gcp

Use when managing Google Cloud resources, editing .gcloudignore or app.yaml, scripting gcloud commands, configuring IAM, service accounts, Cloud Storage, Pub/Sub, BigQuery, Vertex AI, or GCP services.

9 stars

Best use case

gcp is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when managing Google Cloud resources, editing .gcloudignore or app.yaml, scripting gcloud commands, configuring IAM, service accounts, Cloud Storage, Pub/Sub, BigQuery, Vertex AI, or GCP services.

Teams using gcp should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/gcp/SKILL.md --create-dirs "https://raw.githubusercontent.com/cofin/flow/main/plugins/flow/skills/gcp/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/gcp/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How gcp Compares

Feature / AgentgcpStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when managing Google Cloud resources, editing .gcloudignore or app.yaml, scripting gcloud commands, configuring IAM, service accounts, Cloud Storage, Pub/Sub, BigQuery, Vertex AI, or GCP services.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Google Cloud Platform (GCP) Skill

## Service Overview

Use the dedicated `terraform` skill when the question is primarily about Terraform layout, state boundaries, brownfield import/export, workspaces, or CI-driven plan/apply workflows. Keep this `gcp` skill focused on Google Cloud services and `gcloud`-centric operations.

### Core Services

- **Compute**:
  - **Cloud Run**: Serverless containers (default choice for stateless apps).
  - **GKE**: Managed Kubernetes for complex orchestrations.
  - **Compute Engine**: Raw VMs for specific OS/kernel needs.
- **Data & Storage**:
  - **Cloud Storage (GCS)**: Object storage.
  - **Cloud SQL**: Managed PostgreSQL/MySQL/SQL Server.
  - **BigQuery**: Serverless data warehouse (analytics).
  - **Firestore**: NoSQL document database.
- **AI/ML**:
  - **Vertex AI**: Unified platform for models (Gemini, PaLM), training, and deployment.

<workflow>

## `gcloud` CLI & Scripting

### Configuration & Auth

<guardrails>

Avoid interactive prompts in scripts.

</guardrails>

<example>

```bash
# Production/CI: Use Service Account Key or Workload Identity
gcloud auth activate-service-account --key-file=key.json

# Local Dev: User Login
gcloud auth login
gcloud config set project MY_PROJECT_ID
```

</example>

### Scripting Best Practices

#### 1. Structured Output

Never parse default text output. Use `--format` (json/yaml) and `--filter`.

<example>

```bash
# Bad
gcloud compute instances list | grep RUNNING

# Good (Parseable JSON)
gcloud compute instances list --format="json"

# Good (Filter + Specific Value)
gcloud run services list \
  --filter="status.conditions.status=True AND metadata.name:my-service" \
  --format="value(status.url)"
```

</example>

#### 2. Deterministic Filters

Flatten complex resources to find what you need.

<example>

```bash
# Find latest revision of a service
gcloud run revisions list \
  --service=my-service \
  --sort-by="~metadata.creationTimestamp" \
  --limit=1 \
  --format="value(metadata.name)"
```

</example>

#### 3. Quiet Mode

Suppress "updates available" warnings and prompts.

<example>

```bash
export CLOUDSDK_CORE_DISABLE_PROMPTS=1
gcloud ... --quiet
```

</example>

## Automation Patterns

### 1. Cloud Run Deployment

Standard pattern for deploying containers.

<example>

```bash
gcloud run deploy my-service \
  --image gcr.io/my-project/my-image:tag \
  --platform managed \
  --region us-central1 \
  --allow-unauthenticated \
  --set-env-vars="DEBUG=true,DB_HOST=10.0.0.2"
```

</example>

### 2. Secret Management

<guardrails>

Access secrets securely (requires Secret Manager API).

</guardrails>

<example>

```bash
# Mount as volume in Cloud Run (Preferred)
gcloud run deploy ... --set-secrets="/secrets/db=my-db-secret:latest"

# Access via CLI (for ops scripts)
gcloud secrets versions access latest --secret="my-secret"
```

</example>

</workflow>

## AlloyDB

AlloyDB is a fully managed PostgreSQL-compatible database with columnar engine and ML-assisted auto-vacuum.

### Cluster / Instance Model

- **Cluster**: regional resource containing one primary and optional read pool instances.
- **Primary instance**: read-write; choose machine type and vCPUs.
- **Read pool**: horizontally scalable read-only replicas within the same cluster.

```bash
# Create a cluster
gcloud alloydb clusters create my-cluster \
  --region=us-central1 \
  --password=SECRET \
  --network=projects/MY_PROJECT/global/networks/default

# Create primary instance
gcloud alloydb instances create my-primary \
  --cluster=my-cluster \
  --region=us-central1 \
  --instance-type=PRIMARY \
  --cpu-count=4
```

