Become a GCP Master: Get Comfortable with the gcloud CLI

Become a GCP power user by learning how to use the gcloud CLI for almost any task you need to achieve in GCP

Danilo Drobac
6 min read · Jan 16, 2023

When working with Google Cloud Platform (GCP), the gcloud CLI gives us so much power at our fingertips through our terminal.

There’s a little learning curve to getting started, but once you’re familiar with the basics, you’ll never need to manually click through the console to create or deploy any services to GCP.

We’ll walk through the authentication process and some common situations where you can save yourself time by using the CLI.

Process

I. Installing gcloud CLI

Depending on your OS, there are different installation instructions.

On Windows, you need to download the installer and follow the on-screen instructions. For Ubuntu, everything can be done via the terminal.

The full instructions by OS are listed in the documentation here.

II. Check the Version

With gcloud installed, we can check the version of the SDK. We’ll be using version 404.0.0 for this article.

gcloud --version

Output:
Google Cloud SDK 404.0.0
alpha 2022.09.23
beta 2022.09.23
bq 2.0.78
bundled-python3-unix 3.9.12
cloud-build-local 0.5.2
core 2022.09.23
gcloud-crc32c 1.0.0
gsutil 5.14

III. Authentication as User

Once the CLI is installed, the first time you need to authenticate, you can follow the “Get Started” workflow by typing:

gcloud init

This will run through some basic configuration settings (like setting your project ID and location/region) and authenticate through the browser as your user account.

At this point, gcloud commands can be executed against your project ID, acting as the account authenticated during init.

Sometimes, we want to swap accounts and we can do that using the command:

gcloud auth login

This goes through the browser authentication flow again, leaving you logged in as the new account.

IV. Authentication as Service Account

There’s an additional method for logging in, and that is to act as a service-account. For this option, we need to have a key-file in .json format.

gcloud auth activate-service-account <INSERT_SERVICE_ACCOUNT_EMAIL> \
--key-file=<INSERT_PATH_TO_KEY_FILE>

After running this, we’ll be able to run gcloud commands as the service-account. This is one way to test permissions when you’re developing by logging in directly as the service account.

If we want to go back to our user account, we can type:

gcloud config set account <INSERT_ACCOUNT>

V. Impersonating Service Accounts

Depending on the use-case, there’s another method of running commands as a service account: the --impersonate-service-account flag. This flag is one of the gcloud-wide flags, i.e. ones that can be used with any command in the gcloud CLI.

For example, the following command would attempt to create the bucket my-bucket while running the operation as the service account.

gcloud storage buckets create gs://my-bucket \
--impersonate-service-account=<INSERT_SERVICE_ACCOUNT_EMAIL>

The benefit of using this method is that we don’t need to create/download a .json file that contains the service account credentials. The only prerequisite is that we have the iam.serviceAccounts.getAccessToken permission, which is available in the roles/iam.serviceAccountTokenCreator role.

Obviously, having to type --impersonate-service-account and the email after each command we want to run can get a bit tiresome, but thankfully, there’s a config variable that we can change to set a default value.

gcloud config set auth/impersonate_service_account <INSERT_SERVICE_ACCOUNT>

If we want to test some commands as a service account we can set this value and then go about using the CLI as we want to, and if we want to unset the value, simply run:

gcloud config unset auth/impersonate_service_account
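Because impersonation depends on who holds roles/iam.serviceAccountTokenCreator, it is worth checking where that role is granted. The following is an added example, not part of the original article: it reads IAM policy JSON and separates project-level grants (which apply to every service account in the project) from grants on a single service account. The sample policies, member names and function names are constructed for illustration.

```python
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed samples, shaped like the output of:
#   gcloud projects get-iam-policy <PROJECT_ID> --format=json
#   gcloud iam service-accounts get-iam-policy <SA_EMAIL> --format=json
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["group:data-eng@example.com"]},
  {"role": "roles/storage.admin", "members": ["user:dev@example.com"]}
], "version": 1}
""")
SA_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["user:dev@example.com",
               "serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
], "version": 1}
""")

def token_creators(policy, project_level):
    """Yield (member, scope, note) for each Token Creator grant in one policy.

    Only the predefined role is matched; a custom role carrying
    iam.serviceAccounts.getAccessToken would need its own lookup.
    """
    scope = "all service accounts in project" if project_level else "single service account"
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue
        for member in binding.get("members", []):
            kind = member.split(":", 1)[0]
            if project_level:
                note = "project-wide grant: re-grant on the one account that needs it"
            elif kind == "serviceAccount":
                note = "service account can impersonate another: check the chain"
            elif kind in ("group", "domain"):
                note = "membership decides who can impersonate: review members"
            else:
                note = "ok"
            yield (member, scope, note)

def audit(project_policy, sa_policy):
    """Project-level grants first, since they reach every service account."""
    return list(token_creators(project_policy, True)) + list(token_creators(sa_policy, False))
```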

VI. Application Default Login

There is one other option when authenticating, and this is the application-default mechanism.

This is a useful tool when developing locally with client libraries (for example in Python) that require authentication to Google Cloud.

For example, using the google.cloud.bigquery module in Python, specifying a Client needs some credentials, but if you run the application-default login, it automatically sets the necessary environment variable GOOGLE_APPLICATION_DEFAULT so that you don’t have to specify anything.

To set this, just run the command:

gcloud auth application-default login

Common Use-Cases

Role Assignment

Instead of having to go into the console, navigate to IAM, select a user and then add specific roles for them, you can use the below command to achieve the same result (for a service account, use serviceAccount:<INSERT_SERVICE_ACCOUNT> as the member instead of user:<INSERT_USER>):

gcloud projects add-iam-policy-binding <PROJECT_ID> \
--member=user:<INSERT_USER> \
--role=<INSERT_ROLE>

Creating Service Accounts

Best practice is to create a new service account for each new pipeline, app or project we’re building. It becomes quite annoying to have to keep creating them in the UI and assigning roles, but with gcloud it’s really easy.

gcloud iam service-accounts create NAME --description=DESCRIPTION \
--display-name=DISPLAY_NAME

We can take this one step further by also creating a key for the service account and downloading it directly to our machine.

gcloud iam service-accounts keys create <PATH_TO_KEY_FILE> \
--iam-account=<INSERT_SERVICE_ACCOUNT_EMAIL>
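A downloaded key is a long-lived credential, so it helps to track how old each one is and how the file is stored. The following is an added example, not part of the original article: it reads key-listing JSON, reports user-managed keys older than a threshold, and checks that a key file is readable only by its owner. The sample keys, the 90-day threshold and the function names are assumptions made for illustration.

```python
import json
import os
import stat
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"
NO_EXPIRY_YEAR = 9999  # user-managed keys without an expiry report year 9999

# Constructed sample, shaped like the output of:
#   gcloud iam service-accounts keys list --iam-account=<SA_EMAIL> --format=json
SAMPLE_KEYS = json.loads("""
[
  {"name": "projects/p/serviceAccounts/etl@p.iam.gserviceaccount.com/keys/k-old",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2022-06-01T00:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/p/serviceAccounts/etl@p.iam.gserviceaccount.com/keys/k-new",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2023-01-02T00:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/p/serviceAccounts/etl@p.iam.gserviceaccount.com/keys/k-sys",
   "keyType": "SYSTEM_MANAGED",
   "validAfterTime": "2023-01-01T00:00:00Z",
   "validBeforeTime": "2023-01-17T00:00:00Z"}
]
""")

def parse_ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def stale_user_keys(keys, now, max_age_days=90):
    """Return (key_id, age_days, never_expires) for downloadable keys past max_age_days."""
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google rotates system-managed keys itself
        age = (now - parse_ts(key["validAfterTime"])).days
        never = parse_ts(key["validBeforeTime"]).year == NO_EXPIRY_YEAR
        if age > max_age_days:
            findings.append((key["name"].rsplit("/", 1)[-1], age, never))
    return findings

def key_file_is_private(path):
    """True when only the owner can read or write the downloaded key file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

if __name__ == "__main__":
    now = datetime(2023, 1, 16, tzinfo=timezone.utc)
    for key_id, age, never in stale_user_keys(SAMPLE_KEYS, now):
        print(f"{key_id}: {age} days old, never expires={never}")
```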

Create a Google Cloud Storage Bucket

In the same vein as service accounts, we often need to create new storage buckets for every new project we begin working on, so being able to do this programmatically from our terminal (which is where we spend most of our time) becomes really useful.

gcloud storage buckets create gs://<INSERT_BUCKET_NAME> \
--location=<INSERT_LOCATION>

Using the Help Flag

The CLI has a really useful set of documentation to support it. For any command (at any level), you can add the --help flag to bring up the documentation for the command to see which arguments it accepts and what the syntax needs to be.

gcloud storage buckets create --help

The output shows you the general syntax of the command, along with optional arguments and examples.

With this knowledge, you can quickly learn how to do almost anything with gcloud.

Cheat Sheet

The gcloud CLI documentation has a cheat sheet that lists useful commands for some common use cases you may be trying to achieve; the link is here.

Closing Thoughts 💭


Hopefully, this article has given a brief introduction to the gcloud CLI: how to install it, how to authenticate, and some basic commands to get you going.

I’ve also outlined the best way to get familiar with particular use cases yourself.

I’ll keep this updated with any new features that appear in the CLI that I find particularly useful (as and when I find them).

Feel free to drop me a follow on both Medium and LinkedIn for more similar content, and reach out with any questions; I love connecting to new people :)

Lastly, if you have any requests or ideas of other things I could run through in a similar tutorial format, drop them in the comments down below, and I’ll work out which topics I can cover!
