This document shows you how to export the asset metadata of your project to a Cloud Storage bucket.
Before you begin
Enable the Cloud Asset Inventory API in the project you're running Cloud Asset Inventory commands from.
Make sure your account has the correct role to call the Cloud Asset Inventory API. For individual permissions for each call type, see Permissions.
Create a Cloud Storage bucket to export to, if you don't have one already.
Limitations
Cloud Storage buckets encrypted with custom Cloud Key Management Service (Cloud KMS) keys are not supported.
The Cloud Storage bucket can't have a retention policy set.
During export, the operation might create temporary files in the output folder. Don't remove these temporary files while the operation is in progress. After the operation is complete, the temporary files are removed automatically.
The
ACCESS_POLICY
content type can only be exported at the organization level.If the file you're exporting to already exists and is in the process of being exported to, a
400
error is returned.To test permissions, Cloud Asset Inventory creates an empty file before exporting the data, which sends out an extra Cloud Storage trigger event of
google.cloud.storage.object.v1.finalized
.
Export an asset snapshot to Cloud Storage
gcloud
gcloud asset export \ --SCOPE \ --billing-project=BILLING_PROJECT_ID \ --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \ --content-type=CONTENT_TYPE \ --relationship-types=RELATIONSHIP_TYPE_1,RELATIONSHIP_TYPE_2,... \ --snapshot-time="SNAPSHOT_TIME" \ --output-path="gs://BUCKET_NAME/FILENAME"
Provide the following values:
-
SCOPE
: Use one of the following values:-
project=PROJECT_ID
, wherePROJECT_ID
is the ID of the project that has the asset metadata you want to export. -
folder=FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that has the asset metadata you want to export.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organization=ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that has the asset metadata you want to export.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Read more about setting the billing project. ASSET_TYPE_#
: Optional. A comma-separated list of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, anINVALID_ARGUMENT
error is returned. When--asset-types
isn't specified, all asset types are returned.CONTENT_TYPE
: Optional. The content type of the metadata you want to retrieve. When--content-type
isn't specified, only basic information is returned, such as asset names, the last time the assets were updated, and what projects, folders, and organizations they belong to.-
RELATIONSHIP_TYPE_#
: Optional. Requires access to the Security Command Center Premium or Enterprise tier, or [Gemini Cloud Assist](/products/gemini/cloud-assist). A comma-separated list of asset relationship types you want to retrieve. You must setCONTENT_TYPE
toRELATIONSHIP
for this to work. -
SNAPSHOT_TIME
: Optional. The time at which you want to take a snapshot of your assets, in gcloud topic datetime format. The value must be no more than 35 days in the past. When--snapshot-time
isn't specified, a snapshot is taken at the current time. BUCKET_NAME
: The name of the Cloud Storage bucket to write to.FILENAME
: The The file in your Cloud Storage bucket to write to.
See the gcloud CLI reference for all options.
Example
Run the following command to export your resource
metadata as it was on January 30,
2024 in the my-project
project, to the file my-file.txt
in the
Cloud Storage bucket my-bucket
.
gcloud asset export \ --project=my-project \ --billing-project=my-project \ --content-type=resource \ --snapshot-time="2024-01-30" \ --output-path="gs://my-bucket/my-file.txt"
Example response
Export in progress for root asset [projects/my-project]. Use [gcloud asset operations describe projects/000000000000/operations/ExportAssets/RESOURCE/00000000000000000000000000000000] to check the status of the operation.
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/SCOPE_PATH:exportAssets
Headers:
X-Goog-User-Project: BILLING_PROJECT_ID
Request JSON body:
{ "assetTypes": [ "ASSET_TYPE_1", "ASSET_TYPE_2", "..." ], "contentType": "CONTENT_TYPE", "relationshipTypes": [ "RELATIONSHIP_TYPE_1", "RELATIONSHIP_TYPE_2", "..." ], "readTime": "SNAPSHOT_TIME", "outputConfig": { "gcsDestination": { "uri": "gs://BUCKET_NAME/FILENAME" } } }
Provide the following values:
-
SCOPE_PATH
: Use one of the following values:The allowed values are:
-
projects/PROJECT_ID
, wherePROJECT_ID
is the ID of the project that has the asset metadata you want to export. -
projects/PROJECT_NUMBER
, wherePROJECT_NUMBER
is the number of the project that has the asset metadata you want to export.How to find a Google Cloud project number
Google Cloud console
To find a Google Cloud project number, complete the following steps:
-
Go to the Welcome page in the Google Cloud console.
- Click the switcher list box in the menu bar.
