steampipe plugin install gcp

Table: gcp_storage_bucket - Query Google Cloud Storage Buckets using SQL

Google Cloud Storage is a service within Google Cloud Platform that provides scalable, durable, and highly available object storage. It offers multiple storage classes, versioning, fine-grained access controls, and other features for managing data. Google Cloud Storage is designed to help organizations of all sizes securely store and retrieve any amount of data at any time.

Table Usage Guide

The gcp_storage_bucket table provides insights into Storage Buckets within Google Cloud Storage. As a Cloud Engineer, explore bucket-specific details through this table, including configurations, access controls, and associated metadata. Utilize it to uncover information about buckets, such as their storage class, location, versioning status, and access control policies.

Examples

List of buckets where versioning is not enabled

Discover the segments that have not enabled versioning within their storage buckets. This is particularly useful to identify potential risk areas where data loss could occur due to overwriting or deleting of files.

select
name,
location,
versioning_enabled
from
gcp_storage_bucket
where
not versioning_enabled;
select
name,
location,
versioning_enabled
from
gcp_storage_bucket
where
versioning_enabled is not 1;

List of members and their associated iam roles for the bucket

Discover the segments that illustrate the relationship between members and their respective roles for a specific storage bucket in GCP. This could be useful in assessing access permissions and managing security within your cloud storage environment.

select
name,
location,
p -> 'members' as member,
p ->> 'role' as role
from
gcp_storage_bucket,
jsonb_array_elements(iam_policy -> 'bindings') as p;
select
name,
location,
json_extract(p.value, '$.members') as member,
json_extract(p.value, '$.role') as role
from
gcp_storage_bucket,
json_each(iam_policy, '$.bindings') as p;

Lifecycle rule of each storage bucket

Explore the lifecycle rules of your storage buckets to understand how they're configured. This can help in managing resources more effectively by determining when certain actions, such as transitioning to a different storage class or deleting objects, are set to occur.

select
name,
p -> 'action' ->> 'storageClass' as storage_class,
p -> 'action' ->> 'type' as action_type,
p -> 'condition' ->> 'age' as age_in_days
from
gcp_storage_bucket,
jsonb_array_elements(lifecycle_rules) as p;
select
name,
json_extract(p.value, '$.action.storageClass') as storage_class,
json_extract(p.value, '$.action.type') as action_type,
json_extract(p.value, '$.condition.age') as age_in_days
from
gcp_storage_bucket,
json_each(lifecycle_rules) as p;

List of storage buckets whose retention period is less than 7 days

Explore which storage buckets have a retention period of less than a week. This can be useful in identifying potential data loss risks due to short retention periods.

select
name,
retention_policy ->> 'retentionPeriod' as retention_period
from
gcp_storage_bucket
where
retention_policy ->> 'retentionPeriod' < 604800 :: text;
select
name,
json_extract(retention_policy, '$.retentionPeriod') as retention_period
from
gcp_storage_bucket
where
cast(
json_extract(retention_policy, '$.retentionPeriod') as integer
) < 604800;

Control examples

Schema for gcp_storage_bucket

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
acljsonbAn access-control list
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
billing_requester_paysbooleanWhen set to true, Requester Pays is enabled for this bucket.
corsjsonbThe bucket's Cross-Origin Resource Sharing (CORS) configuration.
default_event_based_holdbooleanThe default value for event-based hold on newly created objects in this bucket. Event-based hold is a way to retain objects indefinitely until an event occurs, signified by the hold's release. After being released, such objects will be subject to bucket-level retention (if any).
default_kms_key_nametextA Cloud KMS key that will be used to encrypt objects inserted into this bucket, if no encryption method is specified.
default_object_acljsonbLists of object access control entries
etagtextHTTP 1.1 Entity tag for the bucket.
iam_configuration_bucket_policy_only_enabledbooleanThe bucket's uniform bucket-level access configuration. The feature was formerly known as Bucket Policy Only. For backward compatibility, this field will be populated with identical information as the uniformBucketLevelAccess field.
iam_configuration_public_access_preventiontextThe bucket's Public Access Prevention configuration. Currently, 'unspecified' and 'enforced' are supported.
iam_configuration_uniform_bucket_level_access_enabledbooleanThe bucket's uniform bucket-level access configuration.
iam_policyjsonbAn Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`.
idtextThe ID of the bucket. For buckets, the id and name properties are the same.
kindtextThe kind of item this is. For buckets, this is always storage#bucket.
labelsjsonbLabels that apply to this bucket.
lifecycle_rulesjsonbThe bucket's lifecycle configuration. See lifecycle management for more information.
locationtextThe GCP multi-region, region, or zone in which the resource is located.
location_typetextThe type of the bucket location.
log_buckettextThe destination bucket where the current bucket's logs should be placed.
log_object_prefixtextA prefix for log object names.
metagenerationbigintThe metadata generation of this bucket.
nametext=The name of the bucket.
owner_entitytextThe entity, in the form project-owner-projectId. This is always the project team's owner group.
owner_entity_idtextThe ID for the entity.
projecttext=, !=, ~~, ~~*, !~~, !~~*The GCP Project in which the resource is located.
project_numberdouble precisionThe project number of the project the bucket belongs to.
retention_policyjsonbThe bucket's retention policy. The retention policy enforces a minimum retention time for all objects contained in the bucket, based on their creation time. Any attempt to overwrite or delete objects younger than the retention period will result in a PERMISSION_DENIED error.
self_linktextThe URI of this bucket.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
storage_classtextThe bucket's default storage class, used whenever no storageClass is specified for a newly-created object. This defines how objects in the bucket are stored and determines the SLA and the cost of storage. Values include MULTI_REGIONAL, REGIONAL, STANDARD, NEARLINE, COLDLINE, ARCHIVE, and DURABLE_REDUCED_AVAILABILITY. If this value is not specified when the bucket is created, it will default to STANDARD.
tagsjsonbA map of tags for the resource.
time_createdtimestamp with time zoneThe creation time of the bucket in RFC 3339 format.
titletextTitle of the resource.
updatedtimestamp with time zoneThe modification time of the bucket.
versioning_enabledbooleanWhile set to true, versioning is fully enabled for this bucket.
website_main_page_suffixtextIf the requested object path is missing, the service will ensure the path has a trailing '/', append this suffix, and attempt to retrieve the resulting object. This allows the creation of index.html objects to represent directory pages.
website_not_found_pagetextIf the requested object path is missing, and any mainPageSuffix object is missing, if applicable, the service will return the named object from this bucket as the content for a 404 Not Found result.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_storage_bucket