ssh --verbosity=debug <instance_name> --command "kubectl get node
 
 gcloud compute scp  --recurse ../manifest <instance_name>:
 ```
+
+### SSH via IAP
+* https://cloud.google.com/iap/docs/using-tcp-forwarding
+
+```
+# find out access-config-name's name
+gcloud compute instances describe oregon1
+# remove the external IP
+gcloud compute instances delete-access-config  oregon1 --access-config-name "External NAT"
+# connect via IAP, assuming the IAP is granted to the account used for login. 
+gcloud beta compute ssh oregon1 --tunnel-through-iap
+```
 ### ssh port forwarding for elasticsearch
 ```
 gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1"  --ssh-flag="-L localhost:9200:localhost:9200"

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -14,6 +14,7 @@
 
 ## multiple gcloud config configurations
 * https://www.jhanley.com/google-cloud-understanding-gcloud-configurations/
+* https://medium.com/infrastructure-adventures/working-with-multiple-environment-in-gcloud-cli-93b2d4e8cf1e
 
 ```
 gcloud config configurations create pythonrocks

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -606,4 +606,8 @@ gcloud container clusters create k1 --network custom-ip-vpc --subnetwork subnet-
 ```
 brew install bat
 gcloud ml language analyze-entities --content="Michelangelo Caravaggio, Italian painter, is known for 'The Calling of Saint Matthew'." | bat  -l json
-```
+```
+
+## Deployment Manager
+* https://cloud.google.com/sdk/gcloud/reference/deployment-manager/deployments/
+Play with the commands for preview and cancel-preview. 
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -16,11 +16,13 @@
 * https://www.jhanley.com/google-cloud-understanding-gcloud-configurations/
 
 ```
-$gcloud config configurations list
-NAME           IS_ACTIVE  ACCOUNT                  PROJECT             DEFAULT_ZONE  DEFAULT_REGION
-default        False      [email protected]     operator  us-west1-b    us-west1
-someone  True       [email protected]  dev-env     us-west1-b    us-west1
-$gcloud config configurations activate default
+gcloud config configurations create pythonrocks
+gcloud config configurations list
+gcloud config configurations activate pythonrocks
+gcloud config set core/account [email protected]
+gcloud auth login
+gcloud projects list
+gcloud config set project dev-193420
 ```
 
 ### switch gcloud context with gcloud config

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -103,7 +103,16 @@ gcloud beta billing accounts list
 gcloud organizations list
 ```
 
-## service account
+## IAM list permission and roles for a given resource
+```
+gcloud iam list-testable-permissions <uri>
+gcloud iam list-grantable-roles <uri>
+
+# get uri e.g.
+gcloud projects list --uri
+```
+
+## IAM service account
 * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -203,7 +203,7 @@ gcloud kms keyrings add-iam-policy-binding $KEYRING_NAME \
 gcloud kms keyrings add-iam-policy-binding $KEYRING_NAME \
     --location global \
     --member user:$USER_EMAIL \
-    --role roles/cloudkms.admin
+    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
     
 # Encrypt and Decrypt in REST API
 curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locations/global/keyRings/$KEYRING_NAME/cryptoKeys/$CRYPTOKEY_NAME:encrypt" \

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -86,8 +86,9 @@ PROJECT_ID=$(gcloud config get-value core/project)
 PROJECT_ID=$(gcloud config list project --format='value(core.project)')
 PROJECT_ID=$(gcloud info --format='value(config.project)')
 
-# get project_number
-gcloud projects list --filter="name:${project_id}"  --format='value(project_number)'
+# get project_number given project_id or name
+gcloud projects list --filter="project_id:${project_id}"  --format='value(project_number)'
+gcloud projects list --filter="name:${project_name}"  --format='value(project_number)'
 ```
 
 ## zones

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -96,32 +96,33 @@ To return a list of zones given a region
 gcloud compute zones list --filter=region:us-central1
 ```
 
-
-
 ## billing
 ```
 gcloud beta billing accounts list
 gcloud organizations list
 ```
 
-## service account and IAM
+## service account
 * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 
-### List IAM policy on the project level
-```
-gcloud projects get-iam-policy <project_id>
 ```
-### service account level
-```
-# creaate jenkins sa
-gcloud iam service-accounts create jenkins --display-name jenkins
-
 export SA_EMAIL=$(gcloud iam service-accounts list \
     --filter="displayName:jenkins" --format='value(email)')
 export PROJECT=$(gcloud info --format='value(config.project)')
 
