SkarpChapter 4 of 27
Cloud SDK, gcloud CLI, and Essential Tools
Command-line skills are core to the exam and the job; get comfortable installing, configuring, and using the tools that power real-world automation.
Big Picture: Why the Cloud SDK Matters
What Is the Cloud SDK?
The Google Cloud SDK is a collection of command-line tools for managing Google Cloud resources. Its core tools are gcloud, gsutil, and bq, all updated frequently as a single toolkit.
How It Connects to Earlier Modules
You learned about organizations, folders, projects, and billing. The Cloud SDK is how you act on that knowledge: creating projects, switching between them, and deploying resources via scripts.
Why It Matters for the Exam
The Associate Cloud Engineer exam expects you to configure projects, regions, and zones with `gcloud`, use correct authentication flows, work with `gsutil` and `bq`, and operate confidently in Cloud Shell.
Installing the Cloud SDK on Major Operating Systems
Common Requirements
You need a supported Windows, macOS, or Linux system, internet access, and permission to install software. Modern Cloud SDK installers bundle Python, so you usually do not install Python separately.
Windows Install Flow
On Windows, you run `GoogleCloudSDKInstaller.exe`, accept the license, optionally add `gcloud` to PATH, and let the wizard install components. At the end, it can launch `gcloud init` for you.
macOS and Linux Install Flow
On macOS/Linux, you open a terminal, run the official install script, let it download and unpack the SDK, and allow it to update your shell profile. Then restart the terminal so `gcloud` is on PATH.
Verifying Installation
Run `gcloud version` to confirm the SDK is installed and `gcloud components list` to see components. If you get `command not found`, your PATH is not set to include the Cloud SDK bin directory.
Hands-on: First gcloud Commands and Component Management
Check the SDK Version
Run `gcloud version` to confirm installation. You should see a Google Cloud SDK version plus components like `core`, `gsutil`, and `bq`. If not, your install or PATH is broken.
List and Update Components
Run `gcloud components list` to see installed and available components. Use `gcloud components update` to upgrade the SDK and `gcloud components install beta` to add optional components.
Exam Tip: Missing Commands
If a `gcloud` subcommand is missing, the likely fix is to install or update the relevant component, not to reinstall everything. Remember: `gcloud`, `gsutil`, and `bq` come from the same SDK.
Initializing and Configuring gcloud: Projects, Regions, and Zones
What gcloud init Does
`gcloud init` authenticates you, creates or selects a configuration, sets a default project, and can set default region and zone. You can rerun it any time to reconfigure.
Using Configurations
Configurations are named sets of properties like project and region. Use `gcloud config configurations list` and `gcloud config configurations activate NAME` to switch environments safely.
Setting Defaults
Set defaults with `gcloud config set project my-project-id`, `gcloud config set compute/region us-central1`, and `gcloud config set compute/zone us-central1-a` to avoid repeating flags.
Exam Trap: Wrong Project
If commands cannot find resources, check the active project with `gcloud config list`. Many exam scenarios hide issues in misconfigured defaults rather than broken services.
Authentication: User Credentials vs Application Default Credentials
User Credentials with gcloud
`gcloud init` and `gcloud auth login` authenticate you as a user. The CLI stores local credentials and uses them when you run `gcloud`, `gsutil`, or `bq` interactively.
What ADC Is
Application Default Credentials (ADC) is a standard way for client libraries and tools to automatically discover credentials, usually from the environment or from a local configuration.
Local ADC Flows
Locally, you can run `gcloud auth application-default login` or set `GOOGLEAPPLICATIONCREDENTIALS` to a service account key file so applications can authenticate using ADC.
Key Distinction
`gcloud auth login` is for the CLI acting as you. `gcloud auth application-default login` is for applications using ADC. On Google Cloud resources, ADC typically uses the attached service account without keys.
Quiz: Authentication Basics
Test your understanding of gcloud authentication and ADC.
You are developing a local Python app that uses the BigQuery client library. You already ran `gcloud auth login` to use the CLI. The app still fails with an authentication error. What is the BEST next step?
