steampipe plugin install gcp

Table: gcp_iam_policy - Query Google Cloud IAM Policies using SQL

Google Cloud Identity and Access Management (IAM) provides the right tools to manage resource permissions with minimum fuss and high automation. It offers unified control across the entire suite of Google Cloud resources. IAM Policies are the primary resources in IAM that bind a set of members to a role, thus defining what actions the members can take on the resources.

Table Usage Guide

The gcp_iam_policy table provides insights into IAM Policies within Google Cloud Identity and Access Management (IAM). As a Security Analyst, explore policy-specific details through this table, including bindings, roles, and associated members. Utilize it to uncover information about the policies, such as those with broad access, the binding of members to roles, and the verification of permissions.

Examples

List of project members with their roles

Explore which roles are assigned to different project members. This can help in managing access control and ensuring appropriate permissions are allocated.

PostgreSQL:

select
  entity,
  p ->> 'role' as role
from
  gcp_iam_policy,
  jsonb_array_elements(bindings) as p,
  jsonb_array_elements_text(p -> 'members') as entity;

SQLite:

select
  e.value as entity,
  json_extract(p.value, '$.role') as role
from
  gcp_iam_policy,
  json_each(bindings) as p,
  json_each(json_extract(p.value, '$.members')) as e;
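The same binding expansion can be turned toward the "broad access" case the usage guide mentions: bindings whose member is one of the GCP special principals allUsers (anyone on the internet) or allAuthenticatedUsers (any Google account). The query below is an added example rather than one from the Steampipe documentation; it assumes only the columns in the schema on this page (project, bindings) and reads the optional condition title from each binding so that conditional grants can be told apart from unconditional ones. Both dialects are shown.

```sql
-- PostgreSQL: list every binding that grants a role to a public principal.
-- condition_title is NULL when the binding has no condition attached.
select
  project,
  p ->> 'role' as role,
  entity,
  p -> 'condition' ->> 'title' as condition_title
from
  gcp_iam_policy,
  jsonb_array_elements(bindings) as p,
  jsonb_array_elements_text(p -> 'members') as entity
where
  entity in ('allUsers', 'allAuthenticatedUsers')
order by
  project, role;

-- SQLite: same query using json_each / json_extract.
select
  project,
  json_extract(p.value, '$.role') as role,
  e.value as entity,
  json_extract(p.value, '$.condition.title') as condition_title
from
  gcp_iam_policy,
  json_each(bindings) as p,
  json_each(json_extract(p.value, '$.members')) as e
where
  e.value in ('allUsers', 'allAuthenticatedUsers')
order by
  project, role;
```

An empty result is the expected state for most projects; any row returned is worth reviewing, and a non-null condition_title means the grant only applies when the binding's condition evaluates true.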

List of members with owner roles

Explore which members have been assigned the 'owner' role in your Google Cloud Platform IAM policy. This is useful for gaining insights into access control and ensuring appropriate permissions are in place.

PostgreSQL:

select
  entity,
  p ->> 'role' as role
from
  gcp_iam_policy,
  jsonb_array_elements(bindings) as p,
  jsonb_array_elements_text(p -> 'members') as entity
where
  split_part(p ->> 'role', '/', 2) = 'owner';

SQLite:

Error: SQLite does not support split functions.
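Because the owner role always appears as the literal string roles/owner, the split is not actually needed: comparing the role string directly works in both dialects and gives a SQLite version of this query. The block below is an added example, not part of the Steampipe documentation; it assumes only the schema on this page and the standard GCP basic role names roles/owner and roles/editor. The PostgreSQL half extends the idea to a per-project count of principals holding either basic role.

```sql
-- SQLite: match the role string exactly instead of splitting it.
select
  project,
  json_extract(p.value, '$.role') as role,
  e.value as entity
from
  gcp_iam_policy,
  json_each(bindings) as p,
  json_each(json_extract(p.value, '$.members')) as e
where
  json_extract(p.value, '$.role') in ('roles/owner', 'roles/editor')
order by
  project, role, entity;

-- PostgreSQL: same filter, summarised as the number of distinct principals
-- holding each basic role in each project.
select
  project,
  p ->> 'role' as role,
  count(distinct entity) as principal_count
from
  gcp_iam_policy,
  jsonb_array_elements(bindings) as p,
  jsonb_array_elements_text(p -> 'members') as entity
where
  p ->> 'role' in ('roles/owner', 'roles/editor')
group by
  project, p ->> 'role'
order by
  principal_count desc;
```

Custom roles (projects/PROJECT/roles/NAME) are never matched by the exact comparison, which is the same behaviour the split_part version has, since its second path segment would be the project id rather than 'owner'.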


Schema for gcp_iam_policy

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| bindings | jsonb | | A list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member. |
| etag | text | | Etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. |
| location | text | | The GCP multi-region, region, or zone in which the resource is located. |
| project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| title | text | | Title of the resource. |
| version | bigint | | Version specifies the format of the policy. Valid values are `0`, `1`, and `3`. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_iam_policy