Analyzes the assets (Google Cloud resources or IAM policies) governed by organization policies under a scope. This RPC supports custom constraints and the following canned constraints:
- constraints/ainotebooks.accessMode
- constraints/ainotebooks.disableFileDownloads
- constraints/ainotebooks.disableRootAccess
- constraints/ainotebooks.disableTerminal
- constraints/ainotebooks.environmentOptions
- constraints/ainotebooks.requireAutoUpgradeSchedule
- constraints/ainotebooks.restrictVpcNetworks
- constraints/compute.disableGuestAttributesAccess
- constraints/compute.disableInstanceDataAccessApis
- constraints/compute.disableNestedVirtualization
- constraints/compute.disableSerialPortAccess
- constraints/compute.disableSerialPortLogging
- constraints/compute.disableVpcExternalIpv6
- constraints/compute.requireOsLogin
- constraints/compute.requireShieldedVm
- constraints/compute.restrictLoadBalancerCreationForTypes
- constraints/compute.restrictProtocolForwardingCreationForTypes
- constraints/compute.restrictXpnProjectLienRemoval
- constraints/compute.setNewProjectDefaultToZonalDNSOnly
- constraints/compute.skipDefaultNetworkCreation
- constraints/compute.trustedImageProjects
- constraints/compute.vmCanIpForward
- constraints/compute.vmExternalIpAccess
- constraints/gcp.detailedAuditLoggingMode
- constraints/gcp.resourceLocations
- constraints/iam.allowedPolicyMemberDomains
- constraints/iam.automaticIamGrantsForDefaultServiceAccounts
- constraints/iam.disableServiceAccountCreation
- constraints/iam.disableServiceAccountKeyCreation
- constraints/iam.disableServiceAccountKeyUpload
- constraints/iam.restrictCrossProjectServiceAccountLienRemoval
- constraints/iam.serviceAccountKeyExpiryHours
- constraints/resourcemanager.accessBoundaries
- constraints/resourcemanager.allowedExportDestinations
- constraints/sql.restrictAuthorizedNetworks
- constraints/sql.restrictNoncompliantDiagnosticDataAccess
- constraints/sql.restrictNoncompliantResourceCreation
- constraints/sql.restrictPublicIp
- constraints/storage.publicAccessPrevention
- constraints/storage.restrictAuthTypes
- constraints/storage.uniformBucketLevelAccess
This RPC only returns resources of types supported by the search APIs, or IAM policies.
HTTP request
GET https://cloudasset.googleapis.com/v1/{scope=*/*}:analyzeOrgPolicyGovernedAssets
The URL uses gRPC Transcoding syntax.
Path parameters
| Parameters | |
|---|---|
| scope | Required. The organization to scope the request. Only organization policies within the scope will be analyzed. The output assets will also be limited to the ones governed by those in-scope organization policies. Authorization requires one or more of the following IAM permissions on the specified resource |
Query parameters
| Parameters | |
|---|---|
| constraint | Required. The name of the constraint to analyze governed assets for. The analysis only contains analyzed organization policies for the provided constraint. |
| filter | The expression to filter  For governed resources, filtering is currently available for bare literal values and the following fields: `governedResource.project`, `governedResource.folders`, `consolidatedPolicy.rules.enforce`. When filtering by  For governed IAM policies, filtering is currently available for bare literal values and the following fields: `governedIamPolicy.project`, `governedIamPolicy.folders`, `consolidatedPolicy.rules.enforce`. When filtering by  |
| pageToken | The pagination token to retrieve the next page. |
| pageSize | The maximum number of items to return per page. If unspecified,  |
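The request shape above (an organization-scoped GET with `constraint`, optional `filter`, `pageSize` and `pageToken`) is easy to get subtly wrong, in particular the `*/*` scope pattern and the pagination loop. The following is an added example, not Google's client library and not code from this page: it builds the URL from the documented parameters, pages through results until `nextPageToken` is absent, and runs offline against constructed sample pages. The `fetch_json` callable is an assumption that stands in for an authenticated GET; the organization number, constraint choice and resource names in the sample are constructed.

```python
"""Request construction and pagination for analyzeOrgPolicyGovernedAssets.

Added example; this is not Google's client library or any code from the page.
The HTTP transport is abstracted as a `fetch_json(url) -> dict` callable so the
logic runs offline against constructed pages. In real use, pass a function that
performs an authenticated GET (an OAuth access token carrying the
https://www.googleapis.com/auth/cloud-platform scope) and decodes the JSON body.
"""
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://cloudasset.googleapis.com/v1"


def build_url(scope: str, constraint: str, filter_expr: Optional[str] = None,
              page_size: Optional[int] = None, page_token: Optional[str] = None) -> str:
    """Build the URL for GET {scope=*/*}:analyzeOrgPolicyGovernedAssets.

    The path pattern */* is checked locally so a malformed scope fails before
    any network call; the query parameters are the ones listed on the page.
    """
    parts = scope.split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"scope must match */* (e.g. organizations/123), got {scope!r}")
    if not constraint.startswith("constraints/"):
        raise ValueError(f"constraint must be a constraints/... name, got {constraint!r}")
    params: Dict[str, str] = {"constraint": constraint}
    if filter_expr:
        params["filter"] = filter_expr
    if page_size is not None:
        params["pageSize"] = str(page_size)
    if page_token:
        params["pageToken"] = page_token
    return f"{BASE_URL}/{scope}:analyzeOrgPolicyGovernedAssets?{urlencode(params)}"


def iter_governed_assets(fetch_json: Callable[[str], dict], scope: str, constraint: str,
                         filter_expr: Optional[str] = None,
                         page_size: Optional[int] = None) -> Iterator[dict]:
    """Yield every GovernedAsset, following nextPageToken until the server omits it."""
    token: Optional[str] = None
    seen_tokens = set()
    while True:
        page = fetch_json(build_url(scope, constraint, filter_expr, page_size, token))
        for asset in page.get("governedAssets", []):
            yield asset
        token = page.get("nextPageToken")
        if not token:
            return
        if token in seen_tokens:  # defensive: a repeated token would otherwise loop forever
            raise RuntimeError(f"server repeated nextPageToken {token!r}")
        seen_tokens.add(token)


# Constructed sample pages keyed by the pageToken that requests them (not real API output).
_SAMPLE_PAGES: Dict[Optional[str], dict] = {
    None: {
        "governedAssets": [{"governedResource": {
            "fullResourceName": "//compute.googleapis.com/projects/example-prod/zones/us-central1-a/instances/vm-1"}}],
        "nextPageToken": "tok-2",
    },
    "tok-2": {
        "governedAssets": [{"governedResource": {
            "fullResourceName": "//compute.googleapis.com/projects/example-prod/zones/us-central1-a/instances/vm-2"}}],
    },
}


def _sample_fetch(url: str) -> dict:
    """Stand-in transport: serve the constructed page named by the URL's pageToken."""
    token = parse_qs(urlparse(url).query).get("pageToken", [None])[0]
    return _SAMPLE_PAGES[token]


def list_governed_resource_names(fetch_json: Callable[[str], dict] = _sample_fetch) -> List[str]:
    """Collect fullResourceName of every governed resource for one constraint under one org."""
    return [
        asset["governedResource"]["fullResourceName"]
        for asset in iter_governed_assets(
            fetch_json, "organizations/123456789012", "constraints/compute.requireOsLogin", page_size=1)
        if "governedResource" in asset
    ]


if __name__ == "__main__":
    print(build_url("organizations/123456789012", "constraints/compute.requireOsLogin", page_size=1))
    for name in list_governed_resource_names():
        print(name)
```

The repeated-token guard is there because a paging loop that trusts `nextPageToken` unconditionally has no upper bound; the scope check mirrors the `*/*` path pattern so a project-scoped call is rejected client-side rather than by the service.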
Request body
The request body must be empty.
Response body
The response message for AssetService.AnalyzeOrgPolicyGovernedAssets.
If successful, the response body contains data with the following structure:
| JSON representation | 
|---|
| { "governedAssets": [ { object ( | 
| Fields | |
|---|---|
| governedAssets[] | The list of the analyzed governed assets. |
| constraint | The definition of the constraint in the request. |
| nextPageToken | The page token to fetch the next page for  |
Authorization scopes
Requires the following OAuth scope:
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
GovernedAsset
Represents a Google Cloud asset (resource or IAM policy) governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.
| JSON representation | 
|---|
| { "consolidatedPolicy": { object ( | 
| Fields | |
|---|---|
| consolidatedPolicy | The consolidated policy for the analyzed asset. The consolidated policy is computed by merging and evaluating  |
| policyBundle[] | The ordered list of all organization policies from the  If the constraint is defined with default policy, it will also appear in the list. |
| Union field  | |
| governedResource | A Google Cloud resource governed by the organization policies of the  |
| governedIamPolicy | An IAM policy governed by the organization policies of the  |
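A consumer of this response has to handle two things the table above describes: the union field (exactly one of `governedResource` or `governedIamPolicy` is set per asset) and the `consolidatedPolicy`, whose `rules[].enforce` value is what the page exposes for filtering. The following added example, not Google's code, triages a constructed response into findings and lists the assets where the consolidated policy is not enforced. It assumes each `policyBundle` entry carries an `attachedResource` field naming where that policy is set; the sample mixes both union variants only to exercise both branches, and its project numbers, resource names and bindings are constructed.

```python
"""Triage of GovernedAsset entries: the union field and consolidatedPolicy.rules.enforce.

Added example, not Google's code and not code from the page. Assumptions: each
GovernedAsset carries consolidatedPolicy (with rules[] whose `enforce` is a boolean
for boolean constraints), policyBundle[] (each entry assumed to have an
`attachedResource` naming where that policy is set), and exactly one of
governedResource / governedIamPolicy. SAMPLE_RESPONSE below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    kind: str                  # "resource" or "iamPolicy" (which union member was set)
    name: str                  # fullResourceName or attachedResource
    project: Optional[str]     # projects/{PROJECT_NUMBER} when the asset belongs to a project
    enforced: Optional[bool]   # consolidated enforce value; None if no rule states one
    policy_sources: List[str]  # attachedResource of each policyBundle entry, in order


def rule_enforced(consolidated: dict) -> Optional[bool]:
    """Return the boolean `enforce` decision of a consolidated policy, if it states one."""
    values = [r["enforce"] for r in consolidated.get("rules", []) if "enforce" in r]
    if not values:
        return None  # no boolean rule: list constraint, or nothing set for this asset
    if len(set(values)) > 1:
        raise ValueError("consolidated policy carries contradictory enforce values")
    return values[0]


def triage(response: dict) -> List[Finding]:
    """Turn governedAssets[] into Findings, validating the union field on the way."""
    findings: List[Finding] = []
    for asset in response.get("governedAssets", []):
        has_res, has_iam = "governedResource" in asset, "governedIamPolicy" in asset
        if has_res == has_iam:  # both set or neither set violates the union field
            raise ValueError("GovernedAsset must set exactly one of governedResource/governedIamPolicy")
        if has_res:
            g = asset["governedResource"]
            kind, name = "resource", g["fullResourceName"]
        else:
            g = asset["governedIamPolicy"]
            kind, name = "iamPolicy", g["attachedResource"]
        findings.append(Finding(
            kind=kind,
            name=name,
            project=g.get("project"),
            enforced=rule_enforced(asset.get("consolidatedPolicy", {})),
            policy_sources=[p.get("attachedResource", "?") for p in asset.get("policyBundle", [])],
        ))
    return findings


def not_enforced(findings: List[Finding]) -> List[str]:
    """Names of assets whose consolidated policy explicitly does not enforce the constraint."""
    return [f.name for f in findings if f.enforced is False]


ORG = "organizations/123456789012"  # constructed

# Constructed response; not real API output. The second asset is not enforced because a
# project-level policy overrides the organization-level one in its bundle.
SAMPLE_RESPONSE = {
    "governedAssets": [
        {
            "consolidatedPolicy": {"attachedResource": ORG, "rules": [{"enforce": True}]},
            "policyBundle": [{"attachedResource": ORG, "rules": [{"enforce": True}]}],
            "governedResource": {
                "fullResourceName": "//compute.googleapis.com/projects/example-prod/zones/us-central1-a/instances/vm-1",
                "project": "projects/111111111111",
                "assetType": "compute.googleapis.com/Instance",
            },
        },
        {
            "consolidatedPolicy": {"attachedResource": "projects/222222222222", "rules": [{"enforce": False}]},
            "policyBundle": [
                {"attachedResource": ORG, "rules": [{"enforce": True}]},
                {"attachedResource": "projects/222222222222", "rules": [{"enforce": False}]},
            ],
            "governedResource": {
                "fullResourceName": "//compute.googleapis.com/projects/example-dev/zones/us-central1-a/instances/vm-2",
                "project": "projects/222222222222",
                "assetType": "compute.googleapis.com/Instance",
            },
        },
        {
            "consolidatedPolicy": {"attachedResource": ORG, "rules": [{"enforce": True}]},
            "policyBundle": [{"attachedResource": ORG, "rules": [{"enforce": True}]}],
            "governedIamPolicy": {
                "attachedResource": "//cloudresourcemanager.googleapis.com/projects/111111111111",
                "project": "projects/111111111111",
                "policy": {"bindings": [{"role": "roles/viewer", "members": ["group:sec-audit@example.com"]}]},
            },
        },
    ],
}

if __name__ == "__main__":
    for f in triage(SAMPLE_RESPONSE):
        print(f.kind, f.name, f.enforced, "<-", " > ".join(f.policy_sources))
    print("not enforced:", not_enforced(SAMPLE_RESPONSE and triage(SAMPLE_RESPONSE)))
```

Keeping `policy_sources` in order is what makes a finding actionable: it shows which level of the hierarchy introduced the weaker policy, which is the question an auditor asks before anything else.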
GovernedResource
The Google Cloud resources governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.
| JSON representation | 
|---|
| { "fullResourceName": string, "parent": string, "project": string, "folders": [ string ], "organization": string, "assetType": string, "effectiveTags": [ { object ( | 
| Fields | |
|---|---|
| fullResourceName | The full resource name of the Google Cloud resource. |
| parent | The full resource name of the parent of  |
| project | The project that this resource belongs to, in the format of projects/{PROJECT_NUMBER}. This field is available when the resource belongs to a project. |
| folders[] | The folder(s) that this resource belongs to, in the format of folders/{FOLDER_NUMBER}. This field is available when the resource belongs (directly or cascadingly) to one or more folders. |
| organization | The organization that this resource belongs to, in the format of organizations/{ORGANIZATION_NUMBER}. This field is available when the resource belongs (directly or cascadingly) to an organization. |
| assetType | The asset type of the  |
| effectiveTags[] | The effective tags on this resource. |
GovernedIamPolicy
The IAM policies governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.
| JSON representation | 
|---|
| { "attachedResource": string, "policy": { object ( | 
| Fields | |
|---|---|
| attachedResource | The full resource name of the resource on which this IAM policy is set. Example:  |
| policy | The IAM policy directly set on the given resource. |
| project | The project that this IAM policy belongs to, in the format of projects/{PROJECT_NUMBER}. This field is available when the IAM policy belongs to a project. |
| folders[] | The folder(s) that this IAM policy belongs to, in the format of folders/{FOLDER_NUMBER}. This field is available when the IAM policy belongs (directly or cascadingly) to one or more folders. |
| organization | The organization that this IAM policy belongs to, in the format of organizations/{ORGANIZATION_NUMBER}. This field is available when the IAM policy belongs (directly or cascadingly) to an organization. |
| assetType | The asset type of the  |