Official

Premium

GCP

The GCP Source plugin for CloudQuery extracts configuration from a variety of GCP APIs and loads it into any supported CloudQuery destination

Publisher

cloudquery

Latest version

v17.3.0

Type

Source

Platforms

Date Published

November 20, 2024

Price per 1M rows

Starting from $17

monthly free quota

1M rows

Documentation Tables Changelog Destinations

Overview Configuration Table options Licenses

Set up process #

brew install cloudquery/tap/cloudquery

1. Download CLI and login

See installation options

2. Create source and destination configs

Plugin configuration

cloudquery sync gcp.yml postgresql.yml

3. Run the sync

CloudQuery sync

Overview #

The GCP Source plugin for CloudQuery extracts configuration from a variety of GCP APIs and loads it into any supported CloudQuery destination (e.g. PostgreSQL, BigQuery, Snowflake, and more).

Libraries in Use #

Authentication #

The GCP plugin authenticates using your Application Default Credentials. Available options are all the same options described here in detail:

Local Environment:

gcloud auth application-default login (recommended when running locally)

Google Cloud cloud-based development environment:

When you run on Cloud Shell or Cloud Code credentials are already available.

Google Cloud containerized environment:

When running on GKE use workload identity.

Google Cloud services that support attaching a service account:

Services such as Compute Engine, App Engine and functions supporting attaching a user-managed service account which will CloudQuery will be able to utilize.

On-premises or another cloud provider

The suggested way is to use Workload identity federation
If not available you can always use service account keys and export the location of the key via GOOGLE_APPLICATION_CREDENTIALS. Highly not recommended as long-lived keys are a security risk

Query Examples: #

Find all buckets without uniform bucket-level access #

select project_id, name from gcp_storage_buckets where uniform_bucket_level_access->>'Enabled' = 'true';

Configuration #

GCP Source Plugin Configuration Reference

Example #

This example connects a single GCP project to a Postgres destination. The (top level) source spec section is described in the Source Spec Reference.

kind: source
spec:
  # Source spec section
  name: "gcp"
  path: "cloudquery/gcp"
  registry: "cloudquery"
  version: "v17.3.0"
  tables: ["gcp_storage_buckets"]
  destinations: ["postgresql"]
  # GCP Spec
  # Learn more about the configuration options at https://cql.ink/gcp_source
  spec:
    project_ids: ["my-project"]

GCP Spec #

This is the (nested) spec used by GCP Source Plugin

project_ids ([]string) (default: empty. will use all projects available to the current authenticated account)
Specify projects to connect to. If either folder_ids or project_filter is specified, these projects will be synced in addition to the projects from the folder/filter.
service_account_key_json (string) (default: empty)
GCP service account key content.
Using service accounts is not recommended, but if it is used it is better to use environment or file variable substitution.
folder_ids ([]string) (default: empty)
CloudQuery will sync from all the projects in the specified folders, recursively. folder_ids must be of the format folders/<folder_id> or organizations/<organization_id>. This feature requires the resourcemanager.folders.list permission.
By default, CloudQuery will also sync from sub-folders recursively (up to depth 100). To reduce this, set folder_recursion_depth to a lower value (or to 0 to disable recursion completely).
Mutually exclusive with project_filter.
If you specify * then all folders in all organizations will be synced.
folder_recursion_depth (integer) (default: 100)
The maximum depth to recurse into sub-folders. 0 means no recursion (only the top-level projects in folders will be used for sync).
project_filter (string) (default: empty)
A filter to determine the projects that are synced, mutually exclusive with folder_ids.
For instance, to only sync projects where the name starts with how-, set project_filter to name:how-*.
More examples:
- "name:how-* OR name:test-*" matches projects starting with how- or test-
- "NOT name:test-*" matches all projects not starting with test-
For syntax and example queries refer to API References here and here.
organization_ids ([]string) (default: empty. will use all organizations available to the current authenticated account)
Specify organizations to use when syncing organization level resources (e.g. folders or security findings).
If organization_filter is specified, these organizations will be used in addition to the organizations from the filter.
organization_filter (string) (default: empty)
A filter to determine the organizations to use when syncing organization level resources (e.g. folders or security findings).
For instance, to use only organizations from the cloudquery.io domain, set organization_filter to domain:cloudquery.io.
For syntax and example queries refer to API Reference here.
backoff_retries (integer) (default: 5)
Maximum number of retries to make when rate limited.
backoff_delay (integer) (default: 30)
Maximum delay in seconds between retries when rate limited.
enabled_services_only (boolean) (default: false)
If enabled CloudQuery will skip any resources that belong to a service that has been disabled or not been enabled.
If you use this option on a large organization (with more than 500 projects) you should also set the backoff_retries to a value greater than 0, otherwise you may hit the API rate limits.
In >=v9.0.0 if an error is returned then CloudQuery will assume that all services are enabled and will continue to attempt to sync all specified tables rather than just ending the sync.
concurrency (integer) (default: 50000)
The best effort maximum number of Go routines to use. Lower this number to reduce memory usage.
discovery_concurrency (integer) (default: 100)
The number of concurrent requests that CloudQuery will make to resolve enabled services. This is only used when enabled_services_only is set to true.
scheduler (string) (default: round-robin)
The scheduler to use when determining the priority of resources to sync. Supported values are dfs (depth-first search), round-robin, shuffle and shuffle-queue.
For more information about this, see performance tuning.
service_account_impersonation (Service Account Impersonation spec, optional. Default: empty)
Service Account impersonation configuration.
table_options (map) (default: not used)
Table options is a premium feature. Even if some tables are free, syncing data for them (& their relations) using table options counts towards paid usage.
Please refer to the Table Options documentation for more information.

