Claude Code skill · Google Cloud

Stop an AI agent from nuking your GCP project.

You let Claude Code touch Google Cloud because it's fast. The same speed applies to gcloud projects delete and a stray set-iam-policy that wipes every binding you had. This is the drop-in seatbelt that blocks destructive commands before they run.

  • 31/31 tests pass out of the box
  • Drop-in, ~5 min
  • Just bash + grep
claude-code · gcp
✗ BLOCKED — refusing to delete a GCP project
↳ matched deny rule gcloud projects delete
↳ try gcloud projects describe instead, or remove the guardrail in patterns.txt

Live behavior — the hook returns a reason, not a dead end.

Guards gcloud, gsutil, bq and gcloud storage · read-only commands pass through untouched

One confidently-wrong tool call is all it takes

Agentic coding tools are fast and mostly right. "Mostly" is the problem when the command is gsutil rm -r on your production bucket, or an IAM overwrite that locks you out of your own project. By the time you read the diff, it's applied.

delete: a whole project, instances, disks, snapshots, gone in one line.

expose: an allUsers binding quietly opens a bucket to the whole internet.

lock out: a stray set-iam-policy wipes every binding you had.

two layers · both included · pre-wired

Defense in depth, in one drop-in

Static deny rules

A settings.json you merge into Claude Code. Destructive commands are refused before the agent even proposes them — deny / ask / allow tiers, ready to go.

A PreToolUse hook

Reads the actual command at runtime and regex-matches a curated denylist — catching what static rules miss: reordered flags, quoting tricks, and public allUsers bindings.
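As an added illustration of the runtime layer (this is example code, not the product's own hook or patterns.txt), a minimal bash PreToolUse guard: it normalizes the command, greps it against a constructed denylist, and on a match exits 2 with the matched rule on stderr, which is how Claude Code feeds a block reason back to the agent. The pattern-file format (one extended regex per line, '#' comments), the sample rules and the check_cmd/hook_main names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the product's hook. Sample denylist below is constructed.
SAMPLE_PATTERNS="${TMPDIR:-/tmp}/gcp-guard-sample-patterns.txt"
cat >"$SAMPLE_PATTERNS" <<'EOF'
# constructed sample denylist (ERE, one rule per line)
gcloud projects delete
gcloud (compute|sql) (instances|disks|snapshots) delete
gsutil( -m)? rm( .*)? -r
gcloud storage rm( .*)? (-r|--recursive)
set-iam-policy
allUsers
EOF
# Strip quotes and squeeze whitespace so gcloud "projects"   delete
# still matches the plain rule text.
normalize_cmd() {
  printf '%s' "$1" | tr -d '"'"'" | tr -s '[:space:]' ' '
}
# Returns 0 (allow) or 1 (block); on a block, prints the matched rule.
# Nothing in the denylist matches list/describe/get-iam-policy/bq query,
# so read-only commands fall through to allow.
check_cmd() {
  local cmd rule
  cmd="$(normalize_cmd "$1")"
  while IFS= read -r rule || [ -n "$rule" ]; do
    case "$rule" in ''|'#'*) continue ;; esac
    if printf '%s\n' "$cmd" | grep -Eq -- "$rule"; then
      printf '%s\n' "$rule"
      return 1
    fi
  done <"$SAMPLE_PATTERNS"
  return 0
}
# Hook entry point. Claude Code passes the tool call as JSON on stdin
# ({"tool_name":"Bash","tool_input":{"command":"..."}}); exit 2 blocks the
# call and returns stderr to the agent as the reason.
hook_main() {
  local input cmd rule
  input="$(cat)"
  if command -v jq >/dev/null 2>&1; then
    cmd="$(printf '%s' "$input" | jq -r '.tool_input.command // empty')"
  else  # grep-only fallback; does not handle escaped quotes in the command
    cmd="$(printf '%s' "$input" | grep -o '"command"[[:space:]]*:[[:space:]]*"[^"]*"' | sed 's/^[^:]*:[[:space:]]*"//; s/"$//')"
  fi
  if rule="$(check_cmd "$cmd")"; then exit 0; fi
  printf 'BLOCKED: matched deny rule %s\n' "$rule" >&2
  exit 2
}
if [ "${1:-}" = "--hook" ]; then hook_main; fi
```

Wire it as a PreToolUse hook for the Bash tool and run it with --hook; the check_cmd function can also be exercised directly from a test script.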

What it blocks

Read commands — list, describe, get-iam-policy, bq query — always pass through.

What's in the pack

  • settings.json — deny / ask / allow tiers + the PreToolUse wiring
  • hooks/block-destructive-gcloud.sh — the working hook (bash + grep, jq if present)
  • hooks/patterns.txt — the editable regex denylist; extend it for your org
  • SKILL.md — a real Claude Code skill the agent can install & reason about
  • examples/test.sh — 31 assertions proving block/allow behavior
  • INSTALL.md — 5-step install (project vs global, chmod, wiring, testing)
[Cover image: GCP IAM Guardrails for Claude Code, showing a blocked 'gcloud projects delete prod' command]

one-time · yours forever

$24 no subscription
  • Both protection layers, pre-wired
  • Editable rules — make them yours
  • 31/31 tests pass on arrival
  • Works on any Mac/Linux box
  • Free updates to this product
  • 14-day refund, no questions

Defense-in-depth, not a replacement for least-privilege IAM — the local seatbelt you drop in this afternoon.

Questions, answered

Will this slow the agent down or block safe work?

No. Read-only commands — list, describe, get-iam-policy, bq query — pass straight through. Only genuinely destructive commands are stopped, and the agent gets a clear reason so it can self-correct.

What do I need to run it?

Claude Code, plus bash and grep (every Mac/Linux box has these). jq is optional but recommended. Installation follows the 5-step INSTALL.md.

Can I customize what gets blocked?

Yes — every rule lives in patterns.txt as plain regex with comments. Add your org's policies, re-run test.sh, ship.

Is this a replacement for proper IAM?

No, and it doesn't pretend to be. It's a local seatbelt for agentic work — defense-in-depth on top of least-privilege IAM, catching the accidents that policy alone won't.

Point Claude Code at prod — with a seatbelt on.

Drop it in this afternoon. Keep the speed, lose the blast radius.