- Reinstall the Cloud SDK and run `gcloud init` again
- Run `gcloud auth application-default login` to provide ADC for the client library
- Create a new project and set it as default with `gcloud config set project`
- Run `gcloud components update` to get the latest SDK version
Show Answer
Answer: B) Run `gcloud auth application-default login` to provide ADC for the client library
Client libraries typically use Application Default Credentials, not the user credentials from `gcloud auth login`. Running `gcloud auth application-default login` sets up ADC that the local BigQuery client library can use. The other options do not directly address the missing ADC.
Using gsutil for Cloud Storage: Core Commands
Listing and Creating Buckets
Use `gsutil ls` to list buckets. Create a new bucket with `gsutil mb -l us-central1 gs://my-ace-demo-bucket/`. Bucket names must be globally unique across Google Cloud.
Copying Objects
Upload with `gsutil cp ./photo.jpg gs://my-ace-demo-bucket/` and download with `gsutil cp gs://my-ace-demo-bucket/photo.jpg ./photo-downloaded.jpg`. These are core everyday commands.
Bulk and Recursive Operations
Use `gsutil -m cp -r ./data/ gs://my-ace-demo-bucket/data/` for parallel, recursive copies. `-m` speeds up large transfers; `-r` handles directory trees.
Exam Tips for gsutil
`gsutil mb` is the classic way to create buckets; `gcloud storage` is newer. IAM still governs access; gsutil cannot bypass access control on buckets and objects.
Using bq for BigQuery: Core Commands
Listing and Creating Datasets
Use `bq ls` to list datasets. Create one with `bq mk --dataset --location=US myproject:analyticsds`. Remember the `project:dataset` notation and that datasets are regional.
Loading Data from Cloud Storage
Load a CSV file with `bq load --autodetect --sourceformat=CSV myproject:analytics_ds.customers gs://my-ace-demo-bucket/customers.csv` to create and populate a table.
Running Queries
Run queries with `bq query --uselegacysql=false 'SELECT ...'`. Use fully qualified table names like `myproject.analyticsds.customers` in backticks for clarity.
Exam Tips for bq
Watch dataset locations and use standard SQL (`--uselegacysql=false`). On scenario questions, errors often come from region mismatches or mis-typed project.dataset.table names.
Cloud Shell: Browser-Based CLI Without Local Installation
What Cloud Shell Is
Cloud Shell is a browser-based terminal running on a Google-managed VM, with `gcloud`, `gsutil`, `bq`, and common tools preinstalled and authenticated as your user.
How You Use It
You open Cloud Shell from the Console, get a terminal pane, and can immediately run commands like `gcloud config list`. A small home directory persists across sessions.
When to Prefer Cloud Shell
Use Cloud Shell when you lack local admin rights, want a clean up-to-date environment, or follow exam-style lab instructions that assume Cloud Shell usage.
Exam Trap: Separate Environment
Cloud Shell does not see your laptop files automatically. To move data, upload/download files or use Cloud Storage as a bridge between your local machine and Cloud Shell.
Quiz: Choosing the Right Tool or Environment
Check your understanding of when to use gcloud, gsutil, bq, and Cloud Shell.
You are on a locked-down corporate laptop where you cannot install software, but you must quickly create a Cloud Storage bucket and upload a file for a shared project. What is the MOST appropriate approach?
- Ask IT to temporarily grant you admin rights so you can install the Cloud SDK locally
- Use the Cloud Console only, because command-line tools always require local installation
- Open Cloud Shell in the browser and use `gsutil mb` and `gsutil cp` to create the bucket and upload the file
- Create a new project and rely on default buckets to appear automatically
Show Answer
Answer: C) Open Cloud Shell in the browser and use `gsutil mb` and `gsutil cp` to create the bucket and upload the file
Cloud Shell gives you a fully featured Cloud SDK environment in the browser without local installation. You can run `gsutil mb` and `gsutil cp` there. The other options are slower, incorrect, or rely on non-existent default buckets.
Thought Exercise: Debugging a Misconfigured gcloud Environment
Work through this scenario mentally to practice troubleshooting, a key skill for the Associate Cloud Engineer role.
