gcloud CLI & kubectl Cheatsheet
gcloud CLI & kubectl Cheatsheet#
Assumption
A default project is assumed to have been configured for the gcloud CLI, so the --project
option is omitted in most of the listed commands.
Warning
The permissions required for each listed command have been provided on a best-effort basis. For some commands only the required write permissions are listed, and these are indicated as such.
Setting Up#
Install Components#
# install kubectl
gcloud components install kubectl
Configuration Profile#
# list profiles
gcloud config configurations list
# create new profile
gcloud config configurations create <profile_name>
# configure new profile
see Authenticate & Defaults below
# activate profile
gcloud config configurations activate <profile_name>
Authenticate#
# authenticate as service account
gcloud auth activate-service-account --key-file <json_key_file>
# authenticate as user account
gcloud auth login
Defaults - Set#
# set default project
gcloud config set core/project <project_name>
# set default compute region and zone
gcloud config set compute/region <region>
gcloud config set compute/zone <zone>
# set default service account to impersonate
gcloud config set auth/impersonate_service_account <service_account>
Defaults - Unset#
# unset default project
gcloud config unset core/project
# unset default compute region and zone
gcloud config unset compute/region
gcloud config unset compute/zone
# unset default service account to impersonate
gcloud config unset auth/impersonate_service_account
Impersonate Service Account#
# impersonate using user account
gcloud iam service-accounts add-iam-policy-binding <target_acct> \
--member='user:<user_acct>' \
--role='roles/iam.serviceAccountTokenCreator'
# impersonate using service account
gcloud iam service-accounts add-iam-policy-binding <target_acct> \
--member='serviceAccount:<svc_acct>' \
--role='roles/iam.serviceAccountTokenCreator'
# verify
gcloud iam service-accounts get-iam-policy <target_acct>
Add SSH Key to Compute OS Login#
gcloud compute os-login ssh-keys add --key-file <public_key_file>
Instance#
Instance - List#
gcloud compute instances list
# permissions required
compute.instances.list
compute.zones.list
Instance - Describe#
gcloud compute instances describe <instance_name> --zone <zone>
# permissions required
compute.instances.get
Instance - Create#
# example
gcloud compute instances create <instance_name> \
--zone <zone> \
--machine-type=e2-highmem-4 \
--subnet=<subnet> \
--tags=<tags_comma_separated> \
--create-disk=auto-delete=yes,boot=yes,device-name=<instance_name>,image-family=debian-10,image-project=debian-cloud,mode=rw,size=60,type=pd-ssd
# write permissions required
compute.instances.create
compute.instances.setServiceAccount
compute.instances.setTags
compute.subnetworks.use
compute.subnetworks.useExternalIp
Instance - Suspend#
gcloud compute instances suspend <instance_name> --zone <zone>
# permissions required
compute.instances.get
compute.instances.suspend
compute.zoneOperations.get
Instance - Resume#
gcloud compute instances resume <instance_name> --zone <zone>
# permissions required
compute.instances.get
compute.instances.resume
compute.zoneOperations.get
Instance - Delete#
gcloud compute instances delete <instance_name> --zone <zone>
# permissions required
compute.instances.delete
compute.zoneOperations.get
Instance - Delete Access Config#
gcloud compute instances delete-access-config <instance_name> --zone <zone> \
--access-config-name <access_config_name>
# permissions required
compute.instances.deleteAccessConfig
compute.instances.get
Instance - Transfer Files#
# to instance
gcloud compute scp <local_file> <instance_name>:<remote_dest> --zone <zone>
# from instance
gcloud compute scp <instance_name>:<remote_file> <local_dest> --zone <zone>
# permissions required
SSH access
compute.projects.get
compute.instances.get
Instance Group - Create#
# unmanaged group
gcloud compute instance-groups unmanaged create <group_name> --zone <zone>
# write permissions required
compute.instanceGroups.create
Instance Group - Add Instance#
# unmanaged group
gcloud compute instance-groups unmanaged add-instances <group_name> \
--zone=<zone> \
--instances=<instances_comma_separated>
# write permissions required
compute.instanceGroups.update
