Use the CloudGraph GCP Provider to scan and normalize cloud infrastructure using the GCP Client Libraries
Install the GCP provider in CloudGraph
cg init gcp
Authenticate the CloudGraph GCP Provider using service account keys:
CloudGraph is able to scan multiple GCP service accounts at once. This is done by entering a project ID and the service account key file location for each service account when running cg init
. All resources will be tagged with a projectId
so you can query resources specific to a project or query resources across accounts!
CloudGraph creates a configuration file at:
- UNIX:
~/.config/cloudgraph/.cloud-graphrc.json
- Windows:
%LOCALAPPDATA%\cloudgraph/.cloud-graphrc.json
NOTE: CloudGraph will output where it stores the configuration file and provider data as part of the cg init
command
CloudGraph will generate this configuration file when you run cg init gcp
. You may update it manually or by running cg init gcp
again.
"gcp": {
"accounts": [
{
"projectId": "autocloud-sandbox",
"keyFilename": "/Users/me/autocloud-sandbox.json"
},
{
"projectId": "cloudgraph-sample",
"keyFilename": "/Users/me/cloudgraph-sample.json"
}
],
"regions": "us-central1,us-east1",
"resources": "vpc,project"
}
CloudGraph GCP Provider will ask you what regions you would like to crawl and will by default crawl for all supported resources in selected regions in the default account. You can update the regions
or resources
fields in the cloud-graphrc.json
file to change this behavior. You can also select which resources
to crawl in the cg init gcp
command by passing the the -r
flag: cg init gcp -r
Service | Relations |
---|---|
accessApproval | project |
aiPlatformNotebooks | project, kmsCryptoKeys, network, subnet |
alertPolicy | project |
apiGatewayGateways | project, apiGatewayApis, apiGatewayApiConfigs |
apiGatewayApis | project, apiGatewayGateways |
apiGatewayApiConfigs | project, apiGatewayGateways |
apiKeys | project |
assets | project |
bigQueryDataset | project |
bigQueryConnection | project |
bigQueryDataTransfer | bigQueryDataTransferRun, project |
bigQueryDataTransferRun | project |
bigQueryReservation | project |
bigQueryReservationCapacityCommitment | project |
cdnBackendBucket | project, cdnUrlMap |
cdnBackendService | project, cdnUrlMap, network |
cdnUrlMap | project, cdnBackendBucket, cdnBackendService |
cloudFunction | project, vpcConnectors |
cloudRouters | project |
computeProject | project |
dataprocClusters | project, dataprocJobs, dataprocWorkflowTemplates |
dataprocAutoscalingPolicies | project |
dataprocJobs | project, dataprocClusters |
dataprocWorkflowTemplates | project, dataprocClusters |
kmsCryptoKeys | aiPlatformNotebooks, iamPolicy, kmsKeyRing, project |
dnsManagedZone | project |
dnsPolicy | project, network |
essentialContacts | project |
firestoreDatabases | project |
firewall | network, project |
folder | iamPolicy, organization, project |
kmsKeyRing | kmsCryptoKeys, project |
iamPolicy | folder, kmsCryptoKeys, project |
logBucket | logView, project |
logMetric | project |
logSink | project |
logView | logBucket, project |
network | cloudRouters, dnsPolicy, firewall, project, sqlInstances, subnet, vmInstance, vpcConnectors, cdnBackendService, aiPlatformNotebooks |
organization | folder, project |
project | ALL SERVICES |
secretManager | project |
serviceAccounts | project |
sqlInstances | project, network |
sslPolicies | project, targetHttpsProxies, targetSslProxies |
storageBucket | project |
subnet | project, network, vmInstance, vpcConnectors, aiPlatformNotebooks |
targetSslProxies | project, sslPolicies |
targetHttpsProxies | project, sslPolicies |
vmInstance | project, network, subnet |
vpcConnectors | cloudFunction, project, network, subnet |