Cloud Asset Inventory is a global metadata inventory service that lets you view, search, export, monitor, and analyze your Google Cloud asset metadata, with up to 35 days of create, update, and delete history. Assets that haven't changed in the past 35 days report their latest status.
Asset metadata can come from the following places:
Google Cloud resources, such as Compute Engine VM instances, Cloud Storage buckets, and App Engine instances.
Policies set on Google Cloud resources, such as IAM policies, organization policies, and Access Context Manager policies.
Runtime information from OS inventory management.
Here's how you can work with your assets:
List your assets and their relationships in a particular project, folder, or organization, and get asset history up to 35 days in the past.
Search for your resources and their IAM allow policies using a custom query language, or query your assets with BigQuery SQL.
Export your asset metadata to BigQuery or Cloud Storage.
Analyze what would happen if a resource was moved to another project.
Analyze your IAM and organization policies on resources, and view your effective IAM policies on resources to see who has access to what.
Monitor your assets for changes by setting up and subscribing to a feed.
Generate insights from your assets to help improve your security posture.
Asset types, asset names, and content types
Cloud Asset Inventory offers multiple methods to interact with your assets. Depending on the method you use and the response detail you want, you might need to specify asset types, asset names, and content types in your requests.
Asset types
Some Cloud Asset Inventory methods return results based on asset types. Asset types include Google Cloud resources, policies, OS inventory runtime information, and relationships. The available asset types and the Cloud Asset Inventory methods that support them are detailed in Asset types.
Asset names
Some Cloud Asset Inventory methods return results based on asset names. When specifying an asset name, you must use its full resource name. See Asset names for a list of full resource names.
Content types
You can request additional metadata on a resource by specifying a metadata content type. If you don't specify a content type, then only a basic response is returned, containing information such as the asset name, the last time it was updated, and what projects, folders, and organizations it belongs to.
Content type names differ depending on how you interact with Cloud Asset Inventory. The RPC and REST API names are the same. However, the gcloud CLI content type names follow a different pattern. For consistency and ease of explanation, the rest of this documentation refers to content types by their RPC and REST names.
The following table details the content types and their descriptions:
| Content type (RPC and REST name) | Content type (gcloud CLI name) | Description |
|---|---|---|
| ACCESS_POLICY | access-policy | The Access Context Manager policy set on an asset. |
| IAM_POLICY | iam-policy | The IAM policy metadata binding to the resource. |
| ORG_POLICY | org-policy | The organization policy metadata set on an asset. This content type outputs legacy organization policy v1. For organization policy v2, try the resource content type and a resource type of orgpolicy.googleapis.com/Policy. |
| OS_INVENTORY | os-inventory | The runtime OS inventory information. To enable OS inventory, complete the relevant steps in Set up VM Manager. |
| RELATIONSHIP | relationship | Requires access to the Security Command Center Premium or Enterprise tier, or Gemini Cloud Assist. Many Google Cloud assets are connected to each other by relationships. For example, a Compute instance group can contain a Compute instance, or a GKE cluster can contain a node. Relationship data is available from May 30th, 2022. A relationship might have its own update timestamp, because it might be inferred at a different time than the source asset updates. See Relationship types for a list of the supported relationships. |
| RESOURCE | resource | The resource's metadata. |
How responses change with content type
The following examples show how responses change when listing VM instances in a project through Cloud Asset Inventory with different content types.
No content type
If you specify no content type when listing VM instances, you receive only the instance names, the last time they were updated, and what projects, folders, and organizations they belong to.
```yaml
---
ancestors:
- projects/PROJECT_NUMBER
- folders/FOLDER_NUMBER
- organizations/ORGANIZATION_ID
assetType: compute.googleapis.com/Instance
name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME
updateTime: '2023-11-15T12:28:30.087825Z'
```
IAM_POLICY content type
If you specify the IAM_POLICY content type, you also receive the IAM bindings on the VM, if there are any.
```yaml
---
ancestors:
- projects/PROJECT_NUMBER
- folders/FOLDER_NUMBER
- organizations/ORGANIZATION_ID
assetType: compute.googleapis.com/Instance
iamPolicy:
  bindings:
  - members:
    - user:USER_EMAIL_ADDRESS
    role: roles/compute.securityAdmin
  etag: ETAG
name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME
updateTime: '2023-12-19T23:35:42.673842Z'
```
RESOURCE content type
If you specify the RESOURCE content type, you also receive all the metadata associated with the VM.
```yaml
---
ancestors:
- projects/PROJECT_NUMBER
- folders/FOLDER_NUMBER
- organizations/ORGANIZATION_ID
assetType: compute.googleapis.com/Instance
name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME
resource:
  data:
    allocationAffinity:
      consumeAllocationType: ANY_ALLOCATION
    canIpForward: false
    confidentialInstanceConfig:
      enableConfidentialCompute: true
    cpuPlatform: AMD Rome
    creationTimestamp: '2023-11-14T14:35:37.059-08:00'
    deletionProtection: false
    description: ''
    disks:
    - architecture: X86_64
      autoDelete: true
      boot: true
      deviceName: INSTANCE_NAME
      diskSizeGb: '10'
      guestOsFeatures:
      - type: VIRTIO_SCSI_MULTIQUEUE
      - type: SEV_CAPABLE
      - type: SEV_SNP_CAPABLE
      - type: SEV_LIVE_MIGRATABLE
      - type: UEFI_COMPATIBLE
      - type: GVNIC
      index: 0
      interface: NVME
      licenses:
      - https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/licenses/ubuntu-2004-lts
      mode: READ_WRITE
      shieldedInstanceInitialState:
        dbx:
        - content: DATA
          fileType: BIN
        dbxs:
        - content: DATA
          fileType: BIN
      source: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks/INSTANCE_NAME
      type: PERSISTENT
    displayDevice:
      enableDisplay: false
    fingerprint: FINGERPRINT
    id: 'ID'
    keyRevocationActionType: NONE_ON_KEY_REVOCATION
    labelFingerprint: LABEL_FINGERPRINT
    lastStartTimestamp: '2023-11-15T04:28:30.005-08:00'
    machineType: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/machineTypes/n2d-standard-2
    name: INSTANCE_NAME
    networkInterfaces:
    - accessConfigs:
      - name: External NAT
        natIP: 34.27.105.222
        networkTier: PREMIUM
        type: ONE_TO_ONE_NAT
      fingerprint: jKU51FdTluk=
      name: nic0
      network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default
      networkIP: 10.128.15.212
      nicType: GVNIC
      stackType: IPV4_ONLY
      subnetwork: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/default
    reservationAffinity:
      consumeReservationType: ANY_ALLOCATION
    resourceStatus: {}
    scheduling:
      automaticRestart: true
      onHostMaintenance: TERMINATE
      preemptible: false
      provisioningModel: STANDARD
    selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME
    serviceAccounts:
    - email: PROJECT_NUMBER-compute@developer.gserviceaccount.com
      scopes:
      - https://www.googleapis.com/auth/devstorage.read_only
      - https://www.googleapis.com/auth/logging.write
      - https://www.googleapis.com/auth/monitoring.write
      - https://www.googleapis.com/auth/servicecontrol
      - https://www.googleapis.com/auth/service.management.readonly
      - https://www.googleapis.com/auth/trace.append
    shieldedInstanceConfig:
      enableIntegrityMonitoring: true
      enableSecureBoot: false
      enableVtpm: true
    shieldedInstanceIntegrityPolicy:
      updateAutoLearnPolicy: true
    startRestricted: false
    status: RUNNING
    tags:
      fingerprint: FINGERPRINT
    zone: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE
  discoveryDocumentUri: https://www.googleapis.com/discovery/v1/apis/compute/v1/rest
  discoveryName: Instance
  location: ZONE
  parent: //cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER
  version: v1
updateTime: '2023-11-15T12:28:30.087825Z'
```
RELATIONSHIP content type
Relationships require access to the Security Command Center Premium or Enterprise tier, or Gemini Cloud Assist.
If you specify the RELATIONSHIP content type, you also receive metadata associated with the VM instance's related assets.
```yaml
---
ancestors:
- projects/PROJECT_NUMBER
- folders/FOLDER_NUMBER
- organizations/ORGANIZATION_ID
assetType: compute.googleapis.com/Instance
name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME
relatedAsset:
  ancestors:
  - projects/PROJECT_NUMBER
  - folders/FOLDER_NUMBER
  - organizations/ORGANIZATION_ID
  asset: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/disks/INSTANCE_NAME
  assetType: compute.googleapis.com/Disk
  relationshipType: COMPUTE_INSTANCE_USE_DISK
updateTime: '2023-12-19T23:35:42.673842Z'
```
When using the RELATIONSHIP content type, instead of requesting all relationships, you can request specific relationship types.
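The examples above show that each content type places its payload in a different field of the same asset record: `resource.data` for RESOURCE, `iamPolicy.bindings` for IAM_POLICY, and `relatedAsset` for RELATIONSHIP. The following script, an added example that is not part of the Google documentation or any Google library, shows how a defender would fold records of all three kinds into a short posture report: instances with external NAT addresses, instances whose Shielded VM configuration leaves Secure Boot off, a member-to-role map answering "who has access to what", and the relationship edges. The records are constructed inline in the REST JSON shape of the YAML responses above (same field names); the instance names, e-mail addresses, `roles/compute.osLogin` binding and the 203.0.113.10 address are placeholders chosen for the example.

```python
"""Posture checks over Cloud Asset Inventory records.

Added example; not Google's code. Input records use the REST JSON form of
the gcloud YAML responses shown above (the field names are identical).
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

INSTANCE = "compute.googleapis.com/Instance"
WEB = "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/web-1"
DB = "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/db-1"
ANCESTORS = ["projects/PROJECT_NUMBER", "folders/FOLDER_NUMBER", "organizations/ORGANIZATION_ID"]

# Constructed sample: a RESOURCE record per instance, plus one IAM_POLICY and
# one RELATIONSHIP record for web-1. Names, e-mail addresses and 203.0.113.10
# (a documentation-only address range) are placeholders, not real assets.
SAMPLE_ASSETS = [
    {"name": WEB, "assetType": INSTANCE, "ancestors": ANCESTORS,
     "updateTime": "2023-11-15T12:28:30.087825Z",
     "resource": {"version": "v1", "data": {
         "name": "web-1", "status": "RUNNING",
         "networkInterfaces": [{"name": "nic0", "networkIP": "10.128.15.212",
             "accessConfigs": [{"name": "External NAT", "natIP": "203.0.113.10",
                                "type": "ONE_TO_ONE_NAT"}]}],
         "shieldedInstanceConfig": {"enableIntegrityMonitoring": True,
                                    "enableSecureBoot": False, "enableVtpm": True}}}},
    {"name": DB, "assetType": INSTANCE, "ancestors": ANCESTORS,
     "updateTime": "2023-11-15T12:30:00.000000Z",
     "resource": {"version": "v1", "data": {
         "name": "db-1", "status": "RUNNING",
         "networkInterfaces": [{"name": "nic0", "networkIP": "10.128.15.213"}],
         "shieldedInstanceConfig": {"enableIntegrityMonitoring": True,
                                    "enableSecureBoot": True, "enableVtpm": True}}}},
    {"name": WEB, "assetType": INSTANCE, "ancestors": ANCESTORS,
     "updateTime": "2023-12-19T23:35:42.673842Z",
     "iamPolicy": {"etag": "ETAG", "bindings": [
         {"role": "roles/compute.securityAdmin", "members": ["user:alice@example.com"]},
         {"role": "roles/compute.osLogin",
          "members": ["user:alice@example.com", "group:ops@example.com"]}]}},
    {"name": WEB, "assetType": INSTANCE, "ancestors": ANCESTORS,
     "updateTime": "2023-12-19T23:35:42.673842Z",
     "relatedAsset": {"asset": WEB.replace("/instances/", "/disks/"),
                      "assetType": "compute.googleapis.com/Disk",
                      "relationshipType": "COMPUTE_INSTANCE_USE_DISK",
                      "ancestors": ANCESTORS}},
]


def content_type_of(asset: dict) -> Optional[str]:
    """Infer the content type that produced a record from the field it carries.
    A record with none of these fields is the basic (no content type) response."""
    for field, ctype in (("resource", "RESOURCE"), ("iamPolicy", "IAM_POLICY"),
                         ("relatedAsset", "RELATIONSHIP")):
        if field in asset:
            return ctype
    return None


def instance_records(assets: List[dict]) -> List[dict]:
    """RESOURCE records for VM instances; other content types carry no resource.data."""
    return [a for a in assets if a.get("assetType") == INSTANCE and "resource" in a]


def instances_with_external_ips(assets: List[dict]) -> List[Tuple[str, str]]:
    """(instance name, natIP) for every interface that has an external access config."""
    hits = []
    for a in instance_records(assets):
        data = a["resource"]["data"]
        for nic in data.get("networkInterfaces", []):
            for cfg in nic.get("accessConfigs", []):
                if cfg.get("natIP"):
                    hits.append((data["name"], cfg["natIP"]))
    return hits


def instances_without_secure_boot(assets: List[dict]) -> List[str]:
    """Instances whose Shielded VM config does not enable Secure Boot (absent counts as off)."""
    return [a["resource"]["data"]["name"] for a in instance_records(assets)
            if not a["resource"]["data"].get("shieldedInstanceConfig", {}).get("enableSecureBoot")]


def access_by_member(assets: List[dict]) -> Dict[str, Set[Tuple[str, str]]]:
    """Fold IAM_POLICY records into member -> {(role, asset name)}: who has what, where."""
    out: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for a in assets:
        for binding in a.get("iamPolicy", {}).get("bindings", []):
            for member in binding.get("members", []):
                out[member].add((binding["role"], a["name"]))
    return dict(out)


def relationship_edges(assets: List[dict]) -> List[Tuple[str, str, str]]:
    """RELATIONSHIP records as (source asset, relationshipType, related asset) edges."""
    return [(a["name"], a["relatedAsset"]["relationshipType"], a["relatedAsset"]["asset"])
            for a in assets if "relatedAsset" in a]


if __name__ == "__main__":
    print("content types:", [content_type_of(a) for a in SAMPLE_ASSETS])
    print("external IPs:", instances_with_external_ips(SAMPLE_ASSETS))
    print("Secure Boot off:", instances_without_secure_boot(SAMPLE_ASSETS))
    for member, grants in sorted(access_by_member(SAMPLE_ASSETS).items()):
        print(member, "->", sorted(grants))
    print("edges:", relationship_edges(SAMPLE_ASSETS))
```

Because the IAM_POLICY and RELATIONSHIP records for an asset share its `name` with the RESOURCE record, the three views join on that full resource name; in a real export the same join lets you attach the bindings and relationships to each instance's configuration before deciding what to alert on.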
Data freshness
Cloud Asset Inventory provides eventual consistency on current data and best-effort consistency on historical data. While rare, it's possible that Cloud Asset Inventory can miss some data updates.
Unless noted in the resource types table, almost all asset updates are available in minutes.