Scenario
You run this command from your laptop:
```bash
gcloud compute instances list
```
You expect to see three VM instances you created earlier in project `ace-lab-123` in zone `us-central1-a`, but the output is empty. No error is shown.
Questions to think through
- What are the first two commands you would run to check your CLI configuration?
- If you discover that the default project is set to `old-project-999`, how would you fix it?
- Suppose the project is correct, but the instances are in region `europe-west1`. How might your command be misleading you?
- How would you modify your command to be explicit and avoid relying on defaults?
Suggested reasoning path
- Step 1: Run `gcloud config list` to see the active account, project, region, and zone.
- Step 2: If the project is wrong, run `gcloud config set project ace-lab-123`.
- Step 3: Remember that `gcloud compute instances list` without flags may show instances in the default zone or region, depending on your configuration.
- Step 4: Make your command explicit:
```bash
gcloud compute instances list --project=ace-lab-123 --zones=us-central1-a
```
or, if instances are in a different region, adjust the `--zones` (or use `--filter` as needed).
Reflect: On the exam, many “missing resource” questions are actually configuration problems, not broken services.
Key Terms and Commands Review
Use these flashcards to reinforce core concepts and commands from this module.
- Cloud SDK
- A collection of command-line tools for Google Cloud, including gcloud, gsutil, and bq, used to manage and automate Google Cloud resources.
- gcloud init
- An interactive command that authenticates you, creates or selects a configuration, and sets defaults such as project, region, and zone for the gcloud CLI.
- gcloud config set project PROJECT_ID
- Command to set the default project for gcloud so that subsequent commands target the specified PROJECT_ID without needing explicit --project flags.
- gcloud auth login vs gcloud auth application-default login
- `gcloud auth login` authenticates the CLI as a user for interactive commands; `gcloud auth application-default login` configures Application Default Credentials for applications and client libraries.
- Application Default Credentials (ADC)
- A mechanism that allows Google Cloud client libraries and tools to automatically find credentials from the environment, such as a service account attached to a resource or locally configured credentials.
- gsutil mb
- The gsutil subcommand used to create (make) a new Cloud Storage bucket, for example: `gsutil mb -l us-central1 gs://my-bucket/`.
- gsutil cp
- The gsutil subcommand used to copy files and objects between local storage and Cloud Storage, or between Cloud Storage buckets.
- bq mk --dataset
- A bq command used to create a new BigQuery dataset, often with an explicit location, e.g., `bq mk --dataset --location=US my_project:analytics_ds`.
- Cloud Shell
- A browser-based command-line environment running on a Google-managed VM, with the Cloud SDK and other tools preinstalled and authenticated, requiring no local installation.
- gcloud config list
- Command that displays the active gcloud configuration, including the current account, project, region, and zone, useful for troubleshooting misconfigurations.
Key Terms
- bq
- A command-line tool in the Cloud SDK specialized for managing BigQuery datasets, tables, and queries.
- gcloud
- The primary command-line interface in the Cloud SDK for managing most Google Cloud services, including compute, networking, IAM, and more.
- gsutil
- A command-line tool in the Cloud SDK specialized for managing Cloud Storage buckets and objects.
- Cloud SDK
- A collection of command-line tools for Google Cloud, including gcloud, gsutil, and bq, used to manage and automate Google Cloud resources.
- Cloud Shell
- A browser-based command-line environment running on a Google-managed VM, with the Cloud SDK and other tools preinstalled and authenticated, requiring no local installation.
- service account
- A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.
- gcloud configuration
- A named set of gcloud properties such as project, region, zone, and account, which determines the default context for gcloud commands.
- Associate Cloud Engineer
- An Associate Cloud Engineer deploys and secures applications, services, and infrastructure, monitors operations of multiple projects, and maintains enterprise solutions to ensure that they meet target performance metrics.
- Identity and Access Management
- Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.
- Application Default Credentials
- A mechanism that allows Google Cloud client libraries and tools to automatically find credentials from the environment, such as a service account attached to a resource or locally configured credentials.