-gcloud projects add-iam-policy-binding $PROJECT \
-    --role roles/storage.admin --member serviceAccount:$SA_EMAIL
+# creaate and list sa
+gcloud iam service-accounts create jenkins --display-name jenkins
+gcloud iam service-accounts list
+gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --format='table(email)'
+
+# create & list sa key  
+gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL    
+gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com
+
+# project level: grant roles to sa
+gcloud projects get-iam-policy $PROJECT
+gcloud projects add-iam-policy-binding $PROJECT  --role roles/storage.admin \
+    --member serviceAccount:$SA_EMAIL
 gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.instanceAdmin.v1 \
     --member serviceAccount:$SA_EMAIL
 gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.networkAdmin \
@@ -130,20 +131,9 @@ gcloud projects add-iam-policy-binding $PROJECT --role roles/compute.securityAdm
     --member serviceAccount:$SA_EMAIL
 gcloud projects add-iam-policy-binding $PROJECT --role roles/iam.serviceAccountActor \
     --member serviceAccount:$SA_EMAIL
-    
-# create service account key    
-gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL    
-```
 
-```
-gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com
-gcloud iam service-accounts list
+# service account level: add role to service account
 gcloud iam service-accounts get-iam-policy <sa_email>
-
-# get the compute engine account 
-gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --format='table(email)'
-
-# add role to service account
 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor'
 ```
 
@@ -153,7 +143,7 @@ COMPUTE_ENGINE_SA_EMAIL=$(gcloud iam service-accounts list --filter="name:Comput
 gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://bucket-name
 ```
 
-## Custom Roles
+### Custom Roles
 ```
 # list predefined roles
 gcloud iam roles list

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -160,9 +160,9 @@ gcloud iam roles list
 # list custom roles
 gcloud iam roles list --project $PROJECT_ID
 
-# create custom role in 2 ways
+# create custom role in the following 2 ways, either on project level (--project [PROJECT_ID]) or org level (--organization [ORGANIZATION_ID])
 1. gcloud iam roles create editor --project $PROJECT_ID --file role-definition.yaml
-2. gcloud iam roles create viewer --project $DEVSHELL_PROJECT_ID --title "Role Viewer" --description "Custom role description." --permissions compute.instances.get,compu
+2. gcloud iam roles create viewer --project $PROJECT_ID --title "Role Viewer" --description "Custom role description." --permissions compute.instances.get,compu
 te.instances.list --stage ALPHA
 ```
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -78,8 +78,6 @@ gcloud info --format flattened
 export PROJECT=$(gcloud info --format='value(config.project)')
 ```
 
-
-
 ## projects
 
 ```
@@ -155,6 +153,19 @@ COMPUTE_ENGINE_SA_EMAIL=$(gcloud iam service-accounts list --filter="name:Comput
 gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://bucket-name
 ```
 
+## Custom Roles
+```
+# list predefined roles
+gcloud iam roles list
+# list custom roles
+gcloud iam roles list --project $PROJECT_ID
+
+# create custom role in 2 ways
+1. gcloud iam roles create editor --project $PROJECT_ID --file role-definition.yaml
+2. gcloud iam roles create viewer --project $DEVSHELL_PROJECT_ID --title "Role Viewer" --description "Custom role description." --permissions compute.instances.get,compu
+te.instances.list --stage ALPHA
+```
+
 ## app engine
 * https://medium.com/google-cloud/app-engine-project-cleanup-9647296e796a
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -583,6 +583,12 @@ gcloud beta container clusters create run-gke \
 ```
 
 
+```
+# create a VPC native cluster
+gcloud container clusters create k1 --network custom-ip-vpc --subnetwork subnet-alias  --enable-ip-alias --cluster-ipv4-cidr=/16   --services-ipv4-cidr=/22
+```
+
+
 ## Machine Learning
 ```
 brew install bat

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -12,17 +12,53 @@
 ## Other cheatsheets
 * https://github.com/dennyzhang/cheatsheet-gcp-A4
 
-## multiple gcloud config
+## multiple gcloud config configurations
+* https://www.jhanley.com/google-cloud-understanding-gcloud-configurations/
 
