本文說明如何將機構、資料夾或專案的資產快照匯出至 BigQuery 資料表,然後對庫存清單執行資料分析。BigQuery 提供類似 SQL 的體驗,讓使用者分析資料並產生有意義的洞察資料,不必使用自訂指令碼。
事前準備
在您執行 Cloud Asset Inventory 指令的專案中,啟用 Cloud Asset Inventory API。
請確認您的帳戶具有呼叫 Cloud Asset Inventory API 的正確角色。 如要瞭解各通話類型的個別權限,請參閱「權限」。
如果沒有,請建立 BigQuery 資料集來匯出資料。
限制
匯出 BigQuery 資料表資料時,Cloud Asset Inventory 不支援所有欄位。
經常變更的資產欄位 (例如
numBytes、numLongTermBytes、numPhysicalBytes和numRows) 可能會匯出null值。不支援匯出至 BigQuery 叢集資料表。
不支援使用自訂 Cloud Key Management Service (Cloud KMS) 金鑰加密的 BigQuery 資料表。
除非匯出至分區資料表,否則系統不支援將匯出輸出內容附加至現有資料表。目的地資料表不得包含任何內容,或您必須覆寫該資料表。如要覆寫,請搭配 gcloud CLI 使用
--output-bigquery-force標記,或搭配 REST API 使用"force": true。匯出至每個資源類型各別的表格時,系統不支援 Google Kubernetes Engine (GKE) 資源類型,但
container.googleapis.com/Cluster和container.googleapis.com/NodePool除外。如果先前傳送至相同目的地的要求在 15 分鐘前啟動,且仍在執行中,Cloud Asset Inventory 會拒絕匯出要求。不過,如果匯出作業超過 15 分鐘仍未完成,系統會將其標示為完成,並允許對相同目的地提出新的匯出要求。
ACCESS_POLICY內容類型只能在機構層級匯出。如果匯入目的地資料表已存在,且正在匯入資料,系統會傳回
400錯誤。
用於匯出的 BigQuery 結構定義
每個 BigQuery 資料表都按結構定義定義,其中包含資料欄名稱、資料類型和其他資訊。設定匯出作業的內容類型會決定資料表的結構定義:
資源或未指定:將內容類型設為
RESOURCE或未指定,並將per-asset-type旗標設為false或未使用,即可建立具有下列結構定義的 BigQuery 資料表。資源結構定義
[ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "version", "type": "STRING" }, { "mode": "NULLABLE", "name": "discovery_document_uri", "type": "STRING" }, { "mode": "NULLABLE", "name": "discovery_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "resource_url", "type": "STRING" }, { "mode": "NULLABLE", "name": "parent", "type": "STRING" }, { "mode": "NULLABLE", "name": "data", "type": "STRING" }, { "mode": "NULLABLE", "name": "location", "type": "STRING" } ], "mode": "NULLABLE", "name": "resource", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ]
resource.data欄是資源中繼資料,以 JSON 字串表示。如果將內容類型設為
RESOURCE或未設定內容類型,並將per-asset-type標記設為true,系統會為每種資產類型建立個別資料表。每個資料表的結構定義都包含 RECORD 類型的資料欄,這些資料欄會對應至該資產類型Resource.data欄位中的巢狀欄位 (最多可達 BigQuery 支援的 15 個巢狀層級)。如需範例表格,請參閱 Google Cloud 控制台中的export-assets-examples。IAM 政策:在 REST API 中將內容類型設為
IAM_POLICY,或在 gcloud CLI 中設為iam-policy時,您會建立具有下列結構定義的 BigQuery 資料表。IAM 政策結構定義
[ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "version", "type": "INTEGER" }, { "fields": [ { "mode": "NULLABLE", "name": "role", "type": "STRING" }, { "mode": "REPEATED", "name": "members", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "expression", "type": "STRING" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "mode": "NULLABLE", "name": "location", "type": "STRING" } ], "mode": "NULLABLE", "name": "condition", "type": "RECORD" } ], "mode": "REPEATED", "name": "bindings", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "service", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "log_type", "type": "INTEGER" }, { "mode": "REPEATED", "name": "exempted_members", "type": "STRING" } ], "mode": "REPEATED", "name": "audit_log_configs", "type": "RECORD" } ], "mode": "REPEATED", "name": "audit_configs", "type": "RECORD" }, { "mode": "NULLABLE", "name": "etag", "type": "STRING" } ], "mode": "NULLABLE", "name": "iam_policy", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ]
機構政策:在 REST API 中將內容類型設為
ORG_POLICY,或在 gcloud CLI 中設為org-policy時,您會建立具有下列結構定義的 BigQuery 資料表。機構政策結構定義
[ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "version", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "constraint", "type": "STRING" }, { "mode": "NULLABLE", "name": "etag", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" }, { "fields": [ { "mode": "REPEATED", "name": "allowed_values", "type": "STRING" }, { "mode": "REPEATED", "name": "denied_values", "type": "STRING" }, { "mode": "NULLABLE", "name": "all_values", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "suggested_value", "type": "STRING" }, { "mode": "NULLABLE", "name": "inherit_from_parent", "type": "BOOLEAN" } ], "mode": "NULLABLE", "name": "list_policy", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "enforced", "type": "BOOLEAN" } ], "mode": "NULLABLE", "name": "boolean_policy", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "_present", "type": "BOOLEAN" } ], "mode": "NULLABLE", "name": "restore_default", "type": "RECORD" } ], "mode": "REPEATED", "name": "org_policy", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ]
VPCSC 政策:在 REST API 中將內容類型設為
ACCESS_POLICY,或在 gcloud CLI 中設為access-policy時,您會建立具有下列結構定義的 BigQuery 資料表。VPCSC 政策結構定義
[ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "parent", "type": "STRING" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "REPEATED", "name": "scopes", "type": "STRING" }, { "mode": "NULLABLE", "name": "etag", "type": "STRING" } ], "mode": "NULLABLE", "name": "access_policy", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "fields": [ { "fields": [ { "mode": "REPEATED", "name": "ip_subnetworks", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "require_screenlock", "type": "BOOLEAN" }, { "mode": "REPEATED", "name": "allowed_encryption_statuses", "type": "INTEGER" }, { "fields": [ { "mode": "NULLABLE", "name": "os_type", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "minimum_version", "type": "STRING" }, { "mode": "NULLABLE", "name": "require_verified_chrome_os", "type": "BOOLEAN" } ], "mode": "REPEATED", "name": "os_constraints", "type": "RECORD" }, { "mode": "REPEATED", "name": "allowed_device_management_levels", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "require_admin_approval", "type": "BOOLEAN" }, { "mode": "NULLABLE", "name": "require_corp_owned", "type": "BOOLEAN" } ], "mode": "NULLABLE", "name": "device_policy", "type": "RECORD" }, { "mode": "REPEATED", "name": "required_access_levels", "type": "STRING" }, { "mode": "NULLABLE", "name": "negate", "type": "BOOLEAN" }, { "mode": "REPEATED", "name": "members", "type": "STRING" }, { "mode": "REPEATED", "name": "regions", "type": "STRING" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "network", "type": "STRING" }, { "mode": "REPEATED", "name": "vpc_ip_subnetworks", "type": "STRING" } ], "mode": "NULLABLE", "name": "vpc_subnetwork", "type": "RECORD" } ], "mode": "REPEATED", "name": "vpc_network_sources", "type": "RECORD" } ], "mode": "REPEATED", "name": "conditions", "type": "RECORD" }, { "mode": "NULLABLE", "name": "combining_function", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "basic", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "expression", "type": "STRING" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "mode": "NULLABLE", "name": "location", "type": "STRING" } ], "mode": "NULLABLE", "name": "expr", "type": "RECORD" } ], "mode": "NULLABLE", "name": "custom", "type": "RECORD" } ], "mode": "NULLABLE", "name": "access_level", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "mode": "NULLABLE", "name": "perimeter_type", "type": "INTEGER" }, { "fields": [ { "mode": "REPEATED", "name": "resources", "type": "STRING" }, { "mode": "REPEATED", "name": "access_levels", "type": "STRING" }, { "mode": "REPEATED", "name": "restricted_services", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "enable_restriction", "type": "BOOLEAN" }, { "mode": "REPEATED", "name": "allowed_services", "type": "STRING" } ], "mode": "NULLABLE", "name": "vpc_accessible_services", "type": "RECORD" }, { "fields": [ { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "access_level", "type": "STRING" }, { "mode": "NULLABLE", "name": "resource", "type": "STRING" } ], "mode": "REPEATED", "name": "sources", "type": "RECORD" }, { "mode": "REPEATED", "name": "identities", "type": "STRING" }, { "mode": "NULLABLE", "name": "identity_type", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "ingress_from", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "service_name", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "method", "type": "STRING" }, { "mode": "NULLABLE", "name": "permission", "type": "STRING" } ], "mode": "REPEATED", "name": "method_selectors", "type": "RECORD" } ], "mode": "REPEATED", "name": "operations", "type": "RECORD" }, { "mode": "REPEATED", "name": "resources", "type": "STRING" } ], "mode": "NULLABLE", "name": "ingress_to", "type": "RECORD" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" } ], "mode": "REPEATED", "name": "ingress_policies", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "REPEATED", "name": "identities", "type": "STRING" }, { "mode": "NULLABLE", "name": "identity_type", "type": "INTEGER" }, { "fields": [ { "mode": "NULLABLE", "name": "access_level", "type": "STRING" }, { "mode": "NULLABLE", "name": "resource", "type": "STRING" } ], "mode": "REPEATED", "name": "sources", "type": "RECORD" }, { "mode": "NULLABLE", "name": "source_restriction", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "egress_from", "type": "RECORD" }, { "fields": [ { "mode": "REPEATED", "name": "resources", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "service_name", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "method", "type": "STRING" }, { "mode": "NULLABLE", "name": "permission", "type": "STRING" } ], "mode": "REPEATED", "name": "method_selectors", "type": "RECORD" } ], "mode": "REPEATED", "name": "operations", "type": "RECORD" }, { "mode": "REPEATED", "name": "external_resources", "type": "STRING" } ], "mode": "NULLABLE", "name": "egress_to", "type": "RECORD" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" } ], "mode": "REPEATED", "name": "egress_policies", "type": "RECORD" } ], "mode": "NULLABLE", "name": "status", "type": "RECORD" }, { "fields": [ { "mode": "REPEATED", "name": "resources", "type": "STRING" }, { "mode": "REPEATED", "name": "access_levels", "type": "STRING" }, { "mode": "REPEATED", "name": "restricted_services", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "enable_restriction", "type": "BOOLEAN" }, { "mode": "REPEATED", "name": "allowed_services", "type": "STRING" } ], "mode": "NULLABLE", "name": "vpc_accessible_services", "type": "RECORD" }, { "fields": [ { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "access_level", "type": "STRING" }, { "mode": "NULLABLE", "name": "resource", "type": "STRING" } ], "mode": "REPEATED", "name": "sources", "type": "RECORD" }, { "mode": "REPEATED", "name": "identities", "type": "STRING" }, { "mode": "NULLABLE", "name": "identity_type", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "ingress_from", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "service_name", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "method", "type": "STRING" }, { "mode": "NULLABLE", "name": "permission", "type": "STRING" } ], "mode": "REPEATED", "name": "method_selectors", "type": "RECORD" } ], "mode": "REPEATED", "name": "operations", "type": "RECORD" }, { "mode": "REPEATED", "name": "resources", "type": "STRING" } ], "mode": "NULLABLE", "name": "ingress_to", "type": "RECORD" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" } ], "mode": "REPEATED", "name": "ingress_policies", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "REPEATED", "name": "identities", "type": "STRING" }, { "mode": "NULLABLE", "name": "identity_type", "type": "INTEGER" }, { "fields": [ { "mode": "NULLABLE", "name": "access_level", "type": "STRING" }, { "mode": "NULLABLE", "name": "resource", "type": "STRING" } ], "mode": "REPEATED", "name": "sources", "type": "RECORD" }, { "mode": "NULLABLE", "name": "source_restriction", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "egress_from", "type": "RECORD" }, { "fields": [ { "mode": "REPEATED", "name": "resources", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "service_name", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "method", "type": "STRING" }, { "mode": "NULLABLE", "name": "permission", "type": "STRING" } ], "mode": "REPEATED", "name": "method_selectors", "type": "RECORD" } ], "mode": "REPEATED", "name": "operations", "type": "RECORD" }, { "mode": "REPEATED", "name": "external_resources", "type": "STRING" } ], "mode": "NULLABLE", "name": "egress_to", "type": "RECORD" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" } ], "mode": "REPEATED", "name": "egress_policies", "type": "RECORD" } ], "mode": "NULLABLE", "name": "spec", "type": "RECORD" }, { "mode": "NULLABLE", "name": "use_explicit_dry_run_spec", "type": "BOOLEAN" }, { "mode": "NULLABLE", "name": "etag", "type": "STRING" } ], "mode": "NULLABLE", "name": "service_perimeter", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "authorization_type", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "asset_type", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "authorization_direction", "type": "INTEGER" }, { "mode": "REPEATED", "name": "orgs", "type": "STRING" } ], "mode": "NULLABLE", "name": "authorized_orgs_desc", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ]
OSConfig 執行個體清單:在 REST API 中將內容類型設為
OS_INVENTORY,或在 gcloud CLI 中設為os-inventory時,您會建立具有下列結構定義的 BigQuery 資料表。OS 庫存架構
[ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "hostname", "type": "STRING" }, { "mode": "NULLABLE", "name": "long_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "short_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "kernel_version", "type": "STRING" }, { "mode": "NULLABLE", "name": "kernel_release", "type": "STRING" }, { "mode": "NULLABLE", "name": "osconfig_agent_version", "type": "STRING" } ], "mode": "NULLABLE", "name": "os_info", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "key", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "id", "type": "STRING" }, { "mode": "NULLABLE", "name": "origin_type", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "create_time", "type": "TIMESTAMP" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" }, { "mode": "NULLABLE", "name": "type", "type": "INTEGER" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "yum_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "apt_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "zypper_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "googet_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "patch_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "category", "type": "STRING" }, { "mode": "NULLABLE", "name": "severity", "type": "STRING" }, { "mode": "NULLABLE", "name": "summary", "type": "STRING" } ], "mode": "NULLABLE", "name": "zypper_patch", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "id", "type": "STRING" }, { "mode": "NULLABLE", "name": "name", "type": "STRING" } ], "mode": "REPEATED", "name": "categories", "type": "RECORD" }, { "mode": "REPEATED", "name": "kb_article_ids", "type": "STRING" }, { "mode": "NULLABLE", "name": "support_url", "type": "STRING" }, { "mode": "REPEATED", "name": "more_info_urls", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_id", "type": "STRING" }, { "mode": "NULLABLE", "name": "revision_number", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "last_deployment_change_time", "type": "TIMESTAMP" } ], "mode": "NULLABLE", "name": "wua_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "caption", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "mode": "NULLABLE", "name": "hot_fix_id", "type": "STRING" }, { "mode": "NULLABLE", "name": "install_time", "type": "TIMESTAMP" } ], "mode": "NULLABLE", "name": "qfe_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "cos_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "display_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "display_version", "type": "STRING" }, { "mode": "NULLABLE", "name": "publisher", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "year", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "month", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "day", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "install_date", "type": "RECORD" }, { "mode": "NULLABLE", "name": "help_link", "type": "STRING" } ], "mode": "NULLABLE", "name": "windows_application", "type": "RECORD" } ], "mode": "NULLABLE", "name": "installed_package", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "yum_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "apt_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "zypper_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "googet_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "patch_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "category", "type": "STRING" }, { "mode": "NULLABLE", "name": "severity", "type": "STRING" }, { "mode": "NULLABLE", "name": "summary", "type": "STRING" } ], "mode": "NULLABLE", "name": "zypper_patch", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "id", "type": "STRING" }, { "mode": "NULLABLE", "name": "name", "type": "STRING" } ], "mode": "REPEATED", "name": "categories", "type": "RECORD" }, { "mode": "REPEATED", "name": "kb_article_ids", "type": "STRING" }, { "mode": "NULLABLE", "name": "support_url", "type": "STRING" }, { "mode": "REPEATED", "name": "more_info_urls", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_id", "type": "STRING" }, { "mode": "NULLABLE", "name": "revision_number", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "last_deployment_change_time", "type": "TIMESTAMP" } ], "mode": "NULLABLE", "name": "wua_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "caption", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "mode": "NULLABLE", "name": "hot_fix_id", "type": "STRING" }, { "mode": "NULLABLE", "name": "install_time", "type": "TIMESTAMP" } ], "mode": "NULLABLE", "name": "qfe_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "cos_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "display_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "display_version", "type": "STRING" }, { "mode": "NULLABLE", "name": "publisher", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "year", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "month", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "day", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "install_date", "type": "RECORD" }, { "mode": "NULLABLE", "name": "help_link", "type": "STRING" } ], "mode": "NULLABLE", "name": "windows_application", "type": "RECORD" } ], "mode": "NULLABLE", "name": "available_package", "type": "RECORD" } ], "mode": "NULLABLE", "name": "value", "type": "RECORD" } ], "mode": "REPEATED", "name": "items", "type": "RECORD" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ], "mode": "NULLABLE", "name": "os_inventory", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ]
關係:在 REST API 中將內容類型設為
RELATIONSHIP,或在 gcloud CLI 中設為relationship時,您會建立具有下列結構定義的 BigQuery 資料表。關係結構定義
[ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "asset", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "relationship_type", "type": "STRING" } ], "mode": "NULLABLE", "name": "related_asset", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ]
匯出資產快照
gcloud
gcloud asset export \ --SCOPE \ --billing-project=BILLING_PROJECT_ID \ --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \ --content-type=CONTENT_TYPE \ --relationship-types=RELATIONSHIP_TYPE_1,RELATIONSHIP_TYPE_2,... \ --snapshot-time="SNAPSHOT_TIME" \ --bigquery-table=projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \ --output-bigquery-force
提供以下這些值:
-
SCOPE:請使用下列其中一個值:-
project=PROJECT_ID,其中PROJECT_ID是要匯出資產中繼資料的專案 ID。 -
folder=FOLDER_ID,其中FOLDER_ID是要匯出資產中繼資料的資料夾 ID。如何找出 Google Cloud 資料夾的 ID
Google Cloud 控制台
如要找出 Google Cloud 資料夾的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 搜尋資料夾名稱。資料夾 ID 會顯示在資料夾名稱旁邊。
gcloud CLI
您可以使用下列指令,擷取位於機構組織層級的 Google Cloud 資料夾 ID:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
其中 TOP_LEVEL_FOLDER_NAME 是資料夾名稱的部分或完整字串比對。移除
--format標記,即可查看找到的資料夾詳細資訊。先前的指令不會傳回資料夾中子資料夾的 ID。如要執行這項操作,請使用頂層資料夾的 ID 執行下列指令:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organization=ORGANIZATION_ID,其中ORGANIZATION_ID是擁有您要匯出資產中繼資料的機構 ID。如何查看機構的 ID Google Cloud
Google Cloud 控制台
如要找出 Google Cloud 機構的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 按一下「全部」分頁標籤。機構 ID 會顯示在機構名稱旁邊。
gcloud CLI
您可以使用下列指令擷取機構的 ID: Google Cloud
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID:選用。預設 Cloud Asset Inventory 服務代理程式所在的專案 ID,該服務代理程式有權管理您的 BigQuery 資料集和資料表。 進一步瞭解如何設定帳單專案。 ASSET_TYPE_#:選用。以半形逗號分隔的 可搜尋素材資源類型清單。 支援與 RE2 相容的規則運算式。如果規則運算式與任何支援的資產類型都不相符,系統會傳回INVALID_ARGUMENT錯誤。如未指定--asset-types,系統會傳回所有資產類型。CONTENT_TYPE:選用。要擷取的中繼資料 內容類型。如果未指定--content-type,則只會傳回基本資訊,例如資產名稱、資產上次更新時間,以及資產所屬的專案、資料夾和機構。-
RELATIONSHIP_TYPE_#:選用。您必須有 Security Command Center Premium 或 Enterprise 級別的存取權,或是 Gemini Cloud Assist 存取權,以半形逗號分隔的資產關係類型清單,列出您要擷取的類型。您必須將CONTENT_TYPE設為RELATIONSHIP, 這項功能才能正常運作。 -
SNAPSHOT_TIME:選用。您要擷取資產快照的時間,請採用 gcloud 主題日期時間格式。這個值不得超過 35 天前。如果未指定--snapshot-time,系統會在目前時間拍攝快照。 -
BIGQUERY_PROJECT_ID:要匯出至其中的 BigQuery 資料表所在專案 ID。 -
DATASET_ID:BigQuery 資料集的 ID。 -
TABLE_NAME:要將中繼資料匯出至其中的 BigQuery 資料表。如果不存在,系統會建立該目錄。
--output-bigquery-force 旗標會覆寫現有的目的地資料表。
如要瞭解所有選項,請參閱 gcloud CLI 參考資料。
範例
執行下列指令,將 resource 中繼資料 (2024 年 1 月 30 日的狀態) 從 my-project 專案匯出至 BigQuery 資料表 my-table。
gcloud asset export \ --project=my-project \ --content-type=resource \ --snapshot-time="2024-01-30" \ --bigquery-table=projects/my-project/datasets/my-dataset/tables/my-table \ --output-bigquery-force
回覆範例
Export in progress for root asset [projects/my-project]. Use [gcloud asset operations describe projects/000000000000/operations/ExportAssets/RESOURCE/00000000000000000000000000000000] to check the status of the operation.
