Auto-activate for gcloud commands, .gcloudignore, app.yaml. Google Cloud Platform expert: gcloud CLI, IAM, service accounts, Cloud Storage, Pub/Sub, BigQuery, Vertex AI. Use when: managing GCP resources, scripting gcloud commands, or configuring any GCP service. Not for AWS, Azure, or non-GCP cloud providers.
From flownpx claudepluginhub cofin/flow --plugin flowThis skill uses the workspace's default tool permissions.
references/iam.mdSearches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.
Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
gcloud CLI & ScriptingAvoid interactive prompts in scripts.
</guardrails> <example># Production/CI: Use Service Account Key or Workload Identity
gcloud auth activate-service-account --key-file=key.json
# Local Dev: User Login
gcloud auth login
gcloud config set project MY_PROJECT_ID
Never parse default text output. Use --format (json/yaml) and --filter.
# Bad
gcloud compute instances list | grep RUNNING
# Good (Parseable JSON)
gcloud compute instances list --format="json"
# Good (Filter + Specific Value)
gcloud run services list \
--filter="status.conditions.status=True AND metadata.name:my-service" \
--format="value(status.url)"
Flatten complex resources to find what you need.
<example># Find latest revision of a service
gcloud run revisions list \
--service=my-service \
--sort-by="~metadata.creationTimestamp" \
--limit=1 \
--format="value(metadata.name)"
Suppress "updates available" warnings and prompts.
<example>export CLOUDSDK_CORE_DISABLE_PROMPTS=1
gcloud ... --quiet
Standard pattern for deploying containers.
<example>gcloud run deploy my-service \
--image gcr.io/my-project/my-image:tag \
--platform managed \
--region us-central1 \
--allow-unauthenticated \
--set-env-vars="DEBUG=true,DB_HOST=10.0.0.2"
Access secrets securely (requires Secret Manager API).
</guardrails> <example># Mount as volume in Cloud Run (Preferred)
gcloud run deploy ... --set-secrets="/secrets/db=my-db-secret:latest"
# Access via CLI (for ops scripts)
gcloud secrets versions access latest --secret="my-secret"
AlloyDB is a fully managed PostgreSQL-compatible database with columnar engine and ML-assisted auto-vacuum.
# Create a cluster
gcloud alloydb clusters create my-cluster \
--region=us-central1 \
--password=SECRET \
--network=projects/MY_PROJECT/global/networks/default
# Create primary instance
gcloud alloydb instances create my-primary \
--cluster=my-cluster \
--region=us-central1 \
--instance-type=PRIMARY \
--cpu-count=4
AlloyDB requires Private Service Access (PSA) — a peered VPC range allocated for Google-managed services. Client VMs must be in the same VPC (or a connected VPC) to reach the instance IP.
# Allocate PSA range (one-time per VPC)
gcloud compute addresses create google-managed-services-default \
--global \
--purpose=VPC_PEERING \
--prefix-length=20 \
--network=default
# Create the peering
gcloud services vpc-peerings connect \
--service=servicenetworking.googleapis.com \
--ranges=google-managed-services-default \
--network=default
| Aspect | AlloyDB | Cloud SQL |
|---|---|---|
| Engine | PostgreSQL-compatible only | PostgreSQL, MySQL, SQL Server |
| Performance | ~4× higher throughput (columnar engine, shared memory cache) | Standard managed RDBMS |
| HA | Auto-failover < 60 s, cross-zone | Regional replica, ~60 s failover |
| Pricing | Higher; compute + storage separate | Instance + storage (simpler) |
| Best for | High-throughput OLTP, mixed OLTP/OLAP | General-purpose managed SQL |
Avoid creating unnecessary secret versions. Compare the current value before adding a new version.