 ```
 $gcloud config configurations list
 NAME           IS_ACTIVE  ACCOUNT                  PROJECT             DEFAULT_ZONE  DEFAULT_REGION
 default        False      [email protected]     operator  us-west1-b    us-west1
 someone  True       [email protected]  dev-env     us-west1-b    us-west1
-
 $gcloud config configurations activate default
 ```
 
+### switch gcloud context with gcloud config
+```
+gcloud config list
+gcloud config set account [email protected] 
+gcloud config set project salt-163215
+gcloud config set compute/region us-west1
+gcloud config set compute/zone us-west1-a
+alias demo='gcloud config set account [email protected] && gcloud config set project salt-163215 && gcloud config set compute/region us-west1 && gcloud config set compute/zone us-west1-a'
+
+
+cluster=$(gcloud config get-value container/cluster 2> /dev/null)
+zone=$(gcloud config get-value compute/zone 2> /dev/null)
+project=$(gcloud config get-value core/project 2> /dev/null)
+
+# switch project based on the name
+gcloud config set project $(gcloud projects list --filter='name:wordpress-dev' --format='value(project_id)')
+
+# get the GKE cluster endpoint
+gcloud container clusters describe mycluster --zone $(gcloud config get-value compute/zone) --format='get(endpoint)'
+```
+
+```
+command -v gcloud >/dev/null 2>&1 || { \
+ echo >&2 "I require gcloud but it's not installed.  Aborting."; exit 1; }
+
+REGION=$(gcloud config get-value compute/region)
+if [[ -z "${REGION}" ]]; then
+    echo "https://cloud.google.com/compute/docs/regions-zones/changing-default-zone-region" 1>&2
+    echo "gcloud cli must be configured with a default region." 1>&2
+    echo "run 'gcloud config set compute/region REGION'." 1>&2
+    echo "replace 'REGION' with the region name like us-west1." 1>&2
+    exit 1;
+fi
+
+```
+
 ## auth
 ```
 gcloud auth list
@@ -62,42 +98,7 @@ To return a list of zones given a region
 gcloud compute zones list --filter=region:us-central1
 ```
 
-## switch gcloud context with gcloud config
-```
-gcloud config list
-gcloud config configurations list
-gcloud config set account [email protected] 
-gcloud config set project salt-163215
-gcloud config set compute/region us-west1
-gcloud config set compute/zone us-west1-a
-alias demo='gcloud config set account [email protected] && gcloud config set project salt-163215 && gcloud config set compute/region us-west1 && gcloud config set compute/zone us-west1-a'
-
-
-cluster=$(gcloud config get-value container/cluster 2> /dev/null)
-zone=$(gcloud config get-value compute/zone 2> /dev/null)
-project=$(gcloud config get-value core/project 2> /dev/null)
-
-# switch project based on the name
-gcloud config set project $(gcloud projects list --filter='name:wordpress-dev' --format='value(project_id)')
-
-# get the GKE cluster endpoint
-gcloud container clusters describe mycluster --zone $(gcloud config get-value compute/zone) --format='get(endpoint)'
-```
-
-```
-command -v gcloud >/dev/null 2>&1 || { \
- echo >&2 "I require gcloud but it's not installed.  Aborting."; exit 1; }
 
-REGION=$(gcloud config get-value compute/region)
-if [[ -z "${REGION}" ]]; then
-    echo "https://cloud.google.com/compute/docs/regions-zones/changing-default-zone-region" 1>&2
-    echo "gcloud cli must be configured with a default region." 1>&2
-    echo "run 'gcloud config set compute/region REGION'." 1>&2
-    echo "replace 'REGION' with the region name like us-west1." 1>&2
-    exit 1;
-fi
-
-```
 
 ## billing
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -42,11 +42,7 @@ gcloud info --format flattened
 export PROJECT=$(gcloud info --format='value(config.project)')
 ```
 
-## zones
-To return a list of zones given a region
-```
-gcloud compute zones list --filter=region:us-central1
-```
+
 
