Table: gcp_cloud_identity_group - Query Google Cloud Platform Cloud Identity Groups using SQL
Google Cloud Identity Groups is a service within Google Cloud Platform that helps you manage access to your resources. It allows you to create groups for your workspace, manage group memberships, and provide access to resources based on group membership. Google Cloud Identity Groups makes it easier to manage access to resources at scale.
Table Usage Guide
The `gcp_cloud_identity_group` table provides insights into Cloud Identity Groups within Google Cloud Platform. As a security engineer, explore group-specific details through this table, including group names, descriptions, dynamic settings, and labels. Utilize it to uncover information about groups, such as the group's access permissions, the members within the group, and the resources accessible to the group.
Important Notes
- You must specify the parent resource in the `where` clause (`where parent='C046psxkn'`) to list the identity groups.
Examples
Basic info
Explore which Google Cloud Identity groups are associated with a specific parent group. This can be useful for understanding group hierarchies and the distribution of resources within your Google Cloud project.
select
  name,
  display_name,
  description,
  create_time,
  location,
  project
from
  gcp_cloud_identity_group
where
  parent = 'C046psxkn';
Get details for a specific group
Explore the specifics of a particular group in Google Cloud Platform's Cloud Identity service. This can be useful in understanding the group's creation time, location, and associated project, aiding in effective group management and security oversight.
select
  name,
  display_name,
  description,
  create_time,
  location,
  project
from
  gcp_cloud_identity_group
where
  name = 'group_name';
Get dynamic group settings
Analyze the settings to understand the status and configuration of dynamic groups within a specific project in Google Cloud Identity. This can be useful for managing and monitoring group membership based on user-defined rules.
-- Postgres
select
  name,
  display_name,
  dynamic_group_metadata ->> 'Status' as dynamic_group_status,
  queries ->> 'Query' as dynamic_group_query,
  queries ->> 'ResourceType' as dynamic_group_query_resource_type,
  project
from
  gcp_cloud_identity_group,
  jsonb_array_elements(dynamic_group_metadata -> 'Queries') as queries
where
  parent = 'C046psxkn';

-- SQLite
select
  g.name,
  g.display_name,
  json_extract(g.dynamic_group_metadata, '$.Status') as dynamic_group_status,
  json_extract(queries.value, '$.Query') as dynamic_group_query,
  json_extract(queries.value, '$.ResourceType') as dynamic_group_query_resource_type,
  g.project
from
  gcp_cloud_identity_group as g,
  json_each(
    json_extract(g.dynamic_group_metadata, '$.Queries')
  ) as queries
where
  g.parent = 'C046psxkn';
List groups created in the last 7 days
Explore which groups have been formed within the last week in the GCP Cloud Identity service. This can be useful for keeping track of recent group additions and ensuring proper access controls are in place.
-- Postgres
select
  name,
  display_name,
  description,
  create_time,
  location,
  project
from
  gcp_cloud_identity_group
where
  parent = 'C046psxkn'
  and create_time > now() - interval '7' day;

-- SQLite
select
  name,
  display_name,
  description,
  create_time,
  location,
  project
from
  gcp_cloud_identity_group
where
  parent = 'C046psxkn'
  and create_time > datetime('now', '-7 day');
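An added review query, not part of the original Steampipe documentation, that combines the two preceding examples: groups changed in the last 7 days, with their dynamic membership queries and a security-label flag. It assumes the Postgres dialect and that `labels` is a JSON object keyed by label name, and it reuses the page's sample parent `C046psxkn`; the `left join lateral` keeps groups that have no dynamic queries, which the comma join in the dynamic group example drops.

```sql
-- Added example (Postgres dialect), not from the Steampipe docs.
-- Assumption: labels is a JSON object whose keys are Cloud Identity label names.
select
  g.name,
  g.display_name,
  g.create_time,
  g.update_time,
  -- true when the group was edited after it was created, not just created
  g.update_time > g.create_time + interval '1 minute' as modified_after_creation,
  -- security groups carry this label key
  coalesce(g.labels ? 'cloudidentity.googleapis.com/groups.security', false) as is_security_group,
  g.dynamic_group_metadata ->> 'Status' as dynamic_group_status,
  q.dynamic_group_queries
from
  gcp_cloud_identity_group as g
  left join lateral (
    -- collapse all membership queries of one group into a single column;
    -- the typeof guard avoids an error when 'Queries' is absent or not an array
    select
      string_agg(e ->> 'Query', ' | ') as dynamic_group_queries
    from
      jsonb_array_elements(
        case
          when jsonb_typeof(g.dynamic_group_metadata -> 'Queries') = 'array'
            then g.dynamic_group_metadata -> 'Queries'
          else '[]'::jsonb
        end
      ) as e
  ) as q on true
where
  g.parent = 'C046psxkn'
  and g.update_time > now() - interval '7' day
order by
  g.update_time desc;
```

Rows where `dynamic_group_queries` is not null have rule-driven membership, so a recent `update_time` on them is worth checking against the query text.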
Schema for gcp_cloud_identity_group
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
create_time | timestamp with time zone | | The time when the group was created. |
description | text | | A human-readable description for the group. |
display_name | text | | A human-readable name for the group. |
dynamic_group_metadata | jsonb | | Dynamic group metadata like queries and status. |
group_key | jsonb | | The `EntityKey` of the `Group`. |
labels | jsonb | | The labels that apply to the group. |
location | text | | The GCP multi-region, region, or zone in which the resource is located. |
name | text | = | The friendly name that identifies the group. |
parent | text | = | The resource name of the entity under which this `Group` resides in the Cloud Identity resource hierarchy. |
project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
update_time | timestamp with time zone | | The time when the group was last updated. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the `steampipe_export_installer.sh` script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp
You can pass the configuration to the command with the `--config` argument:
steampipe_export_gcp --config '<your_config>' gcp_cloud_identity_group