Agentient

gcp-services

Configure GCP IAM, Secret Manager, and VPC networking with security best practices. PROACTIVELY activate for: (1) setting up service accounts and IAM permissions, (2) managing secrets in Secret Manager, (3) configuring VPC and firewall rules. Triggers: "iam", "secret manager", "vpc"

Agentient, updated 4mo ago

Install

npx skillscat add agentient/vibekit/gcp-services

Install via the SkillsCat registry.

SKILL.md

GCP Services Skill (IAM, Secret Manager, Networking)

Metadata (Tier 1)

Keywords: iam, service account, secret manager, vpc, firewall, permissions, least privilege, policy, network

File Patterns: .tf (google_project_iam_*, google_secret_*, google_compute_network*)

Modes: gcp_dev, deployment


Instructions (Tier 2)

IAM Least Privilege

Service Account Creation

gcloud iam service-accounts create SERVICE-sa \
  --display-name="Service Account for SERVICE"

Grant Minimal Permissions

# Secret Manager access
gcloud projects add-iam-policy-binding PROJECT \
  --member="serviceAccount:SERVICE-sa@PROJECT.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

# Cloud SQL client
gcloud projects add-iam-policy-binding PROJECT \
  --member="serviceAccount:SERVICE-sa@PROJECT.iam.gserviceaccount.com" \
  --role="roles/cloudsql.client"

NEVER Use Basic Roles

  • roles/owner
  • roles/editor
  • roles/viewer (on service accounts)

Use predefined roles (roles/run.invoker)
Use custom roles for specific needs

Secret Manager

Create Secret

echo -n "SECRET_VALUE" | gcloud secrets create SECRET_NAME --data-file=-

Grant Access

gcloud secrets add-iam-policy-binding SECRET_NAME \
  --member="serviceAccount:SA@PROJECT.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

Access in Cloud Run

# As environment variable (less secure)
gcloud run deploy SERVICE --update-secrets=VAR=secret:version

# As mounted file (more secure)
gcloud run deploy SERVICE --update-secrets=/secrets/file=secret:version

Best Practices

  • Pin to specific versions in production (not :latest)
  • Enable rotation for sensitive secrets
  • Use automatic replication unless data residency is required
  • Never let secret-bearing environment variables be written to logs

VPC & Firewall

Create Custom VPC

gcloud compute networks create NETWORK \
  --subnet-mode=custom

gcloud compute networks subnets create SUBNET \
  --network=NETWORK \
  --region=REGION \
  --range=10.0.0.0/24

Firewall Rules (Deny by Default)

# Allow HTTPS from anywhere
gcloud compute firewall-rules create allow-https \
  --network=NETWORK \
  --allow=tcp:443 \
  --source-ranges=0.0.0.0/0

# Allow SSH only from the bastion subnet, and only to instances tagged ssh-enabled
gcloud compute firewall-rules create allow-ssh-bastion \
  --network=NETWORK \
  --allow=tcp:22 \
  --source-ranges=10.0.1.0/24 \
  --target-tags=ssh-enabled

VPC Connector for Cloud Run

gcloud compute networks vpc-access connectors create CONNECTOR \
  --network=NETWORK \
  --region=REGION \
  --range=10.8.0.0/28

Anti-Patterns

  • Using default VPC in production
  • Overly permissive firewall rules (0.0.0.0/0 on SSH)
  • Service account keys (use Workload Identity)
  • Secrets in environment variables
  • Basic IAM roles on service accounts
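A check for two of the anti-patterns above (basic roles held by service accounts, and SSH reachable from 0.0.0.0/0), added here as an example and not part of the skill itself. It assumes the JSON shapes that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud compute firewall-rules list --format=json` produce; the samples are constructed.

```python
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
SSH_PORT = 22


def basic_roles_on_service_accounts(policy: dict) -> list:
    """(member, role) pairs where a service account holds a basic role."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in BASIC_ROLES:
            for member in binding.get("members", []):
                if member.startswith("serviceAccount:"):
                    findings.append((member, binding["role"]))
    return findings


def _covers_port(port_spec: str, port: int) -> bool:
    """gcloud emits ports as a single value ('22') or a range ('20-25')."""
    lo, _, hi = port_spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def world_open_ssh_rules(rules: list) -> list:
    """Names of enabled ingress rules that allow tcp/22 from 0.0.0.0/0."""
    flagged = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if "0.0.0.0/0" not in rule.get("sourceRanges", []):
            continue
        for allowed in rule.get("allowed", []):
            proto = allowed.get("IPProtocol")
            ports = allowed.get("ports")  # a missing key means every port
            if proto == "all" or (proto == "tcp" and
                    (ports is None or any(_covers_port(p, SSH_PORT) for p in ports))):
                flagged.append(rule["name"])
                break
    return flagged


# Constructed samples (project "demo" is a placeholder) in the two gcloud JSON shapes.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:app-sa@demo.iam.gserviceaccount.com"]},
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["serviceAccount:app-sa@demo.iam.gserviceaccount.com"]}]}
SAMPLE_RULES = [
    {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-ssh-bastion", "direction": "INGRESS", "sourceRanges": ["10.0.1.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]}]
```

Feed the real outputs in with `json.load` to run the same checks against a project; a non-empty result from either function is a finding to remediate with a predefined role or a narrower source range.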