 ## projects
 
@@ -59,10 +55,11 @@ PROJECT_ID=$(gcloud info --format='value(config.project)')
 # get project_number
 gcloud projects list --filter="name:${project_id}"  --format='value(project_number)'
 ```
-## billing
+
+## zones
+To return a list of zones given a region
 ```
-gcloud beta billing accounts list
-gcloud organizations list
+gcloud compute zones list --filter=region:us-central1
 ```
 
 ## switch gcloud context with gcloud config
@@ -76,7 +73,6 @@ gcloud config set compute/zone us-west1-a
 alias demo='gcloud config set account [email protected] && gcloud config set project salt-163215 && gcloud config set compute/region us-west1 && gcloud config set compute/zone us-west1-a'
 
 
-
 cluster=$(gcloud config get-value container/cluster 2> /dev/null)
 zone=$(gcloud config get-value compute/zone 2> /dev/null)
 project=$(gcloud config get-value core/project 2> /dev/null)
@@ -103,6 +99,12 @@ fi
 
 ```
 
+## billing
+```
+gcloud beta billing accounts list
+gcloud organizations list
+```
+
 ## service account and IAM
 * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -364,6 +364,8 @@ gcloud compute routes create no-ip-internet-route \
     --tags no-ip --priority 800
 ```
 ### firewall rules
+* https://medium.com/@swongra/protect-your-google-cloud-instances-with-firewall-rules-69cce960fba
+
 ```
 # allow SSH, RDP and ICMP for the given network
 gcloud compute firewall-rules create managementnet-allow-icmp-ssh-rdp --direction=INGRESS --priority=1000 --network=managementnet --action=ALLOW --rules=tcp:22,3389,icmp --source-ranges=0.0.0.0/0

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -380,6 +380,9 @@ gcloud compute firewall-rules create mynetwork-deny-icmp \
 gcloud compute firewall-rules list \
 --filter="network:mynetwork AND name=mynetwork-deny-icmp"
 
+# sort-by
+gcloud compute firewall-rules list --sort-by=NETWORK
+
 ```
 
 ### layer 4 network lb

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -365,22 +365,19 @@ gcloud compute routes create no-ip-internet-route \
 ```
 ### firewall rules
 ```
-## ALLOW
-gcloud beta compute firewall-rules create mynetwork-allow-icmp --network mynetwork \
---action ALLOW --direction INGRESS --rules icmp
-gcloud beta compute firewall-rules create mynetwork-allow-ssh --network mynetwork \
---action ALLOW --direction INGRESS --rules tcp:22
-gcloud beta compute firewall-rules create mynetwork-allow-internal --network \
+# allow SSH, RDP and ICMP for the given network
+gcloud compute firewall-rules create managementnet-allow-icmp-ssh-rdp --direction=INGRESS --priority=1000 --network=managementnet --action=ALLOW --rules=tcp:22,3389,icmp --source-ranges=0.0.0.0/0
+# allow internal from given source range
+gcloud compute firewall-rules create mynetwork-allow-internal --network \
 mynetwork --action ALLOW --direction INGRESS --rules all \
 --source-ranges 10.128.0.0/9
-gcloud beta compute firewall-rules list \
---filter="network:mynetwork"
+gcloud compute firewall-rules list --filter="network:mynetwork"
 
 ## DENY
-gcloud beta compute firewall-rules create mynetwork-deny-icmp \
+gcloud compute firewall-rules create mynetwork-deny-icmp \
 --network mynetwork --action DENY --direction EGRESS --rules icmp \
 --destination-ranges 10.132.0.2 --priority 500
-gcloud beta compute firewall-rules list \
+gcloud compute firewall-rules list \
 --filter="network:mynetwork AND name=mynetwork-deny-icmp"
 
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -343,6 +343,14 @@ Use [gcloud compute operations describe URI] command to check the status of the
 
 ## Networking
 
+### network and subnets
+```
+ gcloud compute networks create privatenet --subnet-mode=custom
+ gcloud compute networks subnets create privatesubnet-us --network=privatenet --region=us-central1 --range=172.16.0.0/24
+ gcloud compute networks subnets create privatesubnet-eu --network=privatenet --region=europe-west1 --range=172.20.0.0/20
+ gcloud compute networks subnets list --sort-by=NETWORK
+```
+
 ### route
 tag the instances with `no-ips`
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -558,6 +558,18 @@ gcloud beta container clusters create private-cluster2 \
     --master-authorized-networks <external_ip_of_kubectl_instance>
 ```
 
