steampipe plugin install gcp

Table: gcp_service_account_key - Query Google Cloud Platform Service Account Keys using SQL

A Service Account Key in Google Cloud Platform is a cryptographic key associated with a service account that can be used to authenticate as the service account. Service Account Keys are used to sign tokens for service accounts. They are essential for server-to-server interactions that are not tied to a user identity.

Table Usage Guide

The gcp_service_account_key table provides insights into Service Account Keys within Google Cloud Platform. As a security engineer, explore key-specific details through this table, including the associated service account, key algorithm, and key origin. Utilize it to understand the distribution of keys, their validity, and their associated service accounts for better management and security.

Examples

List of service accounts using user managed keys

Identify the service accounts that utilize user-managed keys. This is useful to gain insights into potential security risks, as these keys are not automatically rotated and require manual management.

select
  service_account_name as service_account,
  title,
  key_type
from
  gcp_service_account_key
where
  key_type = 'USER_MANAGED';

Validity time for the service account keys

Identify the validity period of your service account keys in Google Cloud Platform. Knowing when each key is active helps you manage access and security.

select
  title,
  service_account_name as service_account,
  valid_after_time,
  valid_before_time
from
  gcp_service_account_key;
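
The two queries above can be combined into a rotation review that lists user-managed keys past a rotation threshold and classifies their expiry. This is an added example, not part of the plugin's own documentation; the 90-day threshold and the 10-year cutoff for "effectively non-expiring" are assumptions to adjust to your policy.

```sql
-- Added example: rotation review for user-managed service account keys.
-- Assumptions: 90 days is the rotation threshold, and any expiry more than
-- 10 years out is treated as effectively non-expiring.
select
  project,
  service_account_name as service_account,
  title,
  key_algorithm,
  valid_after_time,
  valid_before_time,
  -- timestamptz subtraction yields an interval in days, so this is the key age
  date_part('day', now() - valid_after_time) as age_days,
  case
    when valid_before_time <= now() then 'expired'
    when valid_before_time > now() + interval '10 years' then 'effectively non-expiring'
    else 'expires'
  end as expiry_status
from
  gcp_service_account_key
where
  key_type = 'USER_MANAGED'
  and valid_after_time <= now() - interval '90 days'
order by
  valid_after_time;
```

Rows at the top are the oldest keys and the first candidates for rotation or deletion.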

Get public key data for a service account key

Explore the public key data associated with a specific service account key, allowing you to gain insights into the key type, origin, and format. This can be useful for verifying the key's authenticity and ensuring its proper configuration.

select
  name,
  key_type,
  key_origin,
  public_key_data_raw,
  public_key_data_pem
from
  gcp_service_account_key
where
  service_account_name = 'test@myproject.iam.gserviceaccount.com';

Schema for gcp_service_account_key

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
key_algorithm | text | | Specifies the algorithm (and possibly key size) for the key.
key_origin | text | | Specifies the origin of the key.
key_type | text | | The type of the service account key.
location | text | | The GCP multi-region, region, or zone in which the resource is located.
name | text | = | The friendly name that identifies the service account key.
project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located.
public_key_data_pem | text | | Specifies the public key data in PEM format.
public_key_data_raw | text | | Specifies the public key data in raw format.
service_account_name | text | = | Service account in which the key is located.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
title | text | | Title of the resource.
valid_after_time | timestamp with time zone | | Specifies the timestamp, after which the key can be used.
valid_before_time | timestamp with time zone | | Specifies the timestamp, after which the key gets invalid.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_service_account_key