turbot/gcp

steampipe plugin install gcp
Table: gcp_kms_key

A Cloud KMS key is a named object containing one or more key versions, along with metadata for the key. A key exists on exactly one key ring tied to a specific location.

Examples

Basic info

select
  name,
  create_time,
  rotation_period
from
  gcp_kms_key;

List keys older than 30 days

select
  name,
  create_time,
  rotation_period
from
  gcp_kms_key
where
  create_time <= (current_date - interval '30' day)
order by
  create_time;

List keys with rotation period greater than 90 days (7776000 seconds)

select
  name,
  create_time,
  rotation_period
from
  gcp_kms_key
where
  split_part(rotation_period, 's', 1) :: int > 7776000;

List publicly accessible keys

select
  distinct name,
  key_ring_name,
  location
from
  gcp_kms_key,
  jsonb_array_elements(iam_policy -> 'bindings') as b
where
  b -> 'members' ?| array['allAuthenticatedUsers', 'allUsers'];
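
The following audit query is an added example, not part of the plugin documentation. It combines the rotation and public-access checks above, reports keys with no rotation period (which the greater-than-90-days filter does not return), and shows which role each public binding grants. It assumes an unset rotation period appears as NULL or an empty string, and that a conditional binding carries its expression under `condition.expression`.

```sql
-- Added example: one row per finding, using only columns documented on this page.
with keys as (
  select
    project,
    location,
    key_ring_name,
    name,
    purpose,
    iam_policy,
    -- rotation_period is text such as '7776000s'; assumed NULL or '' when unset.
    nullif(split_part(rotation_period, 's', 1), '') :: bigint as rotation_seconds
  from
    gcp_kms_key
),
public_bindings as (
  select
    k.project,
    k.location,
    k.key_ring_name,
    k.name,
    b ->> 'role' as role,
    m as member,
    b -> 'condition' ->> 'expression' as condition_expression
  from
    keys as k,
    jsonb_array_elements(k.iam_policy -> 'bindings') as b,
    jsonb_array_elements_text(b -> 'members') as m
  where
    m in ('allUsers', 'allAuthenticatedUsers')
)
select
  k.project, k.location, k.key_ring_name, k.name, k.purpose,
  case
    when k.rotation_seconds is null then 'no rotation period set'
    when k.rotation_seconds > 7776000 then 'rotation period over 90 days'
    else 'ok'
  end as rotation_status,
  p.role as public_role,
  p.member as public_member,
  p.condition_expression
from
  keys as k
  left join public_bindings as p using (project, location, key_ring_name, name)
where
  k.rotation_seconds is null
  or k.rotation_seconds > 7776000
  or p.member is not null
order by
  k.project, k.location, k.key_ring_name, k.name;
```

The `purpose` column is included for triage, since Cloud KMS rotates only symmetric encryption keys automatically and other key types are expected to show no rotation period.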

.inspect gcp_kms_key

GCP KMS Key

| Name | Type | Description |
| --- | --- | --- |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. |
| create_time | timestamp without time zone | The time at which this CryptoKey was created. |
| iam_policy | jsonb | An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. |
| key_ring_name | text | The resource name for the KeyRing. |
| location | text | The GCP multi-region, region, or zone in which the resource is located. |
| name | text | The resource name for the CryptoKey. |
| next_rotation_time | timestamp without time zone | At next rotation time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. |
| primary | jsonb | A copy of the primary CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. |
| project | text | The GCP Project in which the resource is located. |
| purpose | text | The immutable purpose of this CryptoKey. |
| rotation_period | text | Next rotation time will be advanced by this period when the service automatically rotates a key. |
| self_link | text | Server-defined URL for the resource. |
| tags | jsonb | A map of tags for the resource. |
| title | text | Title of the resource. |
| version_template | jsonb | A template describing settings for new CryptoKeyVersion instances. |