+```
+# create a GKE cluster with CloudRun,Istio, HPA enabled
+gcloud beta container clusters create run-gke \
+  --addons HorizontalPodAutoscaling,HttpLoadBalancing,Istio,CloudRun \
+  --scopes cloud-platform \
+  --zone us-central1-a \
+  --machine-type n1-standard-4 \
+  --enable-stackdriver-kubernetes \
+  --no-enable-ip-alias
+```
+
+
 ## Machine Learning
 ```
 brew install bat

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -213,19 +213,90 @@ curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locati
   -H "Content-Type:application/json" \
 | jq .plaintext -r | base64 -d    
 ```
+## compute engine
 
-## gcloud command for creating an instance? 
+### gcloud command for creating an instance? 
 from web console
 ```
 gcloud compute instances create [INSTANCE_NAME] \
   --image-family [IMAGE_FAMILY] \
   --image-project [IMAGE_PROJECT] \
   --create-disk image=[DISK_IMAGE],image-project=[DISK_IMAGE_PROJECT],size=[SIZE_GB],type=[DISK_TYPE]
   
-gcloud beta compute --project=victory-demo-dev instances create micro1 --zone=us-west1-a --machine-type=f1-micro --subnet=default --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=398028291895-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append --min-cpu-platform=Automatic --image=debian-9-stretch-v20180510 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=micro1
+gcloud compute instances create micro1 --zone=us-west1-a --machine-type=f1-micro --subnet=default --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=398028291895-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append --min-cpu-platform=Automatic --image=debian-9-stretch-v20180510 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=micro1
 ```
 
-## instances, template, target-pool and instance group
+### list compute images
+```
+gcloud compute images list --filter=name:debian --uri
+https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-8-jessie-v20180109
+https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-9-stretch-v20180105
+
+# Use the following command to see available non-Shielded VM Windows Server images
+gcloud compute images list --project windows-cloud --no-standard-images
+# Use the following command to see a list of available Shielded VM images, including Windows images
+gcloud compute images list --project gce-uefi-images --no-standard-images
+```
+
+### list an instance 
+* [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters)
+* [resource-keys](https://cloud.google.com/sdk/gcloud/reference/topic/resource-keys)
+
+```
+gcloud compute instances list --filter="zone:us-central1-a"
+gcloud compute instances list --project=dev --filter="name~^es"
+gcloud compute instances list --project=dev --filter=name:kafka --format="value(name,INTERNAL_IP)"
+gcloud compute instances list --filter=tags:kafka-node
+gcloud compute instances list --filter='machineType:g1-small'
+```
+
+### move instance
+`gcloud compute instances move <instance_wanna_move> --destination-zone=us-central1-a --zone=us-central1-c`
+
+### ssh & scp
+```
+#--verbosity=debug is great for debugging, showing the SSH command 
+# the following is a real word example for running a bastion server that talks to a GKE cluster (master authorized network)
+gcloud compute ssh --verbosity=debug <instance_name> --command "kubectl get nodes"
+
+gcloud compute scp  --recurse ../manifest <instance_name>:
+```
+### ssh port forwarding for elasticsearch
+```
+gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1"  --ssh-flag="-L localhost:9200:localhost:9200"
+```
+The 2nd `localhost` is relative to  elasticsearch-1`
+
+### ssh reverse port forwarding 
+for example, how to connect to home server's flask server (tcp port 5000) for a demo or a local game server in development
+```
+GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project)
+gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh-flag="-v -N -R :5000:localhost:5000" "google_cloud_bastion_server"
+```
+
+### generate ssh config 
+```
+gcloud compute config-ssh
+```
+
+### debugging
+gcloud debugging: `gcloud  compute instances list --log-http`
+[serial port debug](https://cloud.google.com/compute/docs/instances/interacting-with-serial-console)
+
+
+### instance level metadata
+```
+curl -s "http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
+leader=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/attributes/leader" -H "Metadata-Flavor: Google")
+```
+
+### project level metadata
+```
+gcloud compute project-info describe
+gcloud compute project-info describe --flatten="commonInstanceMetadata[]"
+```
+
+### instances, template, target-pool and instance group
 ```
 cat << EOF > startup.sh
 #! /bin/bash
@@ -258,6 +329,19 @@ gcloud compute instance-templates create nat-2 \
     --machine-type n1-standard-2 --can-ip-forward --tags natgw \
     --metadata-from-file=startup-script=startup.sh  --address $nat_2_ip
 ```
+### disk snapshot
+```
+gcloud compute disks snapshot kafka-data1-1 --async --snapshot-names=kafka-data-1 --project project_a --zone us-west1-a
+Use [gcloud compute operations describe URI] command to check the status of the operation(s).
+```
+
+### regional disk
+```
+ gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional
+```
+
+
+## Networking
 
