
gcloud

Elios-FPT
Updated today

About

This Claude Skill provides comprehensive guidance for implementing and using the Google Cloud SDK (gcloud CLI) to manage Google Cloud resources. Use it for installing/configuring gcloud, authenticating with Google Cloud, deploying applications, and working with services like Compute Engine and GKE. It's particularly helpful for scripting operations, implementing CI/CD pipelines, and troubleshooting Google Cloud deployments.

Skill documentation

Google Cloud SDK (gcloud) Skill

Comprehensive guide for working with the Google Cloud SDK (gcloud CLI) - the primary command-line interface for interacting with Google Cloud Platform services, managing resources, and automating cloud operations.

When to Use This Skill

Use this skill when you need to:

  • Install and configure the Google Cloud SDK
  • Authenticate with Google Cloud (user accounts, service accounts, ADC)
  • Initialize gcloud and set up projects/configurations
  • Manage multiple Google Cloud projects and environments
  • Deploy applications to GCP (Compute Engine, GKE, App Engine, Cloud Run)
  • Work with Cloud Storage, databases, and other GCP services
  • Script gcloud commands for automation and CI/CD pipelines
  • Troubleshoot authentication, authorization, or deployment issues
  • Optimize gcloud command performance and output formatting
  • Implement security best practices for cloud operations

Core Concepts

The gcloud CLI

Architecture:

  • Command Structure: gcloud + [release-level] + component + entity + operation + [args] + [flags]
  • Release Levels: alpha, beta, GA (general availability)
  • Components: compute, container, app, sql, iam, config, auth, storage, etc.
  • Global Flags: --project, --format, --filter, --quiet, --verbosity

Key Features:

  • Unified CLI for 100+ Google Cloud services
  • Consistent command patterns across all services
  • Rich output formatting (JSON, YAML, CSV, table)
  • Built-in filtering and server-side query optimization
  • Interactive and non-interactive modes for automation

Authentication vs Authorization

Authentication (Who you are):

  • User accounts (developers, admins)
  • Service accounts (applications, automation)
  • Application Default Credentials (ADC)
  • OAuth 2.0, API keys, workload/workforce identity federation

Authorization (What you can do):

  • IAM roles and permissions
  • Service account impersonation
  • Resource-level access control

Configuration Management

Named Configurations:

  • Multiple configuration profiles for different environments
  • Each configuration stores: account, project, region, zone, and other properties
  • Switch between configurations instantly

Properties:

  • 50+ configurable properties across 7 categories
  • Precedence: CLI flags > env vars > config files > defaults

I. INSTALLATION & SETUP

A. Installation Methods

Linux (Archive Installation)

# Download (choose architecture)
curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz

# Extract
tar -xf google-cloud-cli-linux-x86_64.tar.gz

# Install
./google-cloud-sdk/install.sh

# Initialize
./google-cloud-sdk/bin/gcloud init

Debian/Ubuntu (Package Manager)

# Add repo
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list

# Import key (apt-key is deprecated; write the dearmored key to the keyring named in signed-by)
curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg

# Install
sudo apt-get update && sudo apt-get install google-cloud-cli

macOS

# Download installer
curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-arm.tar.gz

# Extract and install
tar -xf google-cloud-cli-darwin-arm.tar.gz
./google-cloud-sdk/install.sh

Windows

# Download installer from https://cloud.google.com/sdk/docs/install
# Run GoogleCloudSDKInstaller.exe
# Follow installation wizard

B. Initialization

# Interactive setup (recommended for first-time)
gcloud init

# What it does:
# 1. Opens browser for OAuth authentication
# 2. Selects or creates a project
# 3. Sets default configuration (region, zone)
# 4. Stores credentials

# Non-interactive (CI/CD environments)
gcloud auth activate-service-account --key-file=key.json
gcloud config set project PROJECT_ID
gcloud config set compute/region us-central1
gcloud config set compute/zone us-central1-a

C. Components

# List available components
gcloud components list

# Install additional components
gcloud components install kubectl        # Kubernetes CLI
gcloud components install app-engine-python  # App Engine
gcloud components install cloud-sql-proxy    # Cloud SQL Proxy
gcloud components install pubsub-emulator    # Pub/Sub emulator

# Update all components
gcloud components update

# Remove component
gcloud components remove COMPONENT_ID

Core Components (installed by default):

  • gcloud - Main CLI
  • gsutil - Cloud Storage utility
  • bq - BigQuery CLI
  • core - Core libraries

II. AUTHENTICATION & AUTHORIZATION

A. Authentication Methods

1. User Account (OAuth 2.0)

# Login with browser
gcloud auth login

# Login without browser (remote/headless)
gcloud auth login --no-browser

# Login with specific account
gcloud auth login EMAIL

# List authenticated accounts
gcloud auth list

# Switch active account
gcloud config set account EMAIL

# Revoke credentials
gcloud auth revoke EMAIL

2. Service Account

# Activate service account with key file
gcloud auth activate-service-account SA_EMAIL --key-file=path/to/key.json

# Create service account
gcloud iam service-accounts create SA_NAME \
  --display-name="Service Account Display Name"

# Create and download key
gcloud iam service-accounts keys create key.json \
  --iam-account=SA_EMAIL

# Grant IAM role
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:SA_EMAIL" \
  --role="roles/compute.admin"

3. Application Default Credentials (ADC)

# Setup ADC for client libraries
gcloud auth application-default login

# Setup ADC with service account impersonation
gcloud auth application-default login \
  --impersonate-service-account=SA_EMAIL

# Revoke ADC
gcloud auth application-default revoke

# ADC Search Order:
# 1. GOOGLE_APPLICATION_CREDENTIALS environment variable
# 2. ~/.config/gcloud/application_default_credentials.json
# 3. Metadata server (on GCP resources)

4. Service Account Impersonation (Recommended for Production)

# Impersonate for single command
gcloud compute instances list \
  --impersonate-service-account=SA_EMAIL

# Set default impersonation
gcloud config set auth/impersonate_service_account SA_EMAIL

# Verify impersonation
gcloud config get-value auth/impersonate_service_account

# Clear impersonation
gcloud config unset auth/impersonate_service_account

Why Impersonation?

  • Short-lived temporary credentials (no persistent key risk)
  • No need to distribute service account keys
  • Centralized permission management
  • Easy to audit and rotate

B. Configuration Profiles

Create and Manage Configurations

# Create new configuration
gcloud config configurations create dev

# List all configurations
gcloud config configurations list

# Activate configuration
gcloud config configurations activate dev

# Switch configuration for single command
gcloud compute instances list --configuration=prod

# Set properties
gcloud config set project my-project-dev
gcloud config set compute/region us-central1
gcloud config set compute/zone us-central1-a

# View all properties
gcloud config list

# Unset property
gcloud config unset compute/zone

# Delete configuration
gcloud config configurations delete dev

Multi-Environment Pattern

# Development environment
gcloud config configurations create dev
gcloud config set project my-project-dev
gcloud config set account EMAIL
gcloud config set compute/region us-central1

# Staging environment
gcloud config configurations create staging
gcloud config set project my-project-staging
gcloud config set auth/impersonate_service_account STAGING_SA_EMAIL

# Production environment
gcloud config configurations create prod
gcloud config set project my-project-prod
gcloud config set auth/impersonate_service_account PROD_SA_EMAIL

# Switch environments
gcloud config configurations activate dev
gcloud config configurations activate prod

III. COMMON WORKFLOWS

A. Project Management

# List projects
gcloud projects list

# Create project
gcloud projects create PROJECT_ID --name="Project Name"

# Set active project
gcloud config set project PROJECT_ID

# Get current project
gcloud config get-value project

# Enable API
gcloud services enable compute.googleapis.com
gcloud services enable container.googleapis.com

# List enabled APIs
gcloud services list

# Describe project
gcloud projects describe PROJECT_ID

B. Compute Engine

# List instances
gcloud compute instances list

# Create instance
gcloud compute instances create my-instance \
  --zone=us-central1-a \
  --machine-type=e2-medium \
  --image-family=debian-11 \
  --image-project=debian-cloud \
  --boot-disk-size=10GB

# SSH into instance
gcloud compute ssh my-instance --zone=us-central1-a

# Copy files
gcloud compute scp local-file.txt my-instance:~/remote-file.txt \
  --zone=us-central1-a

# Stop instance
gcloud compute instances stop my-instance --zone=us-central1-a

# Delete instance
gcloud compute instances delete my-instance --zone=us-central1-a

C. Google Kubernetes Engine (GKE)

# Create cluster
gcloud container clusters create my-cluster \
  --zone=us-central1-a \
  --num-nodes=3 \
  --machine-type=e2-medium

# Get cluster credentials
gcloud container clusters get-credentials my-cluster --zone=us-central1-a

# List clusters
gcloud container clusters list

# Resize cluster
gcloud container clusters resize my-cluster \
  --num-nodes=5 \
  --zone=us-central1-a

# Delete cluster
gcloud container clusters delete my-cluster --zone=us-central1-a

D. Cloud Storage

# Create bucket
gsutil mb gs://my-bucket-name

# Upload file
gsutil cp local-file.txt gs://my-bucket-name/

# Download file
gsutil cp gs://my-bucket-name/file.txt ./

# List bucket contents
gsutil ls gs://my-bucket-name/

# Sync directory
gsutil rsync -r ./local-dir gs://my-bucket-name/remote-dir

# Set bucket permissions
gsutil iam ch user:EMAIL:objectViewer gs://my-bucket-name

# Delete bucket
gsutil rm -r gs://my-bucket-name

E. App Engine

# Deploy application
gcloud app deploy app.yaml

# View application
gcloud app browse

# View logs
gcloud app logs tail

# List versions
gcloud app versions list

# Delete version
gcloud app versions delete VERSION_ID

# Set traffic split
gcloud app services set-traffic SERVICE \
  --splits v1=0.5,v2=0.5

F. Cloud Run

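# Deploy container
# Note: --allow-unauthenticated makes the service publicly invocable;
# omit it for services that should only accept IAM-authenticated callers.
gcloud run deploy my-service \
  --image=gcr.io/PROJECT_ID/my-image:tag \
  --platform=managed \
  --region=us-central1 \
  --allow-unauthenticated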

# List services
gcloud run services list

# Describe service
gcloud run services describe my-service --region=us-central1

# Delete service
gcloud run services delete my-service --region=us-central1

IV. SCRIPTING & AUTOMATION

A. Output Formats

# JSON (recommended for scripting)
gcloud compute instances list --format=json

# YAML
gcloud compute instances list --format=yaml

# CSV
gcloud compute instances list --format="csv(name,zone,status)"

# Table (default)
gcloud compute instances list --format=table

# Value (single field extraction)
gcloud config list --format="value(core.project)"

# Custom format
gcloud compute instances list \
  --format="table(name,zone,machineType,status)"

B. Filtering

# Server-side filtering (more efficient)
gcloud compute instances list --filter="zone:us-central1-a"
gcloud compute instances list --filter="status=RUNNING"
gcloud compute instances list --filter="name~^web-.*"

# Multiple conditions
gcloud compute instances list \
  --filter="zone:us-central1 AND status=RUNNING"

# Negation
gcloud compute instances list --filter="NOT status=TERMINATED"

# Complex expressions
gcloud compute instances list \
  --filter="(status=RUNNING OR status=STOPPING) AND zone:us-central1"

C. Error Handling

#!/bin/bash

# Simple error check
if ! gcloud compute instances create my-instance; then
  echo "Failed to create instance"
  exit 1
fi

# Capture exit code
gcloud compute instances describe my-instance
EXIT_CODE=$?
if [ $EXIT_CODE -ne 0 ]; then
  echo "Instance not found or error occurred"
  exit $EXIT_CODE
fi

# Capture command output (stdout and stderr) to report on failure
ERROR_OUTPUT=$(gcloud compute instances create my-instance 2>&1)
if [ $? -ne 0 ]; then
  echo "Error: $ERROR_OUTPUT"
  exit 1
fi

# Validate before create (idempotent pattern)
if ! gcloud compute instances describe my-instance &>/dev/null; then
  gcloud compute instances create my-instance
else
  echo "Instance already exists, skipping creation"
fi

D. Retry Logic

#!/bin/bash

MAX_RETRIES=5
RETRY_DELAY=5

for i in $(seq 1 $MAX_RETRIES); do
  if gcloud compute instances create my-instance; then
    echo "Instance created successfully"
    exit 0
  else
    echo "Attempt $i failed, retrying in ${RETRY_DELAY}s..."
    sleep $RETRY_DELAY
    RETRY_DELAY=$((RETRY_DELAY * 2))  # Exponential backoff
  fi
done

echo "Failed after $MAX_RETRIES attempts"
exit 1

E. Batch Operations

#!/bin/bash

# Parallel instance creation
INSTANCES=("web-1" "web-2" "web-3")

for instance in "${INSTANCES[@]}"; do
  gcloud compute instances create "$instance" \
    --zone=us-central1-a \
    --machine-type=e2-medium \
    --async  # Run in background
done

# Wait for all operations to complete
gcloud compute operations list --filter="status=RUNNING" \
  --format="value(name)" | while read op; do
  gcloud compute operations wait "$op" --zone=us-central1-a
done

echo "All instances created"

F. CI/CD Integration

GitHub Actions

name: Deploy to GCP

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

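      # credentials_json is a long-lived service account key stored as a secret.
      # The auth action also supports keyless Workload Identity Federation
      # (workload_identity_provider + service_account inputs).
      - id: auth
        uses: google-github-actions/auth@v1
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}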

      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v1

      - name: Deploy to Cloud Run
        run: |
          gcloud run deploy my-service \
            --image=gcr.io/${{ secrets.GCP_PROJECT_ID }}/my-image:${{ github.sha }} \
            --region=us-central1 \
            --platform=managed

GitLab CI

deploy:
  image: google/cloud-sdk:alpine
  script:
    - echo "$GCP_SA_KEY" | base64 -d > key.json
    - gcloud auth activate-service-account --key-file=key.json
    - gcloud config set project "$GCP_PROJECT_ID"
    - gcloud app deploy
  only:
    - main
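
The GitLab job above leaves the decoded key in `key.json` and in gcloud's credential store for the rest of the job. The following wrapper is an added example, not part of the original skill: it keeps both in a private temporary directory and removes them when the wrapped command finishes. The names `with_sa_key`, `deploy` and `SA_KEY_FILE` are assumptions made for this illustration; `CLOUDSDK_CONFIG` is the gcloud variable that relocates its configuration directory.

```bash
#!/bin/bash
# with_sa_key B64_KEY CMD [ARGS...]
# Decode a base64-encoded service account key into a private temp directory,
# point gcloud's config/credential store at the same directory, run CMD, and
# remove everything afterwards. Returns CMD's exit status.
# The body runs in a subshell, so variables, umask and the trap stay local.
with_sa_key() (
  b64_key="$1"; shift
  work=$(mktemp -d "${TMPDIR:-/tmp}/gcloud-ci.XXXXXX") || exit 1  # mode 700
  trap 'rm -rf "$work"' EXIT          # cleanup on success and on failure
  umask 077                           # key file is created mode 600
  if ! printf '%s' "$b64_key" | base64 -d > "$work/key.json" 2>/dev/null \
     || [ ! -s "$work/key.json" ]; then
    echo "with_sa_key: key is empty or not valid base64" >&2
    exit 1
  fi
  # SA_KEY_FILE is a name chosen for this example.
  export SA_KEY_FILE="$work/key.json" CLOUDSDK_CONFIG="$work/gcloud"
  "$@" && status=0 || status=$?
  exit "$status"                      # EXIT trap deletes $work here
)

# Hypothetical deploy step mirroring the GitLab job; not called in this file.
deploy() {
  gcloud auth activate-service-account --key-file="$SA_KEY_FILE" &&
  gcloud config set project "$GCP_PROJECT_ID" &&
  gcloud app deploy --quiet
}

# In the CI script:
#   with_sa_key "$GCP_SA_KEY" deploy
```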

V. BEST PRACTICES

A. Security

1. Never Commit Credentials

# Add to .gitignore
echo "key.json" >> .gitignore
echo ".config/gcloud/" >> .gitignore
echo "application_default_credentials.json" >> .gitignore

2. Use Service Account Impersonation

# Prefer impersonation over key files
gcloud config set auth/impersonate_service_account SA_EMAIL

# NOT: gcloud auth activate-service-account --key-file=key.json

3. Principle of Least Privilege

# Grant minimal required roles
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:SA_EMAIL" \
  --role="roles/compute.instanceAdmin.v1"  # Specific role, not "owner"
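
To check an existing project against this principle, the following added example (not part of the original skill) scans flattened policy rows for two over-broad grants: basic roles on service accounts, and project-level `roles/iam.serviceAccountTokenCreator`, which allows impersonating every service account in the project. The function name `risky_bindings`, the tags it prints and the sample rows are constructed for illustration.

```bash
#!/bin/bash
# risky_bindings: read "role,member" rows on stdin and print the ones that
# conflict with least privilege. Rows are expected in the form produced by:
#   gcloud projects get-iam-policy PROJECT_ID \
#     --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"
risky_bindings() {
  awk -F',' '
    NF < 2 { next }                                   # skip malformed rows
    # Basic roles on a service account: far more than a workload needs.
    ($1 == "roles/owner" || $1 == "roles/editor") && $2 ~ /^serviceAccount:/ {
      print "BASIC_ROLE " $1 " " $2
      next
    }
    # Granted on the project, this role covers every service account in it.
    $1 == "roles/iam.serviceAccountTokenCreator" {
      print "IMPERSONATE_ANY_SA " $1 " " $2
    }
  '
}

# Constructed sample policy rows (not real principals).
SAMPLE_POLICY='roles/owner,user:admin@example.com
roles/editor,serviceAccount:ci-deployer@my-project-dev.iam.gserviceaccount.com
roles/compute.instanceAdmin.v1,serviceAccount:vm-manager@my-project-dev.iam.gserviceaccount.com
roles/iam.serviceAccountTokenCreator,group:devs@example.com'

printf '%s\n' "$SAMPLE_POLICY" | risky_bindings
```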

4. Rotate Keys Regularly

# Create new key
gcloud iam service-accounts keys create new-key.json \
  --iam-account=SA_EMAIL

# Delete old key
gcloud iam service-accounts keys delete KEY_ID \
  --iam-account=SA_EMAIL
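
Rotation is only useful if overdue keys are actually found. The following added example (not part of the original skill) lists user-managed keys created before a cutoff date; the function name `stale_keys`, the 90-day window in the usage comment and the sample rows are assumptions made for this illustration.

```bash
#!/bin/bash
# stale_keys CUTOFF: read "key_id,validAfterTime,keyType" rows on stdin and
# print the IDs of USER_MANAGED keys created before CUTOFF.
# Timestamps are ISO 8601 UTC (e.g. 2024-01-15T10:00:00Z), so plain string
# comparison orders them correctly and no date parsing is needed.
stale_keys() {
  awk -F',' -v cutoff="$1" '
    NF < 3 { next }                    # skip blank or malformed rows
    $3 != "USER_MANAGED" { next }      # Google rotates SYSTEM_MANAGED keys itself
    ($2 "") < (cutoff "") { print $1 } # "" forces a string comparison
  '
}

# Constructed sample rows (not real key IDs).
SAMPLE_KEYS='a1b2c3,2023-11-02T08:15:00Z,USER_MANAGED
d4e5f6,2024-05-20T12:00:00Z,USER_MANAGED
0a9b8c,2023-01-01T00:00:00Z,SYSTEM_MANAGED'

printf '%s\n' "$SAMPLE_KEYS" | stale_keys "2024-03-01T00:00:00Z"

# Against a live service account (GNU date; 90 days is an example policy):
#   cutoff=$(date -u -d '90 days ago' +%Y-%m-%dT%H:%M:%SZ)
#   gcloud iam service-accounts keys list --iam-account=SA_EMAIL \
#     --format="csv[no-heading](name.basename(),validAfterTime,keyType)" \
#     | stale_keys "$cutoff"
```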

B. Performance

1. Use Server-Side Filtering

# Good: Filter on server
gcloud compute instances list --filter="zone:us-central1"

# Bad: Filter locally with grep
gcloud compute instances list | grep us-central1

2. Limit Output

# Only fetch what you need
gcloud compute instances list --limit=10

# Project only needed fields
gcloud compute instances list --format="value(name,zone)"

3. Batch Operations

# Use --async for parallel operations
gcloud compute instances create instance-1 --async
gcloud compute instances create instance-2 --async
gcloud compute instances create instance-3 --async

C. Maintainability

1. Use Named Configurations

# Separate dev/staging/prod configurations
gcloud config configurations create dev
gcloud config configurations create prod

2. Document Commands

#!/bin/bash
# Purpose: Deploy application to Cloud Run
# Usage: ./deploy.sh [environment]
# Example: ./deploy.sh production

ENV=${1:-staging}
gcloud config configurations activate "$ENV"
gcloud run deploy my-service --image=gcr.io/project/image:latest

3. Use Environment Variables

# Make scripts portable
PROJECT_ID=${GCP_PROJECT_ID:-default-project}
REGION=${GCP_REGION:-us-central1}

gcloud config set project "$PROJECT_ID"
gcloud config set compute/region "$REGION"

D. Monitoring & Logging

# Read recent log entries for Compute Engine instances
gcloud logging read "resource.type=gce_instance" \
  --limit=10 \
  --format=json

# Show the contents of the most recent gcloud CLI log file
gcloud info --show-log

# Verbose output for debugging
gcloud compute instances create my-instance --verbosity=debug

VI. TROUBLESHOOTING

Common Issues

1. Authentication Failures

# Check current authentication
gcloud auth list

# Verify credentials
gcloud auth application-default print-access-token

# Re-authenticate
gcloud auth login
gcloud auth application-default login

2. Permission Denied

# Check IAM permissions
gcloud projects get-iam-policy PROJECT_ID \
  --flatten="bindings[].members" \
  --filter="bindings.members:EMAIL"

# Check service account permissions
gcloud iam service-accounts get-iam-policy SA_EMAIL

3. Quota Exceeded

# Check quota usage
gcloud compute project-info describe --project=PROJECT_ID

# Request quota increase via Cloud Console

4. Network Issues

# Check connectivity (runs gcloud's built-in network diagnostics)
gcloud info --run-diagnostics

# Use proxy
gcloud config set proxy/type http
gcloud config set proxy/address PROXY_HOST
gcloud config set proxy/port PROXY_PORT

5. Configuration Issues

# View current configuration
gcloud config list

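# Reset configuration. The active configuration cannot be deleted, so create
# (and thereby activate) another one first; "reset-tmp" is an example name.
gcloud config configurations create reset-tmp
gcloud config configurations delete default
gcloud init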

VII. QUICK REFERENCE

Essential Commands

Task                   Command
Initialize gcloud      gcloud init
Login                  gcloud auth login
Set project            gcloud config set project PROJECT_ID
List resources         gcloud [SERVICE] list
Describe resource      gcloud [SERVICE] describe RESOURCE
Create resource        gcloud [SERVICE] create RESOURCE
Delete resource        gcloud [SERVICE] delete RESOURCE
Get help               gcloud [SERVICE] --help
View configurations    gcloud config configurations list
Switch configuration   gcloud config configurations activate CONFIG

Global Flags

Flag          Purpose              Example
--project     Override project     --project=my-project
--format      Output format        --format=json
--filter      Server-side filter   --filter="status=RUNNING"
--limit       Limit results        --limit=10
--quiet       Suppress prompts     --quiet
--verbosity   Log level            --verbosity=debug
--async       Don't wait           --async

Common Properties

# Core
gcloud config set project PROJECT_ID
gcloud config set account EMAIL
gcloud config set disable_usage_reporting true

# Compute
gcloud config set compute/region us-central1
gcloud config set compute/zone us-central1-a

# Container
gcloud config set container/cluster CLUSTER_NAME

# App Engine
gcloud config set app/cloud_build_timeout 1200

VIII. RESOURCES

Official Documentation

Tools

Best Practices Summary

  1. Authentication: Use service account impersonation instead of key files
  2. Configuration: Use named configurations for multiple environments
  3. Security: Grant minimal IAM permissions, rotate keys regularly
  4. Performance: Use server-side filtering, batch operations with --async
  5. Scripting: Output JSON format, implement error handling and retries
  6. Automation: Use environment variables, validate before operations
  7. Monitoring: Enable Cloud Audit Logs, track command history
  8. Maintenance: Keep SDK updated, document scripts thoroughly

Common Use Cases

Multi-Environment Deployment

  • Separate configurations for dev/staging/prod
  • Service account impersonation for each environment
  • Automated deployments via CI/CD

Infrastructure as Code

  • Create resources with gcloud in shell scripts
  • Export configurations as YAML/JSON
  • Version control infrastructure commands

Data Pipeline Automation

  • Scheduled BigQuery jobs
  • Cloud Storage file transfers
  • Pub/Sub message processing

Security Compliance

  • Audit logging for all operations
  • Encrypted data at rest and in transit
  • Regular key rotation and access reviews

This skill provides comprehensive gcloud CLI knowledge for implementing Google Cloud solutions, from basic authentication to advanced automation workflows. Always refer to official documentation for the latest features and service-specific details.

Quick install

/plugin add https://github.com/Elios-FPT/EliosCodePracticeService/tree/main/gcloud

Copy and paste this command into Claude Code to install the skill

GitHub repository

Elios-FPT/EliosCodePracticeService
Path: .claude/skills/gcloud
