Create a bucket with public access prevention enforced.
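# Create the bucket with public access prevention enforced (--pap) and
# uniform bucket-level access, which disables object ACLs so IAM is the only
# access-control path; together they stop accidental public exposure.
gcloud storage buckets create --pap --uniform-bucket-level-access --location us-east1 gs://example-bucket-name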
Delete storage objects recursively under a prefix.
# Recursively delete everything matching the given path (-r is the short
# form of --recursive). The deletion scope is whatever the path matches, so
# double-check the prefix before running.
gcloud storage rm -r gs://example-bucket/some/object
Create a service account and download a JSON key for it.
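# Create the service account.
gcloud iam service-accounts create service-account-name --display-name=service-account-name
# Create a user-managed key. credentials.json is a long-lived credential that
# authenticates as the service account: keep it out of version control, rotate
# it, and prefer workload identity federation (the pool/provider commands on
# this page) when the caller can present its own OIDC token instead.
gcloud iam service-accounts keys create credentials.json --iam-account=service-account-name@your-project-id.iam.gserviceaccount.com
# Restrict the key file to its owner in case it was left group/world readable.
chmod 600 -- credentials.json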
Grant the service account a storage role on the bucket.
# Bucket-scoped binding: the role applies to this bucket only, not the project.
# objectAdmin allows creating, reading, overwriting and deleting objects; use
# roles/storage.objectViewer or roles/storage.objectCreator when the workload
# only reads or only writes.
gcloud storage buckets add-iam-policy-binding gs://example-bucket-name \
  --member=serviceAccount:service-account-name@your-project-id.iam.gserviceaccount.com \
  --role=roles/storage.objectAdmin
Prepare a YAML file (permissions.yaml) describing the custom role.
# Role definition consumed by `gcloud iam roles create --file`.
title: customRole
# Launch stage of the role.
stage: GA
# Read-only Cloud DNS permissions (get/list only); keep this list to the
# minimum the caller actually needs.
includedPermissions:
- dns.changes.get
- dns.managedZones.list
- dns.resourceRecordSets.list
Create the custom role from the YAML file.
# Create the project-level custom role from permissions.yaml.
gcloud iam roles create customRole --project=your-project-id --file=permissions.yaml
Grant the custom role to the service account at project level.
# Project-level binding of the custom role; the role id is qualified with the
# project that owns it.
gcloud projects add-iam-policy-binding your-project-id \
  --member=serviceAccount:service-account-name@your-project-id.iam.gserviceaccount.com \
  --role=projects/your-project-id/roles/customRole
Create a Docker-format Artifact Registry repository.
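# Docker-format repository. The id is hyphenated (repository-name) so it matches
# the binding command on this page; Artifact Registry repository ids use
# lowercase letters, digits and hyphens.
gcloud artifacts repositories create repository-name --repository-format docker --location us-east1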
Grant the service account a role on the Artifact Registry repository.
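# Repository-scoped binding. repoAdmin lets the principal manage and delete
# artifacts; a CI job that only pushes images needs roles/artifactregistry.writer
# and a puller needs roles/artifactregistry.reader.
# The member uses the same service-account-name@your-project-id placeholders as
# the other commands on this page.
gcloud artifacts repositories add-iam-policy-binding repository-name \
  --location us-east1 \
  --member serviceAccount:service-account-name@your-project-id.iam.gserviceaccount.com \
  --role roles/artifactregistry.repoAdmin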
Create a workload identity pool and add an OIDC provider to it.
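# Workload identity pool: lets external OIDC identities act as service
# accounts without a downloaded key.
gcloud iam workload-identity-pools create workload-identity-pool-id --location global
# OIDC provider. google.subject=assertion.sub maps the token subject 1:1.
# Without --attribute-condition every valid token from the issuer is accepted
# as a pool identity, so restrict it to the expected subject(s);
# <expected-subject> is a placeholder. Add --allowed-audiences if the issuer
# sets a non-default aud claim.
gcloud iam workload-identity-pools providers create-oidc provider-id \
  --location global \
  --workload-identity-pool workload-identity-pool-id \
  --issuer-uri "https://issuer.example.com/" \
  --attribute-mapping "google.subject=assertion.sub" \
  --attribute-condition "assertion.sub == '<expected-subject>'"
# A pool identity can only impersonate a service account after it is granted
# roles/iam.workloadIdentityUser on that account (not shown here).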
Make a Cloud Run service publicly invocable without authentication.
# Public, unauthenticated access: allUsers means anyone on the Internet can
# invoke the service. Bind a specific principal (or allAuthenticatedUsers)
# instead when the service is not meant to be public; a domain-restricted-
# sharing org policy may reject this binding.
gcloud run services add-iam-policy-binding my-service --region=us-east1 --member=allUsers --role=roles/run.invoker