REST
HTTP 方法和網址:
POST https://cloudasset.googleapis.com/v1/SCOPE_PATH:exportAssets
標頭:
X-Goog-User-Project: BILLING_PROJECT_ID
JSON 要求內文:
{ "assetTypes": [ "ASSET_TYPE_1", "ASSET_TYPE_2", "..." ], "contentType": "CONTENT_TYPE", "relationshipTypes": [ "RELATIONSHIP_TYPE_1", "RELATIONSHIP_TYPE_2", "..." ], "readTime": "SNAPSHOT_TIME", "outputConfig": { "bigqueryDestination": { "dataset": "projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID", "table": "TABLE_NAME", "force": true } } }
提供以下這些值:
-
SCOPE_PATH:請使用下列其中一個值:允許的值如下:
-
projects/PROJECT_ID,其中PROJECT_ID是要匯出資產中繼資料的專案 ID。 -
projects/PROJECT_NUMBER,其中PROJECT_NUMBER是專案編號,該專案包含您要匯出的資產中繼資料。如何找出 Google Cloud 專案編號
Google Cloud 控制台
如要找出專案編號,請完成下列步驟: Google Cloud
gcloud CLI
您可以使用下列指令擷取專案編號: Google Cloud
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID,其中FOLDER_ID是要匯出資產中繼資料的資料夾 ID。如何找出 Google Cloud 資料夾的 ID
Google Cloud 控制台
如要找出 Google Cloud 資料夾的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 搜尋資料夾名稱。資料夾 ID 會顯示在資料夾名稱旁邊。
gcloud CLI
您可以使用下列指令,擷取位於機構組織層級的 Google Cloud 資料夾 ID:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
其中 TOP_LEVEL_FOLDER_NAME 是資料夾名稱的部分或完整字串比對。移除
--format標記,即可查看找到的資料夾詳細資訊。先前的指令不會傳回資料夾中子資料夾的 ID。如要執行這項操作,請使用頂層資料夾的 ID 執行下列指令:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID,其中ORGANIZATION_ID是擁有您要匯出資產中繼資料的機構 ID。如何查看機構的 ID Google Cloud
Google Cloud 控制台
如要找出 Google Cloud 機構的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 按一下「全部」分頁標籤。機構 ID 會顯示在機構名稱旁邊。
gcloud CLI
您可以使用下列指令擷取機構的 ID: Google Cloud
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID:預設 Cloud Asset Inventory 服務代理程式所在的專案 ID,該專案具有管理 BigQuery 資料集和資料表的權限。 進一步瞭解如何設定帳單專案。 ASSET_TYPE_#:選用。可搜尋的素材資源類型陣列。 支援與 RE2 相容的規則運算式。如果規則運算式與任何支援的資產類型都不相符,系統會傳回INVALID_ARGUMENT錯誤。如未指定assetTypes,系統會傳回所有資產類型。CONTENT_TYPE:選用。要擷取的中繼資料 內容類型。如果未指定contentType,則只會傳回基本資訊,例如資產名稱、資產上次更新時間,以及資產所屬的專案、資料夾和機構。-
RELATIONSHIP_TYPE_#:選用。您必須有 Security Command Center Premium 或 Enterprise 級別的存取權,或是 Gemini Cloud Assist 存取權,以半形逗號分隔的資產關係類型清單,列出您要擷取的類型。您必須將CONTENT_TYPE設為RELATIONSHIP, 這項功能才能正常運作。 -
SNAPSHOT_TIME:選用。要擷取資產快照的時間,採用 RFC 3339 格式。這個值不得超過 35 天前。如果未指定readTime,系統會在目前時間拍攝快照。 -
BIGQUERY_PROJECT_ID:要匯出至其中的 BigQuery 資料表所在專案 ID。 -
DATASET_ID:BigQuery 資料集的 ID。 -
TABLE_NAME:要將中繼資料匯出至其中的 BigQuery 資料表。如果不存在,系統會建立該目錄。
如果目的地資料表存在,"force": true 鍵/值組會覆寫該資料表。
如要瞭解所有選項,請參閱 REST 參考資料。
指令範例
執行下列任一指令,將 resource 專案中 2024 年 1 月 30 日的 my-project 中繼資料匯出至 BigQuery 資料表 my-table。
curl (Linux、macOS 或 Cloud Shell)
curl -X POST \ -H "X-Goog-User-Project: BILLING_PROJECT_ID" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "contentType": "RESOURCE", "readTime": "2024-01-30T00:00:00Z", "outputConfig": { "bigqueryDestination": { "dataset": "projects/my-project/datasets/my-dataset", "table": "my-table", "force": true } } }' \ https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" } $body = @" { "contentType": "RESOURCE", "readTime": "2024-01-30T00:00:00Z", "outputConfig": { "bigqueryDestination": { "dataset": "projects/my-project/datasets/my-dataset", "table": "my-table", "force": true } } } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets" | Select-Object -Expand Content
回覆範例
{ "name": "projects/000000000000/operations/ExportAssets/RESOURCE/00000000000000000000000000000000", "metadata": { "@type": "type.googleapis.com/google.cloud.asset.v1.ExportAssetsRequest", "parent": "projects/000000000000", "readTime": "2024-01-30T00:00:00Z", "contentType": "RESOURCE", "outputConfig": { "bigqueryDestination": { "dataset": "projects/my-project/datasets/my-dataset", "table": "my-table", "force": true } } } }
Go
如要瞭解如何安裝及使用 Cloud Asset Inventory 的用戶端程式庫,請參閱這篇文章。
如要驗證 Cloud Asset Inventory,請設定應用程式預設憑證。 詳情請參閱「為本機開發環境設定驗證」。
Java
如要瞭解如何安裝及使用 Cloud Asset Inventory 的用戶端程式庫,請參閱這篇文章。
如要驗證 Cloud Asset Inventory,請設定應用程式預設憑證。 詳情請參閱「為本機開發環境設定驗證」。
Node.js
如要瞭解如何安裝及使用 Cloud Asset Inventory 的用戶端程式庫,請參閱這篇文章。
如要驗證 Cloud Asset Inventory,請設定應用程式預設憑證。 詳情請參閱「為本機開發環境設定驗證」。
Python
如要瞭解如何安裝及使用 Cloud Asset Inventory 的用戶端程式庫,請參閱這篇文章。
如要驗證 Cloud Asset Inventory,請設定應用程式預設憑證。 詳情請參閱「為本機開發環境設定驗證」。
將資產快照匯出至各資產類型的獨立表格
您可以使用 gcloud CLI 中的 --per-asset-type 旗標,以及 REST API 要求中的 "separateTablesPerAssetType": true,將資產匯出至各資產類型的個別 BigQuery 資料表。無法透過這種方式匯出RELATIONSHIP內容類型。
在此模式中,每個資料表的名稱都會以 TABLE_NAME 串連 _ (底線) 和資產類型名稱。非英數字元會替換為 _。
如果匯出至任何資料表失敗,整個匯出作業就會失敗,並傳回第一個錯誤。先前成功匯出的結果會保留。
下列型別會封裝在 JSON 字串中,以解決 Proto3 和 BigQuery 型別之間的相容性問題。
google.protobuf.Timestampgoogle.protobuf.Durationgoogle.protobuf.FieldMaskgoogle.protobuf.ListValuegoogle.protobuf.Valuegoogle.protobuf.Structgoogle.api.*
gcloud