compute.instances.use
Instance Group - Delete#
gcloud compute instance-groups unmanaged delete <group_name> --zone <zone>
# write permissions required
compute.instanceGroups.delete
Disk / Snapshot#
Disk - List#
gcloud compute disks list
# permissions required
compute.disks.list
Disk - Attach to Instance#
gcloud compute instances attach-disk <instance_name> \
--project <dst_proj> \
--disk <disk_name> \
--mode ro
# permissions required
compute.disks.useReadOnly
compute.instances.attachDisk
compute.instances.get
compute.zoneOperations.get
iam.serviceAccounts.actAs
# example
gcloud compute instances attach-disk response \
--project proj-298211 \
--disk compromised-disk \
--mode ro
# mount in destination instance
lsblk
sudo mkdir <mnt_pt>
sudo mount -o ro,noload /dev/<device_id> <mnt_pt>
# unmount in destination instance
sudo umount <mnt_pt>
Snapshot - Create#
gcloud compute disks snapshot <disk_name> \
--project <src_proj> \
--zone <src_zone> \
--snapshot-names <ss_name>
# permissions required
compute.disks.createSnapshot
compute.snapshots.create
compute.snapshots.get
compute.zoneOperations.get
# example
gcloud compute disks snapshot compromised \
--project compromised \
--zone asia-southeast2-a \
--snapshot-names compromised-ss
Snapshot - Create Disk#
gcloud compute disks create <disk_name> \
--project <dst_proj> \
--zone <dst_zone> \
--source-snapshot <ss_path>
# permissions required
compute.disks.create
compute.disks.get
compute.snapshots.useReadOnly
compute.zoneOperations.get
# example
gcloud compute disks create compromised \
--project response-298211 \
--zone asia-southeast1-b \
--source-snapshot projects/compromised/global/snapshots/compromised-ss
Snapshot - Delete#
gcloud compute snapshots delete <ss_name> --project <src_proj>
# permissions required
compute.snapshots.delete
compute.globalOperations.get
Network#
Network - List#
gcloud compute networks list
# permissions required
compute.networks.list
Network - Describe#
gcloud compute networks describe <network_name>
# permissions required
compute.networks.get
Network - Create#
gcloud compute networks create <network_name> --subnet-mode=custom
# write permissions required
compute.networks.create
Network - Delete#
gcloud compute networks delete <network_name>
# write permissions required
compute.networks.delete
Subnet - Create#
gcloud compute networks subnets create <subnet_name> \
--network=<network_name> \
--range=<subnet_range> \
--region=<subnet_region>
# permissions required
compute.networks.get
compute.subnetworks.create
Subnet - Delete#
gcloud compute networks subnets delete <subnet_name> --region <subnet_region>
# write permissions required
compute.subnetworks.delete
Subnet - Enable VPC Flow Logs#
gcloud compute networks subnets update <subnet_name> \
--enable-flow-logs \
--logging-aggregation-interval=interval-5-sec \
--logging-flow-sampling=1.0 \
--logging-metadata=include-all
# permissions required
compute.subnetworks.get
compute.subnetworks.update
Subnet - Disable VPC Flow Logs#
gcloud compute networks subnets update <subnet_name> --no-enable-flow-logs
# permissions required
compute.subnetworks.get
compute.subnetworks.update
Firewall Rule - List#
gcloud compute firewall-rules list
# permissions required
compute.firewalls.list
Firewall Rule - Describe#
gcloud compute firewall-rules describe <firewall_rule>
# permissions required
compute.firewalls.get
Firewall Rule - Create#
gcloud compute firewall-rules create <firewall_rule> \
--network <network_name> \
--action deny \
--direction ingress \
--rules tcp \
--source-ranges 0.0.0.0/0 \
--priority 1 \
--target-tags <tags_comma_separated>
# permissions required
compute.firewalls.create
compute.firewalls.get
compute.networks.updatePolicy
Firewall Rule - Delete#
gcloud compute firewall-rules delete <firewall_rule>
# permissions required
compute.firewalls.delete
compute.networks.updatePolicy
compute.globalOperations.get
Firewall Rule - Enable Logs#
gcloud compute firewall-rules update <firewall_rule> \
--enable-logging \
--logging-metadata=include-all
# permissions required
compute.firewalls.get
compute.firewalls.update
compute.networks.updatePolicy
Firewall Rule - Disable Logs#
gcloud compute firewall-rules update <firewall_rule> --no-enable-logging
# permissions required
compute.firewalls.get