Service Account Impersonation Spec #

target_principal (string) (required)
The email address of the service account to impersonate.
scopes ([]string) (default: ["https://www.googleapis.com/auth/cloud-platform"])
Scopes that the impersonated credential should have.
See available scopes in the documentation.
delegates ([]string) (default: empty)
Delegates are the service account email addresses in a delegation chain. Each service account must be granted roles/iam.serviceAccountTokenCreator on the next service account in the chain.
subject (string) (default: empty)
The subject field of a JWT (sub). This field should only be set if you wish to impersonate a user. This feature is useful when using domain wide delegation.

GCP + Kubernetes (GKE) #

kind: source
spec:
  name: gcp
  path: "cloudquery/gcp"
  registry: cloudquery
  version: "v17.3.0"
  tables: ["gcp_container_clusters"]
  destinations: ["<destination>"]
---
kind: source
spec:
  name: k8s
  path: "cloudquery/k8s"
  registry: cloudquery
  version: "v7.3.0"
  tables: ["*"]
  destinations: ["<destination>"]

Kubernetes users may see the following message when running the K8s plugin on GKE Clusters:

WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.26+; use gcloud instead.

As part of an initiative to remove platform specific code from Kubernetes, authentication will begin to be delegated to authentication plugins, starting in version 1.26.

What does this mean for CloudQuery users? #

CloudQuery does not use any specific resources which hinder the upgrade.

Install #

The easiest way to upgrade, is to install gke-gcloud-auth-plugin from gcloud components on Mac or Windows:

gcloud components install gke-gcloud-auth-plugin

and apt on Deb based systems:

sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin

Verify #

Mac or Linux:

gke-gcloud-auth-plugin --version

Windows:

gke-gcloud-auth-plugin.exe --version

Switch authentication methods #

Set the flag:

export USE_GKE_GCLOUD_AUTH_PLUGIN=True

Update components:

gcloud components update

Force credential update:

gcloud container clusters get-credentials {$CLUSTER_NAME}

Now you should be able to use kubectl as normal, and you should no longer see the warning in the CloudQuery output.

For more information, read Google's press release.

Table options #

This feature enables users to override the default options for specific tables. The root of the object takes a table name, and the next level takes an API method name. The final level is the actual input object as defined by the API.

The format of the table_options object is as follows:

table_options:
  <table_name>:
    <api_method_name>:
      - <input_object>

A list of <input_object> objects should be provided. The plugin will iterate through these to make multiple API calls. This is useful for APIs like the Compute AggregatedListInstances method that only supports a single filter per call. For example:

table_options:
    gcp_compute_instances:
      aggregated_list_instances:
        - include_all_scopes: true
          filter: '(cpuPlatform = "Intel Skylake") AND (scheduling.automaticRestart = true)'
        - include_all_scopes: false
          filter: '(cpuPlatform = "Intel Broadwell") AND (scheduling.automaticRestart = true)'

The following tables and APIs are supported:

table_options:
  gcp_compute_instances:
    aggregated_list_instances:
      - <Compute.AggregatedListInstancesRequest> # PageToken, MaxResults and Project are prohibited

The full list of supported options are documented under the Table Options section of each table in the GCP plugin tables documentation.