### PSA Networking Requirement

AlloyDB requires **Private Service Access (PSA)** — a peered VPC range allocated for Google-managed services. Client VMs must be in the same VPC (or a connected VPC) to reach the instance IP.

```bash
# Allocate PSA range (one-time per VPC)
gcloud compute addresses create google-managed-services-default \
  --global \
  --purpose=VPC_PEERING \
  --prefix-length=20 \
  --network=default

# Create the peering
gcloud services vpc-peerings connect \
  --service=servicenetworking.googleapis.com \
  --ranges=google-managed-services-default \
  --network=default
```

### AlloyDB vs Cloud SQL

| Aspect | AlloyDB | Cloud SQL |
|--------|---------|-----------|
| Engine | PostgreSQL-compatible only | PostgreSQL, MySQL, SQL Server |
| Performance | ~4× higher throughput (columnar engine, shared memory cache) | Standard managed RDBMS |
| HA | Auto-failover < 60 s, cross-zone | Regional replica, ~60 s failover |
| Pricing | Higher; compute + storage separate | Instance + storage (simpler) |
| Best for | High-throughput OLTP, mixed OLTP/OLAP | General-purpose managed SQL |

---

## Secret Manager Patterns

### Diff-Based Updates

Avoid creating unnecessary secret versions. Compare the current value before adding a new version.

```bash
# Read existing value
CURRENT=$(gcloud secrets versions access latest --secret="my-secret" 2>/dev/null || echo "")

NEW_VALUE="new-password-here"

if [ "$CURRENT" != "$NEW_VALUE" ]; then
  echo -n "$NEW_VALUE" | gcloud secrets versions add my-secret --data-file=-
  echo "Secret updated."
else
  echo "Secret unchanged, skipping version creation."
fi
```

### Common Access Patterns

```bash
# Access the latest version
gcloud secrets versions access latest --secret="my-secret"

# Access a specific version
gcloud secrets versions access 3 --secret="my-secret"

# List versions
gcloud secrets versions list my-secret

# Create a new secret
echo -n "my-value" | gcloud secrets create my-secret \
  --data-file=- \
  --replication-policy=automatic
```

---

## IAM Workload Identity

Workload Identity lets GKE or Cloud Run workloads impersonate a GCP service account without key files.

### Annotation + Binding Chain

```bash
# 1. Create a GCP Service Account (GSA)
gcloud iam service-accounts create my-app-sa \
  --display-name="My App SA"

# 2. Grant required roles to the GSA
gcloud projects add-iam-policy-binding MY_PROJECT \
  --member="serviceAccount:my-app-sa@MY_PROJECT.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

# 3. Allow the Kubernetes Service Account (KSA) to impersonate the GSA
gcloud iam service-accounts add-iam-policy-binding \
  my-app-sa@MY_PROJECT.iam.gserviceaccount.com \
  --role="roles/iam.workloadIdentityUser" \
  --member="serviceAccount:MY_PROJECT.svc.id.goog[NAMESPACE/KSA_NAME]"

# 4. Annotate the KSA
kubectl annotate serviceaccount KSA_NAME \
  --namespace=NAMESPACE \
  iam.gke.io/gcp-service-account=my-app-sa@MY_PROJECT.iam.gserviceaccount.com
```

### Service Account Impersonation (CLI)

```bash
# Impersonate a GSA from a user or another SA
gcloud storage ls \
  --impersonate-service-account=my-app-sa@MY_PROJECT.iam.gserviceaccount.com

# Generate a short-lived token
gcloud auth print-access-token \
  --impersonate-service-account=my-app-sa@MY_PROJECT.iam.gserviceaccount.com
```

---

## VPC Networking

### PSA Ranges

See AlloyDB section above. PSA is also required for Cloud SQL private IP and Memorystore.

### Cloud NAT / Router

Cloud NAT allows VMs without external IPs to reach the internet.

```bash
# Create a Cloud Router
gcloud compute routers create my-router \
  --region=us-central1 \
  --network=default

# Attach Cloud NAT
gcloud compute routers nats create my-nat \
  --router=my-router \
  --region=us-central1 \
  --auto-allocate-nat-external-ips \
  --nat-all-subnet-ip-ranges
```

### Firewall Rules

```bash
# IAP TCP tunneling (SSH/RDP via IAP)
gcloud compute firewall-rules create allow-iap-ssh \
  --network=default \
  --allow=tcp:22 \
  --source-ranges=35.235.240.0/20 \
  --description="Allow SSH via IAP"

# GCP load balancer health checks
gcloud compute firewall-rules create allow-health-checks \
  --network=default \
  --allow=tcp \
  --source-ranges=130.211.0.0/22,35.191.0.0/16 \
  --description="Allow GCP health check probers"
```

| Purpose | CIDR |
|---------|------|
| IAP TCP forwarding | `35.235.240.0/20` |
| GCP health check probers | `130.211.0.0/22`, `35.191.0.0/16` |

---

## Cloud Batch

Cloud Batch is a fully managed service for batch and HPC workloads. It provisions, schedules, and autoscales VMs (including Spot/preemptible) without managing a cluster.