gcloud asset export \ --SCOPE \ --billing-project=BILLING_PROJECT_ID \ --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \ --content-type=CONTENT_TYPE \ --snapshot-time="SNAPSHOT_TIME" \ --bigquery-table=projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \ --per-asset-type \ --output-bigquery-force
提供以下這些值:
-
SCOPE:請使用下列其中一個值:-
project=PROJECT_ID,其中PROJECT_ID是要匯出資產中繼資料的專案 ID。 -
folder=FOLDER_ID,其中FOLDER_ID是要匯出資產中繼資料的資料夾 ID。如何找出 Google Cloud 資料夾的 ID
Google Cloud 控制台
如要找出 Google Cloud 資料夾的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 搜尋資料夾名稱。資料夾 ID 會顯示在資料夾名稱旁邊。
gcloud CLI
您可以使用下列指令,擷取位於機構組織層級的 Google Cloud 資料夾 ID:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
其中 TOP_LEVEL_FOLDER_NAME 是資料夾名稱的部分或完整字串比對。移除
--format標記,即可查看找到的資料夾詳細資訊。先前的指令不會傳回資料夾中子資料夾的 ID。如要執行這項操作,請使用頂層資料夾的 ID 執行下列指令:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organization=ORGANIZATION_ID,其中ORGANIZATION_ID是擁有您要匯出資產中繼資料的機構 ID。如何查看機構的 ID Google Cloud
Google Cloud 控制台
如要找出 Google Cloud 機構的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 按一下「全部」分頁標籤。機構 ID 會顯示在機構名稱旁邊。
gcloud CLI
您可以使用下列指令擷取機構的 ID: Google Cloud
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID:選用。預設 Cloud Asset Inventory 服務代理程式所在的專案 ID,該服務代理程式有權管理您的 BigQuery 資料集和資料表。 進一步瞭解如何設定帳單專案。 ASSET_TYPE_#:選用。以半形逗號分隔的 可搜尋素材資源類型清單。 支援與 RE2 相容的規則運算式。如果規則運算式與任何支援的資產類型都不相符,系統會傳回INVALID_ARGUMENT錯誤。如未指定--asset-types,系統會傳回所有資產類型。-
CONTENT_TYPE:選用。要擷取的中繼資料 內容類型。RELATIONSHIP內容類型無法與--per-asset-type搭配使用。如果未指定
--content-type,則只會傳回基本資訊,例如資產名稱、資產上次更新時間,以及資產所屬的專案、資料夾和機構。 -
SNAPSHOT_TIME:選用。您要擷取資產快照的時間,請採用 gcloud 主題日期時間格式。這個值不得超過 35 天前。如果未指定--snapshot-time,系統會在目前時間拍攝快照。 -
BIGQUERY_PROJECT_ID:要匯出至其中的 BigQuery 資料表所在專案 ID。 -
DATASET_ID:BigQuery 資料集的 ID。 -
TABLE_NAME:您要將中繼資料匯出至其中的 BigQuery 資料表前置字元。資料表全名是前置字串,後面接上_和資產類型。
--output-bigquery-force 旗標會覆寫現有的目的地資料表。
如要瞭解所有選項,請參閱 gcloud CLI 參考資料。
範例
執行下列指令,將 resource 專案中 2024 年 1 月 30 日的 resource 中繼資料匯出至多個 BigQuery 資料表,這些資料表的前置字元為 my-table。my-project
gcloud asset export \ --project=my-project \ --content-type=resource \ --snapshot-time="2024-01-30" \ --bigquery-table=projects/my-project/datasets/my-dataset/tables/my-table \ --per-asset-type \ --output-bigquery-force
REST
HTTP 方法和網址:
POST https://cloudasset.googleapis.com/v1/SCOPE_PATH:exportAssets
標頭:
X-Goog-User-Project: BILLING_PROJECT_ID
JSON 要求內文:
{ "assetTypes": [ "ASSET_TYPE_1", "ASSET_TYPE_2", "..." ], "contentType": "CONTENT_TYPE", "readTime": "SNAPSHOT_TIME", "outputConfig": { "bigqueryDestination": { "dataset": "projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID", "table": "TABLE_NAME", "force": true, "separateTablesPerAssetType": true } } }
提供以下這些值:
-
SCOPE_PATH:請使用下列其中一個值:允許的值如下:
-
projects/PROJECT_ID,其中PROJECT_ID是要匯出資產中繼資料的專案 ID。 -
projects/PROJECT_NUMBER,其中PROJECT_NUMBER是專案編號,該專案包含您要匯出的資產中繼資料。如何找出 Google Cloud 專案編號
Google Cloud 控制台
如要找出專案編號,請完成下列步驟: Google Cloud
gcloud CLI
您可以使用下列指令擷取專案編號: Google Cloud
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID,其中FOLDER_ID是要匯出資產中繼資料的資料夾 ID。如何找出 Google Cloud 資料夾的 ID
Google Cloud 控制台
如要找出 Google Cloud 資料夾的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 搜尋資料夾名稱。資料夾 ID 會顯示在資料夾名稱旁邊。
gcloud CLI
您可以使用下列指令,擷取位於機構組織層級的 Google Cloud 資料夾 ID:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
其中 TOP_LEVEL_FOLDER_NAME 是資料夾名稱的部分或完整字串比對。移除
--format標記,即可查看找到的資料夾詳細資訊。先前的指令不會傳回資料夾中子資料夾的 ID。如要執行這項操作,請使用頂層資料夾的 ID 執行下列指令:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID,其中ORGANIZATION_ID是擁有要匯出資產中繼資料的機構 ID。如何查看機構的 ID Google Cloud
Google Cloud 控制台
如要找出 Google Cloud 機構的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 按一下「全部」分頁標籤。機構 ID 會顯示在機構名稱旁邊。
gcloud CLI
您可以使用下列指令擷取機構的 ID: Google Cloud
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID:預設 Cloud Asset Inventory 服務代理程式所在的專案 ID,該專案具有管理 BigQuery 資料集和資料表的權限。 進一步瞭解如何設定帳單專案。 ASSET_TYPE_#:選用。可搜尋的素材資源類型陣列。 支援與 RE2 相容的規則運算式。如果規則運算式與任何支援的資產類型都不相符,系統會傳回INVALID_ARGUMENT錯誤。如未指定assetTypes,系統會傳回所有資產類型。-
CONTENT_TYPE:選用。要擷取的中繼資料 內容類型。RELATIONSHIP內容類型無法與"separateTablesPerAssetType": true搭配使用。如果未指定
contentType,則只會傳回基本資訊,例如資產名稱、資產上次更新時間,以及資產所屬的專案、資料夾和機構。 -
SNAPSHOT_TIME:選用。要擷取資產快照的時間,採用 RFC 3339 格式。這個值不得超過 35 天前。如果未指定readTime,系統會在目前時間拍攝快照。 -
BIGQUERY_PROJECT_ID:要匯出至其中的 BigQuery 資料表所在專案 ID。 -
DATASET_ID:BigQuery 資料集的 ID。 -
TABLE_NAME:您要將中繼資料匯出至其中的 BigQuery 資料表前置字元。資料表全名是前置字串,後面接上_和資產類型。
如果目的地資料表存在,"force": true 鍵/值組會覆寫該資料表。
指令範例
執行下列任一指令,將 resource 專案中 2024 年 1 月 30 日的 resource 中繼資料匯出至多個 BigQuery 資料表,這些資料表的前置字元為 my-table。my-project
curl (Linux、macOS 或 Cloud Shell)
