The Google Cloud CLI Docker Images (comprising the :latest, :slim, :alpine, :emulators, and :debian_component_based images located within this repository) are a set of images enabling the usage of the Google Cloud CLI as well as its bundled components.
The :latest tag is Debian-based and includes default command
line tools of Google Cloud CLI (gcloud, gsutil, bq) as well several
additional components.
The Google Cloud CLI Docker Image is hosted on Container Registry.
The full repository name for Container Registry is gcr.io/google.com/cloudsdktool/google-cloud-cli.
:latest,:VERSION: (large image with additional components pre-installed, Debian-based):slim,:VERSION-slim: (smaller image with no components pre-installed, Debian-based):alpine,:VERSION-alpine: (smallest image with no additional components installed, Alpine-based):debian_component_based,:VERSION-debian_component_based: (Similar to :latest but component installer based):emulators,:VERSION: (as small as possible with all the emulators)
→ Check out Container Registry for available tags.
To use this image, pull from Container Registry and then run the following command:
docker pull gcr.io/google.com/cloudsdktool/google-cloud-cli:latest
Verify the install
docker run gcr.io/google.com/cloudsdktool/google-cloud-cli:latest gcloud version
Google Cloud CLI 368.0.0or use a particular version number:
docker run gcr.io/google.com/cloudsdktool/google-cloud-cli:368.0.0 gcloud versionYou can authenticate gcloud with your user credentials by running gcloud auth login:
docker run -ti --name gcloud-config gcr.io/google.com/cloudsdktool/google-cloud-cli gcloud auth login
If you need to authenticate any program that uses the Google Cloud APIs, you need to pass the --update-adc option:
docker run -ti --name gcloud-config gcr.io/google.com/cloudsdktool/google-cloud-cli gcloud auth login --update-adc
If you want to use a specific project for future uses, you can set this inside the gcloud-config container:
docker run -ti --name gcloud-config gcr.io/google.com/cloudsdktool/google-cloud-cli /bin/bash -c 'gcloud auth login && gcloud config set project your-project'
Once you authenticate successfully, credentials are preserved in the volume of
the gcloud-config container.
To list compute instances using these credentials, run the container with
--volumes-from:
docker run --rm --volumes-from gcloud-config gcr.io/google.com/cloudsdktool/google-cloud-cli gcloud compute instances list --project your_project
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
instance-1 us-central1-a n1-standard-1 10.240.0.2 8.34.219.29 RUNNING
⚠️ Warning: Thegcloud-configcontainer now has a volume containing your Google Cloud credentials. Do not usegcloud-configvolume in other containers.
Alternatively, you can use auth/credential_file_override property to set a path to a mounted service account
and then the config to read that using CLOUDSDK_CONFIG environment variable.
for example, mycloud configuration below has the auth/credential_file_override already set and points towards a certificate file
that will be present within the container as a separate volume mount.
See issue#152
$ docker run -ti -e CLOUDSDK_CONFIG=/config/mygcloud \
-v `pwd`/mygcloud:/config/mygcloud \
-v `pwd`:/certs gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine /bin/bash
bash-4.4# gcloud config list
[auth]
credential_file_override = /certs/svc_account.json
bash-4.4# head -10 /certs/svc_account.json
{
"type": "service_account",
"project_id": "project_id1",
....
bash-4.4# gcloud projects list
PROJECT_ID NAME PROJECT_NUMBER
project_id1 GCPAppID 1071284184432
You can set any Cloud SDK property via an ENV, please read and here.
