Table: gcp_kms_key_ring - Query Google Cloud Key Management Service Key Rings using SQL
Google Cloud Key Management Service (KMS) is a cloud service for managing cryptographic keys for your cloud services. Key Rings are used to group keys together for easier management. Each Key Ring belongs to a specific Google Cloud Project and resides in a specific location.
Table Usage Guide
The `gcp_kms_key_ring` table provides insights into Key Rings within Google Cloud Key Management Service (KMS). As a security engineer, you can explore key ring-specific details through this table, including their names, creation times, and locations. Utilize it to manage and review the cryptographic keys for your cloud services.
Examples
Basic info
Explore which key rings have been created within Google Cloud's Key Management Service. This can help monitor the timeline of key ring creation for better security and resource management.
```sql
select
  name,
  create_time
from
  gcp_kms_key_ring;
```
List key rings older than 30 days
Find key rings that were created more than 30 days ago. This is useful for identifying and managing outdated or potentially unused key rings in your Google Cloud Platform.
```sql
-- Postgres
select
  name,
  create_time
from
  gcp_kms_key_ring
where
  create_time <= (current_date - interval '30' day)
order by
  create_time;
```

```sql
-- SQLite
select
  name,
  create_time
from
  gcp_kms_key_ring
where
  date(create_time) <= date('now', '-30 days')
order by
  create_time;
```
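The `iam_policy` column listed in the schema can be unpacked to review who holds which role on each key ring. The query below is an added example, not one of the plugin's own; it uses Postgres syntax and assumes the policy JSON uses the `bindings`, `role`, `members` and `condition` keys named in the column description.

```sql
-- Added example (Postgres): one row per (key ring, role, member) binding.
-- Assumed iam_policy shape, per the column description:
--   { "bindings": [ { "role": ..., "members": [...], "condition": {...} } ] }
-- Key rings whose policy has no bindings produce no rows.
select
  kr.project,
  kr.location,
  kr.name as key_ring,
  b ->> 'role' as role,
  m as member,
  -- allUsers / allAuthenticatedUsers are GCP's public principals
  m in ('allUsers', 'allAuthenticatedUsers') as is_public,
  -- true only when the binding carries a condition object
  coalesce(jsonb_typeof(b -> 'condition') = 'object', false) as is_conditional
from
  gcp_kms_key_ring as kr,
  jsonb_array_elements(kr.iam_policy -> 'bindings') as b,
  jsonb_array_elements_text(b -> 'members') as m
order by
  is_public desc,
  kr.project,
  kr.name,
  role;
```

Rows with `is_public = true` sort first, so any key ring granted to a public principal appears at the top of the result.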
Schema for gcp_kms_key_ring
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
create_time | timestamp with time zone | | The time at which this KeyRing was created. |
iam_policy | jsonb | | An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. |
location | text | = | The GCP multi-region, region, or zone in which the resource is located. |
name | text | = | The resource name for the KeyRing. |
project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install it with the `steampipe_export_installer.sh` script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp
```
You can pass the configuration to the command with the `--config` argument:

```sh
steampipe_export_gcp --config '<your_config>' gcp_kms_key_ring
```