name: gcp-services version: "1.0" description: > Configure GCP IAM, Secret Manager, and VPC networking with security best practices. PROACTIVELY activate for: (1) setting up service accounts and IAM permissions, (2) managing secrets in Secret Manager, (3) configuring VPC and firewall rules. Triggers: "iam", "secret manager", "vpc" core-integration: techniques: primary: ["structured_decomposition"] secondary: [] contracts: input: "none" output: "none" patterns: "none" rubrics: "none"

GCP Services Skill (IAM, Secret Manager, Networking)

Metadata (Tier 1)

Keywords: iam, service account, secret manager, vpc, firewall, permissions, least privilege, policy, network

File Patterns: .tf (google_project_iam_, google_secret_*, google_compute_network)

Modes: gcp_dev, deployment

Instructions (Tier 2)

IAM Least Privilege

Service Account Creation

gcloud iam service-accounts create SERVICE-sa \
  --display-name="Service Account for SERVICE"

Grant Minimal Permissions

# Secret Manager access
gcloud projects add-iam-policy-binding PROJECT \
  --member="serviceAccount:SERVICE-sa@PROJECT.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

# Cloud SQL client
gcloud projects add-iam-policy-binding PROJECT \
  --member="serviceAccount:SERVICE-sa@PROJECT.iam.gserviceaccount.com" \
  --role="roles/cloudsql.client"

NEVER Use Basic Roles

roles/owner
roles/editor
roles/viewer (on service accounts)

Use predefined roles (roles/run.invoker) Use custom roles for specific needs

Secret Manager

Create Secret

echo -n "SECRET_VALUE" | gcloud secrets create SECRET_NAME --data-file=-

Grant Access

gcloud secrets add-iam-policy-binding SECRET_NAME \
  --member="serviceAccount:SA@PROJECT.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

Access in Cloud Run

# As environment variable (less secure)
gcloud run deploy SERVICE --update-secrets=VAR=secret:version

# As mounted file (more secure)
gcloud run deploy SERVICE --update-secrets=/secrets/file=secret:version

Best Practices

Pin to specific versions in production (not :latest)
Enable rotation for sensitive secrets
Use automatic replication unless data residency required
Never pass secrets via environment variables in logs

VPC & Firewall

Create Custom VPC

gcloud compute networks create NETWORK \
  --subnet-mode=custom

gcloud compute networks subnets create SUBNET \
  --network=NETWORK \
  --region=REGION \
  --range=10.0.0.0/24

Firewall Rules (Deny by Default)

# Allow HTTPS from anywhere
gcloud compute firewall-rules create allow-https \
  --network=NETWORK \
  --allow=tcp:443 \
  --source-ranges=0.0.0.0/0

# Allow SSH from specific bastion
gcloud compute firewall-rules create allow-ssh-bastion \
  --network=NETWORK \
  --allow=tcp:22 \
  --source-ranges=10.0.1.0/24 \
  --target-tags=ssh-enabled

VPC Connector for Cloud Run

gcloud compute networks vpc-access connectors create CONNECTOR \
  --network=NETWORK \
  --region=REGION \
  --range=10.8.0.0/28

Anti-Patterns

Using default VPC in production
Overly permissive firewall rules (0.0.0.0/0 on SSH)
Service account keys (use Workload Identity)
Secrets in environment variables
Basic IAM roles on service accounts

ナビゲーション

Skillsとは？

リンク

gcp-services