Install gcloud CLI

If you’re using the apt package manager, this script does the job:

#!/bin/bash
sudo apt-get update && \
sudo apt-get install -y apt-transport-https ca-certificates gnupg curl && \
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg && \
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
sudo apt-get update && \
sudo apt-get install -y google-cloud-cli

Add autocompletion for zsh (bash works the same way; the other completion scripts live in the google-cloud-sdk directory):

# Adapt the path to where the SDK was installed
source "/usr/share/google-cloud-sdk/completion.zsh.inc"

Otherwise you can check the install documentation.

Useful options

Option                                   Description
--log-http                               Logs every HTTP request and response the command sends, i.e. the REST API call equivalent to the gcloud command.
--format=json                            Outputs the result as JSON instead of the default table (the commands below pipe this into jq).
--impersonate-service-account=EMAIL      Runs the command as the given service account. This requires the iam.serviceAccounts.getAccessToken permission on that service account.

Cheatsheet

Metadata server (not a gcloud command)

Retrieve all metadata from within a Compute Engine instance:

curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H "Metadata-Flavor: Google"

Retrieve only the OAuth scopes of the instance's default service account token:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes" -H "Metadata-Flavor: Google"

List hierarchical firewall policies at organization level (use --folder=$FOLDER_ID for a folder):

gcloud compute firewall-policies list --organization=$ORGANIZATION_ID

Each policy from that output can then be inspected:

# example using the default root-firewall-policy
gcloud compute firewall-policies describe --organization=$ORGANIZATION_ID root-firewall-policy --format=json

List individual VPC firewall rules (add --project=$PROJECT_ID if it is not the default one). The same applies to the describe subcommand.

gcloud compute firewall-rules list
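The JSON form of that listing is easy to audit programmatically. The script below is an added example, not part of the original cheatsheet: it parses `gcloud compute firewall-rules list --format=json` output and reports enabled ingress allow rules reachable from any source address, naming the sensitive ports they expose. The sample rules, the project name "demo" and the SENSITIVE_PORTS list are constructed assumptions; `load_rules` runs the live command when gcloud is on the PATH.

```python
"""Audit `gcloud compute firewall-rules list --format=json` output for rules open to the whole internet."""
from __future__ import annotations

import json
import subprocess
from typing import Any

# Ports whose exposure to any source address is almost always worth a finding (assumed list, extend as needed).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def port_spec_covers(spec: str, port: int) -> bool:
    """gcloud renders ports as "22" or as ranges like "1-65535"."""
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def audit_firewall_rules(rules: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return enabled INGRESS allow rules whose source ranges include any address.

    Each finding lists the exposed sensitive ports, or "all" when the rule allows
    every port of a protocol (or every protocol). Deny rules and disabled rules are skipped.
    """
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not rule.get("allowed") or not ANY_SOURCE & set(rule.get("sourceRanges", [])):
            continue
        exposed: set[str] = set()
        for allowed in rule["allowed"]:
            proto = allowed.get("IPProtocol", "")
            ports = allowed.get("ports") or []
            if proto == "all" or (proto in ("tcp", "udp") and not ports):
                exposed.add("all")
            for spec in ports:
                for port in SENSITIVE_PORTS:
                    if port_spec_covers(spec, port):
                        exposed.add(f"{proto}/{port}")
        if exposed:
            findings.append({
                "name": rule["name"],
                "network": rule.get("network", "").rsplit("/", 1)[-1],  # selfLink -> network name
                "priority": rule.get("priority", 1000),
                "exposed": sorted(exposed),
            })
    # Lower priority number wins in GCP, so the most relevant rules come first.
    return sorted(findings, key=lambda f: (f["priority"], f["name"]))


def load_rules(project: str | None = None) -> list[dict[str, Any]]:
    """Live version: run the cheatsheet command and parse its JSON (needs gcloud on PATH)."""
    cmd = ["gcloud", "compute", "firewall-rules", "list", "--format=json"]
    if project:
        cmd.append(f"--project={project}")
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


# Constructed sample in the shape gcloud returns; the project name "demo" is made up.
NET = "https://www.googleapis.com/compute/v1/projects/demo/global/networks/"
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "network": NET + "default", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-internal", "network": NET + "default", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "db-range-v6", "network": NET + "prod", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "3300-3310"]}]},
    {"name": "old-open-rdp", "network": NET + "prod", "direction": "INGRESS", "priority": 1000, "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "deny-all-ingress", "network": NET + "prod", "direction": "INGRESS", "priority": 65000,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for f in audit_firewall_rules(SAMPLE_RULES):
        print(f"{f['priority']:>6} {f['network']:<8} {f['name']:<24} exposed: {', '.join(f['exposed'])}")
```

On the sample data only `db-range-v6` (a tcp range that happens to cover 3306, open to all IPv6) and the stock `default-allow-ssh` rule are reported; the internal-only rule, the disabled RDP rule and the deny rule are skipped, which is the point of checking direction, state and source ranges before looking at ports.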

List global network firewall policies:

gcloud compute network-firewall-policies list --global

List regional network firewall policies:

# Regional policies are listed per region, so query every region or you may miss a deployed policy.
# The output is longer, but this list was exhaustive at the time of writing; `gcloud compute regions list` shows the current set.
gcloud compute network-firewall-policies list \
--regions=asia-east1,asia-east2,asia-northeast1,asia-northeast2,\
asia-northeast3,asia-south1,asia-south2,asia-southeast1,\
asia-southeast2,australia-southeast1,australia-southeast2,\
europe-central2,europe-north1,europe-west1,europe-west2,\
europe-west3,europe-west4,europe-west6,northamerica-northeast1,\
northamerica-northeast2,southamerica-east1,southamerica-west1,\
us-central1,us-east1,us-east4,us-west1,us-west2,us-west3,us-west4

List the internal IPs of the instances in a project:

gcloud compute instances list \
--format="value(networkInterfaces[0].networkIP)"

List the external IPs of the instances in a project:

gcloud compute instances list \
--format="value(networkInterfaces[0].accessConfigs[0].natIP)"

List every instance with a startup or shutdown script:

gcloud compute instances list \
--filter="metadata.items.key=('startup-script','shutdown-script')" \
--format="table(name,zone,metadata.items)"

These require Cloud Asset Inventory

The service itself is free unless you export its output to Cloud Storage buckets, and the queries it enables are invaluable.

Given the highest scope you can query (organization, folder or project), return every role/principal binding:

gcloud asset search-all-iam-policies \
--scope=folders/$FOLDER_ID \
--format=json \
| jq 'map(del(.project, .organization, .folders))' > output.json
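The raw search output is one policy per resource, which is awkward to review. The script below is an added example (not from the cheatsheet): it flattens `gcloud asset search-all-iam-policies --format=json` results into one row per resource/role/member, flags public members, the legacy owner/editor roles and roles that grant iam.serviceAccounts.getAccessToken (the permission behind --impersonate-service-account), and summarises what each principal holds. The sample results, project number 123 and e-mail addresses are constructed; `search_scope` runs the live command, dropping the same keys as the jq filter above.

```python
"""Flatten `gcloud asset search-all-iam-policies --format=json` output and flag risky bindings."""
from __future__ import annotations

import json
import subprocess
from typing import Any

# Broad legacy roles that grant far more than most principals need.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
# Members that make a resource reachable by anyone, or by any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles carrying iam.serviceAccounts.getAccessToken, i.e. the ability to impersonate a service account.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator"}


def flatten_bindings(results: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One row per (resource, role, member). Conditional bindings are marked for separate review."""
    rows = []
    for item in results:
        resource = item.get("resource", "")
        for binding in item.get("policy", {}).get("bindings", []):
            role = binding.get("role", "")
            conditional = "condition" in binding
            for member in binding.get("members", []):
                rows.append({"resource": resource, "role": role, "member": member, "conditional": conditional})
    return rows


def flag_risky_bindings(rows: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Attach a list of reasons to every row that matches one of the risk categories above."""
    findings = []
    for row in rows:
        reasons = []
        if row["member"] in PUBLIC_MEMBERS:
            reasons.append("public-member")
        if row["role"] in PRIMITIVE_ROLES:
            reasons.append("primitive-role")
        if row["role"] in IMPERSONATION_ROLES:
            reasons.append("impersonation")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


def roles_by_principal(rows: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Summarise which roles each principal holds anywhere in the scope."""
    summary: dict[str, set[str]] = {}
    for row in rows:
        summary.setdefault(row["member"], set()).add(row["role"])
    return {member: sorted(roles) for member, roles in sorted(summary.items())}


def search_scope(scope: str) -> list[dict[str, Any]]:
    """Live version of the cheatsheet command; the jq step becomes a dict comprehension (needs gcloud on PATH)."""
    cmd = ["gcloud", "asset", "search-all-iam-policies", f"--scope={scope}", "--format=json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return [{k: v for k, v in item.items() if k not in ("project", "organization", "folders")}
            for item in json.loads(out)]


# Constructed sample in the shape of search-all-iam-policies results (project number and identities are made up).
SAMPLE_RESULTS = [
    {"resource": "//cloudresourcemanager.googleapis.com/projects/123",
     "policy": {"bindings": [
         {"role": "roles/owner",
          "members": ["user:alice@example.com", "serviceAccount:terraform@123.iam.gserviceaccount.com"]},
         {"role": "roles/viewer", "members": ["group:devs@example.com"]}]}},
    {"resource": "//storage.googleapis.com/projects/_/buckets/public-assets",
     "policy": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
    {"resource": "//iam.googleapis.com/projects/123/serviceAccounts/deploy@123.iam.gserviceaccount.com",
     "policy": {"bindings": [
         {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:bob@example.com"],
          "condition": {"title": "office hours", "expression": "request.time.getHours('Europe/Paris') < 18"}}]}},
]

if __name__ == "__main__":
    rows = flatten_bindings(SAMPLE_RESULTS)
    for finding in flag_risky_bindings(rows):
        cond = " (conditional)" if finding["conditional"] else ""
        print(f"{','.join(finding['reasons']):<16} {finding['member']:<55} {finding['role']}{cond} on {finding['resource']}")
```

Each principal's consolidated role list is the quickest way to spot a human account that accumulated owner on several projects, while the conditional flag keeps time- or attribute-restricted grants from being dismissed or over-counted.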

Given a scope, return the effective IAM policy (inherited bindings included) of the named resources:

gcloud asset get-effective-iam-policy \
--scope=projects/$PROJECT_ID \
--names=//cloudresourcemanager.googleapis.com/projects/$PROJECT_ID

List Cloud DNS zones (useful when hunting for dangling DNS records):

gcloud dns managed-zones list

Retrieve the DNS records of a zone:

gcloud dns record-sets list --zone=$ZONE_NAME
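A dangling record is an A/AAAA record that still points at a public IP the project no longer holds, so the check is a cross-reference between the record set listing and the external IPs from the instance listing earlier on this page. The script below is an added example, not from the cheatsheet: it collects the NAT IPs of instances plus reserved addresses from `gcloud compute addresses list`, then reports public A/AAAA targets that are not in that set (private targets are skipped, since they cannot be taken over through IP reuse). The sample instances, addresses, records and the zone example.com are constructed; `audit_zone` runs the live commands when gcloud is on the PATH.

```python
"""Cross-check Cloud DNS A/AAAA records against the external IPs a project still owns."""
from __future__ import annotations

import ipaddress
import json
import subprocess
from typing import Any


def _gcloud_json(*args: str) -> list[dict[str, Any]]:
    """Run a gcloud command with --format=json and parse its output (needs gcloud on PATH)."""
    out = subprocess.run(["gcloud", *args, "--format=json"], check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def owned_external_ips(instances: list[dict[str, Any]], addresses: list[dict[str, Any]]) -> set[str]:
    """NAT IPs attached to instances plus reserved addresses (static IPs kept for reuse)."""
    owned: set[str] = set()
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            for cfg in nic.get("accessConfigs", []):
                if cfg.get("natIP"):
                    owned.add(cfg["natIP"])
    for addr in addresses:
        if addr.get("address"):
            owned.add(addr["address"])
    return owned


def find_dangling_records(record_sets: list[dict[str, Any]], owned_ips: set[str]) -> list[dict[str, str]]:
    """Return A/AAAA records whose public target is not owned by the project any more.

    Non-address targets and private ranges are ignored; other record types (CNAME, MX...)
    need a live DNS lookup to assess and are out of scope here.
    """
    dangling = []
    for rs in record_sets:
        if rs.get("type") not in ("A", "AAAA"):
            continue
        for target in rs.get("rrdatas", []):
            try:
                ip = ipaddress.ip_address(target)
            except ValueError:
                continue
            if ip.is_global and target not in owned_ips:
                dangling.append({"name": rs["name"], "type": rs["type"], "ip": target})
    return dangling


def audit_zone(project: str, zone: str) -> list[dict[str, str]]:
    """Live version: pull instances, reserved addresses and one zone's records via gcloud."""
    instances = _gcloud_json("compute", "instances", "list", f"--project={project}")
    addresses = _gcloud_json("compute", "addresses", "list", f"--project={project}")
    records = _gcloud_json("dns", "record-sets", "list", f"--zone={zone}", f"--project={project}")
    return find_dangling_records(records, owned_external_ips(instances, addresses))


# Constructed samples in the shape of the three gcloud listings; all names and IPs are made up.
SAMPLE_INSTANCES = [
    {"name": "web-1", "networkInterfaces": [{"networkIP": "10.0.0.2", "accessConfigs": [{"natIP": "34.10.0.5"}]}]},
    {"name": "batch-1", "networkInterfaces": [{"networkIP": "10.0.0.3"}]},  # no external IP
]
SAMPLE_ADDRESSES = [{"name": "lb-ip", "address": "34.10.0.9", "status": "RESERVED"}]
SAMPLE_RECORDS = [
    {"name": "www.example.com.", "type": "A", "ttl": 300, "rrdatas": ["34.10.0.5"]},
    {"name": "api.example.com.", "type": "A", "ttl": 300, "rrdatas": ["34.10.0.5", "34.10.0.88"]},
    {"name": "old-app.example.com.", "type": "A", "ttl": 300, "rrdatas": ["34.10.0.77"]},
    {"name": "lb.example.com.", "type": "A", "ttl": 300, "rrdatas": ["34.10.0.9"]},
    {"name": "internal.example.com.", "type": "A", "ttl": 300, "rrdatas": ["10.0.0.4"]},
    {"name": "example.com.", "type": "MX", "ttl": 3600, "rrdatas": ["10 mail.example.com."]},
]

if __name__ == "__main__":
    owned = owned_external_ips(SAMPLE_INSTANCES, SAMPLE_ADDRESSES)
    for d in find_dangling_records(SAMPLE_RECORDS, owned):
        print(f"DANGLING {d['type']:<5} {d['name']:<24} -> {d['ip']}")
```

Ephemeral external IPs are returned to Google's pool when an instance is deleted, which is exactly why `old-app` and the second target of `api` show up here while `lb` (a reserved address) does not; run it across every project that may have hosted the zone's targets, since the owned-IP set is per project.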

To complete.