Claude-skill-registry gcp-services
install
Source: clone the upstream repo
```bash
git clone https://github.com/majiayu000/claude-skill-registry
```
Claude Code: install into ~/.claude/skills/
```bash
T=$(mktemp -d) &&
  git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" &&
  mkdir -p ~/.claude/skills &&
  cp -r "$T/skills/data/gcp-services" ~/.claude/skills/majiayu000-claude-skill-registry-gcp-services &&
  rm -rf "$T"
```
manifest: skills/data/gcp-services/SKILL.md
GCP Services Skill (IAM, Secret Manager, Networking)
Metadata (Tier 1)
Keywords: iam, service account, secret manager, vpc, firewall, permissions, least privilege, policy, network
File Patterns: .tf (google_project_iam_, google_secret_*, google_compute_network)
Modes: gcp_dev, deployment
Instructions (Tier 2)
IAM Least Privilege
Service Account Creation
```bash
gcloud iam service-accounts create SERVICE-sa \
  --display-name="Service Account for SERVICE"
```
Grant Minimal Permissions
```bash
# Secret Manager access
gcloud projects add-iam-policy-binding PROJECT \
  --member="serviceAccount:SERVICE-sa@PROJECT.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

# Cloud SQL client
gcloud projects add-iam-policy-binding PROJECT \
  --member="serviceAccount:SERVICE-sa@PROJECT.iam.gserviceaccount.com" \
  --role="roles/cloudsql.client"
```
NEVER Use Basic Roles
- roles/owner
- roles/editor
- roles/viewer (on service accounts)
- Use predefined roles (roles/run.invoker)
- Use custom roles for specific needs
Secret Manager
Create Secret
```bash
echo -n "SECRET_VALUE" | gcloud secrets create SECRET_NAME --data-file=-
```
Grant Access
```bash
gcloud secrets add-iam-policy-binding SECRET_NAME \
  --member="serviceAccount:SA@PROJECT.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"
```
Access in Cloud Run
```bash
# As environment variable (less secure)
gcloud run deploy SERVICE --update-secrets=VAR=secret:version

# As mounted file (more secure)
gcloud run deploy SERVICE --update-secrets=/secrets/file=secret:version
```
Best Practices
- Pin to specific versions in production (not :latest)
- Enable rotation for sensitive secrets
- Use automatic replication unless data residency required
- Never log environment variables that carry secrets
VPC & Firewall
Create Custom VPC
```bash
gcloud compute networks create NETWORK \
  --subnet-mode=custom

gcloud compute networks subnets create SUBNET \
  --network=NETWORK \
  --region=REGION \
  --range=10.0.0.0/24
```
Firewall Rules (Deny by Default)
```bash
# Allow HTTPS from anywhere
gcloud compute firewall-rules create allow-https \
  --network=NETWORK \
  --allow=tcp:443 \
  --source-ranges=0.0.0.0/0

# Allow SSH from specific bastion
gcloud compute firewall-rules create allow-ssh-bastion \
  --network=NETWORK \
  --allow=tcp:22 \
  --source-ranges=10.0.1.0/24 \
  --target-tags=ssh-enabled
```
VPC Connector for Cloud Run
```bash
gcloud compute networks vpc-access connectors create CONNECTOR \
  --network=NETWORK \
  --region=REGION \
  --range=10.8.0.0/28
```
Anti-Patterns
- Using default VPC in production
- Overly permissive firewall rules (0.0.0.0/0 on SSH)
- Service account keys (use Workload Identity)
- Secrets in environment variables
- Basic IAM roles on service accounts
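An added offline audit helper (not part of this skill or the upstream repo) that checks exported configuration for two of the anti-patterns listed above: basic roles bound to service accounts, and firewall rules admitting SSH from 0.0.0.0/0. It assumes the JSON shapes produced by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud compute firewall-rules list --format=json`; the sample policy and rules below are constructed.

```python
"""Audit helper (added example): flags basic roles on service accounts and
ingress rules that allow tcp/22 from 0.0.0.0/0, using gcloud JSON shapes."""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample data: one SA holding roles/editor, two rules exposing SSH.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": [
        "serviceAccount:api-sa@my-proj.iam.gserviceaccount.com",
        "user:alice@example.com"]},
    {"role": "roles/secretmanager.secretAccessor", "members": [
        "serviceAccount:api-sa@my-proj.iam.gserviceaccount.com"]},
]}
SAMPLE_RULES = [
    {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-ssh-bastion", "direction": "INGRESS", "sourceRanges": ["10.0.1.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "wide-open", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}]},
]

def basic_roles_on_service_accounts(policy):
    """Return (member, role) pairs where a service account holds a basic role."""
    return [(member, b["role"]) for b in policy.get("bindings", [])
            if b["role"] in BASIC_ROLES
            for member in b.get("members", []) if member.startswith("serviceAccount:")]

def covers_port(ports, port):
    """True if any entry ("22" or "20-25") includes port; None means all ports."""
    if ports is None:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def ssh_open_to_world(rules):
    """Return names of enabled INGRESS rules allowing tcp/22 from 0.0.0.0/0."""
    hits = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if "0.0.0.0/0" in rule.get("sourceRanges", []) and any(
                a.get("IPProtocol") == "all" or
                (a.get("IPProtocol") == "tcp" and covers_port(a.get("ports"), 22))
                for a in rule.get("allowed", [])):
            hits.append(rule["name"])
    return hits
```

Feed it real exports with `json.load` on the two gcloud outputs; an empty list from both functions is the expected state for a project that follows this skill.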