This topic shows you how to configure the permissions and credentials that are required for calling the Cloud Asset Inventory API.
Authenticating
Before you can call the Cloud Asset Inventory API, you must authenticate as either an end user or as a service account. For more information about authentication, see Authentication overview.
Granting required permissions for the gcloud CLI
To use the gcloud CLI to access the Cloud Asset Inventory API, you must grant the necessary permissions on the target resource's parent, which can be an organization, folder, or project. You specify this parent in the parent field of your API requests.
If your account already has the Cloud Asset Owner role (roles/cloudasset.owner) or the Owner basic role (roles/owner) on the resource's parent, it has sufficient permissions to call the Cloud Asset Inventory API and you can skip to Downloading credentials. Note that the Owner basic role grants far more than asset access; for new grants, prefer a Cloud Asset Inventory role, and the Cloud Asset Viewer role (roles/cloudasset.viewer) if you only need to read assets. For more information about Cloud Asset Inventory roles, see Roles.
Granting roles
To grant a role to an account, complete the following steps with the Google Cloud CLI. Learn how to install and initialize the gcloud CLI.
User account
To grant the necessary roles to a user account, complete the following steps.
To log in with your user account, run the following command.
gcloud auth login USER_ACCOUNT_EMAIL
Grant your user account the Cloud Asset Viewer role (roles/cloudasset.viewer) or the Cloud Asset Owner role (roles/cloudasset.owner) on the root (parent) resource. If the parent is a project, it can be the same project where the Cloud Asset Inventory API is enabled. To grant your user account the Cloud Asset Viewer role on a project, run the following command. For a folder or organization parent, use the add-iam-policy-binding command of the corresponding gcloud command group instead.
gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \
    --member user:USER_ACCOUNT_EMAIL \
    --role roles/cloudasset.viewer
You can add the --billing-project flag to the gcloud asset command to specify the billing project where the Cloud Asset Inventory API is enabled:
--billing-project PROJECT_ID
If you specify this flag, your account needs the serviceusage.services.use permission on the project PROJECT_ID. See Understanding roles for a list of predefined roles that include this permission.
Service account
To grant the necessary roles to a service account, complete the following steps. For more information about service accounts, see Creating and managing service accounts.
To create a new service account, run the following command. If you already have a service account in a project where the Cloud Asset Inventory API is enabled, you can skip this step.
gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
    --display-name "SERVICE_ACCOUNT_DISPLAY_NAME"
Grant your service account the Cloud Asset Viewer role (roles/cloudasset.viewer) or the Cloud Asset Owner role (roles/cloudasset.owner) on the root (parent) resource. If the parent is a project, it can be the same project where the Cloud Asset Inventory API is enabled. To grant your service account the Cloud Asset Viewer role on a project, run the following command. For a folder or organization parent, use the add-iam-policy-binding command of the corresponding gcloud command group instead.
gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \
    --member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --role roles/cloudasset.viewer
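The following script is an added example, not code from this page or from Google Cloud; it wraps the user-account and service-account grant steps above in one helper that also covers the folder and organization parents the page mentions but does not show a command for. It assumes a gcloud CLI that is installed and authenticated, uses the gcloud command groups for projects, folders (resource-manager folders) and organizations, and restricts the role to the two Cloud Asset Inventory roles so that a basic role such as roles/owner is not granted by accident. The function names (sa_email, asset_binding_cmd, grant_asset_role), the DRY_RUN variable and the sample values (example-project, alice@example.com, asset-reader) are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the Cloud Asset Inventory documentation).
# Grants a Cloud Asset Inventory role to a user, group or service account on
# the parent resource (project, folder or organization).
# DRY_RUN=1 (the default) only prints the gcloud command; DRY_RUN=0 runs it.
set -euo pipefail
export LC_ALL=C            # keep [:alnum:] ASCII-only in the checks below
DRY_RUN="${DRY_RUN:-1}"

# Build a service account email from its ID and project. The ID check
# (6-30 chars, lowercase letters, digits and hyphens) mirrors the gcloud
# constraint, so a bad name fails here rather than at binding time.
sa_email() {
  local name="$1" project="$2"
  case "$name" in
    *[![:alnum:]-]* | *[[:upper:]]*)
      echo "invalid service account id: $name" >&2; return 1 ;;
  esac
  if [ "${#name}" -lt 6 ] || [ "${#name}" -gt 30 ]; then
    echo "service account id must be 6-30 characters: $name" >&2; return 1
  fi
  printf '%s@%s.iam.gserviceaccount.com' "$name" "$project"
}

# Print the gcloud command that binds MEMBER to ROLE on the parent.
# Usage: asset_binding_cmd PARENT_TYPE PARENT_ID MEMBER ROLE
#   PARENT_TYPE: project | folder | organization
#   MEMBER:      user:EMAIL | serviceAccount:EMAIL | group:EMAIL
#   ROLE:        roles/cloudasset.viewer | roles/cloudasset.owner
asset_binding_cmd() {
  local ptype="$1" pid="$2" member="$3" role="$4" group arg
  # Allow-list the characters an ID, member or role can contain, so the
  # string can later be split into words without any shell surprises.
  for arg in "$pid" "$member" "$role"; do
    case "$arg" in
      *[![:alnum:]@._:/-]*)
        echo "refusing argument with unexpected characters: $arg" >&2; return 1 ;;
    esac
  done
  case "$member" in
    user:?*@?* | serviceAccount:?*@?* | group:?*@?*) ;;
    *) echo "member must be user:, serviceAccount: or group: plus an email: $member" >&2
       return 1 ;;
  esac
  # Least privilege: only the two Cloud Asset Inventory roles. Basic roles
  # such as roles/owner would also work but grant far more than asset access.
  case "$role" in
    roles/cloudasset.viewer | roles/cloudasset.owner) ;;
    *) echo "refusing $role: use roles/cloudasset.viewer (or roles/cloudasset.owner)" >&2
       return 1 ;;
  esac
  case "$ptype" in
    project)      group="projects" ;;
    folder)       group="resource-manager folders" ;;
    organization) group="organizations" ;;
    *) echo "parent type must be project, folder or organization: $ptype" >&2; return 1 ;;
  esac
  printf 'gcloud %s add-iam-policy-binding %s --member %s --role %s' \
    "$group" "$pid" "$member" "$role"
}

# Validate, then print or execute the binding depending on DRY_RUN.
grant_asset_role() {
  local cmd
  cmd="$(asset_binding_cmd "$@")" || return 1
  if [ "$DRY_RUN" = 1 ]; then
    echo "[dry-run] $cmd"
    return 0
  fi
  # The allow-list above rejected whitespace and glob characters, so the
  # string splits cleanly into words; set -f disables globbing regardless.
  set -f
  # shellcheck disable=SC2086
  set -- $cmd
  set +f
  "$@"
}

if [ "${1:-}" = grant ] && [ "$#" -eq 5 ]; then
  # Real use: ./grant-asset-role.sh grant PARENT_TYPE PARENT_ID MEMBER ROLE
  shift
  grant_asset_role "$@"
else
  # Stand-alone demo with constructed values; always dry-run.
  DRY_RUN=1
  grant_asset_role project example-project user:alice@example.com roles/cloudasset.viewer
  grant_asset_role organization 123456789012 \
    "serviceAccount:$(sa_email asset-reader example-project)" roles/cloudasset.viewer
fi
```

Run it without arguments to see the commands it would issue for the constructed sample values; pass grant PARENT_TYPE PARENT_ID MEMBER ROLE with DRY_RUN=0 to apply a binding. The role allow-list is the security-relevant part: the page notes that roles/owner is sufficient, but a script that accepts any role makes it easy to grant a basic role where the viewer role would do.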
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-24 UTC.