cnquery "operation failed" for GCP snapshot scanning #1582

Open

prashantkul opened this issue Aug 25, 2023 · 2 comments

@prashantkul
cnquery shell gcp snapshot ubuntu-snapshot --project-id ps-arg-prj2 -v --log-level trace

→ no Mondoo configuration file provided. using defaults
DBG parsing asset asset-type=13 provider=GCP_COMPUTE_INSTANCE_SNAPSHOT
→ discover related assets for 1 asset(s)
DBG run resolver resolver="GCP Compute Instance Resolver" resolver-id=gcp-compute-instance
→ resolved assets resolved-assets=1
DBG resolved 1 assets
DBG establish connection to asset connection=gcp-compute-instance insecure=false
DBG establish motor connection
DBG local> run command uname -s
DBG local> run command uname -m
DBG platform> cannot parse lsb config on this linux system error="open /etc/lsb-release: no such file or directory"
DBG local> run command uname -m
DBG local> run command uname -m
DBG platform> detected os family=["debian","linux","unix","os"] platform=debian
DBG local> run command curl --noproxy '*' -H Metadata-Flavor:Google http://metadata.google.internal/computeMetadata/v1/project/project-id?alt=json
DBG local> run command curl --noproxy '*' -H Metadata-Flavor:Google http://metadata.google.internal/computeMetadata/v1/instance/id?alt=json
DBG local> run command curl --noproxy '*' -H Metadata-Flavor:Google http://metadata.google.internal/computeMetadata/v1/instance/name?alt=json
DBG local> run command curl --noproxy '*' -H Metadata-Flavor:Google http://metadata.google.internal/computeMetadata/v1/instance/zone?alt=json
DBG created disk from snapshot disk=https://www.googleapis.com/compute/v1/projects/ps-arg-prj2/zones/us-west1-b/disks/cnspec--snapshot-2023-08-25t17-14-55z00-00
FTL could not connect to asset error="operation failed: [0xc002c59580]"
czunker (Contributor) commented Sep 18, 2023

Hey @prashantkul,

thanks for reporting this issue. The error message is fixed on main as part of #1616.

Running the same command again should now show you the real cause of the problem.

chris-rock (Member)
Thank you for the report @prashantkul. We are optimizing those errors to make them more useful. For snapshot scanning you need a few permissions in GCP:

  1. Spin up a GCP instance and assign it its own service account
  2. Create a new IAM role cnspec-snapshot-scanner with the following permissions:
     compute.disks.create
     compute.disks.createSnapshot
     compute.disks.delete
     compute.disks.get
     compute.disks.setLabels
     compute.disks.use
     compute.disks.useReadOnly
     compute.instances.attachDisk
     compute.instances.detachDisk
     compute.instances.get
     compute.snapshots.create
     compute.snapshots.get
     compute.snapshots.list
     compute.snapshots.useReadOnly
     compute.zoneOperations.get
  3. Assign the cnspec-snapshot-scanner and Service Account User roles to the VM service account

Once you have those permissions set, cnspec scans the snapshot. Let us know if you run into any other issues.
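The three steps above, written out as the gcloud commands that create the custom role and bind it to the scanner VM's service account. This is an added example, not code from the thread or from the cnspec project: the project id `ps-arg-prj2` and the permission list are taken from the issue, while the service-account email `cnspec-scanner@ps-arg-prj2.iam.gserviceaccount.com` and the `DRY_RUN` switch are assumptions for illustration. With `DRY_RUN=1` (the default) the script only prints the commands it would run, so it can be reviewed before it touches IAM; `DRY_RUN=0 sh setup.sh apply` executes them.

```shell
#!/bin/sh
# Added example (not from the issue thread or the cnspec project): the gcloud
# commands behind chris-rock's three steps. PROJECT_ID comes from the issue;
# SCANNER_SA and the role id are assumptions, override them via the environment.
PROJECT_ID="${PROJECT_ID:-ps-arg-prj2}"
SCANNER_SA="${SCANNER_SA:-cnspec-scanner@${PROJECT_ID}.iam.gserviceaccount.com}"
ROLE_ID="${ROLE_ID:-cnspec-snapshot-scanner}"

# The permission list from the thread, one per line so reviews and diffs stay readable.
SNAPSHOT_PERMS="compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.instances.attachDisk
compute.instances.detachDisk
compute.instances.get
compute.snapshots.create
compute.snapshots.get
compute.snapshots.list
compute.snapshots.useReadOnly
compute.zoneOperations.get"

# DRY_RUN=1 (default) prints each gcloud command instead of executing it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Join the newline-separated list into the comma-separated form --permissions expects.
perm_csv() {
  printf '%s' "$SNAPSHOT_PERMS" | tr '\n' ','
}

# Step 2: project-level custom role carrying exactly the listed permissions.
create_role() {
  run gcloud iam roles create "$ROLE_ID" \
    --project="$PROJECT_ID" \
    --title="cnspec snapshot scanner" \
    --stage=GA \
    --permissions="$(perm_csv)"
}

# Step 3: grant the custom role plus Service Account User to the VM's service account.
bind_roles() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SCANNER_SA}" \
    --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SCANNER_SA}" \
    --role="roles/iam.serviceAccountUser"
}

# Check: list every role bound to the scanner service account on the project.
show_bindings() {
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${SCANNER_SA}" \
    --format="value(bindings.role)"
}

if [ "${1:-}" = "apply" ]; then
  create_role
  bind_roles
  show_bindings
fi
```

Two caveats from practice that the thread does not spell out: IAM grants are only usable from the VM if its access scopes allow the Compute API (create the instance with `--scopes=cloud-platform` or an equivalent compute scope, otherwise the token the metadata server hands out is scope-limited regardless of IAM), and because the role can create, attach and delete disks in the project (the trace above shows cnquery creating `cnspec--snapshot-...` from the snapshot), keep it on a dedicated service account used only by the scanner VM rather than the project's default compute service account.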

3 participants