Table: gcp_pubsub_snapshot - Query Google Cloud Pub/Sub Snapshots using SQL

Google Cloud Pub/Sub is a messaging service that allows you to send and receive messages between independent applications. A Pub/Sub Snapshot is a point-in-time capture of the message acknowledgment state of a subscription. Snapshots can be used to seek a subscription to a time in the past or to a different subscription's time in the future.

Table Usage Guide

The gcp_pubsub_snapshot table provides insights into Google Cloud Pub/Sub Snapshots within a Google Cloud project. As a DevOps engineer, explore snapshot-specific details through this table, including the snapshot's name, topic, and expiration time. Utilize it to uncover information about snapshots, such as their associated metadata and the state of message acknowledgment at the time the snapshot was created.

Examples

Basic info

Explore snapshots in your Google Cloud Pub/Sub service to identify their names, associated topics, expiration times, and any applied tags. This can help you manage and organize your snapshots more effectively.

select
  name,
  topic_name,
  expire_time,
  tags
from
  gcp_pubsub_snapshot;

select
  name,
  topic_name,
  expire_time,
  tags
from
  gcp_pubsub_snapshot;

Find pubsub snapshots with policies that grant public access

Determine the areas in which public access is granted to pubsub snapshots. This query is useful in identifying potential security risks by pinpointing which snapshots have policies that allow public access.

select
  name,
  split_part(s ->> 'role', '/', 2) as role,
  entity
from
  gcp_pubsub_snapshot,
  jsonb_array_elements(iam_policy -> 'bindings') as s,
  jsonb_array_elements_text(s -> 'members') as entity
where
  entity = 'allUsers'
  or entity = 'allAuthenticatedUsers';

select
  g.name,
  substr(
    json_extract(s.value, '$.role'),
    instr(json_extract(s.value, '$.role'), '/') + 1
  ) as role,
  e.value as entity
from
  gcp_pubsub_snapshot g,
  json_each(g.iam_policy, '$.bindings') as s,
  json_each(json_extract(s.value, '$.members')) as e
where
  e.value = 'allUsers'
  or e.value = 'allAuthenticatedUsers';

Query examples

pubsub_snapshots_for_pubsub_topic

Schema for gcp_pubsub_snapshot

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
expire_time	timestamp with time zone		The snapshot is guaranteed to exist up until this time. A newly-created snapshot expires no later than 7 days from the time of its creation. Its exact lifetime is determined at creation by the existing backlog in the source subscription. Specifically, the lifetime of the snapshot is `7 days - (age of oldest unacked message in the subscription)`.
iam_policy	jsonb		An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`.
labels	jsonb		A set of labels attached with the snapshot.
location	text		The GCP multi-region, region, or zone in which the resource is located.
name	text	=	The name of the snapshot
project	text	=, !=, ~~, ~~, !~~, !~~	The GCP Project in which the resource is located.
self_link	text		Server-defined URL for the resource.
sp_connection_name	text	=, !=, ~~, ~~, !~~, !~~	Steampipe connection name.
sp_ctx	jsonb		Steampipe context in JSON form.
tags	jsonb		A map of tags for the resource.
title	text		Title of the resource.
topic	text		The name of the topic from which this snapshot is retaining messages
topic_name	text		The short name of the topic from which this snapshot is retaining messages.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_pubsub_snapshot