google/workload-manager-basics

Use this skill to manage Google Cloud Workload Manager evaluations, rules, scanned resources, and validation results by using public client libraries and the REST API. Use when you need to inspect workload best-practice rules, create and run evaluations for Google Cloud general best practices, SAP, SQL Server, or custom organizational rules, review violations, export results to BigQuery, or automate Workload Manager through client libraries because no service-specific public CLI or MCP server is available. Don't use for general Google Compute Engine instance management, VPC configuration, or standard IAM auditing.

v1.0 · Saved Jun 13, 2026

Workload Manager Basics

Workload Manager validates enterprise workloads against Google Cloud best practices and recommendations. The public client libraries are centered on evaluations: define a resource scope, choose built-in or custom rules, run an evaluation, then inspect results and scanned resources.

Use This Flow

    flowchart LR
        Rules["List rules"] --> Eval["Create or update evaluation"]
        Resources["Project, folder, or org scope"] --> Eval
        Eval --> Run["Run evaluation"]
        Run --> Results["Inspect evaluation results"]
        Results --> Remediate["Remediate findings"]
        Results --> Export["Optional BigQuery export"]

Core API Constraints

To ensure compatibility, security, and successful integration:

  • Public Surface Only: You MUST strictly interact with Workload Manager using the official public google-cloud-workloadmanager client library or the public REST API (workloadmanager.googleapis.com/v1).
  • No Internal or Undocumented APIs: Do NOT attempt to use internal RPC protocols, private service backends, or undocumented discovery mechanisms. They are not supported for public integrations and will fail.
  • No Service-Specific CLI: There is no public gcloud workload-manager CLI command group. Use gcloud only for authentication, IAM role assignment, and fetching raw REST tokens.
  • Sandbox Execution Robustness (Auth/Mock Fallbacks): When gcloud authentication or Workload Manager API calls fail in sandboxed or restricted environments (e.g., due to Context Aware Access token blocks, missing API enablement, or mock resources returning 404/403), immediately fall back to presenting example code and static findings from your references instead of entering retry loops. Present the correct client library code structure or REST API payload example, clearly explain the auth or resource limitation, and list typical rules or mock findings statically to satisfy the request.
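As an added example (not code from the skill or from Google), the Python below applies these constraints on the REST path: only the public v1 endpoint is called, gcloud is used solely to obtain a bearer token, 401/403/404 responses raise immediately instead of being retried (so a caller can fall back to static example output), and operation polling is bounded with capped backoff. The evaluation field names (displayName, evaluationType, resourceFilter.scopes, ruleNames), the executions results path and the helper names are assumptions to verify against the current API reference; the HTTP transport is injectable so the helpers can be exercised offline with a fake.

```python
# Added example: stdlib-only helpers over the public Workload Manager REST API.
# Paths and field names are assumptions; confirm them against the v1 reference.
import json
import subprocess
import time
import urllib.error
import urllib.parse
import urllib.request

API_ROOT = "https://workloadmanager.googleapis.com/v1"
NON_RETRYABLE = {401, 403, 404}  # auth, enablement or missing resource: never retry


class NonRetryableError(RuntimeError):
    """Raised for failures a retry loop cannot fix (token blocked, API off, 404)."""


def gcloud_access_token() -> str:
    """Fetch a bearer token with gcloud, the only CLI use this skill allows."""
    return subprocess.check_output(
        ["gcloud", "auth", "print-access-token"], text=True
    ).strip()


def urllib_transport(method, url, body, token):
    """Send one JSON request and return (status_code, parsed_json_body)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def _check(status, payload):
    """Map HTTP status to success, a non-retryable failure, or a generic error."""
    if status in NON_RETRYABLE:
        raise NonRetryableError(f"HTTP {status}: {payload.get('error', payload)}")
    if status >= 400:
        raise RuntimeError(f"HTTP {status}: {payload.get('error', payload)}")
    return payload


def create_evaluation(transport, token, project_id, location, evaluation_id, evaluation):
    """POST .../evaluations?evaluationId=...; returns the long-running Operation."""
    url = (f"{API_ROOT}/projects/{project_id}/locations/{location}"
           f"/evaluations?evaluationId={urllib.parse.quote(evaluation_id, safe='')}")
    return _check(*transport("POST", url, evaluation, token))


def wait_for_operation(transport, token, operation_name, max_polls=20, sleep=time.sleep):
    """Poll GET /v1/{operation} with capped exponential backoff; never loop forever."""
    for attempt in range(max_polls):
        op = _check(*transport("GET", f"{API_ROOT}/{operation_name}", None, token))
        if op.get("done"):
            if "error" in op:
                raise RuntimeError(f"operation failed: {op['error']}")
            return op.get("response", {})
        sleep(min(2 ** attempt, 30))
    raise TimeoutError(f"{operation_name} not done after {max_polls} polls")


def list_execution_results(transport, token, execution_name):
    """Collect every page of .../executions/*/results (assumed path) into one list."""
    results, page_token = [], None
    while True:
        url = f"{API_ROOT}/{execution_name}/results"
        if page_token:
            url += f"?pageToken={urllib.parse.quote(page_token, safe='')}"
        page = _check(*transport("GET", url, None, token))
        results.extend(page.get("executionResults", []))
        page_token = page.get("nextPageToken")
        if not page_token:
            return results


def count_by_severity(results):
    """Tally findings per severity so the highest-impact ones are remediated first."""
    counts = {}
    for finding in results:
        sev = finding.get("severity", "SEVERITY_UNSPECIFIED")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    # Placeholder values; replace PROJECT_ID, LOCATION and RULE_NAME before use.
    token = gcloud_access_token()
    evaluation = {
        "displayName": "general-best-practices",
        "evaluationType": "OTHER",
        "resourceFilter": {"scopes": ["projects/PROJECT_ID"]},
        "ruleNames": ["RULE_NAME"],
    }
    op = create_evaluation(urllib_transport, token, "PROJECT_ID", "LOCATION",
                           "general-best-practices", evaluation)
    print(wait_for_operation(urllib_transport, token, op["name"]))
```

When a call raises NonRetryableError, the calling automation should stop and present the request payload and expected findings statically, as the sandbox guidance above describes, rather than re-issuing the request.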

Prerequisites

  1. Enable the Workload Manager API:

    gcloud services enable workloadmanager.googleapis.com --quiet
    
  2. Authenticate locally using Application Default Credentials (ADC) before using client libraries:

    gcloud auth application-default login
    
  3. Ensure the Workload Manager service agent has the required roles granted in your project (mandatory for API/client library usage, see IAM & Security).

  4. Grant the least-privileged role needed for the task. Start with roles/workloadmanager.viewer for read-only access to evaluation resources and use roles/workloadmanager.evaluationAdmin or roles/workloadmanager.admin only when creating, updating, running, or deleting evaluations.

Quick Client Library Example

Use the Python client library for the first working automation path:

    python3 -m pip install --upgrade google-cloud-workloadmanager

Then list the built-in rules for the general (OTHER) evaluation type:

    from google.cloud import workloadmanager_v1

    # Replace with your project ID and a supported Workload Manager location.
    project_id = "PROJECT_ID"
    location = "LOCATION"
    parent = f"projects/{project_id}/locations/{location}"

    # Picks up the Application Default Credentials set up in the prerequisites.
    client = workloadmanager_v1.WorkloadManagerClient()

    # Built-in rules are grouped by evaluation type; OTHER covers the
    # Google Cloud general best-practice checks.
    rules = client.list_rules(
        request=workloadmanager_v1.ListRulesRequest(
            parent=parent,
            evaluation_type=workloadmanager_v1.Evaluation.EvaluationType.OTHER,
        )
    )

    for rule in rules.rules:
        print(rule.name, rule.display_name, rule.severity)

Reference Directory

  • Core Concepts: Evaluations, rules, results, scanned resources, supported workload types, and API shape.

  • General Best Practices: Google Cloud general best-practice posture checks, OTHER evaluation guidance, custom Rego rules, and scale/automation patterns.

  • Client Libraries: Python and Go client library examples for listing rules, creating evaluations, running evaluations, and reading findings.

  • REST Usage: Direct REST examples for the public Workload Manager API and operations polling.

  • Public CLI Status: No documented service-specific gcloud workload-manager command group; use gcloud only for auth, IAM, API enablement, and REST tokens.

  • Public MCP Status: No documented public Workload Manager MCP server; use client libraries or REST API instead.

  • Setup Prerequisites: Terraform examples only for adjacent prerequisites such as API enablement, IAM, BigQuery export datasets, and KMS keys. This is not Workload Manager resource management.

  • IAM & Security: Workload Manager roles, least-privilege guidance, service agents, data handling, and CMEK notes.

If product behavior or API fields are not covered here, check the current Workload Manager product documentation and client library reference before implementing.

Overall Score: 88/100
Grade: A (Excellent)
Safety: 87
Quality: 90
Clarity: 88
Completeness: 86

Summary

This skill provides comprehensive guidance for managing Google Cloud Workload Manager evaluations, rules, scanned resources, and validation results using public client libraries (Python, Go) and the REST API. It teaches users how to list best-practice rules, create and run evaluations across different workload types (general, SAP, SQL Server), review violations, and optionally export results to BigQuery.

Detected Capabilities

api-calls, python-code-generation, go-code-generation, bigquery-integration, kms-integration, iam-configuration, terraform-code-generation, rest-api-usage, environment-variable-usage, shell-commands, project-scoped-operations

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

workload manager evaluation, google cloud posture check, validate sap workload, custom rego rules, bigquery export evaluation, cloud best practices audit

Risk Signals

  • INFO: gcloud auth application-default login and gcloud auth print-access-token usage (public-cli-status.md, rest-usage.md, multiple sections)
  • INFO: BigQuery dataset creation and result export (setup-prerequisites.md, core-concepts.md, general-best-practices.md)
  • INFO: KMS key configuration for evaluation encryption (setup-prerequisites.md, iam-security.md)
  • INFO: Evaluation scope spanning organization-level resources (core-concepts.md, rest-usage.md, client-library-usage.md)
  • INFO: Service agent permissions for metadata scanning (iam-security.md)

Referenced Domains

External domains referenced in skill content, detected by static analysis.

discuss.google.dev, docs.cloud.google.com, pypi.org, workloadmanager.googleapis.com, www.apache.org

Use Cases

  • Inspect Google Cloud best-practice rules and create evaluations for general posture checks
  • Validate SAP or SQL Server workload compliance against built-in rules
  • Write and evaluate custom organizational policies using Rego rules
  • Review evaluation findings and remediation steps
  • Export Workload Manager results to BigQuery for historical analysis and dashboarding
  • Automate workload evaluations through Python or Go client libraries

Quality Notes

  • Excellent scope boundaries: skill explicitly defines what is and is not covered (public APIs only, no internal/undocumented APIs, no gcloud CLI management of evaluations)
  • Clear separation of concerns with eight reference documents covering prerequisites, IAM, core concepts, client libraries, REST usage, and setup
  • Strong error-handling guidance: skill documents fallback patterns for sandboxed environments (auth failures, API blocks) and explicitly states to present example code instead of retrying
  • Practical guardrails documented: least-privilege IAM selection, organization vs. project scope trade-offs, regional BigQuery dataset requirements
  • Multiple working code examples in Python and Go for every major operation (list rules, create evaluations, run, read findings)
  • Good defensive patterns: skill recommends listing rules at runtime rather than hardcoding, using request_id for idempotency, checking current API reference before assuming resource availability
  • Mermaid diagrams clarify workflows and decision trees (e.g., general best practices decision flow, resource model, automation boundaries)
  • Limitations clearly stated: no public CLI, no public MCP server, sandbox robustness guidance documented
  • Terraform examples appropriately scoped to prerequisites only (API enablement, IAM, BigQuery, KMS) rather than implying Terraform manages Workload Manager resources

Model: claude-haiku-4-5-20251001 · Analyzed: Jun 13, 2026