curl -X POST \ -H "X-Goog-User-Project: BILLING_PROJECT_ID" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "contentType": "RESOURCE", "readTime": "2024-01-30T00:00:00Z", "outputConfig": { "bigqueryDestination": { "dataset": "projects/my-project/datasets/my-dataset", "table": "my-table", "force": true, "separateTablesPerAssetType": true } } }' \ https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" } $body = @" { "contentType": "RESOURCE", "readTime": "2024-01-30T00:00:00Z", "outputConfig": { "bigqueryDestination": { "dataset": "projects/my-project/datasets/my-dataset", "table": "my-table", "force": true, "separateTablesPerAssetType": true } } } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets" | Select-Object -Expand Content
將資產快照匯出至時間單位資料欄分區資料表
您可以將專案中的資產匯出至以時間單位資料欄為依據的分區資料表。匯出的快照會儲存在名為 TABLE_NAME 的 BigQuery 資料表中,並以每日為單位,以及兩個額外時間戳記資料欄 readTime 和 requestTime,其中一個您指定為分割資料欄,值為 PARTITION_KEY。
如要將專案中的資產匯出至分區資料表,請提出下列其中一項要求。
gcloud
gcloud asset export \ --SCOPE \ --billing-project=BILLING_PROJECT_ID \ --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \ --content-type=CONTENT_TYPE \ --relationship-types=RELATIONSHIP_TYPE_1,RELATIONSHIP_TYPE_2,... \ --snapshot-time="SNAPSHOT_TIME" \ --bigquery-table=projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \ --partition-key=PARTITION_KEY \ --output-bigquery-force
提供以下這些值:
-
SCOPE:請使用下列其中一個值:-
project=PROJECT_ID,其中PROJECT_ID是要匯出資產中繼資料的專案 ID。 -
folder=FOLDER_ID,其中FOLDER_ID是要匯出資產中繼資料的資料夾 ID。如何找出 Google Cloud 資料夾的 ID
Google Cloud 控制台
如要找出 Google Cloud 資料夾的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 搜尋資料夾名稱。資料夾 ID 會顯示在資料夾名稱旁邊。
gcloud CLI
您可以使用下列指令,擷取位於機構組織層級的 Google Cloud 資料夾 ID:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
其中 TOP_LEVEL_FOLDER_NAME 是資料夾名稱的部分或完整字串比對。移除
--format標記,即可查看找到的資料夾詳細資訊。先前的指令不會傳回資料夾中子資料夾的 ID。如要執行這項操作,請使用頂層資料夾的 ID 執行下列指令:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organization=ORGANIZATION_ID,其中ORGANIZATION_ID是擁有您要匯出資產中繼資料的機構 ID。如何查看機構的 ID Google Cloud
Google Cloud 控制台
如要找出 Google Cloud 機構的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 按一下「全部」分頁標籤。機構 ID 會顯示在機構名稱旁邊。
gcloud CLI
您可以使用下列指令擷取機構的 ID: Google Cloud
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID:選用。預設 Cloud Asset Inventory 服務代理程式所在的專案 ID,該服務代理程式有權管理您的 BigQuery 資料集和資料表。 進一步瞭解如何設定帳單專案。 ASSET_TYPE_#:選用。以半形逗號分隔的 可搜尋素材資源類型清單。 支援與 RE2 相容的規則運算式。如果規則運算式與任何支援的資產類型都不相符,系統會傳回INVALID_ARGUMENT錯誤。如未指定--asset-types,系統會傳回所有資產類型。CONTENT_TYPE:選用。要擷取的中繼資料 內容類型。如果未指定--content-type,則只會傳回基本資訊,例如資產名稱、資產上次更新時間,以及資產所屬的專案、資料夾和機構。-
RELATIONSHIP_TYPE_#:選用。您必須有 Security Command Center Premium 或 Enterprise 級別的存取權,或是 Gemini Cloud Assist 存取權,以半形逗號分隔的資產關係類型清單,列出您要擷取的類型。您必須將CONTENT_TYPE設為RELATIONSHIP, 這項功能才能正常運作。 -
SNAPSHOT_TIME:選用。您要擷取資產快照的時間,請採用 gcloud 主題日期時間格式。這個值不得超過 35 天前。如果未指定--snapshot-time,系統會在目前時間拍攝快照。 -
BIGQUERY_PROJECT_ID:要匯出至其中的 BigQuery 資料表所在專案 ID。 -
DATASET_ID:BigQuery 資料集的 ID。 -
TABLE_NAME:要將中繼資料匯出至其中的 BigQuery 資料表。如果不存在,系統會建立該目錄。 -
PARTITION_KEY:匯出至 BigQuery 分區資料表時,分區鍵資料欄會用於分區。有效值為read-time和request-time。
--output-bigquery-force 旗標會覆寫目的地資料表中相應分區的資料。不同分區中的資料會保持不變。
如未指定 --output-bigquery-force,匯出的資料會附加到對應的分區。
如果結構定義更新或嘗試附加資料失敗,匯出作業就會失敗。包括目的地資料表已存在,但沒有匯出作業預期的結構定義。
如要瞭解所有選項,請參閱 gcloud CLI 參考資料。
範例
執行下列指令,將 resource 專案中 2024 年 1 月 30 日的 my-project 中繼資料匯出至 BigQuery 資料表 my-table。
gcloud asset export \ --project=projects/my-project \ --content-type=resource \ --snapshot-time="2024-01-30" \ --bigquery-table=projects/my-project/datasets/my-dataset/tables/my-table \ --partition-key=my-partition-key \ --output-bigquery-force
REST
HTTP 方法和網址:
POST https://cloudasset.googleapis.com/v1/SCOPE_PATH:exportAssets
標頭:
X-Goog-User-Project: BILLING_PROJECT_ID
JSON 要求內文:
{ "assetTypes": [ "ASSET_TYPE_1", "ASSET_TYPE_2", "..." ], "contentType": "CONTENT_TYPE", "relationshipTypes": [ "RELATIONSHIP_TYPE_1", "RELATIONSHIP_TYPE_2", "..." ], "readTime": "SNAPSHOT_TIME", "outputConfig": { "bigqueryDestination": { "dataset": "projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID", "table": "TABLE_NAME", "partitionSpec": { "partitionKey": "PARTITION_KEY" }, "force": true, } } }
提供以下這些值:
-
SCOPE_PATH:請使用下列其中一個值:允許的值如下:
-
projects/PROJECT_ID,其中PROJECT_ID是要匯出資產中繼資料的專案 ID。 -
projects/PROJECT_NUMBER,其中PROJECT_NUMBER是專案編號,該專案包含您要匯出的資產中繼資料。如何找出 Google Cloud 專案編號
Google Cloud 控制台
如要找出專案編號,請完成下列步驟: Google Cloud
gcloud CLI
您可以使用下列指令擷取專案編號: Google Cloud
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID,其中FOLDER_ID是要匯出資產中繼資料的資料夾 ID。如何找出 Google Cloud 資料夾的 ID
Google Cloud 控制台
如要找出 Google Cloud 資料夾的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 搜尋資料夾名稱。資料夾 ID 會顯示在資料夾名稱旁邊。
gcloud CLI
您可以使用下列指令,擷取位於機構組織層級的 Google Cloud 資料夾 ID:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
其中 TOP_LEVEL_FOLDER_NAME 是資料夾名稱的部分或完整字串比對。移除