-
Select your organization from the list box, and then search for your project name. The project name, project number, and project ID are shown near the Welcome heading.
Up to 4,000 resources are displayed. If you don't see the project you're looking for, go to the Manage resources page and filter the list using the name of that project.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
-
folders/FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that has the asset metadata you want to export.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that has the asset metadata you want to export.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID
: The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Read more about setting the billing project. ASSET_TYPE_#
: Optional. An array of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, anINVALID_ARGUMENT
error is returned. WhenassetTypes
isn't specified, all asset types are returned.CONTENT_TYPE
: Optional. The content type of the metadata you want to retrieve. WhencontentType
isn't specified, only basic information is returned, such as asset names, the last time the assets were updated, and what projects, folders, and organizations they belong to.-
RELATIONSHIP_TYPE_#
: Optional. Requires access to the Security Command Center Premium or Enterprise tier, or [Gemini Cloud Assist](/products/gemini/cloud-assist). A comma-separated list of asset relationship types you want to retrieve. You must setCONTENT_TYPE
toRELATIONSHIP
for this to work. -
SNAPSHOT_TIME
: Optional. The time at which you want to take a snapshot of your assets, in RFC 3339 format. The value must be no more than 35 days in the past. WhenreadTime
isn't specified, a snapshot is taken at the current time. BUCKET_NAME
: The name of the Cloud Storage bucket to write to.FILENAME
: The The file in your Cloud Storage bucket to write to.
See the REST reference for all options.
Command examples
Run one of the following commands to export your resource
metadata as it was on
January 30, 2024 in the my-project
project, to the file my-file.txt
in
the Cloud Storage bucket my-bucket
.
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-Goog-User-Project: BILLING_PROJECT_ID" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "contentType": "RESOURCE", "readTime": "2024-01-30T00:00:00Z", "outputConfig": { "gcsDestination": { "uri": "gs://my-bucket/my-file" } } }' \ https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" } $body = @" { "contentType": "RESOURCE", "readTime": "2024-01-30T00:00:00Z", "outputConfig": { "gcsDestination": { "uri": "gs://my-bucket/my-file" } } } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets" | Select-Object -Expand Content
Example response
{ "name": "projects/000000000000/operations/ExportAssets/RESOURCE/00000000000000000000000000000000", "metadata": { "@type": "type.googleapis.com/google.cloud.asset.v1.ExportAssetsRequest", "parent": "projects/000000000000", "readTime": "2024-01-30T00:00:00Z", "contentType": "RESOURCE", "outputConfig": { "gcsDestination": { "uri": "gs://my-bucket/export.txt" } } } }
C#
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
PHP
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Ruby
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Check the status of an export
Exports take time to complete. To check if an export is done, you can query the operation using its operation ID.
Be aware that even if your export is done, someone might have made another export request to the same destination as a different operation. New export requests to the same destination can be made after a previous request has finished, or if more than 15 minutes has elapsed. Export requests made outside of these conditions are rejected by Cloud Asset Inventory.
gcloud
To view the status of your export, complete the following instructions:
Get the
OPERATION_PATH
, which includes the operation ID, from the response to your export request. TheOPERATION_PATH
is shown in the response to the export, which is formatted as follows:projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_ID
To check the status of your export, run following command with the
OPERATION_PATH
:gcloud asset operations describe OPERATION_PATH
REST
To view the status of your export, complete the following instructions:
Get the
OPERATION_PATH
, which includes the operation ID, from the response to your export request. TheOPERATION_PATH
is shown as the value of thename
field in the response to the export, which is formatted as follows:projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_ID
To check the status of your export, make the following request.
REST
HTTP method and URL:
GET https://cloudasset.googleapis.com/v1/OPERATION_PATH
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://cloudasset.googleapis.com/v1/OPERATION_PATH
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://cloudasset.googleapis.com/v1/OPERATION_PATH" | Select-Object -Expand Content
Example response
{ "name": "projects/000000000000/operations/ExportAssets/RESOURCE/00000000000000000000000000000000", "metadata": { "@type": "type.googleapis.com/google.cloud.asset.v1.ExportAssetsRequest", "parent": "projects/000000000000", "readTime": "2024-01-30T00:00:00Z", "contentType": "RESOURCE", "outputConfig": { "gcsDestination": { "uri": "gs://my-bucket/export.txt" } } } }
View an asset snapshot
To view your asset snapshot:
Go to the Cloud Storage Buckets page in the Google Cloud console.
Click the name of the bucket you exported your asset snapshot to, and then click the export filename.
Click Download to download your asset snapshot, and open it in your text editor of choice.