Cloud Asset Inventory is a global metadata inventory service that lets you view, search, export, monitor, and analyze your Google Cloud asset metadata, with up to 35 days of create, update, and delete history. Assets that haven't changed in the past 35 days report their latest status.
Asset metadata can come from the following places:
Google Cloud resources, such as Compute Engine VM instances, Cloud Storage buckets, and App Engine instances.
Policies set on Google Cloud resources, such as IAM policies, organization policies, and Access Context Manager policies.
Runtime information from OS inventory management.
Here's how you can work with your assets:
List your assets and their relationships in a particular project, folder, or organization, and get asset history up to 35 days in the past.
Search for your resources and their IAM allow policies using a custom query language, or query your assets with BigQuery SQL.
Export your asset metadata to BigQuery or Cloud Storage.
Analyze what would happen if a resource was moved to another project.
Analyze your IAM and organization policies on resources, and View your effective IAM policies on resources to see who has access to what.
Monitor your assets for changes by setting up and subscribing to a feed.
Generate insights from your assets to help improve your security posture.
Asset types, asset names, and content types
Cloud Asset Inventory offers multiple methods to interact with your assets. Depending on the method you use and the response detail you want, you might need to specify asset types, asset names, and content types in your requests.
Asset types
Some Cloud Asset Inventory methods return results based on asset types. Asset types include Google Cloud resources, policies, OS inventory runtime information, and relationships. The available asset types and the Cloud Asset Inventory methods that support them are detailed in Asset types.
Asset names
Some Cloud Asset Inventory methods return results based on asset names. When specifying an asset name, you must use its full resource name. See Asset names for a list of full resource names.
Content types
You can request additional metadata on a resource by specifying a metadata content type. If you don't specify a content type, then only a basic response is returned, containing information such as the asset name, the last time it was updated, and what projects, folders, and organizations it belongs to.
Content type names differ depending on how you interact with Cloud Asset Inventory. The RPC and REST API names are the same. However, the gcloud CLI content type names follow a different pattern. For consistency and ease of explanation, the rest of this documentation refers to content types by their RPC and REST names.
The following table details the content types and their descriptions:
Content type | Description | |
---|---|---|
RPC and REST name | gcloud CLI name | |
ACCESS_POLICY |
access-policy |
The Access Context Manager policy set on an asset. |
IAM_POLICY |
iam-policy |
The IAM policy metadata binding to the resource. |
ORG_POLICY |
org-policy |
The organization policy metadata set on an asset. This content type
outputs legacy organization policy v1. For organization policy v2, try
the resource content type and a resource type of
orgpolicy.googleapis.com/Policy .
|
OS_INVENTORY |
os-inventory |
The runtime OS inventory information. To enable OS inventory, complete the relevant steps in Set up VM Manager. |
RELATIONSHIP |
relationship |
Requires access to the Security Command Center Premium or Enterprise tier, or Gemini Cloud Assist. Many Google Cloud assets are connected to each other by relationships. For example, a Compute instance group can contain a Compute instance, or a GKE cluster can contain a node. Relationship data is available from May 30th, 2022. A relationship might have its own update timestamp, because it might be inferred at a different time than the source asset updates. See Relationship types for a list of the supported relationships. |
RESOURCE |
resource |
The resource's metadata. |
How responses change with content type
The following examples show how responses change when listing VM instances in a project through Cloud Asset Inventory with different content types.
No content type
If you specify no content type when listing VM instances, you receive only the instance names, the last time they were updated, and what projects, folders, and organizations they belong to.
Expand for response example
--- ancestors: - projects/PROJECT_NUMBER - folders/FOLDER_NUMBER - organizations/ORGANIZATION_ID assetType: compute.googleapis.com/Instance name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME updateTime: '2023-11-15T12:28:30.087825Z'
IAM_POLICY content type
If you specify the IAM_POLICY
content type, you also receive the
IAM bindings on the VM, if there are any.
Expand for response example
--- ancestors: - projects/PROJECT_NUMBER - folders/FOLDER_NUMBER - organizations/ORGANIZATION_ID assetType: compute.googleapis.com/Instance iamPolicy: bindings: - members: - user:USER_EMAIL_ADDRESS role: roles/compute.securityAdmin etag: ETAG name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME updateTime: '2023-12-19T23:35:42.673842Z'
RESOURCE content type
If you specify the RESOURCE
content type, you also receive all the metadata
associated with the VM.
