CLI
CLI Cheatsheet
The gcloud cheat sheet is available as a one-page sheet and a command itself (gcloud cheat-sheet):
Basics
| Command |
Notes |
gcloud init |
Initialize gcloud |
gcloud auth list |
Lists credentialed accounts |
gcloud auth login
gcloud config set project <NAME>
gcloud auth application-default login |
Obtains user access credentials via a web flow and puts them in the well-known location for Application Default Credentials (ADC) |
gcloud config set account ACCOUNT |
GCP user account to use for invocation |
gcloud auth activate-service-account <email> --key-file=<filepath> |
Activate service account with key file |
alpha cloud-shell ssh |
Cloudshell interactive |
gcloud asset search-all-resources --asset-types='storage.googleapis.com/Bucket' --limit 2 |
Use Cloud Asset Inventory to search for all your resources globally |
IAM
| Command |
Notes |
gcloud organizations list |
List organizations |
gcloud organizations get-iam-policy <ORG ID> |
Enumerate policies within an Org |
gcloud projects get-iam-policy <PROJECT ID> |
List roles assigned project-wide to all members |
gcloud compute instances get-iam-policy <INSTANCE> --zone <ZONE> |
Show policy assigned to a single Compute Instance |
gcloud projects get-iam-policy <PROJECT ID> --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:<ACCOUNT> |
Enumerate roles assigned to a service account project-wide |
gcloud asset analyze-iam-policy --organization='$ID' --permissions="iam.serviceAccounts.actAs" --format="flattened(ACLs[0].resources[0].fullResourceName,policy.binding.members,policy.binding.role)" |
Which IAM members in the GCP Org can impersonate a service account |
gcloud iam service-accounts get-iam-policy <name>@<project>.iam.gserviceaccount.com |
List bindings for a Service Account |
gcloud projects add-iam-policy-binding <project> --member=serviceAccount:<name>@<project>.iam.gserviceaccount.com --role=roles/owner |
Add permissions to a Service Account |
gcloud iam service-accounts keys list --iam-account [email protected] |
List all keys associated with a Service Account |
GKE
| Command |
Notes |
gcloud container clusters list |
List clusters |
gcloud container clusters get-credentials <cluster-name> |
Obtain credentials to interact with a GKE cluster |
GCE
| Command |
Notes |
gcloud compute images list |
List image names |
Logging
| Command |
Notes |
gcloud logging logs list |
List available logs |
gcloud logging read <FOLDER> |
View logs for an item |
Cloud Functions
| Command |
Notes |
gcloud functions list |
List cloud functions |
gcloud functions describe <FUNCTION NAME> |
Obtain configuration for a cloud function |
gcloud functions logs read <FUNCTION NAME> |
Show function logs |
Buckets
| Command |
Notes |
gsutil ls |
List all storage buckets in project |
gsutil ls -r gs://<BUCKET NAME>/ |
List contents of a specific bucket |
gsutil cp gs://<BUCKET NAME>/ . |
Copy bucket locally |
Databases
| Command |
Notes |
gcloud sql instances list |
List Cloud SQL instances |
gcloud sql databases list --instance <INSTANCE> |
|
gcloud spanner instances list |
List Cloud Spanner instances |
gcloud spanner databases list --instance <INSTANCE> |
|
gcloud bigtable instances list |
List Cloud Bigtable instances |
Secrets Management
| Command |
Notes |
gcloud beta secrets list |
List entries |
gcloud beta secrets versions access 1 --secret="<SECRET NAME>" |
Pull clear text secret |
KMS
| Command |
Notes |
gcloud kms keyrings list --location global |
List the global keyrings available |
gcloud kms keys list --keyring <KEYRING NAME> --location global |
List the keys inside a keyring |
gcloud kms decrypt --ciphertext-file=<PATH> --plaintext-file=<PATH> --key <KEY> --keyring <KEYRING> --location global |
Decrypt a file using one of the keys |
Pub/Sub
| Command |
Notes |
gcloud pubsub topics list |
List topics |
gcloud pubsub subscriptions list --format=json |
List subscriptions across all topics |