This document describes how to export an asset snapshot of an organization, folder, or project to a BigQuery table, and then run data analysis on the inventory. BigQuery provides a SQL-like experience for analyzing data and producing meaningful insights without writing custom scripts.
Before you begin
- Enable the Cloud Asset Inventory API in the project you run Cloud Asset Inventory commands from.
- Make sure your account has the correct role to call the Cloud Asset Inventory API. For the individual permissions of each call type, see Permissions.
- Create a BigQuery dataset to export to, if you don't already have one.
Limitations
- Not all fields are supported by Cloud Asset Inventory when exporting BigQuery table data.
- Frequently changing resource fields, such as numBytes, numLongTermBytes, numPhysicalBytes, and numRows, might be exported as null values.
- Exporting to BigQuery clustered tables is not supported.
- BigQuery tables encrypted with a customer-managed Cloud Key Management Service (Cloud KMS) key are not supported.
- Appending export output to an existing table is not supported unless you export to a partitioned table. The destination table must be empty, or it must be overwritten. To overwrite it, use the --output-bigquery-force flag with the gcloud CLI, or "force": true with the REST API.
- Google Kubernetes Engine (GKE) resource types, except container.googleapis.com/Cluster and container.googleapis.com/NodePool, are not supported when exporting to a separate table for each resource type.
- Cloud Asset Inventory rejects a new export request if a previous request to the same destination started less than 15 minutes earlier and is still running. However, if an export operation takes longer than 15 minutes, it is marked as completed and new export requests to the same destination are allowed.
- The ACCESS_POLICY content type can only be exported at the organization level.
- If the table you are exporting to already exists and an export to it is in progress, a 400 error is returned.
Letter case
Field names follow different naming conventions depending on the requested content type and the export settings:
- For the RESOURCE content type, when you export assets to tables by asset type, there are no spaces between words and each word except the first begins with a capital letter (camel case). For example, assetType.
- For all other content types, field names are lowercase with spaces replaced by underscores (snake case). For example, asset_type.
BigQuery schema for exports
Each BigQuery table is defined by a schema that describes the column names, data types, and other information. The content type set for the export determines the schema of the table:
- Resource or unspecified: When the content type is set to RESOURCE or left unspecified, and the per-asset-type flag is set to false or not used, a BigQuery table with the following schema is created.
  Resource schema
  [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "version", "type": "STRING" }, { "mode": "NULLABLE", "name": "discovery_document_uri", "type": "STRING" }, { "mode": "NULLABLE", "name": "discovery_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "resource_url", "type": "STRING" }, { "mode": "NULLABLE", "name": "parent", "type": "STRING" }, { "mode": "NULLABLE", "name": "data", "type": "STRING" }, { "mode": "NULLABLE", "name": "location", "type": "STRING" } ], "mode": "NULLABLE", "name": "resource", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ]
  The resource.data column holds the resource metadata, represented as a JSON string.
  If you set the content type to RESOURCE or leave it unset, and set the per-asset-type flag to true, a separate table is created for each asset type. The schema of each table contains RECORD-type columns that map to the nested fields of the Resource.data field of that asset type (up to the 15 nesting levels BigQuery supports). For example tables, see export-assets-examples in the Google Cloud console.
- IAM policy: When the content type is set to IAM_POLICY in the REST API or iam-policy in the gcloud CLI, a BigQuery table with the following schema is created.
  IAM policy schema
  [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "version", "type": "INTEGER" }, { "fields": [ { "mode": "NULLABLE", "name": "role", "type": "STRING" }, { "mode": "REPEATED", "name": "members", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "expression", "type": "STRING" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "mode": "NULLABLE", "name": "location", "type": "STRING" } ], "mode": "NULLABLE", "name": "condition", "type": "RECORD" } ], "mode": "REPEATED", "name": "bindings", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "service", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "log_type", "type": "INTEGER" }, { "mode": "REPEATED", "name": "exempted_members", "type": "STRING" } ], "mode": "REPEATED", "name": "audit_log_configs", "type": "RECORD" } ], "mode": "REPEATED", "name": "audit_configs", "type": "RECORD" }, { "mode": "NULLABLE", "name": "etag", "type": "STRING" } ], "mode": "NULLABLE", "name": "iam_policy", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ]
- Organization policy: When the content type is set to ORG_POLICY in the REST API or org-policy in the gcloud CLI, a BigQuery table with the following schema is created.
  Organization policy schema
  [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "version", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "constraint", "type": "STRING" }, { "mode": "NULLABLE", "name": "etag", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" }, { "fields": [ { "mode": "REPEATED", "name": "allowed_values", "type": "STRING" }, { "mode": "REPEATED", "name": "denied_values", "type": "STRING" }, { "mode": "NULLABLE", "name": "all_values", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "suggested_value", "type": "STRING" }, { "mode": "NULLABLE", "name": "inherit_from_parent", "type": "BOOLEAN" } ], "mode": "NULLABLE", "name": "list_policy", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "enforced", "type": "BOOLEAN" } ], "mode": "NULLABLE", "name": "boolean_policy", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "_present", "type": "BOOLEAN" } ], "mode": "NULLABLE", "name": "restore_default", "type": "RECORD" } ], "mode": "REPEATED", "name": "org_policy", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ]
- VPCSC policy: When the content type is set to ACCESS_POLICY in the REST API or access-policy in the gcloud CLI, a BigQuery table with the following schema is created.
  VPCSC policy schema
  [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "parent", "type": "STRING" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "REPEATED", "name": "scopes", "type": "STRING" }, { "mode": "NULLABLE", "name": "etag", "type": "STRING" } ], "mode": "NULLABLE", "name": "access_policy", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "fields": [ { "fields": [ { "mode": "REPEATED", "name": "ip_subnetworks", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "require_screenlock", "type": "BOOLEAN" }, { "mode": "REPEATED", "name": "allowed_encryption_statuses", "type": "INTEGER" }, { "fields": [ { "mode": "NULLABLE", "name": "os_type", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "minimum_version", "type": "STRING" }, { "mode": "NULLABLE", "name": "require_verified_chrome_os", "type": "BOOLEAN" } ], "mode": "REPEATED", "name": "os_constraints", "type": "RECORD" }, { "mode": "REPEATED", "name": "allowed_device_management_levels", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "require_admin_approval", "type": "BOOLEAN" }, { "mode": "NULLABLE", "name": "require_corp_owned", "type": "BOOLEAN" } ], "mode": "NULLABLE", "name": "device_policy", "type": "RECORD" }, { "mode": "REPEATED", "name": "required_access_levels", "type": "STRING" }, { "mode": "NULLABLE", "name": "negate", "type": "BOOLEAN" }, { "mode": "REPEATED", "name": "members", "type": "STRING" }, { "mode": "REPEATED", "name": "regions", "type": "STRING" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", 
"name": "network", "type": "STRING" }, { "mode": "REPEATED", "name": "vpc_ip_subnetworks", "type": "STRING" } ], "mode": "NULLABLE", "name": "vpc_subnetwork", "type": "RECORD" } ], "mode": "REPEATED", "name": "vpc_network_sources", "type": "RECORD" } ], "mode": "REPEATED", "name": "conditions", "type": "RECORD" }, { "mode": "NULLABLE", "name": "combining_function", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "basic", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "expression", "type": "STRING" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "mode": "NULLABLE", "name": "location", "type": "STRING" } ], "mode": "NULLABLE", "name": "expr", "type": "RECORD" } ], "mode": "NULLABLE", "name": "custom", "type": "RECORD" } ], "mode": "NULLABLE", "name": "access_level", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "mode": "NULLABLE", "name": "perimeter_type", "type": "INTEGER" }, { "fields": [ { "mode": "REPEATED", "name": "resources", "type": "STRING" }, { "mode": "REPEATED", "name": "access_levels", "type": "STRING" }, { "mode": "REPEATED", "name": "restricted_services", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "enable_restriction", "type": "BOOLEAN" }, { "mode": "REPEATED", "name": "allowed_services", "type": "STRING" } ], "mode": "NULLABLE", "name": "vpc_accessible_services", "type": "RECORD" }, { "fields": [ { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "access_level", "type": "STRING" }, { "mode": "NULLABLE", "name": "resource", "type": "STRING" } ], "mode": "REPEATED", "name": "sources", "type": "RECORD" }, { "mode": "REPEATED", "name": "identities", "type": "STRING" }, { "mode": "NULLABLE", "name": "identity_type", "type": "INTEGER" } ], "mode": 
"NULLABLE", "name": "ingress_from", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "service_name", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "method", "type": "STRING" }, { "mode": "NULLABLE", "name": "permission", "type": "STRING" } ], "mode": "REPEATED", "name": "method_selectors", "type": "RECORD" } ], "mode": "REPEATED", "name": "operations", "type": "RECORD" }, { "mode": "REPEATED", "name": "resources", "type": "STRING" } ], "mode": "NULLABLE", "name": "ingress_to", "type": "RECORD" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" } ], "mode": "REPEATED", "name": "ingress_policies", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "REPEATED", "name": "identities", "type": "STRING" }, { "mode": "NULLABLE", "name": "identity_type", "type": "INTEGER" }, { "fields": [ { "mode": "NULLABLE", "name": "access_level", "type": "STRING" }, { "mode": "NULLABLE", "name": "resource", "type": "STRING" } ], "mode": "REPEATED", "name": "sources", "type": "RECORD" }, { "mode": "NULLABLE", "name": "source_restriction", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "egress_from", "type": "RECORD" }, { "fields": [ { "mode": "REPEATED", "name": "resources", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "service_name", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "method", "type": "STRING" }, { "mode": "NULLABLE", "name": "permission", "type": "STRING" } ], "mode": "REPEATED", "name": "method_selectors", "type": "RECORD" } ], "mode": "REPEATED", "name": "operations", "type": "RECORD" }, { "mode": "REPEATED", "name": "external_resources", "type": "STRING" } ], "mode": "NULLABLE", "name": "egress_to", "type": "RECORD" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" } ], "mode": "REPEATED", "name": "egress_policies", "type": "RECORD" } ], "mode": "NULLABLE", "name": "status", "type": "RECORD" }, { "fields": [ { "mode": "REPEATED", "name": "resources", "type": 
"STRING" }, { "mode": "REPEATED", "name": "access_levels", "type": "STRING" }, { "mode": "REPEATED", "name": "restricted_services", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "enable_restriction", "type": "BOOLEAN" }, { "mode": "REPEATED", "name": "allowed_services", "type": "STRING" } ], "mode": "NULLABLE", "name": "vpc_accessible_services", "type": "RECORD" }, { "fields": [ { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "access_level", "type": "STRING" }, { "mode": "NULLABLE", "name": "resource", "type": "STRING" } ], "mode": "REPEATED", "name": "sources", "type": "RECORD" }, { "mode": "REPEATED", "name": "identities", "type": "STRING" }, { "mode": "NULLABLE", "name": "identity_type", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "ingress_from", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "service_name", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "method", "type": "STRING" }, { "mode": "NULLABLE", "name": "permission", "type": "STRING" } ], "mode": "REPEATED", "name": "method_selectors", "type": "RECORD" } ], "mode": "REPEATED", "name": "operations", "type": "RECORD" }, { "mode": "REPEATED", "name": "resources", "type": "STRING" } ], "mode": "NULLABLE", "name": "ingress_to", "type": "RECORD" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" } ], "mode": "REPEATED", "name": "ingress_policies", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "REPEATED", "name": "identities", "type": "STRING" }, { "mode": "NULLABLE", "name": "identity_type", "type": "INTEGER" }, { "fields": [ { "mode": "NULLABLE", "name": "access_level", "type": "STRING" }, { "mode": "NULLABLE", "name": "resource", "type": "STRING" } ], "mode": "REPEATED", "name": "sources", "type": "RECORD" }, { "mode": "NULLABLE", "name": "source_restriction", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "egress_from", "type": "RECORD" }, { "fields": [ { "mode": "REPEATED", "name": "resources", 
"type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "service_name", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "method", "type": "STRING" }, { "mode": "NULLABLE", "name": "permission", "type": "STRING" } ], "mode": "REPEATED", "name": "method_selectors", "type": "RECORD" } ], "mode": "REPEATED", "name": "operations", "type": "RECORD" }, { "mode": "REPEATED", "name": "external_resources", "type": "STRING" } ], "mode": "NULLABLE", "name": "egress_to", "type": "RECORD" }, { "mode": "NULLABLE", "name": "title", "type": "STRING" } ], "mode": "REPEATED", "name": "egress_policies", "type": "RECORD" } ], "mode": "NULLABLE", "name": "spec", "type": "RECORD" }, { "mode": "NULLABLE", "name": "use_explicit_dry_run_spec", "type": "BOOLEAN" }, { "mode": "NULLABLE", "name": "etag", "type": "STRING" } ], "mode": "NULLABLE", "name": "service_perimeter", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "authorization_type", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "asset_type", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "authorization_direction", "type": "INTEGER" }, { "mode": "REPEATED", "name": "orgs", "type": "STRING" } ], "mode": "NULLABLE", "name": "authorized_orgs_desc", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ] 
- OSConfig instance inventory: When the content type is set to OS_INVENTORY in the REST API or os-inventory in the gcloud CLI, a BigQuery table with the following schema is created.
  OS inventory schema
  [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "hostname", "type": "STRING" }, { "mode": "NULLABLE", "name": "long_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "short_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "kernel_version", "type": "STRING" }, { "mode": "NULLABLE", "name": "kernel_release", "type": "STRING" }, { "mode": "NULLABLE", "name": "osconfig_agent_version", "type": "STRING" } ], "mode": "NULLABLE", "name": "os_info", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "key", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "id", "type": "STRING" }, { "mode": "NULLABLE", "name": "origin_type", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "create_time", "type": "TIMESTAMP" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" }, { "mode": "NULLABLE", "name": "type", "type": "INTEGER" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "yum_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "apt_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": 
"architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "zypper_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "googet_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "patch_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "category", "type": "STRING" }, { "mode": "NULLABLE", "name": "severity", "type": "STRING" }, { "mode": "NULLABLE", "name": "summary", "type": "STRING" } ], "mode": "NULLABLE", "name": "zypper_patch", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "id", "type": "STRING" }, { "mode": "NULLABLE", "name": "name", "type": "STRING" } ], "mode": "REPEATED", "name": "categories", "type": "RECORD" }, { "mode": "REPEATED", "name": "kb_article_ids", "type": "STRING" }, { "mode": "NULLABLE", "name": "support_url", "type": "STRING" }, { "mode": "REPEATED", "name": "more_info_urls", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_id", "type": "STRING" }, { "mode": "NULLABLE", "name": "revision_number", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "last_deployment_change_time", "type": "TIMESTAMP" } ], "mode": "NULLABLE", "name": "wua_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "caption", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "mode": "NULLABLE", "name": "hot_fix_id", "type": "STRING" }, { "mode": "NULLABLE", "name": "install_time", "type": "TIMESTAMP" } ], "mode": "NULLABLE", "name": "qfe_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, 
{ "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "cos_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "display_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "display_version", "type": "STRING" }, { "mode": "NULLABLE", "name": "publisher", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "year", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "month", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "day", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "install_date", "type": "RECORD" }, { "mode": "NULLABLE", "name": "help_link", "type": "STRING" } ], "mode": "NULLABLE", "name": "windows_application", "type": "RECORD" } ], "mode": "NULLABLE", "name": "installed_package", "type": "RECORD" }, { "fields": [ { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "yum_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "apt_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "zypper_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "googet_package", "type": "RECORD" }, { "fields": [ { "mode": 
"NULLABLE", "name": "patch_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "category", "type": "STRING" }, { "mode": "NULLABLE", "name": "severity", "type": "STRING" }, { "mode": "NULLABLE", "name": "summary", "type": "STRING" } ], "mode": "NULLABLE", "name": "zypper_patch", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "title", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "id", "type": "STRING" }, { "mode": "NULLABLE", "name": "name", "type": "STRING" } ], "mode": "REPEATED", "name": "categories", "type": "RECORD" }, { "mode": "REPEATED", "name": "kb_article_ids", "type": "STRING" }, { "mode": "NULLABLE", "name": "support_url", "type": "STRING" }, { "mode": "REPEATED", "name": "more_info_urls", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_id", "type": "STRING" }, { "mode": "NULLABLE", "name": "revision_number", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "last_deployment_change_time", "type": "TIMESTAMP" } ], "mode": "NULLABLE", "name": "wua_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "caption", "type": "STRING" }, { "mode": "NULLABLE", "name": "description", "type": "STRING" }, { "mode": "NULLABLE", "name": "hot_fix_id", "type": "STRING" }, { "mode": "NULLABLE", "name": "install_time", "type": "TIMESTAMP" } ], "mode": "NULLABLE", "name": "qfe_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "package_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "architecture", "type": "STRING" }, { "mode": "NULLABLE", "name": "version", "type": "STRING" } ], "mode": "NULLABLE", "name": "cos_package", "type": "RECORD" }, { "fields": [ { "mode": "NULLABLE", "name": "display_name", "type": "STRING" }, { "mode": "NULLABLE", "name": "display_version", "type": "STRING" }, { "mode": "NULLABLE", "name": "publisher", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "year", "type": 
"INTEGER" }, { "mode": "NULLABLE", "name": "month", "type": "INTEGER" }, { "mode": "NULLABLE", "name": "day", "type": "INTEGER" } ], "mode": "NULLABLE", "name": "install_date", "type": "RECORD" }, { "mode": "NULLABLE", "name": "help_link", "type": "STRING" } ], "mode": "NULLABLE", "name": "windows_application", "type": "RECORD" } ], "mode": "NULLABLE", "name": "available_package", "type": "RECORD" } ], "mode": "NULLABLE", "name": "value", "type": "RECORD" } ], "mode": "REPEATED", "name": "items", "type": "RECORD" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ], "mode": "NULLABLE", "name": "os_inventory", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ] 
- Relationship: When the content type is set to RELATIONSHIP in the REST API or relationship in the gcloud CLI, a BigQuery table with the following schema is created.
  Relationship schema
  [ { "mode": "NULLABLE", "name": "name", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "fields": [ { "mode": "NULLABLE", "name": "asset", "type": "STRING" }, { "mode": "NULLABLE", "name": "asset_type", "type": "STRING" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "relationship_type", "type": "STRING" } ], "mode": "NULLABLE", "name": "related_asset", "type": "RECORD" }, { "mode": "REPEATED", "name": "ancestors", "type": "STRING" }, { "mode": "NULLABLE", "name": "update_time", "type": "TIMESTAMP" } ]
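The IAM policy schema above is the one most often queried for access review. As an added example (not code from this page or from Google's libraries), the following Python performs that review locally on rows shaped like the exported columns: it flattens iam_policy.bindings to one row per member, the way UNNEST(iam_policy.bindings) and UNNEST(members) do in BigQuery SQL, and flags public principals and basic roles. SAMPLE_ROWS is constructed; the asset names, project numbers and principals are made up.

```python
"""Triage an IAM_POLICY export: flag public principals and basic roles per binding."""

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Basic (primitive) roles and the severity to report them at.
BASIC_ROLES = {"roles/owner": "high", "roles/editor": "high", "roles/viewer": "medium"}

# Constructed rows mirroring the exported columns name, asset_type,
# iam_policy.bindings[] (role, members, condition), ancestors, update_time.
SAMPLE_ROWS = [
    {
        "name": "//storage.googleapis.com/example-public-bucket",
        "asset_type": "storage.googleapis.com/Bucket",
        "iam_policy": {"version": 1, "bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"], "condition": None},
            {"role": "roles/storage.admin",
             "members": ["group:storage-admins@example.com"], "condition": None},
        ]},
        "ancestors": ["projects/111111111111", "folders/222222222222", "organizations/333333333333"],
        "update_time": "2024-01-30T00:00:00Z",
    },
    {
        "name": "//cloudresourcemanager.googleapis.com/projects/my-project",
        "asset_type": "cloudresourcemanager.googleapis.com/Project",
        "iam_policy": {"version": 3, "bindings": [  # version 3 is required for conditions
            {"role": "roles/owner",
             "members": ["user:alice@example.com",
                         "serviceAccount:ci@my-project.iam.gserviceaccount.com"],
             "condition": None},
            {"role": "roles/viewer",
             "members": ["group:auditors@example.com"],
             "condition": {"expression": "request.time < timestamp('2024-03-01T00:00:00Z')",
                           "title": "temporary-audit", "description": None, "location": None}},
        ]},
        "ancestors": ["projects/444444444444", "folders/222222222222", "organizations/333333333333"],
        "update_time": "2024-01-30T00:00:00Z",
    },
]


def flatten_bindings(rows):
    """Yield one (row, role, member, condition) tuple per member, like UNNEST in SQL."""
    for row in rows:
        for binding in (row.get("iam_policy") or {}).get("bindings") or []:
            for member in binding.get("members") or []:
                yield row, binding["role"], member, binding.get("condition")


def owning_project(row):
    """The project ancestor of the asset, or None for folder- and organization-level assets."""
    return next((a for a in row.get("ancestors", []) if a.startswith("projects/")), None)


def triage(rows):
    """Return one finding per flagged (asset, role, member); a condition narrows the grant, so record it."""
    findings = []
    for row, role, member, condition in flatten_bindings(rows):
        if member in PUBLIC_MEMBERS:
            issue, severity = "public access", "high"
        elif role in BASIC_ROLES:
            issue, severity = "basic role", BASIC_ROLES[role]
        else:
            continue
        findings.append({
            "asset": row["name"],
            "asset_type": row["asset_type"],
            "project": owning_project(row),
            "role": role,
            "member": member,
            "issue": issue,
            "severity": severity,
            "conditional": condition is not None,
            "condition": (condition or {}).get("expression"),
        })
    return findings


def severity_counts(findings):
    """Count findings per severity for a quick summary."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_ROWS)
    for f in results:
        tag = " (conditional)" if f["conditional"] else ""
        print(f'{f["severity"]:6} {f["issue"]:13} {f["role"]:28} {f["member"]} on {f["asset"]}{tag}')
    print(severity_counts(results))
```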
Export an asset snapshot
gcloud
gcloud asset export \
    --SCOPE \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \
    --content-type=CONTENT_TYPE \
    --relationship-types=RELATIONSHIP_TYPE_1,RELATIONSHIP_TYPE_2,... \
    --snapshot-time="SNAPSHOT_TIME" \
    --bigquery-table=projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
    --output-bigquery-force
Provide the following values:
- SCOPE: Use one of the following values:
  - project=PROJECT_ID, where PROJECT_ID is the ID of the project that contains the asset metadata you want to export.
  - folder=FOLDER_ID, where FOLDER_ID is the ID of the folder that contains the asset metadata you want to export.
    How to find the ID of a Google Cloud folder
    Google Cloud console: To find the ID of a Google Cloud folder, complete the following steps:
    - Go to the Google Cloud console.
    - Click the switcher list box in the menu bar.
    - Select your organization from the list box.
    - Search for the folder name. The folder ID is shown next to the folder name.
    gcloud CLI: You can retrieve the ID of a Google Cloud folder located at the organization level with the following command:
        gcloud resource-manager folders list \
            --organization=$(gcloud organizations describe ORGANIZATION_NAME \
                --format="value(name.segment(1))") \
            --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
            --format="value(ID)"
    where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder name. Remove the --format flag to see more information about the folders found.
    The previous command does not return the IDs of subfolders within a folder. To get those, run the following command with the ID of the top-level folder:
        gcloud resource-manager folders list --folder=FOLDER_ID
  - organization=ORGANIZATION_ID, where ORGANIZATION_ID is the ID of the organization that contains the asset metadata you want to export.
    How to find the ID of a Google Cloud organization
    Google Cloud console: To find the ID of a Google Cloud organization, complete the following steps:
    - Go to the Google Cloud console.
    - Click the switcher list box in the menu bar.
    - Select your organization from the list box.
    - Click the All tab. The organization ID is shown next to the organization name.
    gcloud CLI: You can retrieve the ID of a Google Cloud organization with the following command:
        gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
- BILLING_PROJECT_ID: Optional. The ID of the project in which the default Cloud Asset Inventory service agent resides and which has permission to manage your BigQuery datasets and tables. Read more about setting the billing project.
- ASSET_TYPE_#: Optional. A comma-separated list of searchable asset types. RE2-compatible regular expressions are supported. If a regular expression does not match any supported asset type, an INVALID_ARGUMENT error is returned. When --asset-types is not specified, all asset types are returned.
- CONTENT_TYPE: Optional. The content type of the metadata you want to retrieve. When --content-type is not specified, only basic information is returned, such as asset names, the last time the assets were updated, and which projects, folders, and organizations they belong to.
- RELATIONSHIP_TYPE_#: Optional. Requires access to the Security Command Center Premium or Enterprise tier, or to Gemini Cloud Assist. A comma-separated list of asset relationship types that specifies which relationship types to retrieve. You must set CONTENT_TYPE to RELATIONSHIP for this to work.
- SNAPSHOT_TIME: Optional. The time at which to take the snapshot of your assets, in gcloud topic datetime format. The value must be no more than 35 days in the past. When --snapshot-time is not specified, the snapshot is taken at the current time.
- BIGQUERY_PROJECT_ID: The ID of the project that contains the BigQuery table you are exporting to.
- DATASET_ID: The ID of the BigQuery dataset.
- TABLE_NAME: The BigQuery table to export the metadata to. If it does not exist, it is created.
The --output-bigquery-force flag overwrites the destination table if it exists.
See the gcloud CLI reference for all options.
Example
Run the following command to export the resource metadata in the my-project project, as it was on January 30, 2024, to the BigQuery table my-table.
gcloud asset export \
    --project=my-project \
    --content-type=resource \
    --snapshot-time="2024-01-30" \
    --bigquery-table=projects/my-project/datasets/my-dataset/tables/my-table \
    --output-bigquery-force
Example response
Export in progress for root asset [projects/my-project]. Use [gcloud asset operations describe projects/000000000000/operations/ExportAssets/RESOURCE/00000000000000000000000000000000] to check the status of the operation.
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/SCOPE_PATH:exportAssets
Headers:
X-Goog-User-Project: BILLING_PROJECT_ID
Request JSON body:
{
  "assetTypes": [
    "ASSET_TYPE_1",
    "ASSET_TYPE_2",
    "..."
  ],
  "contentType": "CONTENT_TYPE",
  "relationshipTypes": [
    "RELATIONSHIP_TYPE_1",
    "RELATIONSHIP_TYPE_2",
    "..."
  ],
  "readTime": "SNAPSHOT_TIME",
  "outputConfig": {
    "bigqueryDestination": {
      "dataset": "projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID",
      "table": "TABLE_NAME",
      "force": true
    }
  }
}
Provide the following values:
- SCOPE_PATH: Use one of the following values:
  - projects/PROJECT_ID, where PROJECT_ID is the ID of the project that contains the asset metadata you want to export.
  - projects/PROJECT_NUMBER, where PROJECT_NUMBER is the number of the project that contains the asset metadata you want to export.
    How to find a Google Cloud project number
    Google Cloud console: To find a Google Cloud project number, complete the following steps:
    gcloud CLI: You can retrieve a Google Cloud project number with the following command:
        gcloud projects describe PROJECT_ID --format="value(projectNumber)"
  - folders/FOLDER_ID, where FOLDER_ID is the ID of the folder that contains the asset metadata you want to export. To find a folder ID, see the gcloud section above.
  - organizations/ORGANIZATION_ID, where ORGANIZATION_ID is the ID of the organization that contains the asset metadata you want to export. To find an organization ID, see the gcloud section above.
- BILLING_PROJECT_ID: The ID of the project in which the default Cloud Asset Inventory service agent resides and which has permission to manage your BigQuery datasets and tables. Read more about setting the billing project.
- ASSET_TYPE_#: Optional. An array of searchable asset types. RE2-compatible regular expressions are supported. If a regular expression does not match any supported asset type, an INVALID_ARGUMENT error is returned. When assetTypes is not specified, all asset types are returned.
- CONTENT_TYPE: Optional. The content type of the metadata you want to retrieve. When contentType is not specified, only basic information is returned, such as asset names, the last time the assets were updated, and which projects, folders, and organizations they belong to.
- RELATIONSHIP_TYPE_#: Optional. Requires access to the Security Command Center Premium or Enterprise tier, or to Gemini Cloud Assist. A comma-separated list of asset relationship types that specifies which relationship types to retrieve. You must set CONTENT_TYPE to RELATIONSHIP for this to work.
- SNAPSHOT_TIME: Optional. The time at which to take the snapshot of your assets, in RFC 3339 format. The value must be no more than 35 days in the past. When readTime is not specified, the snapshot is taken at the current time.
- BIGQUERY_PROJECT_ID: The ID of the project that contains the BigQuery table you are exporting to.
- DATASET_ID: The ID of the BigQuery dataset.
- TABLE_NAME: The BigQuery table to export the metadata to. If it does not exist, it is created.
The "force": true key-value pair overwrites the destination table if it exists.
See the REST reference for all options.
Command examples
Run one of the following commands to export the resource metadata in the my-project project, as it was on January 30, 2024, to the BigQuery table my-table.
curl (Linux, macOS, or Cloud Shell)
curl -X POST \
    -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d '{
      "contentType": "RESOURCE",
      "readTime": "2024-01-30T00:00:00Z",
      "outputConfig": {
        "bigqueryDestination": {
          "dataset": "projects/my-project/datasets/my-dataset",
          "table": "my-table",
          "force": true
        }
      }
    }' \
    https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets
PowerShell (Windows)
$cred = gcloud auth print-access-token
$headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" }
$body = @"
{
  "contentType": "RESOURCE",
  "readTime": "2024-01-30T00:00:00Z",
  "outputConfig": {
    "bigqueryDestination": {
      "dataset": "projects/my-project/datasets/my-dataset",
      "table": "my-table",
      "force": true
    }
  }
}
"@

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -Body $body `
    -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets" | Select-Object -Expand Content
Example response
{
  "name": "projects/000000000000/operations/ExportAssets/RESOURCE/00000000000000000000000000000000",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.asset.v1.ExportAssetsRequest",
    "parent": "projects/000000000000",
    "readTime": "2024-01-30T00:00:00Z",
    "contentType": "RESOURCE",
    "outputConfig": {
      "bigqueryDestination": {
        "dataset": "projects/my-project/datasets/my-dataset",
        "table": "my-table",
        "force": true
      }
    }
  }
}
Go
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Export an asset snapshot to separate tables, one per asset type
You can export assets to a separate BigQuery table for each asset type by using the --per-asset-type flag in the gcloud CLI or "separateTablesPerAssetType": true in a REST API request. The RELATIONSHIP content type cannot be exported this way.
In this mode, each table is named TABLE_NAME concatenated with _ (an underscore) and the asset type name. Non-alphanumeric characters in the asset type name are replaced with _.
If the export to any one table fails, the entire export operation fails and returns the first error. The results of tables that were already exported successfully are kept.
The following types are packed into JSON strings to overcome compatibility issues between Proto3 and BigQuery types.
- google.protobuf.Timestamp
- google.protobuf.Duration
- google.protobuf.FieldMask
- google.protobuf.ListValue
- google.protobuf.Value
- google.protobuf.Struct
- google.api.*
gcloud
gcloud asset export \
  --SCOPE \
  --billing-project=BILLING_PROJECT_ID \
  --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \
  --content-type=CONTENT_TYPE \
  --snapshot-time="SNAPSHOT_TIME" \
  --bigquery-table=projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
  --per-asset-type \
  --output-bigquery-force
Provide the following values:
- SCOPE: Use one of the following values:
    - project=PROJECT_ID, where PROJECT_ID is the ID of the project that contains the asset metadata you want to export.
    - folder=FOLDER_ID, where FOLDER_ID is the ID of the folder that contains the asset metadata you want to export.
      To find the ID of a Google Cloud folder in the Google Cloud console, complete the following steps:
        - Go to the Google Cloud console.
        - Click the switcher list box in the menu bar.
        - Select your organization from the list box.
        - Search for the folder name. The folder ID is shown next to the folder name.
      With the gcloud CLI, you can retrieve the ID of a Google Cloud folder located at the organization level with the following command:
        gcloud resource-manager folders list \
          --organization=$(gcloud organizations describe ORGANIZATION_NAME \
            --format="value(name.segment(1))") \
          --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
          --format="value(ID)"
      Here TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder name. Remove the --format flag to see more information about the folders found. The preceding command doesn't return the IDs of subfolders within the folder. To get those, run the following command with the ID of the top-level folder:
        gcloud resource-manager folders list --folder=FOLDER_ID
    - organization=ORGANIZATION_ID, where ORGANIZATION_ID is the ID of the organization that contains the asset metadata you want to export.
      To find the ID of a Google Cloud organization in the Google Cloud console, complete the following steps:
        - Go to the Google Cloud console.
        - Click the switcher list box in the menu bar.
        - Select your organization from the list box.
        - Click the All tab. The organization ID is shown next to the organization name.
      With the gcloud CLI, you can retrieve the ID of a Google Cloud organization with the following command:
        gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
- BILLING_PROJECT_ID: Optional. The ID of the project that the default Cloud Asset Inventory service agent is in, which has permission to manage your BigQuery datasets and tables. Learn more about setting the billing project.
- ASSET_TYPE_#: Optional. A comma-separated list of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, an INVALID_ARGUMENT error is returned. When --asset-types is not specified, all asset types are returned.
- CONTENT_TYPE: Optional. The content type of the metadata you want to retrieve. The RELATIONSHIP content type cannot be used with --per-asset-type. When --content-type is not specified, only basic information is returned, such as the asset name, the last time the asset was updated, and the project, folder, and organization the asset belongs to.
- SNAPSHOT_TIME: Optional. The time at which you want to take a snapshot of your assets, in gcloud topic datetime format. The value must be no more than 35 days in the past. When --snapshot-time is not specified, the snapshot is taken at the current time.
- BIGQUERY_PROJECT_ID: The ID of the project the BigQuery tables are exported to.
- DATASET_ID: The ID of the BigQuery dataset.
- TABLE_NAME: The prefix of the BigQuery tables the metadata is exported to. The full name of each table is the prefix concatenated with _ and the asset type.
The --output-bigquery-force flag overwrites the destination tables if they exist.
See the gcloud CLI reference for all options.
Example
Run the following command to export the resource metadata as of January 30, 2024, in the project my-project to multiple BigQuery tables prefixed with my-table.
gcloud asset export \
  --project=my-project \
  --content-type=resource \
  --snapshot-time="2024-01-30" \
  --bigquery-table=projects/my-project/datasets/my-dataset/tables/my-table \
  --per-asset-type \
  --output-bigquery-force
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/SCOPE_PATH:exportAssets
Headers:
X-Goog-User-Project: BILLING_PROJECT_ID
Request JSON body:
{
  "assetTypes": [
    "ASSET_TYPE_1",
    "ASSET_TYPE_2",
    "..."
  ],
  "contentType": "CONTENT_TYPE",
  "readTime": "SNAPSHOT_TIME",
  "outputConfig": {
    "bigqueryDestination": {
      "dataset": "projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID",
      "table": "TABLE_NAME",
      "force": true,
      "separateTablesPerAssetType": true
    }
  }
}
Provide the following values:
- SCOPE_PATH: Use one of the following values:
    - projects/PROJECT_ID, where PROJECT_ID is the ID of the project that contains the asset metadata you want to export.
    - projects/PROJECT_NUMBER, where PROJECT_NUMBER is the number of the project that contains the asset metadata you want to export.
      With the gcloud CLI, you can retrieve a Google Cloud project number with the following command:
        gcloud projects describe PROJECT_ID --format="value(projectNumber)"
    - folders/FOLDER_ID, where FOLDER_ID is the ID of the folder that contains the asset metadata you want to export.
      To find the ID of a Google Cloud folder in the Google Cloud console, complete the following steps:
        - Go to the Google Cloud console.
        - Click the switcher list box in the menu bar.
        - Select your organization from the list box.
        - Search for the folder name. The folder ID is shown next to the folder name.
      With the gcloud CLI, you can retrieve the ID of a Google Cloud folder located at the organization level with the following command:
        gcloud resource-manager folders list \
          --organization=$(gcloud organizations describe ORGANIZATION_NAME \
            --format="value(name.segment(1))") \
          --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
          --format="value(ID)"
      Here TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder name. Remove the --format flag to see more information about the folders found. The preceding command doesn't return the IDs of subfolders within the folder. To get those, run the following command with the ID of the top-level folder:
        gcloud resource-manager folders list --folder=FOLDER_ID
    - organizations/ORGANIZATION_ID, where ORGANIZATION_ID is the ID of the organization that contains the asset metadata you want to export.
      To find the ID of a Google Cloud organization in the Google Cloud console, complete the following steps:
        - Go to the Google Cloud console.
        - Click the switcher list box in the menu bar.
        - Select your organization from the list box.
        - Click the All tab. The organization ID is shown next to the organization name.
      With the gcloud CLI, you can retrieve the ID of a Google Cloud organization with the following command:
        gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
- BILLING_PROJECT_ID: The ID of the project that the default Cloud Asset Inventory service agent is in, which has permission to manage your BigQuery datasets and tables. Learn more about setting the billing project.
- ASSET_TYPE_#: Optional. An array of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, an INVALID_ARGUMENT error is returned. When assetTypes is not specified, all asset types are returned.
- CONTENT_TYPE: Optional. The content type of the metadata you want to retrieve. The RELATIONSHIP content type cannot be used with "separateTablesPerAssetType": true. When contentType is not specified, only basic information is returned, such as the asset name, the last time the asset was updated, and the project, folder, and organization the asset belongs to.
- SNAPSHOT_TIME: Optional. The time at which you want to take a snapshot of your assets, in RFC 3339 format. The value must be no more than 35 days in the past. When readTime is not specified, the snapshot is taken at the current time.
- BIGQUERY_PROJECT_ID: The ID of the project the BigQuery tables are exported to.
- DATASET_ID: The ID of the BigQuery dataset.
- TABLE_NAME: The prefix of the BigQuery tables the metadata is exported to. The full name of each table is the prefix concatenated with _ and the asset type.
The "force": true key-value pair overwrites the destination tables if they exist.
Example commands
Run one of the following commands to export the resource metadata as of January 30, 2024, in the project my-project to multiple BigQuery tables prefixed with my-table.
curl (Linux, macOS, or Cloud Shell)
curl -X POST \
  -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d '{
    "contentType": "RESOURCE",
    "readTime": "2024-01-30T00:00:00Z",
    "outputConfig": {
      "bigqueryDestination": {
        "dataset": "projects/my-project/datasets/my-dataset",
        "table": "my-table",
        "force": true,
        "separateTablesPerAssetType": true
      }
    }
  }' \
  https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets
PowerShell (Windows)
$cred = gcloud auth print-access-token
$headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" }
$body = @"
{
  "contentType": "RESOURCE",
  "readTime": "2024-01-30T00:00:00Z",
  "outputConfig": {
    "bigqueryDestination": {
      "dataset": "projects/my-project/datasets/my-dataset",
      "table": "my-table",
      "force": true,
      "separateTablesPerAssetType": true
    }
  }
}
"@
Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -Body $body `
  -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets" | Select-Object -Expand Content
Export an asset snapshot to a time-unit column-partitioned table
You can export the assets in your project to a table that is partitioned by a time-unit column.
The exported snapshot is stored in a BigQuery table named TABLE_NAME that has daily granularity and two additional timestamp columns, readTime and requestTime; one of them is the partition column, as specified by the PARTITION_KEY value.
To export the assets in your project to a partitioned table, make one of the following requests.
gcloud
gcloud asset export \
  --SCOPE \
  --billing-project=BILLING_PROJECT_ID \
  --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \
  --content-type=CONTENT_TYPE \
  --relationship-types=RELATIONSHIP_TYPE_1,RELATIONSHIP_TYPE_2,... \
  --snapshot-time="SNAPSHOT_TIME" \
  --bigquery-table=projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
  --partition-key=PARTITION_KEY \
  --output-bigquery-force
Provide the following values:
- SCOPE: Use one of the following values:
    - project=PROJECT_ID, where PROJECT_ID is the ID of the project that contains the asset metadata you want to export.
    - folder=FOLDER_ID, where FOLDER_ID is the ID of the folder that contains the asset metadata you want to export.
      To find the ID of a Google Cloud folder in the Google Cloud console, complete the following steps:
        - Go to the Google Cloud console.
        - Click the switcher list box in the menu bar.
        - Select your organization from the list box.
        - Search for the folder name. The folder ID is shown next to the folder name.
      With the gcloud CLI, you can retrieve the ID of a Google Cloud folder located at the organization level with the following command:
        gcloud resource-manager folders list \
          --organization=$(gcloud organizations describe ORGANIZATION_NAME \
            --format="value(name.segment(1))") \
          --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
          --format="value(ID)"
      Here TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder name. Remove the --format flag to see more information about the folders found. The preceding command doesn't return the IDs of subfolders within the folder. To get those, run the following command with the ID of the top-level folder:
        gcloud resource-manager folders list --folder=FOLDER_ID
    - organization=ORGANIZATION_ID, where ORGANIZATION_ID is the ID of the organization that contains the asset metadata you want to export.
      To find the ID of a Google Cloud organization in the Google Cloud console, complete the following steps:
        - Go to the Google Cloud console.
        - Click the switcher list box in the menu bar.
        - Select your organization from the list box.
        - Click the All tab. The organization ID is shown next to the organization name.
      With the gcloud CLI, you can retrieve the ID of a Google Cloud organization with the following command:
        gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
- BILLING_PROJECT_ID: Optional. The ID of the project that the default Cloud Asset Inventory service agent is in, which has permission to manage your BigQuery datasets and tables. Learn more about setting the billing project.
- ASSET_TYPE_#: Optional. A comma-separated list of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, an INVALID_ARGUMENT error is returned. When --asset-types is not specified, all asset types are returned.
- CONTENT_TYPE: Optional. The content type of the metadata you want to retrieve. When --content-type is not specified, only basic information is returned, such as the asset name, the last time the asset was updated, and the project, folder, and organization the asset belongs to.
- RELATIONSHIP_TYPE_#: Optional. Requires access to the Security Command Center Premium or Enterprise tier, or to Gemini Cloud Assist. A comma-separated list of asset relationship types that you want to retrieve. You must set CONTENT_TYPE to RELATIONSHIP for this to work.
- SNAPSHOT_TIME: Optional. The time at which you want to take a snapshot of your assets, in gcloud topic datetime format. The value must be no more than 35 days in the past. When --snapshot-time is not specified, the snapshot is taken at the current time.
- BIGQUERY_PROJECT_ID: The ID of the project the BigQuery table is exported to.
- DATASET_ID: The ID of the BigQuery dataset.
- TABLE_NAME: The BigQuery table the metadata is exported to. If it doesn't exist, it is created.
- PARTITION_KEY: The partition key column to use when exporting to a BigQuery partitioned table. Valid values are read-time and request-time.
The --output-bigquery-force flag overwrites the data in the corresponding partition of the destination table. Data in other partitions is left unchanged.
When --output-bigquery-force is not specified, the exported data is appended to the corresponding partition.
The export operation fails if the schema update or the attempt to append data fails. This includes the case where the destination table already exists but doesn't have the schema the export operation requires.
See the gcloud CLI reference for all options.
Example
Run the following command to export the resource metadata as of January 30, 2024, in the project my-project to the BigQuery table my-table.
gcloud asset export \
  --project=my-project \
  --content-type=resource \
  --snapshot-time="2024-01-30" \
  --bigquery-table=projects/my-project/datasets/my-dataset/tables/my-table \
  --partition-key=read-time \
  --output-bigquery-force
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/SCOPE_PATH:exportAssets
Headers:
X-Goog-User-Project: BILLING_PROJECT_ID
Request JSON body:
{
  "assetTypes": [
    "ASSET_TYPE_1",
    "ASSET_TYPE_2",
    "..."
  ],
  "contentType": "CONTENT_TYPE",
  "relationshipTypes": [
    "RELATIONSHIP_TYPE_1",
    "RELATIONSHIP_TYPE_2",
    "..."
  ],
  "readTime": "SNAPSHOT_TIME",
  "outputConfig": {
    "bigqueryDestination": {
      "dataset": "projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID",
      "table": "TABLE_NAME",
      "partitionSpec": {
        "partitionKey": "PARTITION_KEY"
      },
      "force": true
    }
  }
}
Provide the following values:
- SCOPE_PATH: Use one of the following values:
    - projects/PROJECT_ID, where PROJECT_ID is the ID of the project that contains the asset metadata you want to export.
    - projects/PROJECT_NUMBER, where PROJECT_NUMBER is the number of the project that contains the asset metadata you want to export.
      With the gcloud CLI, you can retrieve a Google Cloud project number with the following command:
        gcloud projects describe PROJECT_ID --format="value(projectNumber)"
    - folders/FOLDER_ID, where FOLDER_ID is the ID of the folder that contains the asset metadata you want to export.
      To find the ID of a Google Cloud folder in the Google Cloud console, complete the following steps:
        - Go to the Google Cloud console.
        - Click the switcher list box in the menu bar.
        - Select your organization from the list box.
        - Search for the folder name. The folder ID is shown next to the folder name.
      With the gcloud CLI, you can retrieve the ID of a Google Cloud folder located at the organization level with the following command:
        gcloud resource-manager folders list \
          --organization=$(gcloud organizations describe ORGANIZATION_NAME \
            --format="value(name.segment(1))") \
          --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
          --format="value(ID)"
      Here TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder name. Remove the --format flag to see more information about the folders found. The preceding command doesn't return the IDs of subfolders within the folder. To get those, run the following command with the ID of the top-level folder:
        gcloud resource-manager folders list --folder=FOLDER_ID
    - organizations/ORGANIZATION_ID, where ORGANIZATION_ID is the ID of the organization that contains the asset metadata you want to export.
      To find the ID of a Google Cloud organization in the Google Cloud console, complete the following steps:
        - Go to the Google Cloud console.
        - Click the switcher list box in the menu bar.
        - Select your organization from the list box.
        - Click the All tab. The organization ID is shown next to the organization name.
      With the gcloud CLI, you can retrieve the ID of a Google Cloud organization with the following command:
        gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
- BILLING_PROJECT_ID: The ID of the project that the default Cloud Asset Inventory service agent is in, which has permission to manage your BigQuery datasets and tables. Learn more about setting the billing project.
- ASSET_TYPE_#: Optional. An array of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, an INVALID_ARGUMENT error is returned. When assetTypes is not specified, all asset types are returned.
- CONTENT_TYPE: Optional. The content type of the metadata you want to retrieve. When contentType is not specified, only basic information is returned, such as the asset name, the last time the asset was updated, and the project, folder, and organization the asset belongs to.
- RELATIONSHIP_TYPE_#: Optional. Requires access to the Security Command Center Premium or Enterprise tier, or to Gemini Cloud Assist. A comma-separated list of asset relationship types that you want to retrieve. You must set CONTENT_TYPE to RELATIONSHIP for this to work.
- SNAPSHOT_TIME: Optional. The time at which you want to take a snapshot of your assets, in RFC 3339 format. The value must be no more than 35 days in the past. When readTime is not specified, the snapshot is taken at the current time.
- BIGQUERY_PROJECT_ID: The ID of the project the BigQuery table is exported to.
- DATASET_ID: The ID of the BigQuery dataset.
- TABLE_NAME: The BigQuery table the metadata is exported to. If it doesn't exist, it is created.
- PARTITION_KEY: The partition key column to use when exporting to a BigQuery partitioned table. Valid values are READ_TIME and REQUEST_TIME.
The "force": true key-value pair overwrites the data in the corresponding partition of the destination table. Data in other partitions is left unchanged.
When force is not set or is set to false, the exported data is appended to the corresponding partition.
The export operation fails if the schema update or the attempt to append data fails. This includes the case where the destination table already exists but doesn't have the schema the export operation requires.
Example commands
Run one of the following commands to export the resource metadata as of January 30, 2024, in the project my-project to the BigQuery table my-table.
curl (Linux, macOS, or Cloud Shell)
curl -X POST \
  -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d '{
    "contentType": "RESOURCE",
    "readTime": "2024-01-30T00:00:00Z",
    "outputConfig": {
      "bigqueryDestination": {
        "dataset": "projects/my-project/datasets/my-dataset",
        "table": "my-table",
        "partitionSpec": {
          "partitionKey": "READ_TIME"
        },
        "force": true
      }
    }
  }' \
  https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets
PowerShell (Windows)
$cred = gcloud auth print-access-token
$headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" }
$body = @"
{
  "contentType": "RESOURCE",
  "readTime": "2024-01-30T00:00:00Z",
  "outputConfig": {
    "bigqueryDestination": {
      "dataset": "projects/my-project/datasets/my-dataset",
      "table": "my-table",
      "partitionSpec": {
        "partitionKey": "READ_TIME"
      },
      "force": true
    }
  }
}
"@
Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -Body $body `
  -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets" | Select-Object -Expand Content
Check the export status
The export takes some time to complete. To check whether it has finished, you can query the operation by using its operation ID.
Note that even after your export operation has completed, someone else might have made another export request to the same destination through a different operation. A new export request to the same destination is only accepted after the previous export request has completed or after more than 15 minutes have passed. Cloud Asset Inventory rejects export requests that don't meet these conditions.
gcloud
To check the export status, follow these instructions:
- Get the OPERATION_PATH, which includes the operation ID, from the response to the export request. OPERATION_PATH appears in the export response in the following format:
    projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_ID
- To check the export status, run the following command with the OPERATION_PATH:
    gcloud asset operations describe OPERATION_PATH
REST
To check the export status, follow these instructions:
- Get the OPERATION_PATH, which includes the operation ID, from the response to the export request. OPERATION_PATH appears as the value of the name field in the export response, in the following format:
    projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_ID
- To check the export status, make the following request.
    HTTP method and URL:
    GET https://cloudasset.googleapis.com/v1/OPERATION_PATH
    Example commands
    curl (Linux, macOS, or Cloud Shell)
    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      https://cloudasset.googleapis.com/v1/OPERATION_PATH
    PowerShell (Windows)
    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }
    Invoke-WebRequest `
      -Method GET `
      -Headers $headers `
      -Uri "https://cloudasset.googleapis.com/v1/OPERATION_PATH" | Select-Object -Expand Content
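The following Python script is an added example, not code from the Cloud Asset Inventory documentation or its client libraries. It builds an exportAssets body for the REST interface described above, checks it against the limits this page states (RELATIONSHIP with separate tables, the valid partition keys, the 35-day snapshot window), derives the per-asset-type table names, and polls OPERATION_PATH until the operation is done; the helper names, the injectable fetch callback and the sample operation responses are assumptions, while the paths, headers and field names are the ones on this page.

```python
import json
import re
import time
import urllib.request
from datetime import datetime, timedelta, timezone

# Added example, not Cloud Asset Inventory code; helper names are assumptions.
CAI_ENDPOINT = "https://cloudasset.googleapis.com/v1"
VALID_PARTITION_KEYS = ("READ_TIME", "REQUEST_TIME")
RFC3339 = "%Y-%m-%dT%H:%M:%SZ"


def build_export_body(content_type, dataset, table, asset_types=(), read_time=None,
                      separate_tables=False, partition_key=None, force=True):
    """Return the JSON body for POST {CAI_ENDPOINT}/SCOPE_PATH:exportAssets."""
    dest = {"dataset": dataset, "table": table, "force": force}
    if separate_tables:
        dest["separateTablesPerAssetType"] = True
    if partition_key is not None:
        dest["partitionSpec"] = {"partitionKey": partition_key}
    body = {"contentType": content_type, "outputConfig": {"bigqueryDestination": dest}}
    if asset_types:
        body["assetTypes"] = list(asset_types)
    if read_time is not None:  # RFC 3339 string such as "2024-01-30T00:00:00Z"
        body["readTime"] = read_time
    return body


def check_export_body(body, now=None):
    """List the documented limits the body violates (empty list means acceptable)."""
    problems = []
    dest = body["outputConfig"]["bigqueryDestination"]
    if dest.get("separateTablesPerAssetType") and body.get("contentType") == "RELATIONSHIP":
        problems.append("RELATIONSHIP cannot be exported with separateTablesPerAssetType")
    key = dest.get("partitionSpec", {}).get("partitionKey")
    if key is not None and key not in VALID_PARTITION_KEYS:
        problems.append(f"partitionKey {key!r} is not one of {VALID_PARTITION_KEYS}")
    if "readTime" in body:  # the snapshot must be no more than 35 days in the past
        now_dt = datetime.strptime(now or datetime.now(timezone.utc).strftime(RFC3339), RFC3339)
        age = now_dt - datetime.strptime(body["readTime"], RFC3339)
        if age < timedelta(0) or age > timedelta(days=35):
            problems.append("readTime must lie within the past 35 days")
    return problems


def per_asset_type_table(prefix, asset_type):
    """Table created per asset type: prefix + "_" + type, non-alphanumerics become "_"."""
    return prefix + "_" + re.sub(r"[^0-9A-Za-z]", "_", asset_type)


def http_json(url, token, body=None, billing_project=None):
    """Minimal JSON client; `token` is the output of `gcloud auth print-access-token`."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="GET" if data is None else "POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json; charset=utf-8")
    if billing_project:  # the X-Goog-User-Project header from the curl examples
        req.add_header("X-Goog-User-Project", billing_project)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def poll_operation(operation_path, fetch, interval=10.0, max_polls=180):
    """Poll GET /v1/OPERATION_PATH via fetch(url) until `done`; return the operation.
    operation_path is the `name` from the export response, e.g.
    projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_ID."""
    for _ in range(max_polls):
        op = fetch(f"{CAI_ENDPOINT}/{operation_path}")
        if op.get("done"):
            if "error" in op:
                raise RuntimeError(f"export failed: {op['error'].get('message')}")
            return op
        time.sleep(interval)
    raise TimeoutError(f"{operation_path} still running after {max_polls} polls")
```

In production, pass `lambda url: http_json(url, token)` as `fetch`; the 15-minute rule above still applies, so a rejected request to a busy destination should be retried after the running export has completed.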
View the asset snapshot in BigQuery
Console
- Go to the BigQuery Studio page in the Google Cloud console.
- To display the tables and views in the dataset, open the navigation panel. In the Resources section, select your project to expand it, and then select a dataset.
- Select your table from the list.
- Select Details and note the value in Number of rows. You might need this value to control the starting point for your results when using the gcloud CLI or the REST API.
- To view a sample set of data, select Preview.
REST
To browse the table's data, call tabledata.list. Specify the name of your table in the tableId parameter.
You can configure the following optional parameters to control the output.
- maxResults is the maximum number of results to return.
- selectedFields is a comma-separated list of columns to return; if this parameter is not specified, all columns are returned.
- startIndex is the zero-based index of the starting row to read.
The returned values are wrapped in a JSON object that you must parse, as described in the tabledata.list reference documentation.
Query the asset snapshot in BigQuery
After you export a snapshot to BigQuery, you can run queries against the asset metadata.
By default, BigQuery runs interactive (also called on-demand) query jobs, which means the query is executed as soon as possible. Interactive queries count toward your concurrent rate limit and your daily limit.
Query results are saved to either a temporary or a permanent table. You can choose to append to or overwrite data in an existing table, or to create a new table if none exists with the same name.
To run an interactive query that writes its output to a temporary table, complete the following steps.
Console
- Go to the BigQuery Studio page in the Google Cloud console.
- Select Compose new query.
- In the query editor text area, enter a valid BigQuery SQL query.
- Optional: To change the data processing location, complete the following steps.
    - Select More, and then select Query settings.
    - Under Processing location, select Auto-select, and then select your data's location.
    - To update the query settings, select Save.
- Select Run.
REST
- To start a new job, call the jobs.insert method. In the job resource, set the following parameters.
    - In the configuration field, set the query field to a JobConfigurationQuery that describes the BigQuery query job.
    - In the jobReference field, set the location field appropriately for your job.
- To poll for results, call getQueryResults. Poll until jobComplete equals true. You can check for errors and warnings in the errors list.
More SQL query examples
This section provides example SQL queries for analyzing asset metadata after you have exported it to BigQuery. For more information, see Standard SQL query syntax.
Query directly available columns
To find the count of each asset type, run the following query:
SELECT asset_type, COUNT(*) AS asset_count
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME`
GROUP BY asset_type
ORDER BY asset_count DESC
Work with repeated fields
To find Identity and Access Management (IAM) policies that grant access to Gmail accounts, run the following query. BigQuery uses UNNEST to flatten repeated fields into a table that you can query directly:
SELECT name, asset_type, bindings.role
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME`
JOIN UNNEST(iam_policy.bindings) AS bindings
JOIN UNNEST(bindings.members) AS principals
WHERE principals like "%@gmail.com"
To find organizations, folders, or projects that allow creation with public IP addresses, run the following query. This query is useful because allowing public IP addresses for Cloud SQL instances can introduce vulnerabilities unless SSL or a proxy is configured:
SELECT name
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME`
JOIN UNNEST(org_policy) AS op
WHERE
  op.constraint = "constraints/sql.restrictPublicIp"
  AND (op.boolean_policy IS NULL OR op.boolean_policy.enforced = FALSE);
To find organizations, folders, or projects that are within the same VPC Service Controls service perimeter as a project, run the following query:
SELECT service_perimeter.title, service_perimeter.status.resources
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME`
CROSS JOIN UNNEST(service_perimeter.status.resources) as resource
WHERE resource = "projects/PROJECT_ID";
Work with JSON strings
To find open firewall rules, run the following query. Learn more about the JSON functions used in BigQuery.
CREATE TEMP FUNCTION json2array(json STRING)
RETURNS ARRAY<STRING>
LANGUAGE js AS """
  return JSON.parse(json).map(x=>JSON.stringify(x));
""";
SELECT firewall.name, firewall.resource.parent, JSON_EXTRACT(firewall.resource.data, '$.sourceRanges') AS sourceRanges
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME` AS firewall
JOIN UNNEST(json2array(JSON_EXTRACT(firewall.resource.data, '$.sourceRanges'))) AS source_ranges
WHERE asset_type="compute.googleapis.com/Firewall" AND JSON_EXTRACT(firewall.resource.data, '$.sourceRanges') IS NOT NULL AND JSON_EXTRACT_SCALAR(source_ranges, '$') = "0.0.0.0/0"
By exporting to separate tables per asset type, you can find open firewall rules with a simpler and faster query.
SELECT firewall.name, firewall.resource.parent, sourceRanges
FROM `PROJECT_ID.DATASET_ID.STRUCTURED_INSTANCE_TABLE_NAME` AS firewall
JOIN UNNEST(firewall.resource.data.sourceRanges) AS sourceRanges
WHERE sourceRanges = "0.0.0.0/0";
Join tables of different asset types
To join tables of different asset types, run the following query. The following example shows how to find all subnets that have no VMs attached. First, the query finds all subnets. Then, from that list, it selects the subnets whose selfLink value is not present in any instance's network interfaces.
CREATE TEMP FUNCTION json2array(json STRING)
RETURNS ARRAY<STRING>
LANGUAGE js AS """
  return JSON.parse(json).map(x=>JSON.stringify(x));
""";
SELECT name, JSON_EXTRACT(subnetwork.resource.data, '$.selfLink') AS selflink
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME` AS subnetwork
WHERE asset_type = "compute.googleapis.com/Subnetwork" AND (JSON_EXTRACT(subnetwork.resource.data, '$.selfLink') NOT IN
(SELECT DISTINCT JSON_EXTRACT(network_interfaces, '$.subnetwork')
FROM `PROJECT_ID.DATASET_ID.TABLE_NAME` as instance
JOIN UNNEST(json2array(JSON_EXTRACT(instance.resource.data, '$.networkInterfaces'))) AS network_interfaces
WHERE asset_type ="compute.googleapis.com/Instance"
AND JSON_EXTRACT(instance.resource.data, '$.networkInterfaces') IS NOT NULL
)) IS NULL
By exporting to separate tables per asset type, you can use a simpler and faster query to find all subnets that have no VMs attached.
SELECT name, subnetwork.resource.data.selfLink
FROM `PROJECT_ID.DATASET_ID.STRUCTURED_SUBNETWORK_TABLE_NAME` AS subnetwork
WHERE
  (
    subnetwork.resource.data.selfLink
      NOT IN (
        SELECT DISTINCT networkInterface.subnetwork
        FROM `PROJECT_ID.DATASET_ID.STRUCTURED_INSTANCE_TABLE_NAME` as instance
        JOIN
          UNNEST(instance.resource.data.networkInterfaces) AS networkInterface
        WHERE
          networkInterface IS NOT NULL
      )
  ) IS NULL;
Find Dataproc clusters that are vulnerable to CVE-2021-44228
CREATE TEMP FUNCTION vulnerable_version(imageVersion STRING)
RETURNS BOOL
LANGUAGE js AS r"""
    const version_regexp = /(?<major>\d+)(?:\.)(?<minor>\d+)(?:\.)?(?<sub>\d+)?/g;
    let match = version_regexp.exec(imageVersion);
    if(match.groups.major < 1){
        return true;
    }
    if (match.groups.major == 1){
        if (match.groups.minor < 3){
            return true;
        }
        if(match.groups.minor == 3 && match.groups.sub < 95){
            return true;
        }
        if(match.groups.minor == 4 && match.groups.sub < 77){
            return true;
        }
        if(match.groups.minor == 5 && match.groups.sub < 53){
            return true;
        }
    }
    if (match.groups.major == 2 && match.groups.minor == 0 && match.groups.sub < 27){
        return true;
    }
    return false;
""";
SELECT
  c.name,
  c.resource.data.projectId AS project_id,
  c.resource.data.clusterName AS cluster_name,
  c.resource.data.config.softwareConfig.imageVersion AS image_version,
  c.resource.data.status.state AS cluster_state,
  vulnerable_version(c.resource.data.config.softwareConfig.imageVersion) AS is_vulnerable
FROM
  `PROJECT_ID.DATASET_ID.TABLE_NAME_PREFIX_dataproc_googleapis_com_Cluster` c
  INNER JOIN `PROJECT_ID.DATASET_ID.TABLE_NAME_PREFIX_cloudresourcemanager_googleapis_com_Project` p
    ON p.resource.data.projectId = c.resource.data.projectId
WHERE
  c.resource.data.config.softwareConfig.imageVersion IS NOT NULL
  AND c.resource.data.status.state = "RUNNING"
  AND p.resource.data.lifecycleState = "ACTIVE";