compute.firewalls.update
compute.networks.updatePolicy
Network Tag - View Instances' Tags#
gcloud compute instances list --format='table(name,status,tags.list())'
# OR
gcloud compute instances list --filter='tags:TAG_EXPRESSION'
# permissions required
compute.instances.list
compute.zones.list
Network Tag - Add to Instance#
gcloud compute instances add-tags <instance_name> --zone <zone> \
--tags <tag_comma_separated>
# permissions required
compute.instances.get
compute.instances.setTags
Network Tag - Remove from Instance#
gcloud compute instances remove-tags <instance_name> --zone <zone> \
--tags <tag_comma_separated>
# permissions required
compute.instances.get
compute.instances.setTags
VPC Network Peering - Create#
gcloud compute networks peerings create <peering_name> \
--network=<network_name> \
--peer-project <dst_proj> \
--peer-network <dst_network_name>
# permissions required
compute.networks.addPeering
compute.networks.get
VPC Network Peering - Delete#
gcloud compute networks peerings delete <peering_name> --network=<network_name>
# permissions required
compute.networks.removePeering
compute.networks.get
Load Balancer - Create Regional Health Check#
gcloud compute health-checks create http <healthcheck_name> \
--region=<region> \
--port=80
# write permissions required
compute.regionHealthChecks.create
Load Balancer - Delete Regional Health Check#
gcloud compute health-checks delete <healthcheck_name> --region=<region>
# write permissions required
compute.regionHealthChecks.delete
Load Balancer - Create Backend Service#
gcloud compute backend-services create <backend_name> \
--load-balancing-scheme=internal \
--protocol=tcp \
--region=<region> \
--health-checks=<healthcheck_name> \
--health-checks-region=<healthcheck_region>
# write permissions required
compute.regionBackendServices.create
Load Balancer - Add Instance Group to Backend Service#
gcloud compute backend-services add-backend <backend_name> \
--region=<region> \
--instance-group=<group_name> \
--instance-group-zone=<group_zone>
# write permissions required
compute.regionBackendServices.update
Load Balancer - Delete Backend Service#
gcloud compute backend-services delete <backend_name> --region=<region>
# write permissions required
compute.regionBackendServices.delete
Load Balancer - Create Forwarding Rule (Frontend Service)#
gcloud compute forwarding-rules create <rule_name> \
--region=<region> \
--load-balancing-scheme=internal \
--backend-service=<backend_name> \
--ports=all \
--is-mirroring-collector \
--network=<dst_network_name> \
--subnet=<dst_subnet_name>
# write permissions required
compute.forwardingRules.create
compute.regionBackendServices.use
compute.subnetworks.use
Load Balancer - Delete Forwarding Rule (Frontend Service)#
gcloud compute forwarding-rules delete <rule_name> --region=<region>
# write permissions required
compute.forwardingRules.delete
Packet Mirroring - Create Policy#
gcloud compute packet-mirrorings create <policy_name> \
--region=<region> \
--network=projects/<src_project>/global/networks/<src_network> \
--mirrored-tags=<tags_comma_separated> \
--collector-ilb=<rule_name>
# write permissions required
compute.packetMirrorings.create
compute.networks.mirror (for dst proj only)
# plus one or more as-yet-unidentified permissions from the Compute Security Admin role, likely among the following
compute.firewallPolicies.copyRules
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.securityPolicies.addAssociation
compute.securityPolicies.copyRules
compute.securityPolicies.move
compute.securityPolicies.removeAssociation
# these permissions can't be added to a project Custom Role
# Use Compute Security Admin Role instead
Packet Mirroring - Delete Policy#
gcloud compute packet-mirrorings delete <policy_name> --region=<region>
# write permissions required
compute.packetMirrorings.update
Storage#
Bucket - List#
gsutil ls
# permissions required
storage.buckets.list
Bucket - Create#
gsutil mb gs://<bucket_name>
# permissions required
storage.buckets.create
Bucket - List ACLs#
gsutil acl get gs://<bucket_name>
# permissions required
storage.buckets.get
storage.buckets.list
storage.buckets.getIamPolicy
Bucket - Set ACLs#
Reference
Predefined ACLs - e.g. private, publicRead, authenticatedRead, etc.
