Access Control

This page describes the access control options available to you for the Cloud Asset API.

Overview

Cloud Asset Inventory uses Cloud Identity and Access Management (Cloud IAM) for access control.

In the Cloud Asset API, access control can be configured at the project level or organization level. For example, you can grant access to all Cloud Asset Inventory resources within a project to a group of developers.

For a detailed description of Cloud IAM and its features, see the Cloud IAM developer's guide. In particular, see its Managing Cloud IAM Policies section.

Every Cloud Asset Inventory API method requires the caller to have the necessary permissions. See Permissions and roles for more information.

Permissions and roles

This section summarizes Cloud Asset API permissions and roles that Cloud IAM supports.

Required permissions

The following table lists the permissions that the caller must have to call each API method in the Cloud Asset API or to perform tasks using Google Cloud tools that use the API, such as Google Cloud Console or Cloud SDK.

Permission | API Methods
cloudasset.assets.exportResource, cloudasset.assets.exportIamPolicy, cloudasset.assets.exportOrgPolicy or cloudasset.assets.exportAccessPolicy, depending on the content_type | *.batchGetAssetsHistory, *.exportAssets, *.operations.get

Note that when using the *.exportAssets API to export resource metadata of certain asset types, a caller who has not been granted the cloudasset.assets.exportResource permission can alternatively satisfy the requirement by holding the appropriate per-resource-type permissions for every asset type specified in the request.

Roles

Cloud Asset Inventory has one Cloud IAM role, roles/cloudasset.viewer. This role grants the cloudasset.assets.exportResource and cloudasset.assets.exportIamPolicy permissions, allowing the use of all Cloud Asset API methods. The roles/owner role can also be used to grant these permissions. Note that the primitive role owner includes permissions for other Google Cloud services as well.
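The following is an added example, not code from the Cloud Asset Inventory documentation: an offline least-privilege check that encodes the permission table and the role description above and evaluates a constructed project IAM policy. The mapping of content_type values to export permissions is an assumption (the page only says the permission depends on the content_type), and roles/owner is modelled only for the two Cloud Asset permissions the page names.

```python
# Added example (not from the Cloud Asset Inventory docs): an offline
# least-privilege check that encodes this page's permission table and
# role description and evaluates a constructed project IAM policy.
from typing import Dict, List, Set

# Permissions each role grants, as stated on this page. roles/owner is
# modelled only for the two Cloud Asset permissions the page names; in
# reality it carries permissions for many other services as well.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/cloudasset.viewer": {"cloudasset.assets.exportResource",
                                "cloudasset.assets.exportIamPolicy"},
    "roles/owner": {"cloudasset.assets.exportResource",
                    "cloudasset.assets.exportIamPolicy"},
}

# Assumption: which export permission exportAssets requires for each
# content_type value (the page only says "based on the content_type").
CONTENT_TYPE_PERMISSION: Dict[str, str] = {
    "RESOURCE": "cloudasset.assets.exportResource",
    "IAM_POLICY": "cloudasset.assets.exportIamPolicy",
    "ORG_POLICY": "cloudasset.assets.exportOrgPolicy",
    "ACCESS_POLICY": "cloudasset.assets.exportAccessPolicy",
}

def effective_permissions(policy: dict, member: str) -> Set[str]:
    """Union of the permissions from every binding that lists member."""
    perms: Set[str] = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms

def can_export(policy: dict, member: str, content_type: str) -> bool:
    """True if member holds the permission exportAssets needs for content_type."""
    return CONTENT_TYPE_PERMISSION[content_type] in effective_permissions(policy, member)

def missing_for_export(policy: dict, member: str, content_types) -> List[str]:
    """Content types the member cannot export under the current policy."""
    return [ct for ct in content_types if not can_export(policy, member, ct)]

# Constructed sample policy; the principals are fictitious.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudasset.viewer", "members": ["group:asset-readers@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    for member in ("group:asset-readers@example.com", "user:nobody@example.com"):
        print(member, missing_for_export(SAMPLE_POLICY, member, CONTENT_TYPE_PERMISSION))
```

Run against a real policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`, the report shows which content types a principal could not export with the roles currently bound, which is the gap to close before granting anything broader than roles/cloudasset.viewer.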

Access control with the Cloud Console

You can use the Cloud Console to manage access control for your environments and projects.

To set access controls at the project level:

  1. Open the IAM page in the Google Cloud Console.
  2. Select your project, and click Continue.
  3. Click Add Member.
  4. Enter the email address of a new member to whom you have not granted any Cloud IAM role previously.
  5. Select the desired role from the drop-down menu.
  6. Click Add.
  7. Verify that the member is listed under the role that you granted.