Export and import resources to Config Connector
This page describes the config-connector export command and how to use it to
export Google Cloud resources into YAML files,
which you can subsequently import into Config Connector. If you already have access to the resource's YAML file,
follow the steps in Managing and deleting resources
to acquire the resource instead.
Limitations
Not all resources support the export command. To get a list of supported
resources, run config-connector print-resources.
Before you begin
- Install the config-connectorCLI tool.
- To simplify commands, set your default namespace by running the following command:
kubectl config set-context --current --namespace NAMESPACE_NAME NAMESPACE_NAMEwith your namespace name.
- Get the full resource name for the resource that you want to export.
If you don't know the resource's full name, you might be able to find it with one of the following methods:
- Use Cloud Asset Inventory to search for a resource.
- Use the describeorlistcommand for the resource, for examplegcloud pubsub topics describe sample-topic --format "value(name)".
- Check the resource's product documentation for a guide on getting the resource ID, for example Getting a Cloud Key Management Service resource ID.
 
Export a resource
You can use the config-connector CLI tool to export an existing resource into a YAML file.
To export a resource into a YAML file, run the following command:
config-connector export RESOURCE_ID
Replace RESOURCE_ID with the full name of the resource that you want to export.
The command outputs the resource in YAML format that can be used by Config Connector. The output should resemble the following example:
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: my-example-project
  name: sample-topic
Import a resource into Config Connector
After you have the YAML file for the resource that you want Config Connector to acquire, complete the following steps:
- Pass your resource into Config Connector by running the following command: - config-connector export RESOURCE_ID | kubectl apply -f - --namespace NAMESPACE- Replace - NAMESPACEwith the namespace that Config Connector manages resources from.
- Confirm that Config Connector is managing the resource by running the following command: - kubectl describe RESOURCE_TYPE RESOURCE_NAME- Replace the following: - RESOURCE_TYPE: the resource type, for example- pubsubtopic.
- RESOURCE_NAME: the resource name. This doesn't have to be the full resource name.
 
After Config Connector acquires the resource, you can manage that resource by following the steps in Managing and deleting resources.
config-connector CLI tool optional fields
When running the config-connector export command, you can pass the
following optional fields:
config-connector export RESOURCE_NAME \
    --output FILENAME \
    --oauth2-token TOKEN \
    --iam-format [policy | policymember | none] \
    --filter-deleted-iam-members [true | false] \
    --verbose
- --output: An optional output path that disables standard output. When a file, the result contains all the command output; when a directory, the directory contains a new file for each resource in the output.
- --oauth2-token: An OAUTH2 token as the Google Cloud identity. By default,- config-connectoruses the Google Cloud CLI default credentials.
- --iam-format: Specifies the kind of IAM resources output with your export. Options are- policy(default),- policymember, or- none.
- --filter-deleted-iam-members: Specifies whether to filter out deleted IAM principals. Options are- trueor- false. The default value is- false.
- --verbose: Enables verbose logging.
What's next
- Read about how Config Connector acquires existing Google Cloud resources.
- Learn about the resources that Config Connector supports.