Query Google Cloud
Query Google Cloud projects, compute instances, storage, and networking with cnquery
Mondoo's gcp provider lets you use cnquery to query and inventory your Google Cloud resources. You can explore projects, Compute Engine instances, Cloud Storage buckets, DNS configurations, networking, and more.
Requirements
To analyze your Google Cloud environment with cnquery, you must have:
Configure access to Google Cloud
Log in to Google Cloud using the gcloud CLI:
gcloud auth login --update-adc
Set the project you want to query:
gcloud config set project YOUR_PROJECT_ID
To verify your configuration:
gcloud config list
Connect to Google Cloud
To query an entire organization:
cnquery shell gcp org ORGANIZATION_ID
To query a specific project:
cnquery shell gcp project PROJECT_ID
To query a specific folder:
cnquery shell gcp folder FOLDER_ID
Example queries
Projects
Verify cnquery can access your project:
cnquery> gcp.project
gcp.project: gcp.project name="luna-edge"
Compute Engine instances
List all Compute Engine instances:
cnquery> gcp.project.computeService.instances
gcp.project.computeService.instances: [
  0: gcp.project.computeService.instance name="web-server-01"
  1: gcp.project.computeService.instance name="db-server-01"
  2: gcp.project.computeService.instance name="luna-edge"
  ...
]
Retrieve details about instances including their status and scheduling:
cnquery> gcp.project.computeService.instances { name status scheduling }
gcp.project.computeService.instances: [
  0: {
    status: "TERMINATED"
    scheduling: {
      automaticRestart: true
      onHostMaintenance: "MIGRATE"
      provisioningModel: "STANDARD"
    }
    name: "web-server-01"
  }
  1: {
    status: "RUNNING"
    scheduling: {
      automaticRestart: true
      onHostMaintenance: "MIGRATE"
      provisioningModel: "STANDARD"
    }
    name: "luna-edge"
  }
  ...
]
Filter instances by status:
cnquery> gcp.project.computeService.instances.where(status == "RUNNING") { name lastStartTimestamp }
gcp.project.computeService.instances.where: [
  0: {
    name: "luna-edge"
    lastStartTimestamp: 2025-01-17 02:58:31.254 -0800 PST
  }
  1: {
    name: "windows-gitlab"
    lastStartTimestamp: 2025-04-05 11:39:20.217 -0700 PDT
  }
]
Cloud Storage buckets
List all Cloud Storage buckets:
cnquery> gcp.project.storageService.buckets
gcp.project.storageService.buckets: [
  0: gcp.project.storageService.bucket name="luna-assets"
  1: gcp.project.storageService.bucket name="luna-backups"
  ...
]
Retrieve details about buckets including their location and storage class:
cnquery> gcp.project.storageService.buckets { name location storageClass created }
gcp.project.storageService.buckets: [
  0: {
    name: "luna-assets"
    location: "US"
    storageClass: "STANDARD"
    created: 2024-03-15 10:30:00 +0000 UTC
  }
  1: {
    name: "luna-backups"
    location: "US-CENTRAL1"
    storageClass: "NEARLINE"
    created: 2024-06-20 14:00:00 +0000 UTC
  }
]
DNS
List DNS managed zones:
cnquery> gcp.project.dns.managedZones
gcp.project.dns.managedZones: [
  0: gcp.project.dns.managedZone name="example-zone" dnsName="example.com."
  ...
]
Firewalls
List firewall rules:
cnquery> gcp.project.computeService.firewalls { name direction allowed denied }
gcp.project.computeService.firewalls: [
  0: {
    name: "allow-ssh"
    direction: "INGRESS"
    allowed: [
      0: {
        IPProtocol: "tcp"
        ports: [
          0: "22"
        ]
      }
    ]
    denied: []
  }
  1: {
    name: "allow-https"
    direction: "INGRESS"
    allowed: [
      0: {
        IPProtocol: "tcp"
        ports: [
          0: "443"
        ]
      }
    ]
    denied: []
  }
  ...
]
Request full details
For a detailed report on any resource, specify that you want all fields:
cnquery> gcp.project.computeService.instances { * }
Learn more
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the Google Cloud resources and fields you can query, read the Google Cloud (GCP) Resource Pack Reference.
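The firewall listing in the Firewalls section can be triaged outside the shell. The Python below is an added example, not Mondoo's own code: it takes rules carrying the fields that query selects (name, direction, allowed) and reports ingress rules that admit administrative ports, going beyond the page's two rules to cover port ranges, entries without a port list, and the "all" protocol as Google Cloud firewall rules define them. The JSON shape of the input, the sample rules, the ADMIN_PORTS list and the function names are assumptions made for illustration.

```python
import json

# Constructed sample (not real output), limited to the fields the page's query selects.
# Assumption: the rules were exported from cnquery as a JSON list of this shape.
SAMPLE_RULES = json.loads("""
[
  {"name": "allow-ssh", "direction": "INGRESS",
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "denied": []},
  {"name": "allow-https", "direction": "INGRESS",
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}], "denied": []},
  {"name": "allow-range", "direction": "INGRESS",
   "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}], "denied": []},
  {"name": "allow-internal", "direction": "INGRESS",
   "allowed": [{"IPProtocol": "all"}], "denied": []},
  {"name": "egress-ssh", "direction": "EGRESS",
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "denied": []}
]
""")

# Hypothetical watch list of administrative TCP ports; adjust to local policy.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def port_in_spec(port, spec):
    """True if port matches a port spec: a single port ("22") or a range ("20-25")."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def entry_allows(entry, port):
    """True if one allowed[] entry admits TCP traffic to the port."""
    if entry.get("IPProtocol") not in ("tcp", "6", "all"):  # 6 is TCP's protocol number
        return False
    ports = entry.get("ports") or []   # no ports listed means every port
    return not ports or any(port_in_spec(port, s) for s in ports)

def admin_ingress(rules):
    """Return sorted (rule name, service) pairs for ingress rules that admit an admin port."""
    hits = set()
    for rule in rules:
        if rule.get("direction") != "INGRESS":
            continue
        for entry in rule.get("allowed") or []:
            for port, service in ADMIN_PORTS.items():
                if entry_allows(entry, port):
                    hits.add((rule["name"], service))
    return sorted(hits)

if __name__ == "__main__":
    for name, service in admin_ingress(SAMPLE_RULES):
        print(f"{name}: admits {service}")
```

A rule reported here is a lead, not a finding: the query on this page does not select the rule's sources or targets, so check those before treating the port as exposed.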