CloudGraph GCP Provider

Use the CloudGraph GCP Provider to scan and normalize cloud infrastructure using the GCP Client Libraries.

Install

Install the GCP provider in CloudGraph:

cg init gcp

Authentication

Authenticate the CloudGraph GCP Provider using service account keys:

Multi Account

CloudGraph is able to scan multiple GCP service accounts at once. This is done by entering a project ID and the service account key file location for each service account when running cg init. All resources will be tagged with a projectId so you can query resources specific to a project or query resources across accounts!

Configuration

CloudGraph creates a configuration file at:

NOTE: CloudGraph will output where it stores the configuration file and provider data as part of the cg init command.

CloudGraph will generate this configuration file when you run cg init gcp. You may update it manually or by running cg init gcp again.

"gcp": {
  "accounts": [
    {
      "projectId": "autocloud-sandbox",
      "keyFilename": "/Users/me/autocloud-sandbox.json"
    },
    {
      "projectId": "cloudgraph-sample",
      "keyFilename": "/Users/me/cloudgraph-sample.json"
    }
  ],
  "regions": "us-central1,us-east1",
  "resources": "vpc,project"
}

The CloudGraph GCP Provider will ask which regions you would like to crawl and, by default, will crawl all supported resources in the selected regions in the default account. You can update the regions or resources fields in the cloud-graphrc.json file to change this behavior. You can also select which resources to crawl in the cg init gcp command by passing the -r flag: cg init gcp -r
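Because the configuration above points at service account key files on disk, it is worth auditing those entries before a scan. The following is an added example, not part of CloudGraph: the function name audit_gcp_accounts and the owner-only permission policy are assumptions, it expects a POSIX file system, and it relies on the standard type and project_id fields of a Google service account key file.

```python
import json
import os
import stat
import sys


def audit_gcp_accounts(gcp_section):
    """Return (projectId, finding) tuples for the "gcp" config section."""
    findings = []
    for account in gcp_section.get("accounts", []):
        project = account.get("projectId", "<missing projectId>")
        path = account.get("keyFilename")
        if not path or not os.path.isfile(path):
            findings.append((project, "key file missing"))
            continue
        # A service account key is a long-lived credential: owner-only access.
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                (project, f"key file mode {mode:o} allows group/other access"))
        try:
            with open(path, encoding="utf-8") as fh:
                key = json.load(fh)
        except (OSError, ValueError):
            findings.append((project, "key file is not readable JSON"))
            continue
        if not isinstance(key, dict) or key.get("type") != "service_account":
            findings.append((project, "not a service account key"))
            continue
        # The key's home project may differ from the project being scanned;
        # flag it so cross-project access is a deliberate choice.
        if key.get("project_id") != project:
            findings.append(
                (project, f"key belongs to project {key.get('project_id')}"))
    return findings


if __name__ == "__main__":
    # Assumption: "gcp" is a top-level key of the config file given as argv[1].
    with open(sys.argv[1], encoding="utf-8") as fh:
        config = json.load(fh)
    results = audit_gcp_accounts(config["gcp"])
    for project, finding in results:
        print(f"{project}: {finding}")
    sys.exit(1 if results else 0)
```

Run it with the path that cg init prints for the configuration file; a non-zero exit status means at least one account entry needs attention.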

Supported Services

| Service | Relations |
| --- | --- |
| accessApproval | project |
| aiPlatformNotebooks | project, kmsCryptoKeys, network, subnet |
| alertPolicy | project |
| apiGatewayGateways | project, apiGatewayApis, apiGatewayApiConfigs |
| apiGatewayApis | project, apiGatewayGateways |
| apiGatewayApiConfigs | project, apiGatewayGateways |
| apiKeys | project |
| assets | project |
| bigQueryDataset | project |
| bigQueryConnection | project |
| bigQueryDataTransfer | bigQueryDataTransferRun, project |
| bigQueryDataTransferRun | project |
| bigQueryReservation | project |
| bigQueryReservationCapacityCommitment | project |
| cdnBackendBucket | project, cdnUrlMap |
| cdnBackendService | project, cdnUrlMap, network |
| cdnUrlMap | project, cdnBackendBucket, cdnBackendService |
| cloudFunction | project, vpcConnectors |
| cloudRouters | project |
| computeProject | project |
| dataprocClusters | project, dataprocJobs, dataprocWorkflowTemplates |
| dataprocAutoscalingPolicies | project |
| dataprocJobs | project, dataprocClusters |
| dataprocWorkflowTemplates | project, dataprocClusters |
| kmsCryptoKeys | aiPlatformNotebooks, iamPolicy, kmsKeyRing, project |
| dnsManagedZone | project |
| dnsPolicy | project, network |
| essentialContacts | project |
| firestoreDatabases | project |
| firewall | network, project |
| folder | iamPolicy, organization, project |
| kmsKeyRing | kmsCryptoKeys, project |
| iamPolicy | folder, kmsCryptoKeys, project |
| logBucket | logView, project |
| logMetric | project |
| logSink | project |
| logView | logBucket, project |
| network | cloudRouters, dnsPolicy, firewall, project, sqlInstances, subnet, vmInstance, vpcConnectors, cdnBackendService, aiPlatformNotebooks |
| organization | folder, project |
| project | ALL SERVICES |
| secretManager | project |
| serviceAccounts | project |
| sqlInstances | project, network |
| sslPolicies | project, targetHttpsProxies, targetSslProxies |
| storageBucket | project |
| subnet | project, network, vmInstance, vpcConnectors, aiPlatformNotebooks |
| targetSslProxies | project, sslPolicies |
| targetHttpsProxies | project, sslPolicies |
| vmInstance | project, network, subnet |
| vpcConnectors | cloudFunction, project, network, subnet |