Expand for response example
--- ancestors: - projects/PROJECT_NUMBER - folders/FOLDER_NUMBER - organizations/ORGANIZATION_ID assetType: compute.googleapis.com/Instance name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME resource: data: allocationAffinity: consumeAllocationType: ANY_ALLOCATION canIpForward: false confidentialInstanceConfig: enableConfidentialCompute: true cpuPlatform: AMD Rome creationTimestamp: '2023-11-14T14:35:37.059-08:00' deletionProtection: false description: '' disks: - architecture: X86_64 autoDelete: true boot: true deviceName: INSTANCE_NAME diskSizeGb: '10' guestOsFeatures: - type: VIRTIO_SCSI_MULTIQUEUE - type: SEV_CAPABLE - type: SEV_SNP_CAPABLE - type: SEV_LIVE_MIGRATABLE - type: UEFI_COMPATIBLE - type: GVNIC index: 0 interface: NVME licenses: - https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/licenses/ubuntu-2004-lts mode: READ_WRITE shieldedInstanceInitialState: dbx: - content: DATA fileType: BIN dbxs: - content: DATA fileType: BIN source: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks/INSTANCE_NAME type: PERSISTENT displayDevice: enableDisplay: false fingerprint: FINGERPRINT id: 'ID' keyRevocationActionType: NONE_ON_KEY_REVOCATION labelFingerprint: LABEL_FINGERPRINT lastStartTimestamp: '2023-11-15T04:28:30.005-08:00' machineType: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/machineTypes/n2d-standard-2 name: INSTANCE_NAME networkInterfaces: - accessConfigs: - name: External NAT natIP: 34.27.105.222 networkTier: PREMIUM type: ONE_TO_ONE_NAT fingerprint: jKU51FdTluk= name: nic0 network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default networkIP: 10.128.15.212 nicType: GVNIC stackType: IPV4_ONLY subnetwork: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/default reservationAffinity: consumeReservationType: ANY_ALLOCATION resourceStatus: {} scheduling: automaticRestart: true onHostMaintenance: TERMINATE preemptible: false provisioningModel: STANDARD selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME serviceAccounts: - email: PROJECT_NUMBER-compute@developer.gserviceaccount.com scopes: - https://www.googleapis.com/auth/devstorage.read_only - https://www.googleapis.com/auth/logging.write - https://www.googleapis.com/auth/monitoring.write - https://www.googleapis.com/auth/servicecontrol - https://www.googleapis.com/auth/service.management.readonly - https://www.googleapis.com/auth/trace.append shieldedInstanceConfig: enableIntegrityMonitoring: true enableSecureBoot: false enableVtpm: true shieldedInstanceIntegrityPolicy: updateAutoLearnPolicy: true startRestricted: false status: RUNNING tags: fingerprint: FINGERPRINT zone: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE discoveryDocumentUri: https://www.googleapis.com/discovery/v1/apis/compute/v1/rest discoveryName: Instance location: ZONE parent: //cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER version: v1 updateTime: '2023-11-15T12:28:30.087825Z'
RELATIONSHIP content type
Relationships require access to the Security Command Center Premium or Enterprise tier, or Gemini Cloud Assist.
If you specify the RELATIONSHIP
content type, you also receive metadata
associated with the VM instance's related assets.
Expand for response example
--- ancestors: - projects/PROJECT_NUMBER - folders/FOLDER_NUMBER - organizations/ORGANIZATION_ID assetType: compute.googleapis.com/Instance name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME relatedAsset: ancestors: - projects/PROJECT_NUMBER - folders/FOLDER_NUMBER - organizations/ORGANIZATION_ID asset: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/disks/INSTANCE_NAME assetType: compute.googleapis.com/Disk relationshipType: COMPUTE_INSTANCE_USE_DISK updateTime: '2023-12-19T23:35:42.673842Z'
When using the RELATIONSHIP
content type, instead of requesting all
relationships, you can request specific
relationship types.