| Component | :latest | :alpine | :slim | :debian_component_based | :emulators |
|---|---|---|---|---|---|
| App Engine Go Extensions | x | x | |||
| Appctl | x | ||||
| Artifact Registry Go Module Package Helper | |||||
| BigQuery Command Line Tool | x | x | x | x | x |
| Bundled Python 3.9 | x | x | x | x | x |
| Cloud Bigtable Command Line Tool | x | x | |||
| Cloud Bigtable Emulator | x | x | x | ||
| Cloud Datastore Emulator | x | x | x | ||
| Cloud Firestore Emulator | x | x | |||
| Cloud Pub/Sub Emulator | x | x | x | ||
| Cloud Run Proxy | |||||
| Cloud SQL Proxy | |||||
| Cloud Spanner Emulator | x | x | |||
| Cloud Spanner Migration Tool | |||||
| Cloud Storage Command Line Tool | x | x | x | x | x |
| Google Cloud CLI Core Libraries | x | x | x | x | x |
| Google Cloud CRC32C Hash Tool | x | x | x | x | x |
| Google Container Registry's Docker credential helper | |||||
| Kustomize | x | ||||
| Log Streaming | |||||
| Minikube | x | ||||
| Nomos CLI | x | ||||
| On-Demand Scanning API extraction helper | x | x | |||
| Skaffold | x | ||||
| Terraform Tools | |||||
| anthos-auth | x | ||||
| config-connector | |||||
| gcloud Alpha Commands | x | x | x | ||
| gcloud Beta Commands | x | x | x | x | |
| gcloud app Java Extensions | x | x | |||
| gcloud app Python Extensions | x | x | |||
| gcloud app Python Extensions (Extra Libraries) | x | x | |||
| gke-gcloud-auth-plugin | x | x | |||
| kpt | x | x | |||
| kubectl | x | x | |||
| kubectl-oidc | |||||
| pkg |
cd debian_slim/
docker build --build-arg CLOUD_SDK_VERSION=372.0.0 \
--build-arg INSTALL_COMPONENTS="google-cloud-cli-datastore-emulator=372.0.0-0" \
-t my-cloud-sdk-docker:slim .
To install additional components for Alpine-based images, create a Dockerfile
that uses the cloud-sdk image as the base image. For example, to add kubectl and
app-engine-java components:
FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine
RUN apk --update add gcompat openjdk8-jre
RUN gcloud components install app-engine-java kubectland run:
docker build -t my-cloud-sdk-docker:alpine .
Note that in this case, you have to install dependencies of additional components manually.
docker build -t my-cloud-sdk-docker:alpine --build-arg CLOUD_SDK_VERSION=<release_number> .
The original image in this repository was based off of
FROM gcr.io/google_appengine/base
The full Dockerfile for that can be found
here for archival as well as in image tag
google/cloud-sdk-docker:legacy
You can also follow the Cloud SDK Release schedule here
The Google Cloud CLI Team works to ensure that the images within this repository provide fully functional installs of the Google Cloud CLI. This work includes addressing any bugs or issues that prevent the execution of the gcloud command line tool or components installed by default on each image. The team also works to ensure that third party packages necessary for the function of the Google Cloud CLI are using stable release versions, and that base OS images are updated to recent, stable releases in a timely manner.
For workflows separate from or unrelated to the execution of the Cloud CLI that require additional or different dependencies, the Cloud CLI team recommends creating your own image layer on top of the Cloud CLI Docker Image where you can remove and install dependencies as needed. The Cloud CLI Team will not address issues related to workflows or tools unrelated to the execution of the Google Cloud CLI. Similarly, the team will deny requests for additional packages or tooling unrelated to the intended functioning of the Google Cloud CLI.
If you or your organization have detected vulnerabilities within any of the Cloud CLI Docker Images, please file a bug. Your bug must contain the type of each vulnerability and the exact location within the image where each is present. Vulnerabilities within base OS images will not be addressed beyond ensuring the Cloud CLI Docker images are using recent, stable releases of Debian or Alpine Linux.
Images tagged :latest, :alpine, :slim and :debian_component_based use
the most recent version of Google Cloud SDK, which may change its behaviour in
the future. List of components installed by default in each image can also
change between versions. To avoid such changes breaking the tool you are using,
it is not recommended to use these tags in any production tools directly.
Instead use a particular version as listed in Supported tags
and update it periodically.