 ### route
 tag the instances with `no-ips`
@@ -271,7 +355,7 @@ gcloud compute routes create no-ip-internet-route \
     --next-hop-instance-zone us-central1-a \
     --tags no-ip --priority 800
 ```
-## firewall rules
+### firewall rules
 ```
 ## ALLOW
 gcloud beta compute firewall-rules create mynetwork-allow-icmp --network mynetwork \
@@ -293,8 +377,7 @@ gcloud beta compute firewall-rules list \
 
 ```
 
-
-## layer 4 network lb
+### layer 4 network lb
 ```
 gcloud compute firewall-rules create www-firewall --allow tcp:80
 gcloud compute forwarding-rules create nginx-lb \
@@ -306,7 +389,7 @@ gcloud compute firewall-rules list --sort-by=NETWORK
 
 ```
 
-## layer 7 http lb
+### layer 7 http lb
 * https://cloud.google.com/solutions/scalable-and-resilient-apps
 
 ```
@@ -337,14 +420,14 @@ gcloud compute forwarding-rules list
 
 ```
 
-## forwarding-rules
+### forwarding-rules
 ```
 gcloud compute forwarding-rules list --filter=$(dig +short <dns_name>)
 gcloud compute forwarding-rules describe my-forwardingrule --region us-central1
 gcloud compute forwarding-rules describe my-http-forwardingrule --global
 ```
 
-## address
+### address
 ```
 # get the external IP address of the instance
 gcloud compute instances describe single-node \
@@ -357,84 +440,6 @@ gcloud projects list --format='value(project_id)' | xargs -I {} gcloud compute a
 ```
 
 
-## compute engine image
-```
-gcloud compute images list --filter=name:debian --uri
-https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-8-jessie-v20180109
-https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-9-stretch-v20180105
-```
-
-## list an instance 
-* [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters)
-* [resource-keys](https://cloud.google.com/sdk/gcloud/reference/topic/resource-keys)
-
-```
-gcloud compute instances list --filter="zone:us-central1-a"
-gcloud compute instances list --project=dev --filter="name~^es"
-gcloud compute instances list --project=dev --filter=name:kafka --format="value(name,INTERNAL_IP)"
-gcloud compute instances list --filter=tags:kafka-node
-gcloud compute instances list --filter='machineType:g1-small'
-```
-
-## move instance
-`gcloud compute instances move <instance_wanna_move> --destination-zone=us-central1-a --zone=us-central1-c`
-
-## ssh & scp
-```
-#--verbosity=debug is great for debugging, showing the SSH command 
-# the following is a real word example for running a bastion server that talks to a GKE cluster (master authorized network)
-gcloud compute ssh --verbosity=debug <instance_name> --command "kubectl get nodes"
-
-gcloud compute scp  --recurse ../manifest <instance_name>:
-```
-### ssh port forwarding for elasticsearch
-```
-gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1"  --ssh-flag="-L localhost:9200:localhost:9200"
-```
-The 2nd `localhost` is relative to  elasticsearch-1`
-
-### ssh reverse port forwarding 
-for example, how to connect to home server's flask server (tcp port 5000) for a demo or a local game server in development
-```
-GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project)
-gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh-flag="-v -N -R :5000:localhost:5000" "google_cloud_bastion_server"
-```
-
-### generate ssh config 
-```
-gcloud compute config-ssh
-```
-
-## serial port debug
-* https://cloud.google.com/compute/docs/instances/interacting-with-serial-console
-
-## disk snapshot
-```
-gcloud compute disks snapshot kafka-data1-1 --async --snapshot-names=kafka-data-1 --project project_a --zone us-west1-a
-Use [gcloud compute operations describe URI] command to check the status of the operation(s).
-```
-
-## regional disk
-```
- gcloud beta compute instance attach-disk micro1 --disk pd-west1 --disk-scope regional
-```
-
-## debugging
-```
-gcloud  compute instances list --log-http
-```
-
-## instance level metadata
-```
-curl -s "http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
-leader=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/attributes/leader" -H "Metadata-Flavor: Google")
-```
-
-## project level metadata
-```
-gcloud compute project-info describe
-gcloud compute project-info describe --flatten="commonInstanceMetadata[]"
-```
 
 ## GCP managed ssl certificate
 ```

