Skarp

Chapter 5 of 26

Command-Line Power: Cloud Shell, gcloud, and SDK Configuration

Step beyond the Console and get comfortable with Cloud Shell and the gcloud CLI so you can perform exam-style tasks quickly and reproducibly.


Cloud Shell vs Local Cloud SDK: Your Two Main Toolkits

Two Main Toolkits

You will use two main command-line toolkits: Cloud Shell (browser-based, managed by Google) and the Cloud SDK installed on your own machine. Both expose the `gcloud` CLI.

Cloud Shell Basics

Cloud Shell is a Google-managed Debian VM you open from the Console. It has `gcloud` and other tools preinstalled, uses your Google identity, and gives you a small (5 GB) home directory that persists between sessions.

Cloud SDK Basics

The Cloud SDK is the local package that includes `gcloud`, `gsutil`, and `bq`. Installing it on your machine lets you script, integrate with your OS, and manage multiple environments.

Exam Relevance

For the Associate Cloud Engineer exam, you must be comfortable running `gcloud` in Cloud Shell and in a local Cloud SDK, switching projects and running core resource commands quickly.

Setting Up Cloud Shell and Local Cloud SDK

Starting Cloud Shell

Open Cloud Shell from the Console’s top bar. Google starts a small VM, mounts your persistent home directory, and pre-authenticates `gcloud` with your user account and active project.

Checking Cloud Shell

In Cloud Shell, run `gcloud --version` to see components and `gcloud config list` to see the active account and project. This confirms the environment you are about to operate in.

Local Cloud SDK Install

On your machine, install the Cloud SDK using an installer or package manager, then run `gcloud init` to log in, select a project, and optionally set default region/zone.

Key Differences

Cloud Shell is managed and auto-updated; local SDK is your responsibility to update and secure. Cloud Shell runs in Google’s project; local SDK runs from your own OS and network.

Hands-On: First-Time Cloud SDK Initialization

Use this as a reference script when you install and initialize the Cloud SDK on a new machine. Commands are shown for understanding; do not run with `sudo` unless your OS instructions require it.

```bash
# 1. Verify Cloud SDK is installed
which gcloud || echo "gcloud not found in PATH"

# 2. Show version and installed components
gcloud --version

# 3. Initialize SDK (interactive)
gcloud init
#   - You will be prompted to open a browser to log in.
#   - Choose the Google account you use for Google Cloud.
#   - Select an existing project or create a new one.
#   - Optionally set default region/zone.

# 4. Confirm your active account and project
gcloud config list

# 5. (Optional) Set or change defaults explicitly
PROJECT_ID="my-ace-lab-project"
REGION="us-central1"
ZONE="us-central1-a"
gcloud config set project "$PROJECT_ID"
gcloud config set compute/region "$REGION"
gcloud config set compute/zone "$ZONE"

# 6. (Optional) Update components
gcloud components update
```

On the exam you will not install the SDK, but you might see questions about `gcloud init`, verifying the active project, or setting region/zone defaults.

gcloud Configurations, Accounts, and Projects

What is a Configuration?

A `gcloud` configuration is a named set of settings like account, project, region, and zone. Think of it as a profile for a specific environment (dev, test, prod).

Inspecting Configs

Use `gcloud config list` to see active settings and `gcloud config configurations list` to list all profiles. This is your first check when commands affect the wrong resources.

Managing Configs

Create and switch profiles with `gcloud config configurations create dev` and `gcloud config configurations activate dev`, then set `gcloud config set project PROJECT_ID`.

Exam Trap: Wrong Project

Many mistakes come from using the wrong project. Before creating or deleting resources, confirm `core/project` and `core/account` using `gcloud config list`, especially in Cloud Shell.

Example: Multi-Environment Configurations (dev, test, prod)

Scenario: 3 Projects

You manage `my-company-dev`, `my-company-test`, and `my-company-prod`. You want fast, safe switching between them without constantly resetting project and zone.

Create dev Config

Run `gcloud config configurations create dev` then activate and set project and region/zone. This profile now always points to the dev project when activated.

Create test and prod

Repeat the pattern for `test` and `prod`, possibly with different accounts and regions. Each configuration holds its own project and compute defaults.

Using Configs on Exam

When a task says "use the test environment", activate the `test` configuration first, then run `gcloud` commands so they affect the correct project.
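The "Exam Trap: Wrong Project" note and the dev/test/prod scenario above both come down to one habit: check which configuration and project are active before a command runs. The script below is an added example, not course material or Google code; it creates one configuration per environment and wraps commands in a guard that refuses to run unless the active configuration and its `core/project` both match what you expect. The project names are the chapter's `my-company-dev/test/prod`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the course: one gcloud configuration per
# environment, plus a guard that refuses to run a command unless the active
# configuration and project are the ones you expect. Project names are the
# chapter's my-company-dev/test/prod; the function names are hypothetical.

# create_env_config NAME PROJECT REGION ZONE
# Creates the named configuration (tolerating one that already exists),
# activates it, and stores its project and compute defaults.
create_env_config() {
  name="$1"; project="$2"; region="$3"; zone="$4"
  gcloud config configurations create "$name" >/dev/null 2>&1 || true
  gcloud config configurations activate "$name" >/dev/null
  gcloud config set project "$project" >/dev/null
  gcloud config set compute/region "$region" >/dev/null
  gcloud config set compute/zone "$zone" >/dev/null
}

# active_config prints the name of the currently active configuration.
active_config() {
  gcloud config configurations list --filter='is_active:true' --format='value(name)'
}

# active_project prints core/project of the active configuration.
active_project() {
  gcloud config get-value project 2>/dev/null
}

# require_env CONFIG PROJECT
# Succeeds only when both the active configuration and its project match.
# Checking both catches the case where someone changed core/project inside
# a configuration without renaming it.
require_env() {
  want_cfg="$1"; want_proj="$2"
  cfg=$(active_config); proj=$(active_project)
  if [ "$cfg" != "$want_cfg" ] || [ "$proj" != "$want_proj" ]; then
    echo "refusing: active config '$cfg' project '$proj'; expected '$want_cfg' project '$want_proj'" >&2
    return 1
  fi
}

# guarded_run CONFIG PROJECT COMMAND...
# Runs COMMAND only after require_env passes, so a command meant for one
# environment cannot land in another.
guarded_run() {
  want_cfg="$1"; want_proj="$2"; shift 2
  require_env "$want_cfg" "$want_proj" || return 1
  "$@"
}

# Demo against a real gcloud; set ACE_RUN_DEMO=1 to run it.
if [ "${ACE_RUN_DEMO:-0}" = "1" ]; then
  create_env_config dev  my-company-dev  us-central1 us-central1-a
  create_env_config test my-company-test us-central1 us-central1-b
  create_env_config prod my-company-prod us-east1    us-east1-b
  gcloud config configurations activate test
  # Allowed: active config is test and its project is my-company-test.
  guarded_run test my-company-test gcloud compute instances list
  # Refused: the active config is not prod, so nothing runs against it.
  guarded_run prod my-company-prod gcloud compute instances list || true
fi
```

Run it with `ACE_RUN_DEMO=1 sh envs.sh` after `gcloud init`; the guard writes its refusal to stderr and returns non-zero, so `set -e` scripts stop at the first wrong-project command instead of continuing.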

Authenticating gcloud: Users, Service Accounts, and Application Default Credentials

User Authentication

Use `gcloud auth login` to sign in via browser. Check and switch accounts with `gcloud auth list` and `gcloud config set account`. This is how humans authenticate for CLI use.

Service Accounts Refresher

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Service Accounts with gcloud

Use `gcloud auth activate-service-account ... --key-file=KEY.json` when you must run commands as a service account (legacy scripts, CI). Revoke with `gcloud auth revoke`.

Application Default Credentials

ADC are credentials that client libraries use automatically. Set them locally with `gcloud auth application-default login`. This is separate from `gcloud auth login` used by `gcloud`.

Core gcloud Commands: Compute Engine, Cloud Storage, and IAM

Compute Engine Basics

Use `gcloud compute instances list` to see VMs and `gcloud compute instances create` with flags like `--zone`, `--machine-type`, and `--image-family` to create new instances.

Creating a VM

Example: `gcloud compute instances create vm-1 --zone=us-central1-a --machine-type=e2-micro --image-family=debian-12 --image-project=debian-cloud` creates a small Debian VM.

Cloud Storage via gcloud

Use `gcloud storage buckets list` and `gcloud storage buckets create gs://my-bucket --location=us-central1`, then copy files with `gcloud storage cp`.

IAM Policy Bindings

Add a role with `gcloud projects add-iam-policy-binding PROJECT_ID --member="user:alice@example.com" --role="roles/storage.admin"`. Avoid `set-iam-policy` unless you intend to replace the entire existing policy, since it overwrites every binding rather than adding one.

Thought Exercise: Predict the Effect of These Commands

Mentally simulate what each command does and where it might fail. This builds the habit of reading `gcloud` commands carefully before running them.

  1. Command A

```bash
gcloud config set project my-lab-project
gcloud compute instances list
```

  • Question: What project will `instances list` operate on? What if `my-lab-project` does not exist or you lack permissions?

  2. Command B

```bash
gcloud compute instances create web-1 \
  --zone=us-central1-a \
  --machine-type=e2-medium \
  --tags=http-server
```

  • Question: Will this automatically create firewall rules to allow HTTP? Under what conditions could this fail (think quotas, permissions, API enablement)?

  3. Command C

```bash
gcloud projects add-iam-policy-binding my-lab-project \
  --member="serviceAccount:sa-app@my-lab-project.iam.gserviceaccount.com" \
  --role="roles/storage.objectViewer"
```

  • Question: What new capability does `sa-app` gain? On which resource level is this applied (project, folder, or organization)?

  4. Command D

```bash
gcloud storage buckets create gs://my-lab-bucket \
  --location=us-central1
```

  • Question: Why might this command fail even if you have `storage.admin`? Think about bucket name uniqueness and existing buckets in other projects.

Write down your predictions, then run similar commands in a lab project or Cloud Shell later to confirm your intuition.

Using Client Libraries and REST Alongside gcloud

gcloud and REST

`gcloud` is a wrapper over Google Cloud REST APIs. Use `--log-http` to see underlying requests and responses, which helps explain errors and understand what is really happening.

Calling REST Directly

You can call APIs directly with tools like `curl`, passing an access token from `gcloud auth print-access-token`. This is useful for low-level debugging and automation.
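The following is an added example of the `curl` plus `gcloud auth print-access-token` pattern described above; it is not course material or Google code. The one design point worth showing is how the token reaches `curl`: it is written to stdin and read with `curl -H @-` (assumed to be curl 7.55 or newer), so it never appears in the process argument list where `ps` or shell history would record it. The function names are hypothetical; the URL is the Cloud Storage JSON API bucket-list endpoint.

```shell
#!/bin/sh
# Added example, not part of the course: an authenticated REST call with curl
# and a token from `gcloud auth print-access-token`. The Authorization header
# is fed to curl on stdin (curl -H @-, assumed available in curl 7.55+) so the
# token never sits on the command line. Function names are hypothetical.

# gcp_api_get URL
# Performs an authenticated GET and prints the response body.
# Returns non-zero if no token can be obtained or the HTTP status is an error.
gcp_api_get() {
  url="$1"
  tok=$(gcloud auth print-access-token) || {
    echo "no access token: check gcloud auth list, then gcloud auth login" >&2
    return 1
  }
  # The header goes through the pipe; only the URL and fixed flags are argv.
  if printf 'Authorization: Bearer %s\n' "$tok" \
      | curl -sS -f -H @- -H 'Accept: application/json' "$url"; then
    status=0
  else
    status=$?
  fi
  unset tok
  return "$status"
}

# list_buckets PROJECT_ID
# Lists buckets in PROJECT_ID. An HTTP 403 here is the REST-level view of
# the same PERMISSION_DENIED that `gcloud storage buckets list` would show.
list_buckets() {
  gcp_api_get "https://storage.googleapis.com/storage/v1/b?project=$1"
}

# Demo against real credentials; set ACE_RUN_DEMO=1 and PROJECT_ID to run it.
if [ "${ACE_RUN_DEMO:-0}" = "1" ]; then
  list_buckets "${PROJECT_ID:?set PROJECT_ID to the project to inspect}"
fi
```

`curl -f` turns an HTTP error status into a non-zero exit, so a script can tell a 403 from a successful empty list; drop `-f` when you want to read the error body that the API returns.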

Client Libraries

Language-specific client libraries (Python, Java, etc.) use the same APIs. They often rely on Application Default Credentials so code can run as a service account without manual keys.

Exam Relevance

You should be able to link `gcloud` errors to what an app would see via REST or client libraries, and reason about which service account and IAM roles are needed.

Troubleshooting Common gcloud Auth and Permission Errors

PERMISSION_DENIED

If you see `PERMISSION_DENIED`, your user or service account lacks a required permission. Check the active account and grant an IAM role that includes the missing permission.

Insufficient Scopes

On older VMs, `insufficient authentication scopes` means the VM’s OAuth scopes are too narrow, even if IAM roles are correct. Fix by recreating with broader scopes or using modern defaults.

Listing Resources Fails

If `gcloud projects list` or `gcloud storage buckets list` fails or seems incomplete, check your IAM roles at the organization, folder, or project level, not just the resource itself.

NOT_FOUND vs PERMISSION_DENIED

`NOT_FOUND` can hide permission issues. If you know a resource exists but `gcloud` says not found, suspect missing `get` or `list` permissions in IAM.
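As an added example (not course material or Google code), the script below turns the four troubleshooting notes above into a small classifier: it reads the stderr of a failed `gcloud` command, names the error category, pulls out the IAM permission mentioned in the message when there is one, and prints the first thing to check. Scope errors are tested before generic 403s because they also arrive as an HTTP 403, and the `NOT_FOUND` hint carries the caveat that a missing `get`/`list` permission can look like a missing resource. The function names are hypothetical and the `SAMPLE_*` texts are constructed to resemble `gcloud` error lines, not captured from a real session.

```shell
#!/bin/sh
# Added example, not part of the course: classify a failed gcloud command from
# its stderr and print the first thing to check. Function names are
# hypothetical; the SAMPLE_* texts are constructed, not real gcloud output.

# classify_gcloud_error TEXT
# Prints INSUFFICIENT_SCOPES, AUTH, PERMISSION_DENIED, NOT_FOUND or OTHER.
# Scope errors are tested first because they are also reported as HTTP 403.
classify_gcloud_error() {
  case "$1" in
    *"insufficient authentication scopes"*|*ACCESS_TOKEN_SCOPE_INSUFFICIENT*)
      echo INSUFFICIENT_SCOPES ;;
    *"do not currently have an active account"*|*UNAUTHENTICATED*|*"HTTPError 401"*)
      echo AUTH ;;
    *PERMISSION_DENIED*|*"HTTPError 403"*|*" permission for "*|*"denied on resource"*)
      echo PERMISSION_DENIED ;;
    *NOT_FOUND*|*"was not found"*|*"HTTPError 404"*)
      echo NOT_FOUND ;;
    *) echo OTHER ;;
  esac
}

# missing_permission TEXT
# Extracts the IAM permission named in the error, if any, from either
# "Permission 'x.y.z' denied" or "Required 'x.y.z' permission" wording.
missing_permission() {
  printf '%s\n' "$1" | sed -n \
    -e "s/.*[Pp]ermission '\([A-Za-z0-9_.]*\)'.*/\1/p" \
    -e "s/.*Required '\([A-Za-z0-9_.]*\)' permission.*/\1/p" | head -n 1
}

# next_check CATEGORY
# The first diagnostic step for each category, following the notes above.
next_check() {
  case "$1" in
    INSUFFICIENT_SCOPES)
      echo "VM OAuth scopes are too narrow; IAM roles cannot fix this, recreate the VM with broader scopes" ;;
    AUTH)
      echo "no usable credential; run gcloud auth list, then gcloud auth login or gcloud config set account" ;;
    PERMISSION_DENIED)
      echo "run gcloud config list to confirm account and project, then grant a role containing the missing permission" ;;
    NOT_FOUND)
      echo "check the name and project; NOT_FOUND can hide a missing get or list permission" ;;
    *)
      echo "read the full message; rerun with --log-http to see the underlying request" ;;
  esac
}

# diagnose_gcloud COMMAND...
# Runs COMMAND; on failure prints a diagnosis line and the next check to
# stdout, echoes the original error to stderr, and returns the command's
# own exit status so calling scripts still fail fast.
diagnose_gcloud() {
  err=$(mktemp)
  if "$@" 2>"$err"; then status=0; else status=$?; fi
  if [ "$status" -ne 0 ]; then
    text=$(cat "$err")
    printf '%s\n' "$text" >&2
    category=$(classify_gcloud_error "$text")
    perm=$(missing_permission "$text")
    echo "diagnosis: $category${perm:+ (permission: $perm)}"
    echo "next check: $(next_check "$category")"
  fi
  rm -f "$err"
  return "$status"
}

# Constructed samples (not real gcloud output) for the demo below.
SAMPLE_PERM="ERROR: (gcloud.storage.buckets.list) HTTPError 403: alice@example.com does not have storage.buckets.list access to the Google Cloud project. Permission 'storage.buckets.list' denied on resource (or it may not exist)."
SAMPLE_SCOPE="ERROR: (gcloud.compute.instances.list) HTTPError 403: Request had insufficient authentication scopes."
SAMPLE_NF="ERROR: (gcloud.compute.instances.describe) Could not fetch resource: - The resource 'projects/my-lab-project/zones/us-central1-a/instances/vm-9' was not found"
SAMPLE_AUTH="ERROR: (gcloud.compute.instances.list) You do not currently have an active account selected."

for s in "$SAMPLE_PERM" "$SAMPLE_SCOPE" "$SAMPLE_NF" "$SAMPLE_AUTH"; do
  c=$(classify_gcloud_error "$s")
  echo "$c -> $(next_check "$c")"
done

# Wrap a real command; set ACE_RUN_DEMO=1 to try it. Output appears only on failure.
if [ "${ACE_RUN_DEMO:-0}" = "1" ]; then
  diagnose_gcloud gcloud compute instances list
fi
```

Wrap any `gcloud` call as `diagnose_gcloud gcloud ...`; when it succeeds nothing extra is printed, and when it fails you get the category and the first check before you start changing IAM bindings.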

Quiz 1: Configurations, Auth, and Projects

Check your understanding of configurations and authentication with `gcloud`.

You are in Cloud Shell and run `gcloud compute instances list`, but no instances appear. You know there are VMs in another project tied to your account. What is the FIRST command you should run to diagnose this?

  A. gcloud auth login
  B. gcloud config list
  C. gcloud projects list
  D. gcloud compute instances list --global

Answer: B) gcloud config list

`gcloud config list` shows the active account and project. In Cloud Shell the most common issue is that you are in the wrong project. Only after confirming that should you adjust auth or list projects.

Quiz 2: IAM and Error Interpretation

Test your ability to interpret common `gcloud` error messages.

A developer’s app running on a Compute Engine VM gets `PERMISSION_DENIED` when reading from a Cloud Storage bucket. You can read the bucket with your user account using `gcloud storage cp`. Which is the BEST first fix to try?

  A. Run `gcloud auth login` on the VM as your user account.
  B. Grant the VM’s service account a role like `roles/storage.objectViewer` on the bucket.
  C. Recreate the bucket in the same region as the VM.
  D. Run `gcloud auth application-default login` on your laptop.

Answer: B) Grant the VM’s service account a role like `roles/storage.objectViewer` on the bucket.

The app runs as the VM’s service account, not your user. You should grant that service account a role such as `roles/storage.objectViewer` on the bucket. Logging in as yourself on the VM is not a scalable or secure fix.

Key Term and Command Review

Flip through these cards to reinforce core concepts and commands before moving on.

Cloud Shell
A Google-managed Debian VM you access from the browser. It comes with `gcloud` and other tools preinstalled, uses your Google identity, and has a small persistent home directory.
Cloud SDK
The collection of command-line tools for Google Cloud, including the `gcloud` CLI, `gsutil`, and `bq`, installed on your local machine.
gcloud configuration
A named set of `gcloud` settings (such as account, project, region, and zone) that acts like a profile for a specific environment (for example, dev, test, prod).
Command to initialize gcloud on a new machine
`gcloud init`
Command to switch the active project
`gcloud config set project PROJECT_ID`
Command to list Compute Engine instances
`gcloud compute instances list`
Command to create a Cloud Storage bucket (modern interface)
`gcloud storage buckets create gs://BUCKET_NAME --location=REGION`
IAM definition
Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.
Service account definition
A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.
Command to view current account and project
`gcloud config list`
Command to add a project-level IAM binding
`gcloud projects add-iam-policy-binding PROJECT_ID --member="TYPE:IDENTITY" --role="ROLE_NAME"`
Error meaning: PERMISSION_DENIED
The active identity (user or service account) lacks the required IAM permission on the target resource.

Key Terms

Cloud SDK
The collection of command-line tools for Google Cloud, including the `gcloud` CLI, `gsutil`, and `bq`, typically installed on a local workstation.
Cloud Shell
A browser-based, Google-managed Debian VM with preinstalled Cloud SDK tools that uses your Google identity and a small persistent home directory.
service account
A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.
PERMISSION_DENIED
A common error indicating that the active identity lacks the required IAM permission on the target resource.
Cloud Storage bucket
A globally named container in Google Cloud Storage used to store objects (files), identified by a unique `gs://BUCKET_NAME`.
gcloud configuration
A named set of `gcloud` settings such as account, project, region, and zone, used as a profile for different environments.
Compute Engine instance
A virtual machine (VM) running on Google Compute Engine, configurable with machine type, image, zone, and service account.
Associate Cloud Engineer
An Associate Cloud Engineer deploys and secures applications, services, and infrastructure, monitors operations of multiple projects, and maintains enterprise solutions to ensure that they meet target performance metrics.
Identity and Access Management (IAM)
Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.
Application Default Credentials (ADC)
A mechanism that allows Google Cloud client libraries and some tools to automatically find credentials in the environment, such as a service account on a VM or credentials set via `gcloud auth application-default login`.