# set bucket to private
gsutil acl set private gs://<bucket_name>
# custom ACLs (the text file follows the format output by "gsutil acl get")
gsutil acl set <acl_textfile> gs://<bucket_name>
# permissions required
storage.buckets.list
storage.buckets.setIamPolicy
storage.buckets.update
Bucket - Grant Write Permission to Cloud-Storage-Analytics Group#
gsutil iam ch group:cloud-storage-analytics@google.com:legacyBucketWriter gs://<bucket_name>
# permissions required
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
Bucket - Enable Logging for Target Bucket#
gsutil logging set on -b gs://<log_storage_bucket> gs://<target_bucket>
# permissions required
storage.buckets.get
storage.buckets.update
Bucket Object - List#
gsutil ls gs://<bucket_name>
# permissions required
storage.objects.list
Bucket Object - List ACLs#
gsutil acl get gs://<object_name>
# permissions required
storage.buckets.get
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Bucket Object - Set ACLs#
Reference
Predefined ACLs - e.g. private, publicRead, authenticatedRead, etc.
# set bucket object to private
gsutil acl set private gs://<object_name>
# custom ACLs (the text file follows the format output by "gsutil acl get")
gsutil acl set <acl_textfile> gs://<object_name>
# permissions required
storage.buckets.list
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update
Bucket Object - List Metadata#
gsutil stat gs://<object_name>
# permissions required
storage.objects.get
Bucket Object - Delete#
gsutil rm gs://<object_name>
# permissions required
storage.objects.delete
IAM#
Custom Role - List#
The project must be specified to list only custom roles (even if a gcloud CLI default project has been configured); otherwise all available/curated roles are listed.
gcloud iam roles list \
--project <project> \
--format="table(title, name, description, stage, etag)"
# permissions required
iam.roles.list
Custom Role - Describe#
The project must be specified (even if a gcloud CLI default project has been configured).
Specify the role name, not the role title.
gcloud iam roles describe <role_name> --project <project>
# permissions required
iam.roles.get
Custom Role - Disable#
The project must be specified (even if a gcloud CLI default project has been configured).
Specify the role name, not the role title.
gcloud iam roles update <role_name> --project <project> --stage=DISABLED
# permissions required
iam.roles.update
iam.roles.get
Custom Role - Delete#
The project must be specified (even if a gcloud CLI default project has been configured).
Specify the role name, not the role title.
gcloud iam roles delete <role_name> --project <project>
# permissions required
iam.roles.delete
Service Account - List#
Only service accounts created in the project
Excludes service accounts from other projects added to this project
gcloud iam service-accounts list
# permissions required
iam.serviceAccounts.list
Service Account - Describe#
gcloud iam service-accounts describe <svc_acct>
# permissions required
iam.serviceAccounts.get
Service Account - List Roles#
gcloud projects get-iam-policy <project> \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<svc_acct>"
# permissions required
resourcemanager.projects.getIamPolicy
Service Account - Describe IAM Policy#
gcloud iam service-accounts get-iam-policy <svc_acct>
# permissions required
iam.serviceAccounts.getIamPolicy
Service Account - Remove IAM Policy Binding#
gcloud iam service-accounts remove-iam-policy-binding <svc_acct> \
--member='<serviceAccount_or_user>:<account>' \
--role='roles/<role>'
# permissions required
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy
# example
# remove iam.serviceAccountTokenCreator from service account
gcloud iam service-accounts remove-iam-policy-binding totest@compromised.iam.gserviceaccount.com \
--member='serviceAccount:svc_acct@response-298211.iam.gserviceaccount.com' \
--role='roles/iam.serviceAccountTokenCreator'
# remove iam.serviceAccountUser from user account
gcloud iam service-accounts remove-iam-policy-binding totest@compromised.iam.gserviceaccount.com \
--member='user:user@gmail.com' \
--role='roles/iam.serviceAccountUser'
Service Account - Disable#
gcloud iam service-accounts disable <svc_acct>
# permissions required
iam.serviceAccounts.disable
Service Account - Delete#
gcloud iam service-accounts delete <svc_acct>
# permissions required
iam.serviceAccounts.delete
Service Account Key - List#
gcloud iam service-accounts keys list --iam-account <svc_acct>
# permissions required
iam.serviceAccountKeys.list
Service Account Key - Delete#
gcloud iam service-accounts keys delete <key_id> --iam-account <svc_acct>
