gcp-nuke
January 26, 2026
This is potentially very destructive! Use at your own risk!
Status: Beta. Tool is stable, but could experience odd behaviors with some resources.
Overview
Remove all resources from a GCP Project.
gcp-nuke is in beta, and it is likely that not all GCP resources are covered by it. You are encouraged to add missing resources and create a Pull Request, or to create an Issue.
Documentation
All documentation is in the docs/ directory and is built using Material for Mkdocs.
It is hosted at https://ekristen.github.io/gcp-nuke/.
Attribution, License, and Copyright
This tool was written using libnuke at its core. It shares similarities and commonalities with aws-nuke and azure-nuke. These tools would not have been possible without the hard work that came before me on the original tool by the team and contributors over at rebuy-de and their original work on rebuy-de/aws-nuke.
This tool is licensed under the MIT license as well. See the LICENSE file for more information. Reference was made to dshelley66/gcp-nuke during the creation of this tool; therefore, I included them in the license copyright, although no direct code was used.
Usage
Note: All CLI flags can also be expressed as environment variables.
By default, no destructive actions will be taken.
Example - Dry Run only
gcp-nuke run \
  --config test-config.yaml \
  --project-id playground-12345
Example - No Dry Run (DESTRUCTIVE)
To actually destroy resources, you must add the --no-dry-run CLI parameter.
gcp-nuke run \
  --config=test-config.yaml \
  --project-id playground-12345 \
  --no-dry-run
Authentication
Authentication uses Application Default Credentials (ADC). The following methods are supported:
gcloud CLI (Recommended for local development)
gcloud auth application-default login
Service Account Key (File Path)
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-key.json
Service Account Key (JSON String)
For CI/CD pipelines and containerized environments where you want to pass credentials directly without creating a file:
export GOOGLE_APPLICATION_CREDENTIALS_JSON='{"type":"service_account","project_id":"...","private_key":"..."}'
If both GOOGLE_APPLICATION_CREDENTIALS and GOOGLE_APPLICATION_CREDENTIALS_JSON are set, GOOGLE_APPLICATION_CREDENTIALS_JSON takes precedence.
Workload Identity (GKE, Cloud Run, etc.)
When running on GCP infrastructure, credentials are automatically provided via the attached service account.
Configuring
The entire configuration of the tool is done via a single YAML file.
Example Configuration
Note: you must add at least one entry to the blocklist.
regions:
  - global # Nuke global resources
  - us-east1 # Nuke resources in the us-east1 region
resource-types:
  excludes:
    - StorageBucketObject # Exclude Storage Bucket Objects
blocklist:
  - production-12345 # Never nuke this project
accounts: # i.e. Google Cloud projects
  playground-12345:
    presets:
      - common
    filters:
      # Protect specific service accounts by email
      IAMServiceAccount:
        - 'custom-service-account@playground-12345.iam.gserviceaccount.com'
      # Protect service account keys by service account email
      IAMServiceAccountKey:
        - property: ServiceAccountEmail
          value: 'custom-service-account@playground-12345.iam.gserviceaccount.com'
      # Protect a DNS zone from deletion
      DNSManagedZone:
        - 'my-dns-zone'
      # Protect IAM policy bindings for specific users
      IAMPolicyBinding:
        - property: Member
          value: 'user:admin@example.com'
      # Delete DNS records only in a specific zone
      DNSRecordSet:
        - property: Zone
          value: 'my-dns-zone'
          invert: true
presets:
  common:
    filters:
      VPC:
        - default
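
How the filters in the example configuration decide what survives a run, as an added Go example that is not gcp-nuke or libnuke code: a simplified model that assumes exact string matching and that the bare-string form compares against the resource name. The Filter and Resource types, the Protected function and the sample resources are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Filter is a simplified model of one filter entry from the config above.
// Property == "" models the bare-string form (assumed to match the name).
type Filter struct {
	Property, Value string
	Invert          bool
}

// Resource is a constructed stand-in for a discovered GCP resource.
type Resource struct {
	Type, Name string
	Props      map[string]string
}

// Protected reports whether a filter matches, i.e. the resource is kept.
func Protected(r Resource, filters map[string][]Filter) bool {
	for _, f := range filters[r.Type] {
		got := r.Name
		if f.Property != "" {
			got = r.Props[f.Property]
		}
		if (got == f.Value) != f.Invert { // invert flips the match result
			return true
		}
	}
	return false // no filter matched: the resource would be deleted
}

// Filters mirrors three entries from the example configuration.
var Filters = map[string][]Filter{
	"DNSManagedZone":   {{Value: "my-dns-zone"}},
	"IAMPolicyBinding": {{Property: "Member", Value: "user:admin@example.com"}},
	"DNSRecordSet":     {{Property: "Zone", Value: "my-dns-zone", Invert: true}},
}

func main() {
	sample := []Resource{ // constructed sample resources
		{"DNSManagedZone", "my-dns-zone", nil},
		{"DNSManagedZone", "scratch-zone", nil},
		{"DNSRecordSet", "a.example.com.", map[string]string{"Zone": "my-dns-zone"}},
		{"DNSRecordSet", "b.example.com.", map[string]string{"Zone": "other-zone"}},
	}
	for _, r := range sample {
		fmt.Printf("%-15s %-15s protected=%v\n", r.Type, r.Name, Protected(r, Filters))
	}
}
```

The inverted Zone filter protects every record set outside my-dns-zone, so only records inside that zone remain candidates for deletion. A resource type with no filter entry at all is never protected.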