How to Collect Google Cloud Resource Data

The Google Cloud collector is configured within the Fix Inventory Worker configuration via the config command in Fix Inventory Shell.

Prerequisites

This guide assumes that you have already installed Fix Inventory.

Directions

1. Enable the Google Cloud Collector

  1. Open the Fix Inventory Worker configuration via the config command in Fix Inventory Shell:

    > config edit fix.worker
  2. Add gcp to the list of collectors by modifying the configuration as follows:

    Fix Inventory Worker configuration
    fixworker:
      ...
      # List of collectors to run
      collector:
        - 'gcp'
        ...
    ...

2. Authenticate with Google Cloud

You can authenticate with Google Cloud via service account JSON files or automatic discovery.

  1. Open the Fix Inventory Worker configuration via the config command in Fix Inventory Shell:

    > config edit fix.worker
  2. Add the contents of your service account JSON file(s) to the fixworker section of the configuration as follows:

    Fix Inventory Worker configuration
    fixworker:
      ...
      write_files_to_home_dir:
        - path: ~/.gcp/service-account-1.json
          content: |
            {
              "type": "service_account",
              "project_id": "example",
              "private_key_id": "7fe5157943fc7fe5157943fc7fe5157943fc",
              "private_key": "-----BEGIN PRIVATE KEY-----\n<private key>\n-----END PRIVATE KEY-----\n",
              "client_email": "account@example.iam.gserviceaccount.com",
              "client_id": "123456789123456789",
              "auth_uri": "https://accounts.google.com/o/oauth2/auth",
              "token_uri": "https://oauth2.googleapis.com/token",
              "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
              "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/account%40example.iam.gserviceaccount.com"
            }
        - path: ~/.gcp/service-account-2.json
          content: |
            {
              ...
            }
    ...

    Note: If you do not wish to save the contents of your service account JSON file(s) to Fix Inventory's database, you can alternatively mount the directory containing your service account JSON file(s) to the fixworker container.

    Info: Since Fix Inventory is running on your local machine, it can access the file(s) directly. Move or copy your service account JSON file(s) to the ~/.gcp directory.

  3. Modify the gcp section of the configuration as follows, adding the paths to your service account JSON file:

    Fix Inventory Worker configuration
    fixworker:
      ...
    ...
    gcp:
      ...
      # GCP service account file(s)
      service_account:
        - /home/fixinventory/.gcp/service-account-1.json
        - /home/fixinventory/.gcp/service-account-2.json
    ...

    Note: The above example assumes that your service account JSON file(s) are named service-account-1.json, service-account-2.json, etc.
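
Before listing key files under service_account, a pre-flight check such as the following confirms that each file in the key directory parses, is a service account key, and is not accessible to group or other users. This is an added example, not part of Fix Inventory or its documentation; the function names, the required-field list and the sample files are assumptions of the example.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumption: fields from the page's sample key file that a usable key must carry.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri")

def check_key_file(path):
    """Return a list of problems found in one service account JSON file."""
    try:
        mode = Path(path).stat().st_mode
        data = json.loads(Path(path).read_text())
    except (OSError, ValueError) as exc:
        return [f"unreadable or not JSON: {exc}"]
    if not isinstance(data, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other permission bit
        problems.append(f"mode {stat.S_IMODE(mode):04o} exposes the key to group/other")
    if data.get("type") != "service_account":
        problems.append(f"type is {data.get('type')!r}, expected 'service_account'")
    missing = [k for k in REQUIRED if not data.get(k)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if "BEGIN PRIVATE KEY" not in str(data.get("private_key", "")):
        problems.append("private_key is not a PEM block")
    return problems

def audit_key_dir(directory):
    """Map each *.json file in the directory to its list of problems."""
    return {f.name: check_key_file(f) for f in sorted(Path(directory).glob("*.json"))}

def demo():
    """Audit two constructed key files; the key material is a placeholder."""
    good = {"type": "service_account", "project_id": "example", "private_key_id": "0" * 8,
            "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
            "client_email": "account@example.iam.gserviceaccount.com",
            "token_uri": "https://oauth2.googleapis.com/token"}
    bad = {**good, "type": "authorized_user"}  # wrong credential type
    with tempfile.TemporaryDirectory() as d:
        for name, doc, mode in (("service-account-1.json", good, 0o600),
                                ("service-account-2.json", bad, 0o644)):
            Path(d, name).write_text(json.dumps(doc))
            os.chmod(Path(d, name), mode)
        return audit_key_dir(d)

if __name__ == "__main__":
    print(demo())
```

To check real files, call audit_key_dir on the directory that holds them (for example the ~/.gcp directory used above) and resolve every reported problem before adding the paths to the configuration.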

3. Trigger Resource Collection

  1. By default, Fix Inventory performs resource collection each hour. To immediately trigger a collect run, use the workflow run command in Fix Inventory Shell:

    > workflow run collect
  2. Once the collect run completes, you can view a summary of collected Google Cloud resources using the following search:

    > search is(gcp_resource) | count kind