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -217,6 +217,11 @@ curl -v "https://cloudkms.googleapis.com/v1/projects/$DEVSHELL_PROJECT_ID/locati
 ## gcloud command for creating an instance? 
 from web console
 ```
+gcloud compute instances create [INSTANCE_NAME] \
+  --image-family [IMAGE_FAMILY] \
+  --image-project [IMAGE_PROJECT] \
+  --create-disk image=[DISK_IMAGE],image-project=[DISK_IMAGE_PROJECT],size=[SIZE_GB],type=[DISK_TYPE]
+  
 gcloud beta compute --project=victory-demo-dev instances create micro1 --zone=us-west1-a --machine-type=f1-micro --subnet=default --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=398028291895-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append --min-cpu-platform=Automatic --image=debian-9-stretch-v20180510 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=micro1
 ```
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -446,7 +446,14 @@ gcloud beta compute target-https-proxies list
 gcloud logging read "timestamp >= \"2018-04-19T00:30:00Z\"  and logName=projects/${project_id}/logs/requests and resource.type=http_load_balancer" --format="csv(httpRequest.remoteIp,httpRequest.requestUrl,timestamp)" --project=${project_id}
 ```
 
-## Enable Service
+## Service
+
+### list service available
+
+`gcloud services list --available`
+
+### Enable Service 
+
 ```
 # chain 
 gcloud services enable cloudapis.googleapis.com && \

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -428,6 +428,7 @@ leader=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/at
 ## project level metadata
 ```
 gcloud compute project-info describe
+gcloud compute project-info describe --flatten="commonInstanceMetadata[]"
 ```
 
 ## GCP managed ssl certificate

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -289,7 +289,7 @@ gcloud beta compute firewall-rules list \
 ```
 
 
-## layer 3 network lb
+## layer 4 network lb
 ```
 gcloud compute firewall-rules create www-firewall --allow tcp:80
 gcloud compute forwarding-rules create nginx-lb \
@@ -341,11 +341,17 @@ gcloud compute forwarding-rules describe my-http-forwardingrule --global
 
 ## address
 ```
+# get the external IP address of the instance
+gcloud compute instances describe single-node \
+     --format='value(networkInterfaces.accessConfigs[0].natIP)
+     
 gcloud compute addresses describe https-lb --global --format json
 
 # list all IP addresses
 gcloud projects list --format='value(project_id)' | xargs -I {} gcloud compute addresses list --format='value(address)' --project {}  2>/dev/null | sort | uniq -c
 ```
+
+
 ## compute engine image
 ```
 gcloud compute images list --filter=name:debian --uri

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -7,6 +7,7 @@
 * [gcloud alpha interactive](http://cloudplatform.googleblog.com/2018/03/introducing-GCPs-new-interactive-CLI.html)
 * https://medium.com/@Joachim8675309/getting-started-with-gcloud-sdk-part-1-114924737
 * https://medium.com/@Joachim8675309/getting-started-with-gcloud-sdk-part-2-4d049a656f1a
+* https://gist.github.com/bborysenko/97749fe0514b819a5a87611e6aea3db8
 
 ## Other cheatsheets
 * https://github.com/dennyzhang/cheatsheet-gcp-A4

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -532,3 +532,9 @@ gcloud beta container clusters create private-cluster2 \
     --enable-master-authorized-networks \
     --master-authorized-networks <external_ip_of_kubectl_instance>
 ```
+
+## Machine Learning
+```
+brew install bat
+gcloud ml language analyze-entities --content="Michelangelo Caravaggio, Italian painter, is known for 'The Calling of Saint Matthew'." | bat  -l json
+```
diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -14,11 +14,11 @@
 ## multiple gcloud config
 
 ```
-gcloud config configurations list
+$gcloud config configurations list
 NAME           IS_ACTIVE  ACCOUNT                  PROJECT             DEFAULT_ZONE  DEFAULT_REGION
 default        False      [email protected]     operator  us-west1-b    us-west1
 someone  True       [email protected]  dev-env     us-west1-b    us-west1
-~/.config/gcloud/configurations
+
 $gcloud config configurations activate default
 ```
 