--format標記,即可查看找到的資料夾詳細資訊。先前的指令不會傳回資料夾中子資料夾的 ID。如要執行這項操作,請使用頂層資料夾的 ID 執行下列指令:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID,其中ORGANIZATION_ID是擁有您要匯出資產中繼資料的機構 ID。如何查看機構的 ID Google Cloud
Google Cloud 控制台
如要找出 Google Cloud 機構的 ID,請完成下列步驟:
-
前往 Google Cloud 控制台。
- 按一下選單列中的「切換器」清單方塊。
- 從清單方塊中選取機構。
- 按一下「全部」分頁標籤。機構 ID 會顯示在機構名稱旁邊。
gcloud CLI
您可以使用下列指令擷取機構的 ID: Google Cloud
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID:預設 Cloud Asset Inventory 服務代理程式所在的專案 ID,該專案具有管理 BigQuery 資料集和資料表的權限。 進一步瞭解如何設定帳單專案。 ASSET_TYPE_#:選用。可搜尋的素材資源類型陣列。 支援與 RE2 相容的規則運算式。如果規則運算式與任何支援的資產類型都不相符,系統會傳回INVALID_ARGUMENT錯誤。如未指定assetTypes,系統會傳回所有資產類型。CONTENT_TYPE:選用。要擷取的中繼資料 內容類型。如果未指定contentType,則只會傳回基本資訊,例如資產名稱、資產上次更新時間,以及資產所屬的專案、資料夾和機構。-
RELATIONSHIP_TYPE_#:選用。您必須有 Security Command Center Premium 或 Enterprise 級別的存取權,或是 Gemini Cloud Assist 存取權,以半形逗號分隔的資產關係類型清單,列出您要擷取的類型。您必須將CONTENT_TYPE設為RELATIONSHIP, 這項功能才能正常運作。 -
SNAPSHOT_TIME:選用。要擷取資產快照的時間,採用 RFC 3339 格式。這個值不得超過 35 天前。如果未指定readTime,系統會在目前時間拍攝快照。 -
BIGQUERY_PROJECT_ID:要匯出至其中的 BigQuery 資料表所在專案 ID。 -
DATASET_ID:BigQuery 資料集的 ID。 -
TABLE_NAME:要將中繼資料匯出至其中的 BigQuery 資料表。如果不存在,系統會建立該目錄。 -
PARTITION_KEY:匯出至 BigQuery 分區資料表時,分區鍵資料欄。有效值為READ_TIME和REQUEST_TIME。
"force": true 鍵/值組合會覆寫目的地資料表中相應分區的資料。不同分區中的資料會保持不變。
如果未設定 force 或將其設為 false,匯出的資料會附加至相應的分區。
如果結構定義更新或附加資料的嘗試失敗,匯出作業就會失敗。包括目的地資料表已存在,但沒有匯出作業預期的結構定義。
指令範例
執行下列任一指令,將 resource 專案中 2024 年 1 月 30 日的 my-project 中繼資料匯出至 BigQuery 資料表 my-table。
curl (Linux、macOS 或 Cloud Shell)
curl -X POST \ -H "X-Goog-User-Project: BILLING_PROJECT_ID" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "contentType": "RESOURCE", "readTime": "2024-01-30T00:00:00Z", "outputConfig": { "bigqueryDestination": { "dataset": "projects/my-project/datasets/my-dataset", "table": "my-table", "partitionSpec": { "partitionKey": "my-partition-key" }, "force": true, } } }' \ https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" } $body = @" { "contentType": "RESOURCE", "readTime": "2024-01-30T00:00:00Z", "outputConfig": { "bigqueryDestination": { "dataset": "projects/my-project/datasets/my-dataset", "table": "my-table", "partitionSpec": { "partitionKey": "my-partition-key" }, "force": true, } } } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets" | Select-Object -Expand Content
查看匯出狀態
匯出作業需要一段時間才能完成。如要確認匯出作業是否完成,可以使用作業 ID 查詢作業。
請注意,即使匯出作業已完成,其他人也可能以不同作業,向相同目的地提出匯出要求。先前的要求完成後,或經過 15 分鐘以上,即可對相同目的地提出新的匯出要求。如果匯出要求不符合上述條件,Cloud Asset Inventory 會拒絕。
gcloud
如要查看匯出狀態,請完成下列步驟:
從匯出要求的回應中取得
OPERATION_PATH,其中包含作業 ID。回應匯出要求時會顯示OPERATION_PATH,格式如下:projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_ID如要檢查匯出作業的狀態,請執行下列指令並加上
OPERATION_PATH:gcloud asset operations describe OPERATION_PATH
REST
如要查看匯出狀態,請完成下列步驟:
從匯出要求的回應中取得
OPERATION_PATH,其中包含作業 ID。在匯出作業的回應中,OPERATION_PATH會顯示為name欄位的值,格式如下:projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_ID如要查看匯出狀態,請提出下列要求。
REST
HTTP 方法和網址:
GET https://cloudasset.googleapis.com/v1/OPERATION_PATH
指令範例
curl (Linux、macOS 或 Cloud Shell)
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://cloudasset.googleapis.com/v1/OPERATION_PATH
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://cloudasset.googleapis.com/v1/OPERATION_PATH" | Select-Object -Expand Content
在 BigQuery 中查看資產快照
控制台
前往 Google Cloud 控制台的「BigQuery Studio」頁面。
如要顯示資料集中的資料表和檢視表,請開啟導覽面板。在「Resources」(資源) 區段中,選取專案並展開,然後選取資料集。
從清單中選取所需表格。
選取「詳細資料」,並記下「列數」中的值。使用 gcloud CLI 或 REST API 時,您可能需要這個值來控管結果的起點。
如要查看資料樣本集,請選取「預覽」。
REST
如要瀏覽資料表中的資料,請呼叫 tabledata.list。在 tableId 參數中指定資料表名稱。
您可以設定下列選用參數來控管輸出。
maxResults是要傳回的結果數上限。selectedFields是以逗號分隔的資料欄清單,如果未指定,則會傳回所有資料欄。startIndex是讀取的起始列,索引從零開始。
傳回的值會以 JSON 物件包裝,而您必須剖析這個物件,如 tabledata.list 參考說明文件所述。
在 BigQuery 中查詢資產快照
將快照匯出至 BigQuery 後,您就可以查詢資產中繼資料。
根據預設,BigQuery 會執行互動式或隨選查詢工作,這表示查詢會盡快執行。互動式查詢會以您的並行頻率限制和每日上限計算。
查詢結果會儲存到臨時或永久資料表。 您可以選擇要在現有資料表中附加或覆寫資料,或是在沒有任何現有資料表使用同樣名稱的情況下新建資料表。
如要執行互動式查詢,將輸出內容寫入臨時資料表,請完成下列步驟。
控制台
前往 Google Cloud 控制台的「BigQuery Studio」頁面。
選取「撰寫新查詢」。
在「Query editor」(查詢編輯器) 文字區域中,輸入有效的 BigQuery SQL 查詢。
選用:如要變更資料處理位置,請完成下列步驟。
選取「更多」,然後選取「查詢設定」。
在「Processing location」(處理位置) 下,選取「Auto-select」(自動選取),然後選擇資料的位置。
如要更新查詢設定,請選取「儲存」。
選取「Run」。
REST
如要啟動新工作,請呼叫
jobs.insert方法。在工作資源中,設定下列參數。在
configuration欄位中,將query欄位設為 JobConfigurationQuery,說明 BigQuery 查詢工作。在「
jobReference」欄位中,為工作適當設定「location」欄位。
如要輪詢結果,請呼叫
getQueryResults。持續輪詢,直到jobComplete等於true為止。您可以檢查errors清單中的錯誤與警告。
其他 SQL 查詢範例
本節提供範例 SQL 查詢,說明如何分析匯出至 BigQuery 的資產中繼資料。詳情請參閱標準 SQL 查詢語法。
直接查詢可用的資料欄
如要找出每種資產類型的數量,請執行下列查詢:
SELECT asset_type, COUNT(*) AS asset_count
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME`
GROUP BY asset_type
ORDER BY asset_count DESC
使用重複欄位
