steampipe plugin install gcp

Table: gcp_pubsub_snapshot - Query Google Cloud Pub/Sub Snapshots using SQL

Google Cloud Pub/Sub is a messaging service that allows you to send and receive messages between independent applications. A Pub/Sub Snapshot is a point-in-time capture of the message acknowledgment state of a subscription. Snapshots can be used to seek a subscription to a time in the past or to a different subscription's time in the future.

Table Usage Guide

The gcp_pubsub_snapshot table provides insights into Google Cloud Pub/Sub Snapshots within a Google Cloud project. As a DevOps engineer, explore snapshot-specific details through this table, including the snapshot's name, topic, and expiration time. Utilize it to uncover information about snapshots, such as their associated metadata and the state of message acknowledgment at the time the snapshot was created.


Basic info

Explore snapshots in your Google Cloud Pub/Sub service to identify their names, associated topics, expiration times, and any applied tags. This can help you manage and organize your snapshots more effectively.


Find pubsub snapshots with policies that grant public access

Determine the areas in which public access is granted to pubsub snapshots. This query is useful in identifying potential security risks by pinpointing which snapshots have policies that allow public access.

split_part(s ->> 'role', '/', 2) as role,
jsonb_array_elements(iam_policy -> 'bindings') as s,
jsonb_array_elements_text(s -> 'members') as entity
entity = 'allUsers'
or entity = 'allAuthenticatedUsers';
json_extract(s.value, '$.role'),
instr(json_extract(s.value, '$.role'), '/') + 1
) as role,
e.value as entity
gcp_pubsub_snapshot g,
json_each(g.iam_policy, '$.bindings') as s,
json_each(json_extract(s.value, '$.members')) as e
e.value = 'allUsers'
or e.value = 'allAuthenticatedUsers';

Schema for gcp_pubsub_snapshot

_ctxjsonbSteampipe context in JSON form.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
expire_timetimestamp with time zoneThe snapshot is guaranteed to exist up until this time. A newly-created snapshot expires no later than 7 days from the time of its creation. Its exact lifetime is determined at creation by the existing backlog in the source subscription. Specifically, the lifetime of the snapshot is `7 days - (age of oldest unacked message in the subscription)`.
iam_policyjsonbAn Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`.
labelsjsonbA set of labels attached with the snapshot.
locationtextThe GCP multi-region, region, or zone in which the resource is located.
nametext=The name of the snapshot
projecttext=, !=, ~~, ~~*, !~~, !~~*The GCP Project in which the resource is located.
self_linktextServer-defined URL for the resource.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
tagsjsonbA map of tags for the resource.
titletextTitle of the resource.
topictextThe name of the topic from which this snapshot is retaining messages
topic_nametextThe short name of the topic from which this snapshot is retaining messages.


This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the script:

/bin/sh -c "$(curl -fsSL" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_pubsub_snapshot