Licenses #

The following tools / packages are used in this plugin:

Name	License
cel.dev/expr	Apache-2.0
cloud.google.com/go/accessapproval	Apache-2.0
cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb	Apache-2.0
cloud.google.com/go/aiplatform	Apache-2.0
cloud.google.com/go/apigateway	Apache-2.0
cloud.google.com/go/apikeys	Apache-2.0
cloud.google.com/go/appengine	Apache-2.0
cloud.google.com/go/artifactregistry	Apache-2.0
cloud.google.com/go/asset	Apache-2.0
cloud.google.com/go/auth	Apache-2.0
cloud.google.com/go/auth/oauth2adapt	Apache-2.0
cloud.google.com/go/baremetalsolution	Apache-2.0
cloud.google.com/go/batch	Apache-2.0
cloud.google.com/go/beyondcorp	Apache-2.0
cloud.google.com/go/bigquery	Apache-2.0
cloud.google.com/go/bigtable	Apache-2.0
cloud.google.com/go/billing	Apache-2.0
cloud.google.com/go/binaryauthorization	Apache-2.0
cloud.google.com/go/certificatemanager	Apache-2.0
cloud.google.com/go/cloudbuild	Apache-2.0
cloud.google.com/go/cloudtasks	Apache-2.0
cloud.google.com/go/compute/apiv1	Apache-2.0
cloud.google.com/go/compute/internal	Apache-2.0
cloud.google.com/go/compute/metadata	Apache-2.0
cloud.google.com/go/container	Apache-2.0
cloud.google.com/go/containeranalysis	Apache-2.0
cloud.google.com/go/dataflow	Apache-2.0
cloud.google.com/go/datafusion	Apache-2.0
cloud.google.com/go/dataproc/v2	Apache-2.0
cloud.google.com/go/deploy	Apache-2.0
cloud.google.com/go/domains	Apache-2.0
cloud.google.com/go/errorreporting	Apache-2.0
cloud.google.com/go/eventarc	Apache-2.0
cloud.google.com/go/filestore	Apache-2.0
cloud.google.com/go/firestore	Apache-2.0
cloud.google.com/go/functions	Apache-2.0
cloud.google.com/go/iam	Apache-2.0
cloud.google.com/go/internal	Apache-2.0
cloud.google.com/go/kms	Apache-2.0
cloud.google.com/go/logging	Apache-2.0
cloud.google.com/go/longrunning	Apache-2.0
cloud.google.com/go/monitoring	Apache-2.0
cloud.google.com/go/networkmanagement	Apache-2.0
cloud.google.com/go/networkservices	Apache-2.0
cloud.google.com/go/orgpolicy/apiv1/orgpolicypb	Apache-2.0
cloud.google.com/go/osconfig	Apache-2.0
cloud.google.com/go/pubsub	Apache-2.0
cloud.google.com/go/redis	Apache-2.0
cloud.google.com/go/resourcemanager	Apache-2.0
cloud.google.com/go/run	Apache-2.0
cloud.google.com/go/scheduler	Apache-2.0
cloud.google.com/go/secretmanager	Apache-2.0
cloud.google.com/go/securitycenter	Apache-2.0
cloud.google.com/go/serviceusage	Apache-2.0
cloud.google.com/go/storage	Apache-2.0
cloud.google.com/go/storagetransfer	Apache-2.0
cloud.google.com/go/trace	Apache-2.0
cloud.google.com/go/translate	Apache-2.0
cloud.google.com/go/video	Apache-2.0
cloud.google.com/go/vision/v2	Apache-2.0
cloud.google.com/go/vmmigration	Apache-2.0
cloud.google.com/go/vpcaccess	Apache-2.0
cloud.google.com/go/websecurityscanner	Apache-2.0
cloud.google.com/go/workflows	Apache-2.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp	Apache-2.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric	Apache-2.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping	Apache-2.0
github.com/adrg/xdg	MIT
github.com/apache/arrow/go/v13	Apache-2.0
github.com/apache/arrow/go/v17	Apache-2.0
github.com/apapsch/go-jsonmerge/v2	MIT
github.com/aws/aws-sdk-go-v2	Apache-2.0
github.com/aws/aws-sdk-go-v2/config	Apache-2.0
github.com/aws/aws-sdk-go-v2/credentials	Apache-2.0
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/configsources	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/ini	Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight	BSD-3-Clause
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/licensemanager	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/marketplacemetering	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/sso	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/ssooidc	Apache-2.0
github.com/aws/aws-sdk-go-v2/service/sts	Apache-2.0