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -11,6 +11,17 @@
 ## Other cheatsheets
 * https://github.com/dennyzhang/cheatsheet-gcp-A4
 
+## multiple gcloud config
+
+```
+gcloud config configurations list
+NAME           IS_ACTIVE  ACCOUNT                  PROJECT             DEFAULT_ZONE  DEFAULT_REGION
+default        False      [email protected]     operator  us-west1-b    us-west1
+someone  True       [email protected]  dev-env     us-west1-b    us-west1
+~/.config/gcloud/configurations
+$gcloud config configurations activate default
+```
+
 ## auth
 ```
 gcloud auth list

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -93,6 +93,12 @@ fi
 
 ## service account and IAM
 * [When granting IAM roles, you can treat a service account either as a resource or as an identity](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts)
+
+### List IAM policy on the project level
+```
+gcloud projects get-iam-policy <project_id>
+```
+### service account level
 ```
 # creaate jenkins sa
 gcloud iam service-accounts create jenkins --display-name jenkins
@@ -118,7 +124,6 @@ gcloud iam service-accounts keys create jenkins-sa.json --iam-account $SA_EMAIL
 
 ```
 gcloud iam service-accounts keys list --iam-account=vault-admin@<project_id>.iam.gserviceaccount.com
-gcloud projects get-iam-policy <project_id>
 gcloud iam service-accounts list
 gcloud iam service-accounts get-iam-policy <sa_email>
 
@@ -128,6 +133,8 @@ gcloud iam service-accounts list   --filter='email ~ [0-9]*-compute@.*'   --form
 # add role to service account
 gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' --role='roles/iam.serviceAccountActor'
 ```
+
+### GCS bucket level
 ```
 COMPUTE_ENGINE_SA_EMAIL=$(gcloud iam service-accounts list --filter="name:Compute Engine default service account" --format "value(email)")
 gsutil iam ch serviceAccount:${COMPUTE_ENGINE_SA_EMAIL}:objectViewer gs://bucket-name

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -363,6 +363,13 @@ gcloud compute --project "foo" ssh --zone "us-central1-c" "elasticsearch-1"  --s
 ```
 The 2nd `localhost` is relative to  elasticsearch-1`
 
+### ssh reverse port forwarding 
+for example, how to connect to home server's flask server (tcp port 5000) for a demo or a local game server in development
+```
+GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project)
+gcloud compute --project "${GOOGLE_CLOUD_PROJECT}" ssh --zone "us-west1-c" --ssh-flag="-v -N -R :5000:localhost:5000" "google_cloud_bastion_server"
+```
+
 ### generate ssh config 
 ```
 gcloud compute config-ssh

diff --git a/gcloud_cheat_sheet.md b/gcloud_cheat_sheet.md
@@ -1,12 +1,16 @@
+## References
 * [have fun with them](https://cloudplatform.googleblog.com/2016/06/filtering-and-formatting-fun-with.html)
 * [projections](https://cloud.google.com/sdk/gcloud/reference/topic/projections)
 * [filters](https://cloud.google.com/sdk/gcloud/reference/topic/filters)
 * [resource-keys](https://cloud.google.com/sdk/gcloud/reference/topic/resource-keys)
 * [scripting-gcloud](https://cloud.google.com/sdk/docs/scripting-gcloud)
-* http://cloudplatform.googleblog.com/2018/03/introducing-GCPs-new-interactive-CLI.html
+* [gcloud alpha interactive](http://cloudplatform.googleblog.com/2018/03/introducing-GCPs-new-interactive-CLI.html)
 * https://medium.com/@Joachim8675309/getting-started-with-gcloud-sdk-part-1-114924737
 * https://medium.com/@Joachim8675309/getting-started-with-gcloud-sdk-part-2-4d049a656f1a
 
+## Other cheatsheets
+* https://github.com/dennyzhang/cheatsheet-gcp-A4
+
 ## auth
 ```
 gcloud auth list