# GCP — Practical patterns

## Cloud Run deploy from source

```bash
gcloud run deploy api \
  --source . \
  --region europe-west1 \
  --allow-unauthenticated \
  --service-account api@proj.iam.gserviceaccount.com \
  --memory 512Mi --cpu 1 \
  --min-instances 1 --max-instances 50 \
  --concurrency 80 \
  --set-env-vars LOG_LEVEL=info \
  --set-secrets=DB_PASS=db-password:latest
```

`--allow-unauthenticated` makes the service reachable by anyone; for internal services use `--no-allow-unauthenticated` and grant callers `roles/run.invoker` instead. `--service-account` pins the runtime identity (without it Cloud Run uses the default compute SA, which is far too broad), and that SA needs `roles/secretmanager.secretAccessor` on `db-password`. Secrets mounted as env vars are resolved when an instance starts, so `:latest` can change underneath a revision; pin a version number where rollbacks must be deterministic.
## Service-to-service auth

Caller fetches an ID token signed by Google for the target audience (the receiving service's URL):

```ts
import { GoogleAuth } from 'google-auth-library';

const auth = new GoogleAuth();
const targetUrl = 'https://api-xyz-uc.a.run.app';

// ID token client: attaches `Authorization: Bearer <id_token>` with aud = targetUrl
const client = await auth.getIdTokenClient(targetUrl);
const r = await client.request({ url: targetUrl + '/items' });
```

When the receiver is deployed with `--no-allow-unauthenticated`, Cloud Run verifies the token (signature against Google's certs, `aud`, expiry) before the request reaches your code and rejects callers that lack `roles/run.invoker` on the service. If you verify in-app instead (for example behind `--allow-unauthenticated`), check the signature against Google's published certs and the `aud` claim against your own URL; `OAuth2Client.verifyIdToken` in `google-auth-library` does both.
## Workload Identity in GKE

```bash
# bind K8s SA → GCP SA
gcloud iam service-accounts add-iam-policy-binding api@proj.iam.gserviceaccount.com \
  --role=roles/iam.workloadIdentityUser \
  --member="serviceAccount:proj.svc.id.goog[default/api]"

# annotate K8s SA
kubectl annotate sa api \
  iam.gke.io/gcp-service-account=api@proj.iam.gserviceaccount.com
```

Pods running as K8s SA `api` in namespace `default` call Google APIs as `api@proj.iam.gserviceaccount.com`, with no key file anywhere. The member string is `<project>.svc.id.goog[<namespace>/<ksa>]`, so the namespace in the binding and the annotated SA must match, and the cluster plus node pool need Workload Identity enabled. Because the binding is per namespace/SA pair, a pod in another namespace (or using a different K8s SA) cannot borrow the identity.
## Cloud Build trigger (build → push → deploy)

```yaml
steps:
  - name: gcr.io/cloud-builders/docker
    args: ['build', '-t', 'europe-west1-docker.pkg.dev/proj/registry/api:$SHORT_SHA', '.']
  - name: gcr.io/cloud-builders/docker
    args: ['push', 'europe-west1-docker.pkg.dev/proj/registry/api:$SHORT_SHA']
  - name: gcr.io/cloud-builders/gcloud
    args:
      - run
      - deploy
      - api
      - --image=europe-west1-docker.pkg.dev/proj/registry/api:$SHORT_SHA
      - --region=europe-west1
options:
  machineType: E2_HIGHCPU_8
```

Tagging with `$SHORT_SHA` rather than `latest` makes every running revision traceable to a commit. The build service account needs `roles/run.admin` plus `roles/iam.serviceAccountUser` on the runtime SA (`api@...`) to deploy; grant nothing broader.
## BigQuery query (cost-aware)

```sql
SELECT user_id, COUNT(*) AS events
FROM `proj.dataset.events`
WHERE _PARTITIONDATE BETWEEN '2026-05-01' AND '2026-05-10'  -- partition prune
  AND event_type = 'click'
GROUP BY user_id
ORDER BY events DESC
LIMIT 100;
```

Always:

