Table: gcp_cloud_run_service - Query GCP Cloud Run Services using SQL

Google Cloud Run is a managed compute platform that enables you to run stateless containers that are invocable via HTTP requests. Cloud Run is serverless: it abstracts away all infrastructure management, so you can focus on what matters most — building great applications. It automatically scales up or down from zero to N depending on traffic.

Table Usage Guide

The gcp_cloud_run_service table provides insights into Cloud Run services within Google Cloud Platform (GCP). As a developer or DevOps engineer, explore service-specific details through this table, including configurations, revisions, and routes. Utilize it to uncover information about services, such as the application's traffic flow, deployment history, and the current state of the service.

Examples

Basic info

Explore the basic details of your Google Cloud Run services, including their names, descriptions, and client versions. This information can help you understand the configuration and status of your services, which is useful for managing and optimizing your cloud resources.

select
  name,
  description,
  client,
  client_version,
  create_time,
  creator,
  generation,
  launch_stage
from
  gcp_cloud_run_service;

select
  name,
  description,
  client,
  client_version,
  create_time,
  creator,
  generation,
  launch_stage
from
  gcp_cloud_run_service;

Count of services by launch stage

Determine the distribution of services based on their launch stages. This can help in understanding how many services are in different stages of their lifecycle, providing insights for resource allocation and strategic planning.

select
  launch_stage,
  count(*)
from
  gcp_cloud_run_service
group by
  launch_stage;

select
  launch_stage,
  count(*)
from
  gcp_cloud_run_service
group by
  launch_stage;

List cloud-run services that are reconciling

Analyze the settings to understand which cloud-run services are currently in the process of reconciling. This can be useful for tracking and managing services that may be undergoing changes or updates.

select
  name,
  description,
  client,
  client_version,
  create_time,
  creator,
  generation,
  launch_stage,
  reconciling
from
  gcp_cloud_run_service
where
  reconciling;

select
  name,
  description,
  client,
  client_version,
  create_time,
  creator,
  generation,
  launch_stage,
  reconciling
from
  gcp_cloud_run_service
where
  reconciling = 1;

List services created in the last 30 days

Discover the services that were established in the past 30 days to gain insights into recent activities and understand the context of their creation. This could be useful in tracking the growth of services over time or identifying any unexpected or unauthorized service creation.

select
  name,
  description,
  create_time,
  creator,
  launch_stage
from
  gcp_cloud_run_service
where
  create_time >= now() - interval '30' day;

select
  name,
  description,
  create_time,
  creator,
  launch_stage
from
  gcp_cloud_run_service
where
  create_time >= datetime('now', '-30 day');

List services of ingress type INGRESS_TRAFFIC_ALL

Analyze the settings to understand which cloud run services are configured to allow all types of ingress traffic. This can be useful for assessing potential security risks associated with unrestricted ingress access.

select
  name,
  description,
  client,
  client_version,
  create_time,
  ingress
from
  gcp_cloud_run_service
where
  ingress = 'INGRESS_TRAFFIC_ALL';

select
  name,
  description,
  client,
  client_version,
  create_time,
  ingress
from
  gcp_cloud_run_service
where
  ingress = 'INGRESS_TRAFFIC_ALL';

Get condition details of services

This example allows you to gain insights into the status and condition details of various services in the Google Cloud Run environment. It can be used to understand the health of services, the reasons for their current state, and when they last transitioned, which can assist in troubleshooting and maintaining service stability.

select
  name,
  c ->> 'ExecutionReason' as execution_reason,
  c ->> 'LastTransitionTime' as last_transition_time,
  c ->> 'Message' as message,
  c ->> 'Reason' as reason,
  c ->> 'RevisionReason' as revision_reason,
  c ->> 'State' as state,
  c ->> 'Type' as type
from
  gcp_cloud_run_service,
  jsonb_array_elements(conditions) as c;

select
  name,
  json_extract(c.value, '$.ExecutionReason') as execution_reason,
  json_extract(c.value, '$.LastTransitionTime') as last_transition_time,
  json_extract(c.value, '$.Message') as message,
  json_extract(c.value, '$.Reason') as reason,
  json_extract(c.value, '$.RevisionReason') as revision_reason,
  json_extract(c.value, '$.State') as state,
  json_extract(c.value, '$.Type') as type
from
  gcp_cloud_run_service,
  json_each(conditions) as c;

Get associated members or principals, with a role of services

Attaching an Identity and Access Management (IAM) policy to a Google Cloud Run service involves setting permissions for that particular service. Google Cloud Run services use IAM for access control, and by configuring IAM policies, you can define who has what type of access to your Cloud Run services.

select
  name,
  i -> 'Condition' as condition,
  i -> 'Members' as members,
  i ->> 'Role' as role
from
  gcp_cloud_run_service,
  jsonb_array_elements(iam_policy -> 'Bindings') as i;

select
  name,
  json_extract(i.value, '$.Condition') as condition,
  json_extract(i.value, '$.Members') as members,
  json_extract(i.value, '$.Role') as role
from
  gcp_cloud_run_service,
  json_each(json_extract(iam_policy, '$.Bindings')) as i;

Get template details of services

Explore the various attributes of your cloud-based services, such as encryption keys, container details, and scaling parameters. This query is useful to gain an understanding of your service configurations and identify areas for potential adjustments or enhancements.

