gcloud Cheatsheet
Quick reference for the Google Cloud CLI — covering Compute Engine, GKE, Cloud Storage, IAM, Cloud SQL, Networking, Secrets, and more.
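Tip: Install the Google Cloud CLI with `curl https://sdk.cloud.google.com | bash`, then initialize with `gcloud init` and verify with `gcloud version`. Piping a download straight into bash runs the installer without review; on shared or production hosts, download the script and read it first, or install from your OS package repository.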
Auth & Config
# Sign in with a user account (browser-based).
gcloud auth login
# Application Default Credentials, used by client libraries; separate from the CLI login above.
gcloud auth application-default login
# Show which accounts hold credentials and which one is active.
gcloud auth list
gcloud config list
gcloud config set project my-project
gcloud config set compute/region asia-southeast1
# Named configurations keep per-environment settings apart; check which one is active before changing prod.
gcloud config configurations create prod
gcloud config configurations activate prod
gcloud projects list
Compute Engine
# Inventory and inspect.
gcloud compute instances list
gcloud compute instances describe my-vm \
--zone=asia-southeast1-a
# Power state.
gcloud compute instances start my-vm \
--zone=asia-southeast1-a
gcloud compute instances stop my-vm \
--zone=asia-southeast1-a
# Create a VM. No --service-account/--scopes or --no-address is given here, so the
# VM's identity and external IP are left to the defaults; set them explicitly for
# anything beyond a test VM.
gcloud compute instances create my-vm \
--machine-type=e2-medium \
--zone=asia-southeast1-a \
--image-family=debian-12 \
--image-project=debian-cloud
gcloud compute ssh my-vm --zone=asia-southeast1-a
gcloud compute disks list
# Point-in-time snapshot of my-disk.
gcloud compute snapshots create my-snap \
--source-disk my-disk \
--source-disk-zone asia-southeast1-a
GKE
gcloud container clusters list
gcloud container clusters describe my-cluster \
--region asia-southeast1
# Writes cluster credentials into the local kubeconfig.
gcloud container clusters get-credentials my-cluster \
--region asia-southeast1
# --master upgrades the control plane only; node pools are upgraded separately.
gcloud container clusters upgrade my-cluster \
--master --cluster-version 1.28 \
--region asia-southeast1
gcloud container node-pools list \
--cluster my-cluster --region asia-southeast1
# Turn on autoscaling for an existing node pool.
gcloud container node-pools update my-pool \
--cluster my-cluster \
--enable-autoscaling \
--min-nodes 1 --max-nodes 5 \
--region asia-southeast1
GCS (Cloud Storage)
gsutil ls gs://my-bucket/
# Upload, then download.
gsutil cp file.txt gs://my-bucket/
gsutil cp gs://my-bucket/file.txt ./
gsutil rsync -r ./local-dir gs://my-bucket/remote-dir/
# Deletes the object; enable versioning (below) if accidental deletes must be recoverable.
gsutil rm gs://my-bucket/file.txt
# Create a bucket in a specific location.
gsutil mb -l asia-southeast1 gs://my-new-bucket
gsutil versioning set on gs://my-bucket
gsutil lifecycle set lifecycle.json gs://my-bucket
# Review who has access to the bucket.
gsutil iam get gs://my-bucket
IAM
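gcloud iam service-accounts list
gcloud iam service-accounts create my-sa \
--display-name="My SA"
# Creates a long-lived private key in key.json. Treat the file as a password and
# prefer impersonation or Workload Identity where they are available.
gcloud iam service-accounts keys create key.json \
--iam-account=my-sa@project.iam.gserviceaccount.com
gcloud projects get-iam-policy my-project \
--format=json
# Project-level binding: the role applies across the whole project, not to a single bucket.
gcloud projects add-iam-policy-binding my-project \
--member=serviceAccount:my-sa@project.iam.gserviceaccount.com \
--role=roles/storage.objectViewer
gcloud iam roles list --project my-project
gcloud iam roles describe roles/container.admin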
Cloud SQL
gcloud sql instances list
gcloud sql instances describe my-db
# Interactive client session as the postgres user.
gcloud sql connect my-db --user=postgres
gcloud sql backups list --instance my-db
# On-demand backup, e.g. before a risky change.
gcloud sql backups create --instance my-db
# --database-flags sets the complete flag list: flags set earlier but not repeated
# here are reset. Some flags also restart the instance.
gcloud sql instances patch my-db \
--database-flags max_connections=200
Networking
gcloud compute networks list
gcloud compute networks describe my-vpc
gcloud compute firewall-rules list \
--filter="network=my-vpc"
# SSH from internal 10.0.0.0/8 only. With no --target-tags or
# --target-service-accounts the rule applies to every instance in my-vpc.
gcloud compute firewall-rules create allow-ssh \
--network=my-vpc \
--allow=tcp:22 \
--source-ranges=10.0.0.0/8
gcloud compute routers list
gcloud compute vpn-gateways list
gcloud compute interconnects list
Secrets & Config
gcloud secrets list
gcloud secrets create my-secret \
--replication-policy=automatic
# --data-file=- reads the value from stdin. A real secret typed as a literal on the
# command line is saved in shell history; feed it from a file or a prompt instead.
echo -n "myvalue" | gcloud secrets versions add \
my-secret --data-file=-
# Prints the secret value to stdout; keep it out of logs and CI output.
gcloud secrets versions access latest \
--secret my-secret
gcloud secrets versions list my-secret
Logging & Monitoring
# Recent errors from Compute Engine instances.
gcloud logging read \
"resource.type=gce_instance AND severity>=ERROR" \
--limit=50
# All entries for one GKE cluster, as JSON for further processing.
gcloud logging read \
"resource.labels.cluster_name=my-cluster" \
--format=json
gcloud monitoring dashboards list
gcloud alpha monitoring policies list
# Sinks export logs out of the project; review them to know where log data is going.
gcloud logging sinks list
Artifact Registry
gcloud artifacts repositories list
gcloud artifacts docker images list \
asia-southeast1-docker.pkg.dev/my-project/my-repo
# Registers gcloud as Docker's credential helper for this registry host only.
gcloud auth configure-docker \
asia-southeast1-docker.pkg.dev
docker push \
asia-southeast1-docker.pkg.dev/my-project/my-repo/image:tag
Useful Flags
--project=my-project
--format=json|yaml|table|csv
--filter="status=RUNNING"
--sort-by=~createTime
--limit=10
--quiet / -q # skip confirmation
--async # return immediately
--verbosity=debug
Auth & Configuration
Authentication
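# Login with your Google account (browser-based)
gcloud auth login
# Application Default Credentials (for local development / SDKs); kept separately from the CLI login
gcloud auth application-default login
# Service account impersonation: uses short-lived tokens, so no key file is downloaded.
# The caller needs roles/iam.serviceAccountTokenCreator on the service account.
# NOTE(review): --impersonate-service-account is a global gcloud flag, normally passed on the
# command that should run as the service account (or set once via
# `gcloud config set auth/impersonate_service_account`); confirm that attaching it to
# `auth login` does what is intended.
gcloud auth login --impersonate-service-account=my-sa@project.iam.gserviceaccount.com
# Activate service account key (long-lived credential: restrict the file's permissions
# and delete it when finished)
gcloud auth activate-service-account \
--key-file=key.json
# List active credentials
gcloud auth list
# Revoke credentials for one account (user@example.com is a placeholder)
gcloud auth revoke user@example.com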
Configuration & Profiles
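# View current config
gcloud config list
gcloud config list --all
# Set properties (user@example.com is a placeholder account)
gcloud config set project my-project
gcloud config set compute/region asia-southeast1
gcloud config set compute/zone asia-southeast1-a
gcloud config set core/account user@example.com
# Named configurations (like AWS profiles); check which one is active before
# running anything destructive
gcloud config configurations create prod
gcloud config configurations activate prod
gcloud config configurations list
gcloud config configurations describe prod
# Delete a configuration
gcloud config configurations delete staging
# Projects
gcloud projects list
gcloud projects describe my-project
gcloud config set project my-project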
Compute Engine
Instances
# List instances
gcloud compute instances list
gcloud compute instances list --filter="status=RUNNING"
gcloud compute instances list --format="table(name,zone,machineType,status,networkInterfaces[0].networkIP)"
# Create instance
# No --service-account/--scopes or --no-address is given, so the VM's identity and
# external IP are left to the defaults; set them explicitly for production VMs.
# The startup script is stored in instance metadata, readable by anyone who can
# view the instance, so keep credentials out of it.
# The network tags only have an effect if firewall rules target them.
gcloud compute instances create my-vm \
--machine-type=e2-medium \
--zone=asia-southeast1-a \
--image-family=debian-12 \
--image-project=debian-cloud \
--boot-disk-size=50GB \
--tags=http-server,https-server \
--metadata=startup-script='#!/bin/bash
apt-get update && apt-get install -y nginx'
# Start / Stop / Delete (delete asks for confirmation unless --quiet is passed)
gcloud compute instances start my-vm --zone=asia-southeast1-a
gcloud compute instances stop my-vm --zone=asia-southeast1-a
gcloud compute instances delete my-vm --zone=asia-southeast1-a
# SSH into instance; everything after "--" is passed to the ssh client
gcloud compute ssh my-vm --zone=asia-southeast1-a
gcloud compute ssh my-vm --zone=asia-southeast1-a -- -L 8080:localhost:8080 # with port forwarding
# Copy files (first form downloads from the VM, second uploads to it)
gcloud compute scp my-vm:/remote/path ./local-path --zone=asia-southeast1-a
gcloud compute scp ./local-file my-vm:/remote/path --zone=asia-southeast1-a
Disks & Snapshots
# List disks
gcloud compute disks list
gcloud compute disks describe my-disk --zone=asia-southeast1-a
# Create snapshot (a description helps later when deciding which snapshots can be removed)
gcloud compute snapshots create my-snap \
--source-disk my-disk \
--source-disk-zone asia-southeast1-a \
--description "Pre-upgrade backup"
# List snapshots
gcloud compute snapshots list
# Create disk from snapshot; this makes a new disk and leaves my-disk untouched
gcloud compute disks create restored-disk \
--source-snapshot my-snap \
--zone=asia-southeast1-a
GKE (Google Kubernetes Engine)
# List clusters
gcloud container clusters list
gcloud container clusters list --format="table(name,location,status,currentMasterVersion,currentNodeCount)"
# Describe cluster
gcloud container clusters describe my-cluster --region asia-southeast1
# Get credentials (updates ~/.kube/config)
gcloud container clusters get-credentials my-cluster --region asia-southeast1
# Create cluster
# --workload-pool enables Workload Identity, so pods can use Google APIs without
# service account key files.
# NOTE(review): nothing here restricts access to the control plane endpoint or makes
# nodes private; confirm the defaults are acceptable, or add
# --enable-private-nodes / --enable-master-authorized-networks.
gcloud container clusters create my-cluster \
--region asia-southeast1 \
--num-nodes 3 \
--machine-type e2-standard-4 \
--enable-autoscaling \
--min-nodes 1 --max-nodes 10 \
--enable-ip-alias \
--workload-pool=my-project.svc.id.goog
# Upgrade control plane (node pools are upgraded separately, below)
gcloud container clusters upgrade my-cluster \
--master \
--cluster-version 1.28 \
--region asia-southeast1
# Node pools
gcloud container node-pools list \
--cluster my-cluster --region asia-southeast1
gcloud container node-pools describe my-pool \
--cluster my-cluster --region asia-southeast1
gcloud container node-pools update my-pool \
--cluster my-cluster \
--enable-autoscaling \
--min-nodes 1 --max-nodes 5 \
--region asia-southeast1
# Upgrade node pool
gcloud container node-pools upgrade my-pool \
--cluster my-cluster \
--region asia-southeast1
GCS (Cloud Storage)
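# List buckets / objects
gsutil ls
gsutil ls gs://my-bucket/
gsutil ls -l gs://my-bucket/ # long listing with sizes
gsutil ls -r gs://my-bucket/ # recursive
gsutil du -sh gs://my-bucket/ # bucket size
# Copy
gsutil cp file.txt gs://my-bucket/path/
gsutil cp gs://my-bucket/file.txt ./
gsutil cp -r ./local-dir gs://my-bucket/ # recursive
# Sync (efficient incremental copy)
# -d deletes destination objects that are missing from the source; preview with
# `gsutil rsync -n ...` (dry run) before mirroring into a bucket that holds other data.
gsutil rsync -r ./local-dir gs://my-bucket/remote-dir/
gsutil rsync -r -d ./local-dir gs://my-bucket/ # delete extra files (mirror)
gsutil rsync -r -x "\.git/|\.tmp$" ./local-dir gs://my-bucket/ # exclude patterns
# Delete (recoverable only if object versioning was already enabled on the bucket)
gsutil rm gs://my-bucket/file.txt
gsutil rm -r gs://my-bucket/prefix/
# Bucket management
gsutil mb -l asia-southeast1 gs://my-new-bucket
gsutil rb gs://my-bucket # remove empty bucket
gsutil versioning set on gs://my-bucket
gsutil versioning get gs://my-bucket
# Lifecycle policy
gsutil lifecycle set lifecycle.json gs://my-bucket
gsutil lifecycle get gs://my-bucket
# IAM (bucket-level grant: narrower than granting the same role on the whole project)
gsutil iam get gs://my-bucket
gsutil iam ch serviceAccount:my-sa@project.iam.gserviceaccount.com:objectViewer gs://my-bucket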
IAM
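# Service Accounts
gcloud iam service-accounts list
gcloud iam service-accounts describe my-sa@project.iam.gserviceaccount.com
gcloud iam service-accounts create my-sa \
--display-name="My Service Account" \
--description="SA for my-app"
gcloud iam service-accounts delete my-sa@project.iam.gserviceaccount.com
# Service Account Keys
# keys create writes a long-lived private key to key.json: restrict the file's
# permissions, keep it out of source control, and delete keys that are no longer used.
# keys list is the way to audit which keys still exist for an account.
gcloud iam service-accounts keys create key.json \
--iam-account=my-sa@project.iam.gserviceaccount.com
gcloud iam service-accounts keys list \
--iam-account=my-sa@project.iam.gserviceaccount.com
gcloud iam service-accounts keys delete KEY_ID \
--iam-account=my-sa@project.iam.gserviceaccount.com
# Project IAM Policy
gcloud projects get-iam-policy my-project
gcloud projects get-iam-policy my-project --format=json
# Grant / Revoke roles
# A project-level binding applies across the whole project; grant on the individual
# resource (e.g. one bucket) when that is all the account needs.
gcloud projects add-iam-policy-binding my-project \
--member=serviceAccount:my-sa@project.iam.gserviceaccount.com \
--role=roles/storage.objectViewer
gcloud projects remove-iam-policy-binding my-project \
--member=serviceAccount:my-sa@project.iam.gserviceaccount.com \
--role=roles/storage.objectViewer
# Roles
gcloud iam roles list
gcloud iam roles list --project my-project
gcloud iam roles describe roles/container.admin
# Custom role IDs allow letters, digits, underscores and periods (no hyphens)
gcloud iam roles create custom_role \
--project my-project \
--file=role-definition.yaml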
Cloud SQL
# List instances
gcloud sql instances list
gcloud sql instances describe my-db
# Connect (opens an interactive client session as the given database user)
gcloud sql connect my-db --user=postgres
gcloud sql connect my-db --user=postgres --database=mydb
# Create instance
# NOTE(review): no network flags are given, so connectivity is left to the defaults;
# confirm whether a public IP is assigned and restrict it with --no-assign-ip/--network
# or --authorized-networks as needed.
gcloud sql instances create my-db \
--database-version=POSTGRES_15 \
--tier=db-g1-small \
--region=asia-southeast1 \
--storage-size=20GB \
--storage-auto-increase
# Backups
# restore overwrites the current data of the target instance with the backup's contents.
gcloud sql backups list --instance my-db
gcloud sql backups create --instance my-db
gcloud sql backups describe BACKUP_ID --instance my-db
gcloud sql backups restore BACKUP_ID --restore-instance=my-db
# Maintenance / Patch
# --database-flags sets the complete flag list: flags set earlier but not repeated
# here are reset. Some flags also restart the instance.
gcloud sql instances patch my-db \
--database-flags max_connections=200
gcloud sql instances patch my-db \
--maintenance-window-day=SUN \
--maintenance-window-hour=2
# Users & Databases
# A password given with --password is saved in shell history and visible in the
# process list. `gcloud sql users set-password` accepts --prompt-for-password, which
# reads it without echo; use that to set the real password.
gcloud sql users list --instance my-db
gcloud sql users create myuser --instance my-db --password=mypass
gcloud sql databases list --instance my-db
gcloud sql databases create mydb --instance my-db
Networking
# VPC Networks
# --subnet-mode=custom creates no subnets automatically; each one is defined explicitly.
gcloud compute networks list
gcloud compute networks describe my-vpc
gcloud compute networks create my-vpc --subnet-mode=custom
gcloud compute networks subnets list --network my-vpc
gcloud compute networks subnets create my-subnet \
--network my-vpc \
--region asia-southeast1 \
--range 10.10.0.0/24
# Firewall Rules
# Neither rule below sets --target-tags or --target-service-accounts, so each applies
# to every instance in my-vpc.
gcloud compute firewall-rules list
gcloud compute firewall-rules list --filter="network=my-vpc"
gcloud compute firewall-rules create allow-ssh \
--network=my-vpc \
--direction=INGRESS \
--allow=tcp:22 \
--source-ranges=10.0.0.0/8 \
--priority=1000
# Opens all TCP/UDP ports and ICMP to the whole 10.0.0.0/8 block, which is much wider
# than the 10.10.0.0/24 subnet created above; narrow --source-ranges to the ranges
# actually in use.
gcloud compute firewall-rules create allow-internal \
--network=my-vpc \
--allow=tcp,udp,icmp \
--source-ranges=10.0.0.0/8
gcloud compute firewall-rules delete allow-ssh
# Cloud Routers & NAT
gcloud compute routers list
gcloud compute routers nats list --router=my-router --region=asia-southeast1
# VPN & Interconnect
gcloud compute vpn-gateways list
gcloud compute interconnects list
# Load Balancers
gcloud compute forwarding-rules list
gcloud compute backend-services list
gcloud compute url-maps list
Secrets & Config
# List secrets
gcloud secrets list
gcloud secrets list --filter="labels.env=prod"
# Create secret
# The two commands are alternatives for the same secret name: automatic replication,
# or replication pinned to the listed locations.
gcloud secrets create my-secret \
--replication-policy=automatic
gcloud secrets create my-secret \
--replication-policy=user-managed \
--locations=asia-southeast1,asia-southeast2
# Add secret version
# --data-file=- reads the value from stdin. A real secret typed as a literal on the
# command line is saved in shell history; prefer the file form, with the file readable
# only by its owner and removed afterwards.
echo -n "myvalue" | gcloud secrets versions add my-secret --data-file=-
gcloud secrets versions add my-secret --data-file=secret.txt
# Access secret value (printed to stdout; keep it out of logs and CI output)
gcloud secrets versions access latest --secret my-secret
gcloud secrets versions access 1 --secret my-secret
# Manage versions
# disable can be undone; destroy permanently removes the version's payload.
gcloud secrets versions list my-secret
gcloud secrets versions describe 1 --secret my-secret
gcloud secrets versions disable 1 --secret my-secret
gcloud secrets versions destroy 1 --secret my-secret
# Delete secret (removes the secret and all of its versions)
gcloud secrets delete my-secret
Logging & Monitoring
# Read logs (Cloud Logging query syntax)
gcloud logging read \
"resource.type=gce_instance AND severity>=ERROR" \
--limit=50
gcloud logging read \
"resource.labels.cluster_name=my-cluster" \
--format=json \
--limit=100
# --freshness limits how far back entries are read
gcloud logging read \
"resource.type=k8s_container AND resource.labels.namespace_name=production" \
--freshness=1h \
--format=json
# Log sinks (export to GCS / BigQuery / Pub/Sub)
# A new sink delivers nothing until its writer identity (shown by `sinks describe`)
# is granted write access on the destination.
# Review the sink list periodically: each sink is a path by which log data leaves the project.
gcloud logging sinks list
gcloud logging sinks describe my-sink
gcloud logging sinks create my-sink \
bigquery.googleapis.com/projects/my-project/datasets/my_dataset \
--log-filter='severity>=ERROR'
# Metrics
gcloud monitoring dashboards list
gcloud alpha monitoring policies list
gcloud alpha monitoring policies describe POLICY_ID
# Uptime checks
gcloud monitoring uptime list
gcloud monitoring uptime describe CHECK_ID
Artifact Registry
# List repositories
gcloud artifacts repositories list
gcloud artifacts repositories describe my-repo \
--location=asia-southeast1
# Create repository
gcloud artifacts repositories create my-repo \
--repository-format=docker \
--location=asia-southeast1 \
--description="Docker images for my-app"
# Configure Docker authentication (registers gcloud as the credential helper for this host only)
gcloud auth configure-docker asia-southeast1-docker.pkg.dev
# List images
gcloud artifacts docker images list \
asia-southeast1-docker.pkg.dev/my-project/my-repo
gcloud artifacts docker images list \
asia-southeast1-docker.pkg.dev/my-project/my-repo \
--include-tags
# Push & Pull
# Tags such as :latest can be moved to a different image later; reference images by
# digest wherever the exact content matters.
docker tag my-image:latest \
asia-southeast1-docker.pkg.dev/my-project/my-repo/my-image:latest
docker push \
asia-southeast1-docker.pkg.dev/my-project/my-repo/my-image:latest
docker pull \
asia-southeast1-docker.pkg.dev/my-project/my-repo/my-image:latest
# Delete image
gcloud artifacts docker images delete \
asia-southeast1-docker.pkg.dev/my-project/my-repo/my-image:latest
# Clean up untagged images
# NOTE(review): --quiet skips every confirmation, so run the list half on its own first
# and read the output. Tags appear in list output only with --include-tags, and the
# IMAGE column looks like an image path without a digest; deleting a bare image path
# may remove all of its versions, tagged ones included. Confirm the filter and the
# emitted references before piping into delete.
gcloud artifacts docker images list \
asia-southeast1-docker.pkg.dev/my-project/my-repo \
--filter="tags:[]" \
--format="get(IMAGE)" | \
xargs -I{} gcloud artifacts docker images delete {} --quiet
Security Note: Avoid using `gcloud iam service-accounts keys create` when possible. Prefer Workload Identity for GKE, or Application Default Credentials for local development. Downloaded key files should be treated as passwords: keep them out of source control and delete keys that are no longer needed.
Pro Tips:
- Use `--format="value(field)"` to extract a single field for scripting
- Use `--quiet` or `-q` to skip confirmation prompts in automation
- Set the `CLOUDSDK_CORE_PROJECT` environment variable to override the project for one-off commands
- Use `gcloud beta` or `gcloud alpha` for preview features not yet in GA
- Run `gcloud components update` regularly to stay on the latest SDK version