Ping stands for Packet Internet Groper. It uses ICMP (Internet Control Message Protocol) to send an echo request message. If the target host can answer, it sends an echo reply back, and ping displays the result to the user.
Ping timeout
ping -c 3 google.com
SSH (mynetwork-allow-ssh)
The Secure Shell Protocol is a cryptographic network protocol for operating network services securely over an unsecured network.
tcp:22
Cloud shell provides the following:
Temporary Compute Engine VM
Command-line access to the instance via a browser
5 GB of persistent disk storage ($HOME dir)
Pre-installed Cloud SDK and other tools
gcloud for working with Compute Engine and many Google Cloud services
gsutil for working with Cloud Storage
kubectl for working with Google Kubernetes Engine and Kubernetes
bq for working with BigQuery
Language support for Java, Go, Python, Node.js, PHP, and Ruby
Web preview functionality
Built-in authorization for access to resources and instances
Getting started
Get going with the gcloud CLI.
gcloud init: Initialize, authorize, and configure the gcloud CLI.
gcloud version: Display version and installed components.
# Init of the tool
gcloud init
# Gcloud structure
$ gcloud compute instances list
# |------base--| |--who--| |-what-|
$ gcloud components install kubectl # exception
# |------base-----| |-what-| |-who-|
# Set the project
gcloud config set project PROJECT-NAME
# Bucket Versioning (NB: is gsutil)
gsutil versioning set (on|off) gs://<bucket_name>...
gsutil versioning get gs://<bucket_name>...
# List VM
gcloud compute instances list [--zones] [--format json]
# Create VM with boot disk
gcloud compute instances create VM_NAME \
--source-snapshot=BOOT_SNAPSHOT_NAME \
--boot-disk-size=BOOT_DISK_SIZE \
--boot-disk-type=BOOT_DISK_TYPE \
--boot-disk-device-name=BOOT_DISK_NAME
# Install components (e.g. kubectl, minikube, kustomize, bq)
gcloud components list
gcloud components install PRODUCT
# Set a default Region
gcloud config set compute/region europe-west1
# Create Compute Engine persistent disks
gcloud compute disks create my-disk-1 my-disk-2 --zone=us-east1-a
# Resize a cluster's node count
gcloud container clusters resize sample-cluster --num-nodes=2
# Add IAM policy binding
gcloud projects add-iam-policy-binding example-project-id-1 --member='user:test-user@gmail.com' --role='roles/editor'
# Delete `default` VPC (NB: start with 'compute')
gcloud compute networks delete default
# Create VPC (NETWORK_NAME is a placeholder)
gcloud compute networks create NETWORK_NAME
# gcloud Wide Flags
--account # GCP user account to use for invocation
--project # The Google Cloud Platform project ID to use for this invocation
--billing-project # project that will be charged quota for operations performed
--configuration # The configuration to use for this command invocation
--flags-file # A YAML or JSON file that specifies a --flag:value dictionary
--flatten # Use to "flatten" resources list
--format # Set the format for printing command output resources
--log-http # Log all HTTP server requests and responses to stderr
--trace-token # Token used to route traces of service requests for investigation of issues
--verbosity
--quiet
--impersonate-service-account
# List VPC networks
gcloud compute networks list
# List existing clusters for running containers
gcloud container clusters list
# Describe cluster image info (NB: is gcloud not kubectl)
gcloud container images describe gcr.io/myproject/myimage:tag
| Name | Summary |
| --- | --- |
| Check version & settings | gcloud version, gcloud info, gcloud components list |
| Init profile | gcloud init (this will ask you to open an OpenID URL) |
A user or another service account can impersonate a service account. Impersonation uses a short-lived token instead of a service account key.
# let serviceAccount:ansible impersonate the service account terraform@${PROJECT_ID}.iam.gserviceaccount.com
# ${SA_PROJECT_ID} is the global project storing all the service accounts
TF_SA_EMAIL=terraform@${SA_PROJECT_ID}.iam.gserviceaccount.com
ANSIBLE_SA_EMAIL="ansible@${SA_PROJECT_ID}.iam.gserviceaccount.com"
gcloud iam service-accounts add-iam-policy-binding ${TF_SA_EMAIL} \
--project ${SA_PROJECT_ID} \
--member "serviceAccount:$ANSIBLE_SA_EMAIL" \
--role roles/iam.serviceAccountTokenCreator
# create a gcp project $A_PROJECT_ID under $A_FOLDER_ID
gcloud projects --impersonate-service-account=$TF_SA_EMAIL create $A_PROJECT_ID --name=$A_PROJECT_NAME --folder=$A_FOLDER_ID
# let user:pythonrocks@gmail.com impersonate the service account terraform@${PROJECT_ID}.iam.gserviceaccount.com
TF_SA_EMAIL=terraform@your-service-account-project.iam.gserviceaccount.com
gcloud iam service-accounts add-iam-policy-binding $TF_SA_EMAIL --member=user:pythonrocks@gmail.com \
--role roles/iam.serviceAccountTokenCreator
gcloud container clusters list --impersonate-service-account=terraform@${PROJECT_ID}.iam.gserviceaccount.com
Cloud Build
# user defined
gcloud builds submit --config=cloudbuild.yaml --substitutions=_BRANCH_NAME=foo,_BUILD_NUMBER=1 .
# override built in TAG_NAME
gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=v1.0.1
# cloud build with artifact registry
export GCP_REGION="us-east1"
export TEST_IMAGE="us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0"
export IMAGE_NAME="hello-app"
export REPO_NAME=team1
export TAG_NAME="tag1"
docker pull $TEST_IMAGE
docker tag $TEST_IMAGE \
${GCP_REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/${IMAGE_NAME}:${TAG_NAME}
docker push ${GCP_REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/${IMAGE_NAME}:${TAG_NAME}
# build / push image to artifact registry (using local Dockerfile)
gcloud builds submit --tag ${GCP_REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/${IMAGE_NAME}:${TAG_NAME}
Private Service Access
Useful for services like Cloud SQL and Redis: it sets up peering between a custom VPC and a VPC managed by Google.
gcloud services vpc-peerings list --network=my-vpc
# list Google Compute Engine interconnect locations
gcloud compute interconnects locations list
Cloud Run
# deploy a service on Cloud Run in us-central1 and allow unauthenticated users
gcloud run deploy --image gcr.io/${PROJECT_ID}/helloworld --platform managed --region us-central1 --allow-unauthenticated
# list services
gcloud run services list
# get endpoint url for a service
gcloud run services describe <service_name> --format="get(status.url)"
export SA_NAME="cloud-scheduler-runner"
export SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
# create service account
gcloud iam service-accounts create $SA_NAME \
--display-name "${SA_NAME}"
# add sa binding to cloud run app
gcloud run services add-iam-policy-binding $APP_DIR \
--platform managed \
--region $GCP_REGION \
--member=serviceAccount:$SA_EMAIL \
--role=roles/run.invoker
# fetch the service URL
export APP="helloworld"
export SVC_URL=$(gcloud run services describe $APP --platform managed --region $GCP_REGION --format="value(status.url)")
# create the job to hit URL every 1 minute
gcloud scheduler jobs create http test-job --schedule "*/1 * * * *" \
--http-method=GET \
--uri=$SVC_URL \
--oidc-service-account-email=$SA_EMAIL \
--oidc-token-audience=$SVC_URL
export GCP_REGION="us-east1"
export SERVICE_NAME="hello-service"
# deploy app to Cloud Run
gcloud run deploy $SERVICE_NAME \
--platform managed \
--region $GCP_REGION \
--allow-unauthenticated \
--image ${GCP_REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/${IMAGE_NAME}:${TAG_NAME}
# confirm service is running
gcloud run services list \
--platform managed \
--region $GCP_REGION
# test URL
export SVC_URL=$(gcloud run services describe $SERVICE_NAME --platform managed --region $GCP_REGION --format="value(status.url)")
curl -X GET $SVC_URL
# Hello, world!
# Version: 1.0.0
# Hostname: localhost
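
The page grants two things worth reviewing afterwards: `roles/iam.serviceAccountTokenCreator` on a service account (impersonation) and public invocation of a Cloud Run service (`--allow-unauthenticated`, which binds `allUsers` to `roles/run.invoker`). The following is an added example, not part of the original page: a filter over flattened IAM bindings that flags both. The helper names and the sample lines are constructed, and the `role,member` input shape is an assumption about the output of the `--flatten`/`--format` query shown in the comments.

```shell
#!/usr/bin/env bash
# Added example: review IAM bindings for the two grants used on this page.
# Assumed input: "role,member" lines, one per binding member, e.g. from
#   gcloud iam service-accounts get-iam-policy "$TF_SA_EMAIL" \
#     --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"
#   gcloud run services get-iam-policy "$SERVICE_NAME" --region "$GCP_REGION" \
#     --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"

# audit_bindings (hypothetical helper): reads stdin, prints one finding per risky line.
audit_bindings() {
  awk -F',' '
    NF < 2 { next }                       # skip blank or malformed lines
    {
      role = $1; member = $2
      is_public = (member == "allUsers" || member == "allAuthenticatedUsers")
      if (is_public) {
        # anyone on the internet (or any Google account) holds this role
        printf "PUBLIC  %s -> %s\n", member, role
      } else if (role == "roles/iam.serviceAccountTokenCreator" && member ~ /^user:/) {
        # a human account can mint tokens for this service account
        printf "REVIEW  %s can mint tokens (human principal)\n", member
      } else if (role == "roles/iam.serviceAccountTokenCreator") {
        printf "INFO    %s can mint tokens\n", member
      }
    }'
}

# Constructed sample input (not real policy output).
sample_bindings() {
  cat <<'EOF'
roles/iam.serviceAccountTokenCreator,serviceAccount:ansible@sa-project.iam.gserviceaccount.com
roles/iam.serviceAccountTokenCreator,user:pythonrocks@gmail.com
roles/run.invoker,allUsers
roles/run.invoker,serviceAccount:cloud-scheduler-runner@my-project.iam.gserviceaccount.com
EOF
}

# count_findings LEVEL: number of findings at that level in the sample.
count_findings() {
  sample_bindings | audit_bindings | grep -c "^$1 " || true
}

sample_bindings | audit_bindings
```

The scheduler's `roles/run.invoker` binding to a dedicated service account produces no finding, which is the shape to prefer over `allUsers` when the caller can present an OIDC token.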