如要找出授予 Gmail 帳戶存取權的 Identity and Access Management (IAM) 政策,請執行下列查詢。BigQuery 會使用 UNNEST 將重複欄位扁平化為資料表,方便您直接查詢:
SELECT name, asset_type, bindings.role
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME`
JOIN UNNEST(iam_policy.bindings) AS bindings
JOIN UNNEST(bindings.members) AS principals
WHERE principals like "%@gmail.com"
如要找出允許使用公開 IP 位址建立的機構、資料夾或專案,請執行下列查詢。這項查詢很有用,因為除非設定 SSL 或 Proxy,否則允許使用 Cloud SQL 執行個體的公開 IP 位址可能會造成安全漏洞:
SELECT name
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME`
JOIN UNNEST(org_policy) AS op
WHERE
op.constraint = "constraints/sql.restrictPublicIp"
AND (op.boolean_policy IS NULL OR op.boolean_policy.enforced = FALSE);
如要在專案的同一個 VPC Service Controls 服務範圍中尋找機構、資料夾或專案,請執行下列查詢:
SELECT service_perimeter.title, service_perimeter.status.resources
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME`
CROSS JOIN UNNEST(service_perimeter.status.resources) as resource
WHERE resource = "projects/PROJECT_ID";
使用 JSON 字串
如要找出開放的防火牆規則,請執行下列查詢。進一步瞭解 BigQuery 中使用的 JSON 函式。
CREATE TEMP FUNCTION json2array(json STRING)
RETURNS ARRAY<STRING>
LANGUAGE js AS """
return JSON.parse(json).map(x=>JSON.stringify(x));
""";
SELECT firewall.name, firewall.resource.parent, JSON_EXTRACT(firewall.resource.data, '$.sourceRanges') AS sourceRanges
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME` AS firewall
JOIN UNNEST(json2array(JSON_EXTRACT(firewall.resource.data, '$.sourceRanges'))) AS source_ranges
WHERE asset_type="compute.googleapis.com/Firewall" AND JSON_EXTRACT(firewall.resource.data, '$.sourceRanges') IS NOT NULL AND JSON_EXTRACT_SCALAR(source_ranges, '$') = "0.0.0.0/0"
為每種資源類型建立個別表格,可讓您更輕鬆快速地查詢開放的防火牆規則。
SELECT firewall.name, firewall.resource.parent, sourceRanges
FROM `PROJECT_ID.DATASET_ID.STRUCTURED_INSTANCE_TABLE_NAME` AS firewall
JOIN UNNEST(firewall.resource.data.sourceRanges) AS sourceRanges
WHERE sourceRanges = "0.0.0.0/0";
聯結不同資源類型的資料表
如要彙整不同資源類型的資料表,請執行下列查詢。以下範例說明如何找出所有未附加 VM 的子網路。首先,查詢會找出所有子網路。然後從該清單中,選取 selfLink 值不存在的子網路。
CREATE TEMP FUNCTION json2array(json STRING)
RETURNS ARRAY<STRING>
LANGUAGE js AS """
return JSON.parse(json).map(x=>JSON.stringify(x));
""";
SELECT name, JSON_EXTRACT(subnetwork.resource.data, '$.selfLink') AS selflink
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME` AS subnetwork
WHERE asset_type = "compute.googleapis.com/Subnetwork" AND (JSON_EXTRACT(subnetwork.resource.data, '$.selfLink') NOT IN
(SELECT DISTINCT JSON_EXTRACT(network_interfaces, '$.subnetwork')
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME` as instance
JOIN UNNEST(json2array(JSON_EXTRACT(instance.resource.data, '$.networkInterfaces'))) AS network_interfaces
WHERE asset_type ="compute.googleapis.com/Instance"
AND JSON_EXTRACT(instance.resource.data, '$.networkInterfaces') IS NOT NULL
)) IS NULL
為每個資源類型建立個別的表格,即可更輕鬆快速地查詢所有未連接 VM 的子網路。
SELECT name, subnetwork.resource.data.selfLink
FROM `PROJECT_ID.DATASET_ID.STRUCTURED_SUBNETWORK_TABLE_NAME` AS subnetwork
WHERE
(
subnetwork.resource.data.selfLink
NOT IN (
SELECT DISTINCT networkInterface.subnetwork
FROM `PROJECT_ID.DATASET_ID.STRUCTURED_INSTANCE_TABLE_NAME` as instance
JOIN
UNNEST(instance.resource.data.networkInterfaces) AS networkInterface
WHERE
networkInterface IS NOT NULL
)
) IS NULL;
找出因 CVE-2021-44228 而有安全漏洞的 Dataproc 叢集
CREATE TEMP FUNCTION vulnerable_version(imageVersion STRING)
RETURNS BOOL
LANGUAGE js AS r"""
const version_regexp = /(?<major>\d+)(?:\.)(?<minor>\d+)(?:\.)?(?<sub>\d+)?/g;
let match = version_regexp.exec(imageVersion);
if(match.groups.major < 1){
return true;
}
if (match.groups.major == 1){
if (match.groups.minor < 3){
return true;
}
if(match.groups.minor == 3 && match.groups.sub < 95){
return true;
}
if(match.groups.minor == 4 && match.groups.sub < 77){
return true;
}
if(match.groups.minor == 5 && match.groups.sub < 53){
return true;
}
}
if (match.groups.major == 2 && match.groups.minor == 0 && match.groups.sub < 27){
return true;
}
return false;
""";
SELECT
c.name,
c.resource.data.projectId AS project_id,
c.resource.data.clusterName AS cluster_name,
c.resource.data.config.softwareConfig.imageVersion AS image_version,
c.resource.data.status.state AS cluster_state,
vulnerable_version(c.resource.data.config.softwareConfig.imageVersion) AS is_vulnerable
FROM
`PROJECT_ID.DATASET_ID.TABLE_NAME_PREFIX_dataproc_googleapis_com_Cluster` c
INNER JOIN `PROJECT_ID.DATASET_ID.TABLE_NAME_PREFIX_cloudresourcemanager_googleapis_com_Project` p
ON p.resource.data.projectId = c.resource.data.projectId
WHERE
c.resource.data.config.softwareConfig.imageVersion IS NOT NULL
AND c.resource.data.status.state = "RUNNING"
AND p.resource.data.lifecycleState = "ACTIVE";