- Filter on the partition column: `_PARTITIONDATE` for ingestion-time partitioned tables, the partitioning column itself for column-partitioned ones. Only the matching partitions are scanned; `LIMIT` does not reduce bytes scanned.
- Avoid `SELECT *`; BigQuery bills per column read.
- Cluster tables on common filter columns (`event_type` here).
- Check cost before running: `bq query --dry_run` reports the bytes that would be processed, and `--maximum_bytes_billed` makes a query fail instead of overspending.
## Pub/Sub publisher / subscriber (Node)

```ts
import { PubSub } from '@google-cloud/pubsub';

const pubsub = new PubSub();

// publisher
const topic = pubsub.topic('orders');
await topic.publishMessage({ data: Buffer.from(JSON.stringify(order)) });

// subscriber (streaming pull)
const sub = pubsub.subscription('orders-worker');
sub.on('message', async (msg) => {
  try {
    await handle(JSON.parse(msg.data.toString()));
    msg.ack();
  } catch {
    msg.nack(); // redelivered: handle() must be idempotent, and a dead-letter topic keeps poison messages from looping
  }
});
sub.on('error', (err) => console.error('subscription error', err)); // unhandled 'error' events crash the process
```
## Secret Manager fetch

```bash
# create: pipe the value in without a trailing newline (a here-string `<<<` appends one,
# and that newline becomes part of the stored secret)
printf '%s' 'supersecret' | gcloud secrets create db-password --data-file=-

# read
gcloud secrets versions access latest --secret=db-password
```

```ts
import { SecretManagerServiceClient } from '@google-cloud/secret-manager';

const c = new SecretManagerServiceClient();
const [v] = await c.accessSecretVersion({
  name: 'projects/proj/secrets/db-password/versions/latest',
});
const password = v.payload?.data?.toString();
```

Fetch once at startup rather than per request (each access is an API call and an audit-log entry). Grant the runtime SA `roles/secretmanager.secretAccessor` on this secret only, not project-wide, and prefer a pinned version number over `latest` anywhere a rollback must restore the old value.
## Logs query

```bash
gcloud logging read \
  'resource.type="cloud_run_revision" AND resource.labels.service_name="api" AND severity>=ERROR' \
  --limit=50 --format=json
```

In Logs Explorer: `resource.type="k8s_container" AND jsonPayload.level="ERROR" AND timestamp>="..."` (timestamps are RFC 3339). `severity` is the log-entry field Cloud Logging sets, while `jsonPayload.level` is whatever your app writes into its structured log line; the two filters are not interchangeable unless your logger maps one to the other.
## Terraform GCP project skeleton

```hcl
provider "google" {
  project = var.project
  region  = var.region
}

resource "google_project_service" "apis" {
  for_each = toset([
    "run.googleapis.com",
    "artifactregistry.googleapis.com",
    "secretmanager.googleapis.com",
  ])
  service            = each.value
  disable_on_destroy = false # removing this from state must not disable the API for the whole project
}

# runtime identity referenced by the Cloud Run service below
resource "google_service_account" "api" {
  account_id   = "api"
  display_name = "Cloud Run runtime SA for api"
}

resource "google_artifact_registry_repository" "main" {
  location      = var.region
  repository_id = "registry"
  format        = "DOCKER"
  depends_on    = [google_project_service.apis]
}

resource "google_cloud_run_v2_service" "api" {
  name     = "api"
  location = var.region

  template {
    service_account = google_service_account.api.email
    containers {
      image = "${var.region}-docker.pkg.dev/${var.project}/registry/api:${var.tag}"
      resources {
        limits = { memory = "512Mi" }
      }
    }
  }
  depends_on = [google_project_service.apis]
}
```

The skeleton declares no `google_cloud_run_v2_service_iam_member`, so the service starts private (no `roles/run.invoker` binding); add one for `allUsers` only if it is meant to be public, and one per calling service account otherwise.
## VPC SC perimeter

```hcl
resource "google_access_context_manager_service_perimeter" "p" {
  parent = "accessPolicies/${var.policy_id}"
  name   = "accessPolicies/${var.policy_id}/servicePerimeters/data"
  title  = "data"

  status {
    restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
    resources           = ["projects/${var.project_number}"]
  }
}
```

`status` is the enforced configuration: once applied, BigQuery and GCS calls that cross the perimeter (including from laptops and CI) are denied. Roll it out in dry-run mode first (`use_explicit_dry_run_spec = true` with the same content under `spec`), watch the VPC Service Controls audit-log entries for would-be violations, then move the content to `status`. `resources` takes the project number, not the project ID.
## Helpful gcloud

```bash
gcloud projects describe $PROJECT
gcloud auth application-default login                       # ADC for local SDK use
gcloud auth print-identity-token --audiences=https://api...run.app   # needs SA creds or --impersonate-service-account; user creds cannot set aud
gcloud run services describe api --region europe-west1 --format json
gcloud logging tail 'resource.type="cloud_run_revision"' --format=json
gcloud iam service-accounts list
gcloud beta run services proxy api --port=8080              # local tunnel to a private service, gcloud attaches your ID token
```