gcpdiag is a command-line diagnostics tool for GCP users. It identifies and helps resolve common problems in Google Cloud Platform projects. Drawing on the Google Cloud Support team’s troubleshooting expertise, it tests applications against a variety of best practices and common errors.
gcpdiag is open-source software and contributions are welcome! Please be aware that this is a community effort rather than an officially supported Google product.
What are the prerequisites for gcpdiag?
The following are necessary for gcpdiag to function properly:
1. Permissions
The following roles (both of them) must be granted at the very least to the credentials you use with gcpdiag:
- Viewer on the project being inspected
- Service Usage Consumer on the project used for billing/quota enforcement, which is often the project being inspected but can be set explicitly with the --billing-project option
The Editor and Owner roles already include all the necessary permissions. However, if you use service account authentication (--auth-key), we advise granting that service account only the Viewer and Service Usage Consumer roles.
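One way to check the least-privilege advice above is to audit the project's IAM policy for the service account you pass to --auth-key. This is an added example, not code from the gcpdiag project; it assumes the policy JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and the project and account names in the sample are constructed.

```python
import json

# Roles the page asks for, and the broad roles it advises against granting
# to a service account used with --auth-key.
REQUIRED = {"roles/viewer", "roles/serviceusage.serviceUsageConsumer"}
BROAD = {"roles/editor", "roles/owner"}

SA = "gcpdiag@example-project.iam.gserviceaccount.com"  # constructed name


def audit_gcpdiag_sa(policy_json, sa_email):
    """Compare the roles bound directly to a service account with the
    Viewer + Service Usage Consumer baseline.

    "missing" lists recommended roles that are not bound, even when a broad
    role such as Editor would cover their permissions. Roles inherited from
    a folder or organization, or granted via a group, are not in a project
    policy and are therefore not checked here.
    """
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in json.loads(policy_json).get("bindings", []):
        if member in binding.get("members", []):
            # A conditional binding may not apply when gcpdiag runs, so it
            # does not count towards satisfying a required role.
            target = conditional if "condition" in binding else granted
            target.add(binding["role"])
    everything = granted | conditional
    return {
        "missing": sorted(REQUIRED - granted),
        "broad": sorted(everything & BROAD),
        "extra": sorted(everything - REQUIRED - BROAD),
        "least_privilege": granted == REQUIRED and not conditional,
    }


# Constructed sample policy: the gcpdiag account has Viewer plus Editor, and
# Service Usage Consumer is bound to a different account.
SAMPLE_POLICY = json.dumps({"version": 3, "bindings": [
    {"role": "roles/viewer",
     "members": [f"serviceAccount:{SA}", "user:alice@example.com"]},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/serviceusage.serviceUsageConsumer",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
]})

if __name__ == "__main__":
    print(audit_gcpdiag_sa(SAMPLE_POLICY, SA))
```

If Service Usage Consumer is granted on a separate billing project (--billing-project), run the check against that project's policy as well.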
2. Required APIs
The following APIs must be enabled in order for gcpdiag to properly inspect resources:
- cloudresourcemanager.googleapis.com (API for Cloud Resource Manager)
- iam.googleapis.com (Identity and Access Management API)
- serviceusage.googleapis.com (Service Usage API)
These APIs can be enabled through Cloud Console or the command line:
gcpdiag Installation
gcpdiag can be run through a shell wrapper that launches it in a Docker container. This should work on any computer with Docker or Podman installed, including Cloud Shell.
curl https://gcpdiag.dev/gcpdiag.sh >gcpdiag
chmod +x gcpdiag
./gcpdiag lint --project=MYPROJECT
gcpdiag Usage
The primary subcommand that gcpdiag currently provides is lint, which is used to perform diagnostics on one or more GCP projects.
usage: gcpdiag lint --project P [OPTIONS]
Run diagnostics in GCP projects.
optional arguments:
  -h                              show the help window
  --auth-adc                      authenticate using Application Default Credentials (default)
  --auth-key FILE                 authenticate using a key file
  --project P                     project ID of the project to inspect
  --hide-ok                       hide rules with result OK
  --exclude EXCLUDE               exclude rule pattern
  --include-extended              include extended rules
  -v, --verbose                   increase log verbosity
  --output FORMATTER              format output as JSON or another format
  --logging-fetch-max-entries E   configure the maximum number of entries to fetch
  --within-days D                 how many days back to check logs
  --show-skipped                  show skipped rules
gcpdiag Authentication
gcpdiag supports multiple authentication methods:
1. OAuth user consent flow
Like gcloud, gcpdiag automatically uses the OAuth user authentication flow. It will print a URL that you must visit in a browser and prompt you to enter the token you are given once you have successfully authenticated there.
The credentials are cached on disk, so you can continue using gcpdiag for a further hour. To get rid of the cached authentication information, delete the $HOME/.cache/gcpdiag directory.
2. Application default credentials
gcpdiag can use the Cloud SDK’s Application Default Credentials (ADC). You might first need to run gcloud auth login --update-adc to refresh the cached credentials. This is the default in Cloud Shell, because ADC credentials are provisioned automatically in that environment.
3. Service account key
The --auth-key parameter also allows you to supply a service account’s private key.
Test Products, Classes, and IDs
Tests are classified by product, class, and ID.
The product is the GCP service being tested, for instance GKE or GCE.
The class is the type of test, and we currently have:
The ID is currently represented as YYYY NNN, where YYYY is the year the test was created and NNN is a counter. The ID must be unique per product/class combination.
Each test also has a short description and a long description. The short description is a statement of the good state that is being verified (i.e., we test for compliance, meaning the absence of a problem, rather than for errors).
In conclusion, gcpdiag is a useful tool for Google Cloud users and supports most authentication methods.