Access control with IAM

This page describes the access control options available to you for the Cloud Asset API.

Overview

Cloud Asset Inventory uses Identity and Access Management (IAM) for access control.

In the Cloud Asset API, access control can be configured at the project level or organization level. For example, you can grant access to all Cloud Asset Inventory resources in a project to a group of developers.

For a detailed description of IAM and its features, see the IAM documentation. In particular, see its Manage access to projects, folders, and organizations section.

Permissions and roles

Every Cloud Asset Inventory API method requires the caller to have the necessary permissions. This section summarizes Cloud Asset API permissions and roles that IAM supports.

Required permissions

The following table lists the permissions that the caller must have to call each API method in the Cloud Asset API, or to perform the equivalent tasks with Google Cloud tools that use the API, such as the Google Cloud console or the Google Cloud CLI. Where a row lists several permissions joined with "and", all of them are required; where it says "based on the content_type", the required permission is the one that matches the content_type of the request.

Permission | API methods
cloudasset.assets.searchAllResources | *.searchAllResources
cloudasset.assets.searchAllIamPolicies | *.searchAllIamPolicies
cloudasset.assets.analyzeIamPolicy, cloudasset.assets.searchAllResources and cloudasset.assets.searchAllIamPolicies | *.analyzeIamPolicy, *.analyzeIamPolicyLongrunning, *.batchGetEffectiveIamPolicies
cloudasset.assets.analyzeOrgPolicy and cloudasset.assets.searchAllResources | *.analyzeOrgPolicies, *.analyzeOrgPolicyGovernedContainers
cloudasset.assets.analyzeOrgPolicy, cloudasset.assets.searchAllResources and cloudasset.assets.searchAllIamPolicies | *.analyzeOrgPolicyGovernedAssets
cloudasset.feeds.get | *.getFeed
cloudasset.feeds.list | *.listFeeds
cloudasset.feeds.delete | *.deleteFeed
cloudasset.feeds.create, and cloudasset.assets.exportResource or cloudasset.assets.exportIamPolicy based on the content_type | *.createFeed
cloudasset.feeds.update, and cloudasset.assets.exportResource or cloudasset.assets.exportIamPolicy based on the content_type | *.updateFeed
cloudasset.assets.exportResource, cloudasset.assets.exportIamPolicy, cloudasset.assets.exportOrgPolicy, cloudasset.assets.exportOSInventories or cloudasset.assets.exportAccessPolicy based on the content_type | *.batchGetAssetsHistory, *.exportAssets, *.operations.get
cloudasset.assets.listResource, cloudasset.assets.listIamPolicy, cloudasset.assets.listOrgPolicy, cloudasset.assets.listAccessPolicy or cloudasset.assets.listOSInventories based on the content_type | *.listAssets
cloudasset.assets.analyzeMove | *.analyzeMove
cloudasset.savedqueries.create | *.createSavedQuery
cloudasset.savedqueries.get | *.getSavedQuery
cloudasset.savedqueries.list | *.listSavedQueries
cloudasset.savedqueries.update | *.updateSavedQuery
cloudasset.savedqueries.delete | *.deleteSavedQuery

Note that when the *.exportAssets API is used to export resource metadata for specified asset types with the RESOURCE content type or with no content type specified, a caller who has not been granted the cloudasset.assets.exportResource permission can still succeed if they hold the appropriate per-resource-type permissions for every asset type named in the request.

Roles

Cloud Asset Inventory has two IAM roles:

  • Cloud Asset Owner (roles/cloudasset.owner), which grants full access to cloud asset metadata. It grants all cloudasset.* permissions and recommender.cloudAssetInsights.* permissions.

  • Cloud Asset Viewer (roles/cloudasset.viewer), which grants read-only access to cloud asset metadata. It grants all cloudasset.assets.* permissions (but not the cloudasset.feeds.* or cloudasset.savedqueries.* permissions), plus the recommender.cloudAssetInsights.get and recommender.cloudAssetInsights.list permissions.

Choose the role whose permissions cover what you need and no more. In general, only the Cloud Asset Owner role grants all the permissions required to call every Cloud Asset API method; the Cloud Asset Viewer role covers the read-only asset methods but not feed or saved-query management.

Basic roles include the following permissions:

  • Owner role (roles/owner) grants all cloudasset.* permissions.

  • Editor role (roles/editor) grants cloudasset.assets.search* and cloudasset.assets.analyzeIamPolicy permissions.

  • Viewer role (roles/viewer) grants cloudasset.assets.search* and cloudasset.assets.analyzeIamPolicy permissions.

We recommend granting one of the Cloud Asset roles instead of a basic role, because basic roles contain many permissions for other Google Cloud services and might result in granting a larger access scope than intended.

You can grant roles to users at the organization, folder, or project level. See Manage access to projects, folders, and organizations for more information.
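The permission table and the role definitions above are what a reviewer works from when deciding which role a service account should get. The following Python script is an added example, not Google's code or part of this page: it encodes the table and the roles as stated here and answers two questions, which permissions a given set of API calls needs once content_type is taken into account, and which predefined Cloud Asset role is the narrowest one that covers them. Two things in it are assumptions rather than statements from the page: the mapping from ContentType value (RESOURCE, IAM_POLICY, ORG_POLICY, ACCESS_POLICY, OS_INVENTORY) to the matching export*/list* permission suffix, and the treatment of an unspecified content_type as RESOURCE for permission purposes, which follows the note on *.exportAssets above. The sample "pipeline" call list at the bottom is constructed.

```python
"""Least-privilege role selection for Cloud Asset API callers (added example,
not Google's code). Encodes the permission table and roles from this page."""
from fnmatch import fnmatchcase

# ASSUMPTION: ContentType value -> suffix of the matching export*/list* permission.
CONTENT_TYPE_SUFFIX = {
    "RESOURCE": "Resource",
    "IAM_POLICY": "IamPolicy",
    "ORG_POLICY": "OrgPolicy",
    "ACCESS_POLICY": "AccessPolicy",
    "OS_INVENTORY": "OSInventories",
}
ALL_TYPES = frozenset(CONTENT_TYPE_SUFFIX)
FEED_TYPES = frozenset({"RESOURCE", "IAM_POLICY"})  # the page lists only these for feeds
SEARCH = {"cloudasset.assets.searchAllResources", "cloudasset.assets.searchAllIamPolicies"}
ORG = {"cloudasset.assets.analyzeOrgPolicy", "cloudasset.assets.searchAllResources"}

# method -> (fixed permissions, content_type-dependent prefix or None, allowed types)
METHOD_PERMISSIONS = {
    "searchAllResources": ({"cloudasset.assets.searchAllResources"}, None, None),
    "searchAllIamPolicies": ({"cloudasset.assets.searchAllIamPolicies"}, None, None),
    "analyzeIamPolicy": ({"cloudasset.assets.analyzeIamPolicy"} | SEARCH, None, None),
    "analyzeIamPolicyLongrunning": ({"cloudasset.assets.analyzeIamPolicy"} | SEARCH, None, None),
    "batchGetEffectiveIamPolicies": ({"cloudasset.assets.analyzeIamPolicy"} | SEARCH, None, None),
    "analyzeOrgPolicies": (ORG, None, None),
    "analyzeOrgPolicyGovernedContainers": (ORG, None, None),
    "analyzeOrgPolicyGovernedAssets": (ORG | SEARCH, None, None),
    "getFeed": ({"cloudasset.feeds.get"}, None, None),
    "listFeeds": ({"cloudasset.feeds.list"}, None, None),
    "deleteFeed": ({"cloudasset.feeds.delete"}, None, None),
    "createFeed": ({"cloudasset.feeds.create"}, "cloudasset.assets.export", FEED_TYPES),
    "updateFeed": ({"cloudasset.feeds.update"}, "cloudasset.assets.export", FEED_TYPES),
    "batchGetAssetsHistory": (set(), "cloudasset.assets.export", ALL_TYPES),
    "exportAssets": (set(), "cloudasset.assets.export", ALL_TYPES),
    "operations.get": (set(), "cloudasset.assets.export", ALL_TYPES),
    "listAssets": (set(), "cloudasset.assets.list", ALL_TYPES),
    "analyzeMove": ({"cloudasset.assets.analyzeMove"}, None, None),
    "createSavedQuery": ({"cloudasset.savedqueries.create"}, None, None),
    "getSavedQuery": ({"cloudasset.savedqueries.get"}, None, None),
    "listSavedQueries": ({"cloudasset.savedqueries.list"}, None, None),
    "updateSavedQuery": ({"cloudasset.savedqueries.update"}, None, None),
    "deleteSavedQuery": ({"cloudasset.savedqueries.delete"}, None, None),
}

# Permission patterns each role grants, as listed on the page (glob syntax).
ROLE_PERMISSIONS = {
    "roles/cloudasset.owner": ("cloudasset.*", "recommender.cloudAssetInsights.*"),
    "roles/cloudasset.viewer": ("cloudasset.assets.*", "recommender.cloudAssetInsights.get",
                                "recommender.cloudAssetInsights.list"),
    # Basic roles: only the Cloud Asset permissions the page attributes to them.
    "roles/owner": ("cloudasset.*",),
    "roles/editor": ("cloudasset.assets.search*", "cloudasset.assets.analyzeIamPolicy"),
    "roles/viewer": ("cloudasset.assets.search*", "cloudasset.assets.analyzeIamPolicy"),
}
CLOUD_ASSET_ROLES = ("roles/cloudasset.viewer", "roles/cloudasset.owner")  # narrowest first


def required_permissions(method, content_type=None):
    """Permissions needed for one call of `method` with the given content_type."""
    fixed, prefix, allowed = METHOD_PERMISSIONS[method]
    perms = set(fixed)
    if prefix is not None:
        ct = content_type or "RESOURCE"  # ASSUMPTION: unspecified is checked like RESOURCE
        if ct not in allowed:
            raise ValueError(f"{method} does not accept content_type {ct}")
        perms.add(prefix + CONTENT_TYPE_SUFFIX[ct])
    return perms


def role_grants(role, permission):
    """True if any pattern granted by `role` matches `permission`."""
    return any(fnmatchcase(permission, pattern) for pattern in ROLE_PERMISSIONS[role])


def missing_permissions(role, calls):
    """Permissions required by `calls` ((method, content_type) pairs) that `role` lacks."""
    needed = set().union(*(required_permissions(m, ct) for m, ct in calls))
    return {p for p in needed if not role_grants(role, p)}


def least_privileged_role(calls):
    """Narrowest predefined Cloud Asset role covering every call, or None."""
    for role in CLOUD_ASSET_ROLES:
        if not missing_permissions(role, calls):
            return role
    return None


if __name__ == "__main__":
    # Constructed review case: a job that exports IAM policies and searches resources.
    pipeline = [("exportAssets", "IAM_POLICY"), ("searchAllResources", None)]
    print(least_privileged_role(pipeline))  # roles/cloudasset.viewer
    # Adding feed management needs cloudasset.feeds.create, which only the owner role grants.
    print(least_privileged_role(pipeline + [("createFeed", "RESOURCE")]))  # roles/cloudasset.owner
    print(sorted(missing_permissions("roles/viewer", [("listAssets", "RESOURCE")])))
```

Running it shows the point the page makes about basic roles from the other direction: roles/viewer is broad across Google Cloud yet still lacks cloudasset.assets.listResource, while roles/cloudasset.viewer covers every read-only asset method and escalation to roles/cloudasset.owner is only needed once feeds or saved queries are managed.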

VPC Service Controls

VPC Service Controls can be used with Cloud Asset Inventory to provide additional security for your assets. To learn more about VPC Service Controls, see the VPC Service Controls overview.

To learn about the limitations in using Cloud Asset Inventory with VPC Service Controls, see the supported products and limitations.