Running gcpdiag

Prerequisites and how to run gcpdiag.


gcpdiag requires the following in order to be able to run correctly:

1. Permissions

The credentials that you use with gcpdiag needs to have at minimum the following roles granted (both of them):

  • Viewer on the inspected project
  • Service Usage Consumer on the project used for billing/quota enforcement, which is per default the project being inspected, but can be explicitly set using the --billing-project option

The Editor and Owner roles include all the required permissions, but we recommend that if you use service account authentication (--auth-key), you only grant the Viewer+Service Usage Consumer on that service account.

2. Required APIs

gcpdiag requires some APIs to be enabled in order for the inspection of resources to work correctly:

  • (Cloud Resource Manager API)
  • (Identity and Access Management API)
  • (Cloud Logging API)
  • (Service Usage API)

You can enable these APIs using Cloud Console or via command-line:

gcloud --project=MYPROJECT services enable \ \ \ \

Running in Cloud Shell

gcpdiag is integrated in Cloud Shell:

gcpdiag lint --project=MYPROJECT

Running with Docker

You can run gcpdiag using a shell wrapper that starts gcpdiag in a Docker container. This should work on any machine with Docker or Podman installed.

curl >gcpdiag
chmod +x gcpdiag
./gcpdiag lint --project=MYPROJECT