GCP Provider

The CloudQuery GCP provider pulls configuration out of GCP resources, normalizes them and stores them in PostgreSQL database.


cloudquery init gcp


To authenticate cloudquery with your GCP account you need to set GOOGLE_APPLICATION_CREDENTIALS environment variable.


The following configuration section can be automaticlly generated by cloudquery init gcp:

provider "gcp" { configuration { // Optional. Filter as described https://cloud.google.com/sdk/gcloud/reference/projects/list --filter // project_filter = "" // Optional. If not specified either using all projects accessible. // project_ids = [<CHANGE_THIS_TO_YOUR_PROJECT_ID>] // Optional. ServiceAccountKeyJSON passed as value instead of a file path, can be passed also via env: CQ_SERVICE_ACCOUNT_KEY_JSON // service_account_key_json = <YOUR_JSON_SERVICE_ACCOUNT_KEY_DATA> } }

By default cloudquery will fetch all configurations from all resources in all regions in the default project. You can customize this behaviour with the following arguments:

  • project_ids - Specify multiple projects that you want to fetch configurations from.

Query Examples:

Find all buckets that have public facing read permissions

SELECT gcp_storage_buckets.name FROM gcp_storage_buckets JOIN gcp_storage_bucket_policy_bindings ON gcp_storage_bucket_policy_bindings.bucket_id = gcp_storage_buckets.id JOIN gcp_storage_bucket_policy_bindings_members ON gcp_storage_bucket_policy_bindings_members.bucket_policy_binding_id = gcp_storage_bucket_policy_bindings.id WHERE gcp_storage_bucket_policy_bindings_members.name = 'allUsers' AND gcp_storage_bucket_policy_bindings.role = 'roles/storage.objectViewer';




Published at

Sun Nov 21 2021