select
  name,
  template ->> 'Annotations' as template_annotations,
  template ->> 'Containers' as containers,
  template ->> 'EncryptionKey' as encryption_key,
  template ->> 'ExecutionEnvironment' as execution_environment,
  template ->> 'Revision' as revision,
  template ->> 'Scaling' as scaling,
  template ->> 'ServiceAccount' as service_account,
  template ->> 'SessionAffinity' as session_affinity,
  template ->> 'Timeout' as timeout,
  template ->> 'Volumes' as volumes,
  template ->> 'VpcAccess' as vpc_access
from
  gcp_cloud_run_service;

select
  name,
  json_extract(template, '$.Annotations') as template_annotations,
  json_extract(template, '$.Containers') as containers,
  json_extract(template, '$.EncryptionKey') as encryption_key,
  json_extract(template, '$.ExecutionEnvironment') as execution_environment,
  json_extract(template, '$.Revision') as revision,
  json_extract(template, '$.Scaling') as scaling,
  json_extract(template, '$.ServiceAccount') as service_account,
  json_extract(template, '$.SessionAffinity') as session_affinity,
  json_extract(template, '$.Timeout') as timeout,
  json_extract(template, '$.Volumes') as volumes,
  json_extract(template, '$.VpcAccess') as vpc_access
from
  gcp_cloud_run_service;

Get target traffic details of services

Gain insights into the distribution of traffic across different revisions and tags of your services. This is useful for understanding how your traffic is being balanced and identifying potential areas for optimization.

select
  name,
  t ->> 'Percent' as percent,
  t ->> 'Revision' as revision,
  t ->> 'Tag' as tag,
  t ->> 'Type' as type
from
  gcp_cloud_run_service,
  jsonb_array_elements(traffic) as t;

select
  name,
  json_extract(t.value, '$.Percent') as percent,
  json_extract(t.value, '$.Revision') as revision,
  json_extract(t.value, '$.Tag') as tag,
  json_extract(t.value, '$.Type') as type
from
  gcp_cloud_run_service,
  json_each(traffic) as t;

Control examples

Cloud Run service should restrict public access

Schema for gcp_cloud_run_service

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form, e.g. connection_name.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
annotations	jsonb		Unstructured key value map that may be set by external tools to store and arbitrary metadata.
binary_authorization	jsonb		Settings for the Binary Authorization feature.
client	text		Arbitrary identifier for the API client.
client_version	text		Arbitrary version identifier for the API client.
conditions	jsonb		The Conditions of all other associated sub-resources.
create_time	timestamp with time zone		The creation timestamp of the resource.
creator	text		Email address of the authenticated creator.
custom_audiences	jsonb		One or more custom audiences that you want this service to support.
delete_time	timestamp with time zone		The deletion time.
description	text		User-provided description of the Service.
etag	text		A system-generated fingerprint for this version of the resource.
expire_time	timestamp with time zone		For a deleted resource, the time after which it will be permamently deleted.
generation	bigint		A number that monotonically increases every time the user modifies the desired state.
iam_policy	jsonb		An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
ingress	text		Provides the ingress settings for this Service. On output, returns the currently observed ingress settings, or INGRESS_TRAFFIC_UNSPECIFIED if no revision is active.
labels	jsonb		Unstructured key value map that can be used to organize and categorize objects.
last_modifier	text		Email address of the last authenticated modifier.
latest_created_revision	text		Name of the last created revision. See comments in `reconciling` for additional information on reconciliation process in Cloud Run.
latest_ready_revision	text		Name of the latest revision that is serving traffic. See comments in `reconciling` for additional information on reconciliation process in Cloud Run.
launch_stage	text		The launch stage as defined by Google Cloud Platform Launch Stages (https://cloud.google.com/terms/launch-stages). Cloud Run supports `ALPHA`, `BETA`, and `GA`. If no value is specified, GA is assumed.
location	text	=	The GCP multi-region, region, or zone in which the resource is located.
name	text	=	The fully qualified name of this Service.
observed_generation	text		The generation of this Service currently serving traffic.
project	text		The GCP Project in which the resource is located.
reconciling	boolean		Returns true if the Service is currently being acted upon by the system to bring it into the desired state.
satisfies_pzs	boolean		Reserved for future use.
self_link	text		The server-defined URL for the resource.
tags	jsonb		A map of tags for the resource.
template	jsonb		The template used to create revisions for this Service.
terminal_condition	jsonb		The Condition of this Service, containing its readiness status, and detailed error information in case it did not reach a serving state.
title	text		Title of the resource.
traffic	jsonb		Specifies how to distribute traffic over a collection of Revisions belonging to the Service. If traffic is empty or not provided, defaults to 100% traffic to the latest `Ready` Revision.
traffic_statuses	jsonb		Detailed status information for corresponding traffic targets.
traffic_tags_cleanup_threshold	bigint		Override the traffic tag threshold limit. Garbage collection will start cleaning up non-serving tagged traffic targets based on creation item. The default value is 2000.
uid	text		Server assigned unique identifier for the trigger.
update_time	timestamp with time zone		The last-modified time.
uri	text		The main URI in which this Service is serving traffic.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_cloud_run_service