From gcp-tools
Configure GCP IAM, Secret Manager, and VPC networking with security best practices. PROACTIVELY activate for: (1) setting up service accounts and IAM permissions, (2) managing secrets in Secret Manager, (3) configuring VPC and firewall rules. Triggers: "iam", "secret manager", "vpc"
Slash command: /gcp-tools:gcp-services
**Keywords**: iam, service account, secret manager, vpc, firewall, permissions, least privilege, policy, network
File Patterns: .tf (google_project_iam_, google_secret_*, google_compute_network)
Modes: gcp_dev, deployment
# Create a dedicated service account per service (never reuse the default compute SA)
gcloud iam service-accounts create SERVICE-sa \
--display-name="Service Account for SERVICE"
# Secret Manager access
gcloud projects add-iam-policy-binding PROJECT \
--member="serviceAccount:SERVICE-sa@PROJECT.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
# Cloud SQL client
gcloud projects add-iam-policy-binding PROJECT \
--member="serviceAccount:SERVICE-sa@PROJECT.iam.gserviceaccount.com" \
--role="roles/cloudsql.client"
Use predefined roles (e.g. roles/run.invoker).
Use custom roles for specific needs.
# Create the secret (value read from stdin so it never appears in the argument list)
echo -n "SECRET_VALUE" | gcloud secrets create SECRET_NAME --data-file=-
# Grant access on the individual secret, not project-wide
gcloud secrets add-iam-policy-binding SECRET_NAME \
--member="serviceAccount:SERVICE-sa@PROJECT.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
# As environment variable (less secure)
gcloud run deploy SERVICE --update-secrets=VAR=secret:version
# As mounted file (more secure)
gcloud run deploy SERVICE --update-secrets=/secrets/file=secret:version
gcloud compute networks create NETWORK \
--subnet-mode=custom
gcloud compute networks subnets create SUBNET \
--network=NETWORK \
--region=REGION \
--range=10.0.0.0/24
# Allow HTTPS from anywhere
gcloud compute firewall-rules create allow-https \
--network=NETWORK \
--allow=tcp:443 \
--source-ranges=0.0.0.0/0
# Allow SSH from specific bastion
gcloud compute firewall-rules create allow-ssh-bastion \
--network=NETWORK \
--allow=tcp:22 \
--source-ranges=10.0.1.0/24 \
--target-tags=ssh-enabled
gcloud compute networks vpc-access connectors create CONNECTOR \
--network=NETWORK \
--region=REGION \
--range=10.8.0.0/28
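An added audit check (example code, not part of the gcp-tools skill) that reads the JSON produced by `gcloud compute firewall-rules list --format=json` and flags ingress rules that are open to the internet on admin ports or all protocols, or that apply to every instance because they carry no target tags or target service accounts. The sample rules are constructed: the two from this page plus two deliberately bad ones; ADMIN_PORTS is an opinionated assumption.

```python
"""Audit the JSON from `gcloud compute firewall-rules list --format=json` for permissive ingress rules."""
import ipaddress
import json

# Ports that should never be reachable from the whole internet (opinionated list, an assumption).
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379}

def expand_ports(entry):
    """Expand an `allowed` entry's port strings ("22", "8000-8100") into ints; None means all ports."""
    if "ports" not in entry:
        return None
    ports = set()
    for spec in entry["ports"]:
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_firewall_rules(rules):
    """Return a list of (rule_name, reason) findings for enabled INGRESS rules."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        name = rule["name"]
        # A rule with no target tags or target service accounts applies to every VM in the network.
        if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            findings.append((name, "no target tags/service accounts: applies to every instance"))
        # Only /0 source ranges (0.0.0.0/0, ::/0) count as "open to the internet".
        if not any(ipaddress.ip_network(r, strict=False).prefixlen == 0 for r in rule.get("sourceRanges", [])):
            continue
        for entry in rule.get("allowed", []):
            proto, ports = entry.get("IPProtocol", "all"), expand_ports(entry)
            if proto == "all" or ports is None:
                findings.append((name, f"{proto}/all ports open to the internet"))
            elif ports & ADMIN_PORTS:
                findings.append((name, f"admin port(s) {sorted(ports & ADMIN_PORTS)} open to the internet"))
    return findings

# Constructed sample: the page's two rules plus two deliberately bad ones (not real project data).
SAMPLE_RULES = json.loads("""[
 {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "allow-ssh-bastion", "direction": "INGRESS", "sourceRanges": ["10.0.1.0/24"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["ssh-enabled"]},
 {"name": "debug-allow-all", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "all"}], "targetTags": ["web"]},
 {"name": "rdp-open", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3389", "8000-8100"]}], "targetTags": ["win"]}
]""")
```

Note that the page's own allow-https rule is reported because it has no --target-tags, so it applies to every instance in NETWORK rather than only the web tier.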
npx claudepluginhub agentient/vibekit --plugin gcp-tools
Provides deep expertise on production GCP workloads: IAM/Workload Identity, VPC networking, GKE/Cloud Run, Cloud SQL/Spanner/Bigtable/BigQuery, Pub/Sub, security/observability with Cloud Armor/KMS/Logging/Monitoring, and cost optimization.
Provides production GCP patterns for Cloud Run with Terraform, Workload Identity Federation (no SA keys), private Cloud SQL and Memorystore Redis, BigQuery analytics, Cloud Armor WAF, Secret Manager, VPC Service Controls, IAM least privilege. Use for architecture design, Terraform IaC, IAM reviews.
Implements and audits GCP VPC firewall rules for network segmentation, ingress/egress restrictions, hierarchical policies, and VPC Flow Logs monitoring. For securing GCP workloads and auditing permissive rules.