In addition to running Google Cloud CLI commands from the command line, you canrun them from scripts or other automations — for example, when usingJenkins to drive automation of Google Cloud tasks.

Google Cloud SDK comes with a variety of tools like filtering,formatting, and the--quiet flag, enabling you to effectively handle outputand automate tasks.

For a step-by-step guide to building basic scripts with thegcloud CLI, see this blog post:Scripting with gcloud: a beginner’s guide to automating Google Cloud tasks.

Authorization

When scripting with Google Cloud SDK, you'll need to considerauthorization methods.Google Cloud SDK provides two options:

• User account authorization
• Service account authorization

User account authorization is recommended if you are running a script orother automation on a single machine.

To authorize access and perform other common Google Cloud SDK setupsteps:

gcloud init

Service account authorization is recommended if you are deploying a scriptor other automation across machines in a production environment. It is also therecommended authorization method if you are running gcloud CLI commands on aCompute Engine virtual machine instance where all users have access toroot.

To use service account authorization, use an existing service account or createa new one on the Service Accounts page:

Go to the Service Accounts page

To create and download the associated private key as a JSON-formatted key file,chooseManage Keys from the action menu for the service account.

To run the authorization, rungcloud auth activate-service-account:

gcloudauthactivate-service-account--key-file[KEY_FILE]

You can SSH into your VM instance by usinggcloud compute ssh,which takes care of authentication. SSH configuration files can be configuredusinggcloud compute config-ssh.

For detailed instructions regarding authorizing Google Cloud SDK tools,seeAuthorizing the gcloud CLI.

Disabling prompts

Some gcloud CLI commands are interactive, prompting users for confirmation of anoperation or requesting additional input for an entered command.

In most cases, this is not desirable when running commands in a script or otherautomation. You can disable prompts from gcloud CLI commands bysetting thedisable_prompts property in yourconfiguration toTrue orby using the global--quiet or-q flag. Mostinteractive commands have default values when additional confirmation or inputis required. If prompts are disabled, these default values are used.

For example:

gcloud debug targets list --quiet

Filtering and formatting output

In order to script with the gcloud CLI, it's important to havepredictable output; this is where--filter and--format flags help. Theyensure that when you run a command using the gcloud CLI, itproduces output that adheres to your format (like json, yaml, csv, and text) andfilter (VM names prefixed with 'test', creation year after 2015, etc.)specifications.

The following examples showcase common uses of formatting and filtering withgcloud CLI commands:

List instances created in zoneus-central1-a:

gcloud compute instances list --filter="zone:us-central1-a"

List in JSON format those projects where the labels match specific values(e.g. label.env is 'test' and label.version is alpha):

gcloud projects list --format="json" \  --filter="labels.env=test AND labels.version=alpha"

List projects with their creation date and time specified in the local timezone:

gcloud projects list \  --format="table(name, project_id, createTime.date(tz=LOCAL))"

List projects that were created after a specific date in table format:

gcloud projects list \  --format="table(projectNumber,projectId,createTime)" \  --filter="createTime.date('%Y-%m-%d', Z)='2016-05-11'"

Note that in the last example, a projection on the key was used. The filter isapplied on thecreateTime key after the date formatting is set.

List a nested table of the quotas of a region:

gcloudcomputeregionsdescribeus-central1\--format="table(quotas:format='table(metric,limit,usage)')"

Print a flattened list of global quotas in CSV format:

gcloud compute project-info describe --flatten='quotas[]' \  --format='csv(quotas.metric,quotas.limit,quotas.usage)'

List compute instance resources with box decorations and titles, sorted by name,in table format:

gcloud compute instances list \  --format='table[box,title=Instances](name:sort=1,zone:label=zone,status)'

List the project authenticated user email address:

gcloud info --format='value(config.account)'

For more involved examples of the output configuring capabilities builtinto gcloud CLI'sfilters,formats, andprojections flags, see thisblog post aboutfiltering and formatting.

Best practices

If you want a script or other automation to perform actions conditionally basedon the output of a gcloud CLI command, observe the following:

• Do depend on command exit status.

  If the exit status is not zero, an error occurred and the output may beincomplete unless the command documentation notes otherwise.For example, a command that creates multiple resources may only create afew, list them on the standard output, and then exit with a non-zero status.Alternatively, you can use theshow_structured_logs property to parseerror logs. Rungcloud config for more details.

• Don't depend on messages printed to standard error.

  The wording of these messages may change in future versions of thegcloud CLI and break your automation.

• Don't depend on the raw output of messages printed to standard output.

  The default output for any command may change in a future release. You canminimize the impact of those changes by using the--format flag to format theoutput with one of thefollowing:--format=json|yaml|csv|text|list to specify values to bereturned.Rungcloud topic formats for more options.

  You can modify the default output from--format by usingprojections. For increasedgranularity, use the--filter flagto return a subset of the values based on an expression. You can then scriptagainst those returned values.

  Examples of formatting and filtering output can be found in the sectionbelow.

Example scripts

Using the functionality of format and filter, you can combinegcloud CLI commands into a script to easily extract embeddedinformation.

List keys for all your projects' service accounts

The following sample scripts list the keys associated with all your projects'service accounts by:

• Iterating over your projects
• For each project, getting the associated service accounts

• For each service account, getting the associated keys

#!/bin/bashforprojectin$(gcloudprojectslist--format="value(projectId)")doecho"ProjectId:$project"forrobotin$(gcloudiamservice-accountslist--project$project--format="value(email)")doecho"    -> Robot$robot"forkeyin$(gcloudiamservice-accountskeyslist--iam-account$robot--project$project--format="value(name.basename())")doecho"$key"donedonedone

foreach ($project in gcloud projects list --format="value(projectId)"){  Write-Host "ProjectId: $project"  foreach ($robot in  gcloud iam service-accounts list --project $project --format="value(email)")  {      Write-Host "    -> Robot $robot"      foreach ($key in gcloud iam service-accounts keys list --iam-account $robot --project $project --format="value(name.basename())")      {        Write-Host "        $key"      }  }}

Parse output for processing

The following sample demonstrates parsing output for processing. In particular,the sample script writes the service account information into an array andsegregates values in the multi-valued CSV-formattedserviceAccounts.scope()field:

#!/bin/bashforscopesInfoin$(gcloudcomputeinstanceslist--filter=name:instance-1\--format="csv[no-heading](name,id,serviceAccounts[].email.list(),                      serviceAccounts[].scopes[].map().list(separator=;))")doIFS=','read-r-ascopesInfoArray<<<"$scopesInfo"NAME="${scopesInfoArray[0]}"ID="${scopesInfoArray[1]}"EMAIL="${scopesInfoArray[2]}"SCOPES_LIST="${scopesInfoArray[3]}"echo"NAME:$NAME, ID:$ID, EMAIL:$EMAIL"echo""IFS=';'read-r-ascopeListArray<<<"$SCOPES_LIST"forSCOPEin"${scopeListArray[@]}"doecho"  SCOPE:$SCOPE"donedone