github.com/aws/smithy-go	Apache-2.0
github.com/aws/smithy-go/internal/sync/singleflight	BSD-3-Clause
github.com/bahlo/generic-list-go	BSD-3-Clause
github.com/buger/jsonparser	MIT
github.com/cdfmlr/ellipsis	MIT
github.com/cenkalti/backoff/v4	MIT
github.com/census-instrumentation/opencensus-proto/gen-go	Apache-2.0
github.com/cespare/xxhash/v2	MIT
github.com/cloudquery/cloudquery-api-go	MPL-2.0
github.com/cloudquery/codegen/jsonschema/docs	MPL-2.0
github.com/cloudquery/plugin-pb-go	MPL-2.0
github.com/cloudquery/plugin-sdk/v2/internal/glob	MIT
github.com/cloudquery/plugin-sdk/v2/schema	MIT
github.com/cloudquery/plugin-sdk/v2/types	MPL-2.0
github.com/cloudquery/plugin-sdk/v4	MPL-2.0
github.com/cloudquery/plugin-sdk/v4/glob	MIT
github.com/cloudquery/plugin-sdk/v4/scalar	MIT
github.com/cncf/xds/go	Apache-2.0
github.com/davecgh/go-spew/spew	ISC
github.com/envoyproxy/go-control-plane/envoy	Apache-2.0
github.com/envoyproxy/protoc-gen-validate/validate	Apache-2.0
github.com/felixge/httpsnoop	MIT
github.com/ghodss/yaml	MIT
github.com/go-logr/logr	Apache-2.0
github.com/go-logr/stdr	Apache-2.0
github.com/goccy/go-json	MIT
github.com/golang/groupcache/lru	Apache-2.0
github.com/google/flatbuffers/go	Apache-2.0
github.com/google/s2a-go	Apache-2.0
github.com/google/uuid	BSD-3-Clause
github.com/googleapis/enterprise-certificate-proxy/client	Apache-2.0
github.com/googleapis/gax-go/v2	BSD-3-Clause
github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors	Apache-2.0
github.com/grpc-ecosystem/grpc-gateway/v2	BSD-3-Clause
github.com/hashicorp/go-cleanhttp	MPL-2.0
github.com/hashicorp/go-retryablehttp	MPL-2.0
github.com/invopop/jsonschema	MIT
github.com/julienschmidt/httprouter	BSD-3-Clause
github.com/klauspost/compress	Apache-2.0
github.com/klauspost/compress/internal/snapref	BSD-3-Clause
github.com/klauspost/compress/zstd/internal/xxhash	MIT
github.com/mailru/easyjson	MIT
github.com/mattn/go-colorable	MIT
github.com/mattn/go-isatty	MIT
github.com/oapi-codegen/runtime	Apache-2.0
github.com/pierrec/lz4/v4	BSD-3-Clause
github.com/pmezard/go-difflib/difflib	BSD-3-Clause
github.com/rs/zerolog	MIT
github.com/samber/lo	MIT
github.com/santhosh-tekuri/jsonschema/v6	Apache-2.0
github.com/spf13/cast	MIT
github.com/spf13/cobra	Apache-2.0
github.com/spf13/pflag	BSD-3-Clause
github.com/stretchr/testify	MIT
github.com/thoas/go-funk	MIT
github.com/wk8/go-ordered-map/v2	Apache-2.0
github.com/zeebo/xxh3	BSD-2-Clause
go.opencensus.io	Apache-2.0
go.opentelemetry.io/contrib/detectors/gcp	Apache-2.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	Apache-2.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	Apache-2.0
go.opentelemetry.io/otel	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	Apache-2.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	Apache-2.0
go.opentelemetry.io/otel/log	Apache-2.0
go.opentelemetry.io/otel/metric	Apache-2.0
go.opentelemetry.io/otel/sdk	Apache-2.0
go.opentelemetry.io/otel/sdk/log	Apache-2.0
go.opentelemetry.io/otel/sdk/metric	Apache-2.0
go.opentelemetry.io/otel/trace	Apache-2.0
go.opentelemetry.io/proto/otlp	Apache-2.0
golang.org/x/crypto	BSD-3-Clause
golang.org/x/exp	BSD-3-Clause
golang.org/x/net	BSD-3-Clause
golang.org/x/oauth2	BSD-3-Clause
golang.org/x/sync	BSD-3-Clause
golang.org/x/sys	BSD-3-Clause
golang.org/x/text	BSD-3-Clause
golang.org/x/time/rate	BSD-3-Clause
golang.org/x/xerrors	BSD-3-Clause
google.golang.org/api	BSD-3-Clause
google.golang.org/api/internal/third_party/uritemplates	BSD-3-Clause
google.golang.org/genproto/googleapis	Apache-2.0
google.golang.org/genproto/googleapis/api	Apache-2.0
google.golang.org/genproto/googleapis/rpc	Apache-2.0
google.golang.org/grpc	Apache-2.0
google.golang.org/grpc/stats/opentelemetry	Apache-2.0
google.golang.org/protobuf	BSD-3-Clause
gopkg.in/yaml.v2	Apache-2.0
gopkg.in/yaml.v3	MIT