Google Cloud Authentication Recipe

This skill produces expert guidance on authentication and authorization for secure access to Google Cloud services and APIs. It covers all scenarios such as human users, service identities, Application Default Credentials (ADC), service account impersonation, Workload Identity Federation, and OIDC ID tokens.

When to use it? For questions like "how does my local script connect to BigQuery", "secure access from Cloud Run to Cloud SQL", "how does code running on AWS connect to GCP without keys", "should I download an SA key JSON", "the IAM role is correct but the API call fails". It first clarifies who/what is being authenticated, where the code runs, what the target is, and whether a client library exists; then it recommends the most secure context-specific method.

Output: A Turkish Markdown guide containing a decision table, executable gcloud and Python/YAML code blocks, least-privilege IAM role recommendations, and a verification checklist. The core principle is always the same: avoid static service account keys — use impersonation locally, and short-lived tokens attached to the resource in production. Recommended roles start with predefined ones (e.g. roles/storage.objectViewer) and are narrowed down with custom roles when necessary.