LinuxCommandLibrary

gcpdiag

Diagnose Google Cloud Platform configuration issues

TLDR

Run gcpdiag on your project, returning all rules

$ gcpdiag lint --project [gcp_project_id]

Hide rules that are ok
$ gcpdiag lint --project [gcp_project_id] --hide-ok

Authenticate using a service account private key file
$ gcpdiag lint --project [gcp_project_id] --auth-key [path/to/private_key]

Search logs and metrics from a number of days back (default: 3 days)
$ gcpdiag lint --project [gcp_project_id] --within-days [number]

Display help
$ gcpdiag lint --help
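
The --auth-key form above hands gcpdiag a long-lived service account credential stored on disk. The wrapper below is an added example, not code from this page or from the gcpdiag project: it checks the key file before running the lint. The function names file_mode, check_sa_key and lint_with_key are hypothetical, and it assumes the key is a JSON service account key file.

```bash
#!/usr/bin/env bash
# Added example (not part of gcpdiag): pre-flight checks for a key file
# before it is handed to `gcpdiag lint --auth-key`.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if the key file is safe to use; explain on stderr otherwise.
check_sa_key() {
  local key="$1" mode
  if [ -L "$key" ]; then
    echo "refusing symlink: $key" >&2; return 1
  fi
  if [ ! -f "$key" ] || [ ! -r "$key" ]; then
    echo "not a readable regular file: $key" >&2; return 1
  fi
  if [ ! -O "$key" ]; then
    echo "key file is not owned by the current user: $key" >&2; return 1
  fi
  mode=$(file_mode "$key") || return 1
  # Any group/other bit lets another local account read or replace the key.
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "mode $mode is too open, run: chmod 600 $key" >&2; return 1
  fi
  # Assumption: a service account key is JSON with "type": "service_account".
  if ! grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key"; then
    echo "not a service account key: $key" >&2; return 1
  fi
}

# Run the lint command from this page only when the key passes the checks.
lint_with_key() {
  local project="$1" key="$2"
  check_sa_key "$key" || return 1
  gcpdiag lint --project "$project" --auth-key "$key" --hide-ok
}
```

After sourcing the file, call lint_with_key [gcp_project_id] [path/to/private_key].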

SYNOPSIS

gcpdiag run [--project PROJECT] [--scope SCOPE] [--resource RES] [--resource-type TYPE] [--filter FILTER] [OPTIONS]

PARAMETERS

--project PROJECT
    GCP project ID to diagnose (auto-detects if omitted)

--scope SCOPE
    Scan scope: auto, project, folder:ID, or org:ID (default: auto)

--resource RES
    Full resource name, e.g., projects/p/zones/z/instances/i

--resource-type TYPE
    Resource type filter, e.g., compute_instance, gke_cluster

--filter FILTER
    JQ-style filter for findings, e.g., .category == "compute"

--group-by GROUP
    Group output by resource or finding (default: resource)

--format FORMAT
    Output format: text, json, html (default: text)

--output FILE
    Save output to file

--skip-log-scanner
    Skip scanning audit logs (faster, less comprehensive)

--debug
    Enable debug logging

DESCRIPTION

gcpdiag is an open-source command-line tool developed by Google Cloud for automatically diagnosing common issues and misconfigurations in Google Cloud Platform (GCP) environments. It supports scanning at project, folder, or organization scope, inspecting resources like Compute Engine VMs, GKE clusters, Cloud SQL instances, Pub/Sub topics, and IAM policies. The tool analyzes configurations, metrics, audit logs, and operational data to detect problems such as high CPU usage, missing firewalls, deprecated images, permission issues, and more. It provides detailed findings with severity levels (FAIL, WARN, OK), explanations, and remediation steps.

Diagnostics can be run with filters for specific resources or use cases, with results output in text, JSON, or HTML format. The tool is suited to SREs, DevOps teams, and support engineers who need to triage incidents quickly without manual log diving. It requires GCP authentication and appropriate IAM roles such as roles/logging.viewer and roles/monitoring.viewer. The project is actively maintained on GitHub with community contributions.

CAVEATS

Requires the gcloud CLI to be authenticated with sufficient IAM permissions (e.g., Logging Viewer, Monitoring Viewer). Scans can be slow and resource-intensive on large organizations. Coverage is limited to supported finders and resources, and preview findings may change.

INSTALLATION

pip install gcpdiag
Ensure that gcloud auth application-default login has been run and that a project is set.

EXAMPLE USAGE

gcpdiag run --project=my-project --resource-type=gke_cluster
Diagnoses all GKE clusters in the project.

HISTORY

Developed by Google Cloud Customer Engineering team; first public release in 2021; open-sourced on GitHub (google/gcpdiag); regular updates add new finders for emerging GCP services; widely used in production support.

SEE ALSO

gcloud(1), gsutil(1)