# Read existing value
CURRENT=$(gcloud secrets versions access latest --secret="my-secret" 2>/dev/null || echo "")
NEW_VALUE="new-password-here"
if [ "$CURRENT" != "$NEW_VALUE" ]; then
echo -n "$NEW_VALUE" | gcloud secrets versions add my-secret --data-file=-
echo "Secret updated."
else
echo "Secret unchanged, skipping version creation."
fi
# Access the latest version
gcloud secrets versions access latest --secret="my-secret"
# Access a specific version
gcloud secrets versions access 3 --secret="my-secret"
# List versions
gcloud secrets versions list my-secret
# Create a new secret
echo -n "my-value" | gcloud secrets create my-secret \
--data-file=- \
--replication-policy=automatic
Workload Identity lets GKE or Cloud Run workloads impersonate a GCP service account without key files.
# 1. Create a GCP Service Account (GSA)
gcloud iam service-accounts create my-app-sa \
--display-name="My App SA"
# 2. Grant required roles to the GSA
gcloud projects add-iam-policy-binding MY_PROJECT \
--member="serviceAccount:my-app-sa@MY_PROJECT.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
# 3. Allow the Kubernetes Service Account (KSA) to impersonate the GSA
gcloud iam service-accounts add-iam-policy-binding \
my-app-sa@MY_PROJECT.iam.gserviceaccount.com \
--role="roles/iam.workloadIdentityUser" \
--member="serviceAccount:MY_PROJECT.svc.id.goog[NAMESPACE/KSA_NAME]"
# 4. Annotate the KSA
kubectl annotate serviceaccount KSA_NAME \
--namespace=NAMESPACE \
iam.gke.io/gcp-service-account=my-app-sa@MY_PROJECT.iam.gserviceaccount.com
# Impersonate a GSA from a user or another SA
gcloud storage ls \
--impersonate-service-account=my-app-sa@MY_PROJECT.iam.gserviceaccount.com
# Generate a short-lived token
gcloud auth print-access-token \
--impersonate-service-account=my-app-sa@MY_PROJECT.iam.gserviceaccount.com
See AlloyDB section above. PSA is also required for Cloud SQL private IP and Memorystore.
Cloud NAT allows VMs without external IPs to reach the internet.
# Create a Cloud Router
gcloud compute routers create my-router \
--region=us-central1 \
--network=default
# Attach Cloud NAT
gcloud compute routers nats create my-nat \
--router=my-router \
--region=us-central1 \
--auto-allocate-nat-external-ips \
--nat-all-subnet-ip-ranges
# IAP TCP tunneling (SSH/RDP via IAP)
gcloud compute firewall-rules create allow-iap-ssh \
--network=default \
--allow=tcp:22 \
--source-ranges=35.235.240.0/20 \
--description="Allow SSH via IAP"
# GCP load balancer health checks
gcloud compute firewall-rules create allow-health-checks \
--network=default \
--allow=tcp \
--source-ranges=130.211.0.0/22,35.191.0.0/16 \
--description="Allow GCP health check probers"
| Purpose | CIDR |
|---|---|
| IAP TCP forwarding | 35.235.240.0/20 |
| GCP health check probers | 130.211.0.0/22, 35.191.0.0/16 |
Cloud Batch is a fully managed service for batch and HPC workloads. It provisions, schedules, and autoscales VMs (including Spot/preemptible) without managing a cluster.
When to use Cloud Batch vs GKE:
| Aspect | Cloud Batch | GKE |
|---|---|---|
| Workload type | Batch jobs, array jobs, MPI | Long-running services, microservices |
| Cluster management | None (fully managed) | Cluster lifecycle managed by operator |
| Spot/preemptible | Built-in, first-class | Node pool configuration |
| GPU / HPC support | A100/H100, HPC VM families | Any accelerator, custom node pools |
| Scheduling | Queue-based, job arrays | Kubernetes scheduler |
# Submit a simple batch job from JSON spec
gcloud batch jobs submit my-job \
--location=us-central1 \
--config=job.json
gcloud cheat-sheet