gcp_apikeys_keygcp_app_engine_applicationgcp_artifact_registry_repositorygcp_audit_policygcp_bigquery_datasetgcp_bigquery_jobgcp_bigquery_tablegcp_bigtable_instancegcp_billing_accountgcp_billing_budgetgcp_cloud_assetgcp_cloud_identity_groupgcp_cloud_identity_group_membershipgcp_cloud_run_servicegcp_cloudfunctions_functiongcp_compute_addressgcp_compute_autoscalergcp_compute_backend_bucketgcp_compute_backend_servicegcp_compute_diskgcp_compute_disk_metric_read_opsgcp_compute_disk_metric_read_ops_dailygcp_compute_disk_metric_read_ops_hourlygcp_compute_disk_metric_write_opsgcp_compute_disk_metric_write_ops_dailygcp_compute_disk_metric_write_ops_hourlygcp_compute_firewallgcp_compute_forwarding_rulegcp_compute_global_addressgcp_compute_global_forwarding_rulegcp_compute_ha_vpn_gatewaygcp_compute_imagegcp_compute_instancegcp_compute_instance_groupgcp_compute_instance_metric_cpu_utilizationgcp_compute_instance_metric_cpu_utilization_dailygcp_compute_instance_metric_cpu_utilization_hourlygcp_compute_instance_templategcp_compute_machine_imagegcp_compute_machine_typegcp_compute_networkgcp_compute_node_groupgcp_compute_node_templategcp_compute_project_metadatagcp_compute_regiongcp_compute_resource_policygcp_compute_routegcp_compute_routergcp_compute_snapshotgcp_compute_ssl_policygcp_compute_subnetworkgcp_compute_target_https_proxygcp_compute_target_poolgcp_compute_target_ssl_proxygcp_compute_target_vpn_gatewaygcp_compute_url_mapgcp_compute_vpn_tunnelgcp_compute_zonegcp_dataproc_clustergcp_dns_managed_zonegcp_dns_policygcp_dns_record_setgcp_iam_policygcp_iam_rolegcp_kms_keygcp_kms_key_ringgcp_kms_key_versiongcp_kubernetes_clustergcp_kubernetes_node_poolgcp_logging_bucketgcp_logging_exclusiongcp_logging_log_entrygcp_logging_metricgcp_logging_sinkgcp_monitoring_alert_policygcp_monitoring_groupgcp_monitoring_notification_channelgcp_organizationgcp_projectgcp_project_organization_policygcp_project_servicegcp_pubsub_snapshotgcp_pubsub_subscriptiongcp_pubsub_topicgcp_redis_instancegcp_service_accountgcp_service_account_keygcp_sql_backupgcp_sql_databasegcp_sql_database_instancegcp_sql_database_instance_metric_connectionsgcp_sql_database_instance_metric_connections_dailygcp_sql_database_instance_metric_connections_hourlygcp_sql_database_instance_metric_cpu_utilizationgcp_sql_database_instance_metric_cpu_utilization_dailygcp_sql_database_instance_metric_cpu_utilization_hourlygcp_storage_bucketgcp_storage_objectgcp_tag_bindinggcp_vertex_ai_endpointgcp_vertex_ai_model
Table: gcp_iam_policy - Query Google Cloud IAM Policies using SQL
Google Cloud Identity and Access Management (IAM) provides the right tools to manage resource permissions with minimum fuss and high automation. It offers unified control across the entire suite of Google Cloud resources. IAM Policies are the primary resources in IAM that bind a set of members to a role, thus defining what actions the members can take on the resources.
Table Usage Guide
The gcp_iam_policy table provides insights into IAM Policies within Google Cloud Identity and Access Management (IAM). As a Security Analyst, explore policy-specific details through this table, including bindings, roles, and associated members. Utilize it to uncover information about the policies, such as those with broad access, the binding of members to roles, and the verification of permissions.
Examples
List of project members with their roles
Explore which roles are assigned to different project members. This can help in managing access control and ensuring appropriate permissions are allocated.
select entity, p ->> 'role' as rolefrom gcp_iam_policy, jsonb_array_elements(bindings) as p, jsonb_array_elements_text(p -> 'members') as entity;select e.value as entity, json_extract(p.value, '$.role') as rolefrom gcp_iam_policy, json_each(bindings) as p, json_each(json_extract(p.value, '$.members')) as e;List of members with owner roles
Explore which members have been assigned the 'owner' role in your Google Cloud Platform IAM policy. This is useful for gaining insights into access control and ensuring appropriate permissions are in place.
select entity, p ->> 'role' as rolefrom gcp_iam_policy, jsonb_array_elements(bindings) as p, jsonb_array_elements_text(p -> 'members') as entitywhere split_part(p ->> 'role', '/', 2) = 'owner';Error: SQLite does not support split functions.Control examples
- 1.1 Ensure that corporate login credentials are used
- 1.1 Ensure that corporate login credentials are used
- 1.1 Ensure that corporate login credentials are used
- 1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users
- 1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users
- 1.11 Ensure that Separation of duties is enforced while assigning KMS related roles to users
- 1.5 Ensure that Service Account has no Admin privileges
- 1.5 Ensure that Service Account has no Admin privileges
- 1.5 Ensure that Service Account has no Admin privileges
- 1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- 1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- 1.6 Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- 1.8 Ensure that Separation of duties is enforced while assigning service account related roles to users
- 1.8 Ensure that Separation of duties is enforced while assigning service account related roles to users
- 1.8 Ensure that Separation of duties is enforced while assigning service account related roles to users
- Cloudfunction functions no roles/editor or roles/owner permission
- Cloudfunction functions should restrict disrupt logging permission
- Compute Instances should restrict data destruction permission
- Compute Instances should restrict database write permission
- Compute Instances should restrict deployments manager permission
- Compute Instances should restrict disrupt logging permission
- Compute Instances should restrict high level basic role
- Compute Instances should restrict IAM write permission
- Compute Instances should restrict service account impersonate permission
- Compute Instances should restrict write permission on deny policy
- Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
- Ensure that Separation of duties is enforced while assigning KMS related roles to users
- Ensure that Separation of duties is enforced while assigning KMS related roles to users
- Ensure that Separation of duties is enforced while assigning service account related roles to users
- Ensure that Service Account has no Admin privileges
- Only allow members from my domain to be added to IAM roles
- Prevent public users from having access to resources via IAM
Schema for gcp_iam_policy
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| bindings | jsonb | A list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member. | |
| etag | text | Etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. | |
| location | text | The GCP multi-region, region, or zone in which the resource is located. | |
| project | text | The GCP Project in which the resource is located. | |
| title | text | Title of the resource. | |
| version | bigint | Version specifies the format of the policy. Valid values are `0`, `1`, and `3`. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcpYou can pass the configuration to the command with the --config argument:
steampipe_export_gcp --config '<your_config>' gcp_iam_policy