# permissions required
iam.serviceAccountKeys.delete
User Account - List#
gcloud projects get-iam-policy <project> | grep -i user: | sort | uniq
# permissions required
resourcemanager.projects.getIamPolicy
User Account - List Roles#
gcloud projects get-iam-policy <project> \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<user_acct>"
# permissions required
resourcemanager.projects.getIamPolicy
User Account - Delete#
gcloud projects remove-iam-policy-binding <project> \
--member=user:<user_acct> \
--role=roles/<role>
# alternative
# save project IAM policy to yaml file
gcloud projects get-iam-policy <project> --format yaml > users.yaml
# remove the user from their role binding in the yaml file, e.g. the user account marked with double tildes (~~) below
bindings:
- members:
- serviceAccount:service-2160192374724@compute-system.iam.gserviceaccount.com
role: roles/compute.serviceAgent
- members:
- serviceAccount:2160192374724-compute@developer.gserviceaccount.com
- serviceAccount:2160192374724@cloudservices.gserviceaccount.com
role: roles/editor
- members:
- user:user1@gmail.com
~~- user:user2@gmail.com~~
role: roles/owner
etag: BwW2uSt0iE0=
version: 1
# set new project IAM policy with the modified yaml file
gcloud projects set-iam-policy <project> users.yaml
# permissions required
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
Project-wide SSH Key - List#
gcloud compute project-info describe
# permissions required
compute.projects.get
Project-wide SSH Key - Delete#
# <file> must contain the complete ssh-keys value to keep: its contents replace the existing project-wide key list rather than being appended to it
gcloud compute project-info add-metadata --metadata-from-file=ssh-keys=<file>
# permissions required
compute.globalOperations.get
compute.projects.get
compute.projects.setCommonInstanceMetadata
iam.serviceAccounts.actAs
Instance-specific SSH Keys - Describe#
gcloud compute instances describe <instance_name> --zone <zone> \
--format="value(metadata)"
# permissions required
compute.instances.get
Instance-specific SSH Key - Delete#
# <file> must contain the complete ssh-keys value to keep: its contents replace the instance's existing key list rather than being appended to it
gcloud compute instances add-metadata <instance_name> --metadata-from-file ssh-keys=<file>
# permissions required
compute.instances.get
compute.instances.setMetadata
compute.zoneOperations.get
iam.serviceAccounts.actAs
Logging#
Logs - List#
gcloud logging logs list
# permissions required
logging.logs.list
Logs - Query#
Reference
Reference to building queries
# manual
gcloud logging read <log_filter>
# permissions required
Logs Viewer role
Private Logs Viewer role
# example
gcloud logging read "resource.type=gce_instance AND textPayload:SyncAddress" --limit 10 --format json
Log Sink - List#
gcloud logging sinks list
# permissions required
logging.sinks.list
Log Sink - Update#
gcloud logging sinks update <sink_name> --log-filter='<filter>'
# permissions required
logging.sinks.get
logging.sinks.update
Log Sink - Delete#
gcloud logging sinks delete <sink>
# permissions required
logging.sinks.delete
Kubernetes#
Cluster - Connect#
gcloud container clusters get-credentials <cluster_name> --zone <zone>
# permissions required
container.clusters.get
Pod - Exec#
kubectl exec pod/<pod_name> -- <command>
# permissions required
container.pods.exec
container.pods.get
Pod - Label#
kubectl label pods <pod_name> <label>=<true/false>
# permissions required
container.pods.get
container.pods.update
# example
kubectl label pods nginx-deployment-c9445c769-ll8nv quarantine=true
Node - Cordon#
kubectl cordon <node_name>
# permissions required
container.nodes.get
container.nodes.update
Node - Drain#
kubectl drain <node_name> --pod-selector=<selector>
# permissions required
container.daemonSets.get
container.nodes.get
container.pods.evict
container.pods.list
# example
kubectl drain gke-ir-test-cluster-default-pool-0f6491d0-x8vv --pod-selector='!quarantine'
Service - List#
kubectl get services
# permissions required
container.services.list
Service - Delete#
kubectl delete service <service_name>
# permissions required
container.services.delete
Service - Patch#
kubectl patch service <service_name> -p '{"spec":{"selector":{"<key>": "<value>"}}}'
# permissions required
container.services.get
container.services.update
Network Policy - List#
kubectl get networkpolicies
# permissions required
container.networkPolicies.list
Network Policy - Create#
kubectl apply -f <networkpolicy_yaml>
# permissions required
container.networkPolicies.create
container.networkPolicies.get