GCP security skill (stub). Use when: (1) modelling Cloud IAM policies — principals, roles, conditions, policy-simulator,
Status: stub. Production depth pending. Contribute production patterns via PR.
| Area | Key services |
|---|---|
| Identity | Cloud IAM, Workload Identity Federation, IAM Conditions, Policy Simulator |
| Secrets | Secret Manager (replication, rotation, version mgmt) |
| Encryption | Cloud KMS (CMEK, HSM, External Keys, auto-rotation) |
| Edge security | Cloud Armor (WAF rules, bot management, rate limits, DDoS) |
| Data perimeter | VPC Service Controls (egress/ingress rules around GCP APIs) |
| Audit | Cloud Audit Logs, Access Transparency, Access Approval |
```bash
# Secret Manager — store + mount
gcloud secrets create db-url --replication-policy automatic
echo -n "postgres://..." | gcloud secrets versions add db-url --data-file=-

# Cloud Run exposes the latest version as an env var.
# Env-var secrets are resolved when an instance starts, so a new secret
# version only reaches the service after a new revision/restart.
gcloud run services update my-service --region africa-south1 \
  --set-secrets DB_URL=db-url:latest

# KMS — create a key ring + key for encrypting Cloud SQL / BQ at rest with CMEK
gcloud kms keyrings create my-ring --location africa-south1
# --next-rotation-time takes a gcloud datetime; the relative form is an
# ISO 8601 duration prefixed with "+", e.g. +p90d (not +90d).
gcloud kms keys create bq-cmek \
  --location africa-south1 --keyring my-ring \
  --purpose encryption --rotation-period 90d --next-rotation-time +p90d
```
The basic roles roles/owner, roles/editor and roles/viewer are too broad for production. Use predefined, service-specific roles instead.
:latest version alias and restart the service OR subscribe to Pub/Sub notifications on the secret.
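An added example (not part of the original skill page) that checks the basic-role rule above against a project's IAM policy. It consumes the flattened `role,member` CSV that `gcloud projects get-iam-policy` prints and flags basic roles and public principals; the sample policy, project name and principal names are constructed for offline use.

```bash
#!/usr/bin/env bash
# Audit a flattened IAM policy for bindings that violate the "no basic roles" rule.
# Input format is what this gcloud command prints (one "role,member" pair per line):
#   gcloud projects get-iam-policy "$PROJECT" \
#     --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"

# Constructed sample output (hypothetical project/principals) so the script runs offline.
SAMPLE_POLICY='roles/owner,user:alice@example.com
roles/editor,serviceAccount:ci-deployer@my-proj.iam.gserviceaccount.com
roles/secretmanager.secretAccessor,serviceAccount:my-service@my-proj.iam.gserviceaccount.com
roles/viewer,allUsers
roles/cloudkms.cryptoKeyEncrypterDecrypter,serviceAccount:bq-sa@my-proj.iam.gserviceaccount.com'

# Reads "role,member" lines on stdin, prints one finding per line.
# Exit status: 0 when the policy is clean, 1 when any finding was printed
# (so it can gate a CI job).
audit_iam_bindings() {
  local findings=0 role member
  while IFS=, read -r role member; do
    [ -z "$role" ] && continue
    case "$role" in
      roles/owner|roles/editor|roles/viewer)
        echo "BASIC_ROLE $role -> $member"
        findings=$((findings + 1)) ;;
    esac
    case "$member" in
      allUsers|allAuthenticatedUsers)
        echo "PUBLIC_PRINCIPAL $role -> $member"
        findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# Live variant: audit a real project (needs gcloud auth; not used offline).
audit_project() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --format="csv[no-heading](bindings.role,bindings.members)" | audit_iam_bindings
}

# Offline demo against the constructed sample.
printf '%s\n' "$SAMPLE_POLICY" | audit_iam_bindings || echo "policy has findings"
```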