Table: gcp_compute_project_metadata - Query Google Cloud Compute Engine Project Metadata using SQL
Google Cloud Compute Engine Project Metadata is a set of data about a Google Cloud Compute Engine project. It includes common instance metadata that applies to all instances in the project, and enable-oslogin metadata that controls the OS Login feature for all instances in the project. This metadata can be used to configure or manage the behavior of the instances in the project.
Table Usage Guide
The gcp_compute_project_metadata table provides insights into the metadata of projects within Google Cloud Compute Engine. As a Cloud Engineer, you can explore project-specific details through this table, including common instance metadata and enable-oslogin metadata. Utilize it to manage and configure the behavior of all instances in your projects, and to control the OS Login feature for all instances.
Examples
Basic info
Review each project's default service account and the project's creation timestamp within your Google Cloud Platform project. This can help you manage your resources and monitor any changes made over time.
select
  name,
  id,
  default_service_account,
  creation_timestamp
from
  gcp_compute_project_metadata;
Check if OS Login is enabled for Linux instances in the project
Find projects whose enable-oslogin metadata key is set to a value other than TRUE, meaning OS Login is not activated for Linux instances in the project. This insight can help enhance security by ensuring that all instances are properly configured for OS Login.
Postgres:
select
  name,
  id
from
  gcp_compute_project_metadata,
  jsonb_array_elements(common_instance_metadata -> 'items') as q
where
  common_instance_metadata -> 'items' @> '[{"key": "enable-oslogin"}]'
  and q ->> 'key' ilike 'enable-oslogin'
  and q ->> 'value' not ilike 'TRUE';
SQLite:
select
  m.name,
  m.id
from
  gcp_compute_project_metadata as m,
  json_each(common_instance_metadata, '$.items') as q
where
  json_extract(common_instance_metadata, '$.items') like '%"key": "enable-oslogin"%'
  and json_extract(q.value, '$.key') like 'enable-oslogin'
  and json_extract(q.value, '$.value') not like 'TRUE';
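The queries above match only projects where the enable-oslogin key is present with a non-TRUE value. The following Postgres query is an added example, not part of the Steampipe documentation, that also returns projects where the key is missing from common_instance_metadata; the enable_oslogin column alias and the '<not set>' label are choices made for this example.

```sql
-- Added example (Postgres): report every project where OS Login is not
-- enabled at project level, whether enable-oslogin is set to a non-TRUE
-- value or is missing from common_instance_metadata altogether.
select
  m.name,
  m.id,
  -- '<not set>' is this example's label for an absent key or null value.
  coalesce(o.value, '<not set>') as enable_oslogin
from
  gcp_compute_project_metadata as m
  left join lateral (
    select
      q ->> 'value' as value
    from
      jsonb_array_elements(
        -- Treat a missing or non-array items field as an empty list so
        -- the project still appears in the result through the left join.
        case
          when jsonb_typeof(m.common_instance_metadata -> 'items') = 'array'
            then m.common_instance_metadata -> 'items'
          else '[]'::jsonb
        end
      ) as q
    where
      q ->> 'key' ilike 'enable-oslogin'
    limit 1
  ) as o on true
where
  o.value is null
  or o.value not ilike 'TRUE';
```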
Control examples
- CIS v1.2.0 > 4 Virtual Machines > 4.4 Ensure oslogin is enabled for a Project
- CIS v1.3.0 > 4 Virtual Machines > 4.4 Ensure oslogin is enabled for a Project
- CIS v2.0.0 > 4 Virtual Machines > 4.4 Ensure oslogin is enabled for a Project
- CIS v3.0.0 > 4 Virtual Machines > 4.4 Ensure Oslogin Is Enabled for a Project
- Ensure OS login is enabled at Project level
- Ensure OS login is enabled for all instances in the Project
Schema for gcp_compute_project_metadata
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
common_instance_metadata | jsonb | | Metadata key/value pairs available to all instances contained in this project. |
creation_timestamp | timestamp with time zone | | Creation timestamp in RFC3339 text format. |
default_network_tier | text | | This signifies the default network tier used for configuring resources of the project and can only take the following values: PREMIUM, STANDARD. |
default_service_account | text | | Default service account used by VMs running in this project. |
description | text | | An optional textual description of the resource. |
enabled_features | jsonb | | Restricted features enabled for use on this project. |
id | text | | The unique identifier for the resource. |
kind | text | | The type of the resource. |
location | text | | The GCP multi-region, region, or zone in which the resource is located. |
name | text | | The ID of the project. |
project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located. |
quotas | jsonb | | Quotas assigned to this project. |
self_link | text | | Server-defined URL for the resource. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
title | text | | Title of the resource. |
usage_export_location | jsonb | | The naming prefix for daily usage reports and the Google Cloud Storage bucket where they are stored. |
xpn_project_status | text | | The role this project has in a shared VPC configuration. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp
You can pass the configuration to the command with the --config argument:
steampipe_export_gcp --config '<your_config>' gcp_compute_project_metadata