Configuring permissions

This topic shows you how to configure the permissions and credentials that are required for calling the Cloud Asset Inventory API.

Authenticating

Before you can call the Cloud Asset Inventory API, you must authenticate as either an end user or as a service account. For more information about authentication, see Authentication overview.

Granting required permissions for the gcloud tool

To use the gcloud tool to access the Cloud Asset Inventory API, you must grant the necessary permissions on the target resource's parent, which can be either an organization, project, or folder. You must specify this parent in the parent field of your API requests.

If your account has the Cloud Asset Owner role (roles/cloudasset.owner) or the Owner primitive role (roles/owner) on the resource's parent, it has sufficient permissions to call the Cloud Asset Inventory API and you can skip to Downloading credentials. For more information about Cloud Asset Inventory roles, see Roles.

Granting roles

To grant a role to an account, complete the following the steps with the gcloud command-line tool. Learn how to install and initialize the gcloud tool.

User account

To grant the necessary roles to a user account, complete the following steps.

  1. To log in with your user account, run the following command.

    gcloud auth login USER_ACCOUNT_EMAIL
    
  2. Grant your user account the Cloud Asset Viewer role (roles/cloudasset.viewer) or the Cloud Asset Owner role (roles/cloudasset.owner) on the root (parent) resource. This project can be the project where the Cloud Asset Inventory API is enabled.

    To grant your user account the Cloud Asset Viewer role, run the following command.

    gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \\
         --member user:USER_ACCOUNT_EMAIL \\
         --role roles/cloudasset.viewer
    

    You can add the --billing-project flag to the gcloud projects add-iam-policy-binding command to specify that your billing project is the project where the Cloud Asset Inventory API is enabled.

    --billing-project PROJECT_ID
    

    If you specify this flag, your account needs the serviceusage.services.use permission on the project PROJECT_ID See Understanding roles for a list of predefined roles that include this permission.

Service account

To grant the necessary roles to a service account, complete the following steps. For more information about service accounts, see Creating and managing service accounts.

  1. To create a new service account, run the following command. If you already have a service account in a project where the Cloud Asset Inventory API is enabled, you can skip this step.

    gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \\
           --display-name "SERVICE_ACCOUNT_DISPLAY_NAME"
    
  2. Grant your service account the Cloud Asset Viewer role (roles/cloudasset.viewer) or the Cloud Asset Owner role (roles/cloudasset.owner) on the root (parent) resource. This project can be the same as the project where the Cloud Asset Inventory API is enabled.

    To grant your service account the Cloud Asset Viewer role, run the following command.

    gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \\
            --member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \\
            --role roles/cloudasset.viewer
    
  3. To create a private key for your service account, run the following command.

    gcloud iam service-accounts keys create YOUR_FILE_PATH/key.json \\
            --iam-account SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
    
  4. To activate your service account for use with the gcloud tool, run the following command.

    gcloud auth activate-service-account SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \\
            --key-file=YOUR_FILE_PATH/key.json
    

Downloading JSON credentials

To access the Cloud Asset Inventory API without the gcloud tool, you need a JSON credentials file. To download the file, complete the following the steps.

  1. Go to the Credentials page in the Cloud Console.

    Go to the Credentials page

  2. Select + Create Credentials, and then select OAuth client ID.

  3. If you are creating a Client ID for a new project, you must set up the OAuth consent screen. Cloud Console displays the consent screen whenever an application using your Client ID requests access to private data.

    To configure the consent screen, complete the following steps:

    1. Select Configure consent screen, and then enter the required information.

    2. Save your changes.

  4. On the Create client ID page, under Application type, select the appropriate type. For more information about client types, see Setting up OAuth 2.0.

  5. Enter a name for the credential, and then click Create.

  6. In the dialog that appears, confirm that the client ID and client secret is correct, and then close the dialog.

  7. To save your new Client ID JSON file, click .

  8. Rename and move the downloaded JSON file so that the path is ~/credentials.json.

Verifying credentials setup

To verify that you have correctly set up your credentials, run the following command.

   oauth2l header --json ~/credentials.json cloud-platform
   

You should see an output similar to the following:

Authorization: Bearer y29.xxxxxxx

Defining a shell alias

You may find it convenient to define a shell alias to call Google Cloud REST APIs.

To define a gcurl alias for calling Google Cloud REST APIs, run the following command:

   alias gcurl='curl -H "$(oauth2l header --json ~/credentials.json \
   cloud-platform)" -H "Content-Type: application/json" '