**When to use Cloud Batch vs GKE:**

| Aspect | Cloud Batch | GKE |
|--------|-------------|-----|
| Workload type | Batch jobs, array jobs, MPI | Long-running services, microservices |
| Cluster management | None (fully managed) | Cluster lifecycle managed by operator |
| Spot/preemptible | Built-in, first-class | Node pool configuration |
| GPU / HPC support | A100/H100, HPC VM families | Any accelerator, custom node pools |
| Scheduling | Queue-based, job arrays | Kubernetes scheduler |

```bash
# Submit a simple batch job from JSON spec
gcloud batch jobs submit my-job \
  --location=us-central1 \
  --config=job.json
```

---

## References Index

- **[IAM Guide](references/iam.md)** - Service accounts, role bindings, Workload Identity, and IAM best practices.

## Cross-References

- **Gemini CLI Extensions org**: <https://github.com/gemini-cli-extensions> — community-built Gemini CLI extensions for GCP services and tooling.

## Documentation & References

- **SDK Cheat Sheet**: `gcloud cheat-sheet`
- **Core Services List**: [Google Cloud Products](https://cloud.google.com/products)
- **CLI Reference**: [gcloud CLI docs](https://cloud.google.com/sdk/gcloud/reference)

## Official References

- <https://docs.cloud.google.com/>
- <https://docs.cloud.google.com/sdk/gcloud/reference>
- <https://cloud.google.com/sdk/gcloud/reference/run/deploy>
- <https://docs.cloud.google.com/sdk/docs/authorizing>
- <https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr>
- <https://cloud.google.com/vertex-ai/generative-ai/docs/migrate/migrate-palm-to-gemini>

## Shared Styleguide Baseline

- Use shared styleguides for generic language/framework rules to reduce duplication in this skill.
- [General Principles](https://github.com/cofin/flow/blob/main/templates/styleguides/general.md)
- [GCP Scripting](https://github.com/cofin/flow/blob/main/templates/styleguides/cloud/gcp_scripting.md)
- [Bash](https://github.com/cofin/flow/blob/main/templates/styleguides/languages/bash.md)
- Keep this skill focused on tool-specific workflows, edge cases, and integration details.

<validation>
## Validation

Add validation instructions here.
</validation>

Related Skills

flow-memory-keeper

9
from cofin/flow

Use at task, phase, flow, sync, archive, finish, revise, or failure checkpoints to keep Flow specs clean, capture learnings and failures, elevate durable patterns, and refine this skill with project-specific nuances

vue

9
from cofin/flow

Use when editing Vue projects, .vue files, vue.config.js, Vue 3 components, Composition API, <script setup>, SFC state, deployment workflows, or Vue CI configuration.

vite

9
from cofin/flow

Use when editing Vite projects, vite.config.ts, vite.config.js, Vite plugins, HMR, asset bundling, frontend build settings, deployment config, or Litestar/Vite integration.

uvicorn

9
from cofin/flow

Use when deploying ASGI apps with uvicorn, editing uvicorn CLI commands, Config or Server usage, workers, reload, event loop selection, SSL, lifespan, logging, or development server behavior.

tracer

9
from cofin/flow

Use when tracing execution paths, mapping dependencies, understanding unfamiliar code, following data flow, investigating end-to-end behavior, debugging call chains, or deciding which files to read next.

testing

9
from cofin/flow

Use when writing or refactoring tests, editing test_*.py, *.test.ts, *.spec.ts, conftest.py, vitest.config.ts, pytest fixtures, mocks, coverage, async tests, anyio, or test failure debugging.

terraform

9
from cofin/flow

Use when creating, adopting, refactoring, or operating Terraform, *.tf files, .terraform.lock.hcl, terragrunt.hcl, root modules, backends, state, workspaces, imports, CI plan/apply, tests, or policy checks.

tanstack

9
from cofin/flow

Use when editing TanStack code, @tanstack imports, useQuery, createRouter, React Query, TanStack Router, Table, Form, Store, file-based routing, data fetching, or SPA state management.

tailwind

9
from cofin/flow

Use when styling with Tailwind CSS, editing tailwind.config.ts, tailwind.config.js, @tailwind directives, utility classes, responsive layouts, @apply, cn(), @theme config, dark mode, or forms.

svelte

9
from cofin/flow

Use when editing Svelte components, .svelte files, svelte.config.js, Svelte 5 runes, $state, $derived, SvelteKit, component state, or migrating away from Svelte 4 patterns.

sqlserver

9
from cofin/flow

Use when writing T-SQL, editing SQL Server .sql files, using sqlcmd, SQL Server connection strings, stored procedures, execution plans, indexes, Always On, JSON, security, or connector code.

sqlalchemy

9
from cofin/flow

Use when editing SQLAlchemy code, sqlalchemy imports, mapped_column, DeclarativeBase, ORM models, relationships, select() queries, async sessions, engines, events, or migrations.