Exporting to Cloud Storage

This topic shows you how to export the asset metadata of your project to a Cloud Storage bucket.

Before you begin

Before you begin, complete the following steps.

  1. Enable the Cloud Asset Inventory API on the project where you'll be running the API commands.

  2. Configure the permissions that are required to call the Cloud Asset Inventory API using either the gcloud tool or the API.

  3. Complete the following steps to set up your environment.

    gcloud

    To set up your environment to use the gcloud tool to call the Cloud Asset Inventory API, install the Cloud SDK on your local client.

    API

    To set up your environment to call the Cloud Asset Inventory API with the Unix curl command, complete the following steps.

    1. Install oauth2l on your local machine so you can interact with the Google OAuth system.
    2. Confirm that you have access to the Unix curl command.
    3. Ensure that you grant your account one of the following roles on your project, folder, or organization.

      • Cloud Asset Viewer role (roles/cloudasset.viewer)
      • Owner basic role (roles/owner)
  4. Create a Cloud Storage bucket to store the exported snapshot.

Exporting an asset snapshot for a project

To export an asset snapshot at a given timestamp, select the command that produces a snapshot with the appropriate level of detail.

These commands store the exported snapshot in a Cloud Storage bucket at gs://YOUR_BUCKET/NEW_FILE. This Cloud Storage bucket must be located in the project from which you're exporting the asset metadata. It also cannot have any retention policy set.

Exporting all resource names without metadata

To export all resource names without metadata in a project, run the following command.

gcloud

gcloud asset export \
   --project PROJECT_ID \
   --output-path "gs://YOUR_BUCKET/NEW_FILE"

API

# Inside single quotes a backslash is literal, so the JSON body is split with plain newlines.
gcurl -d '{"outputConfig":{"gcsDestination":
         {"uri":"gs://YOUR_BUCKET/NEW_FILE"}}}' \
          https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER:exportAssets

Exporting all resource metadata

To export all resource metadata in a project, run the following command.

gcloud

gcloud asset export \
 --content-type resource \
 --project PROJECT_ID \
 --output-path "gs://YOUR_BUCKET/NEW_FILE"

API

gcurl -d '{"contentType":"RESOURCE", "outputConfig":{"gcsDestination":
         {"uri":"gs://YOUR_BUCKET/NEW_FILE"}}}' \
          https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER:exportAssets

Exporting metadata of resources with a specific asset type

To export the metadata of all resources in a project that have an asset type that starts with compute.googleapis.com, run the following command.

gcloud

gcloud asset export \
 --content-type resource \
 --project PROJECT_ID \
 --asset-types "compute.googleapis.com.*" \
 --output-path "gs://YOUR_BUCKET/NEW_FILE"

API

gcurl -d '{"contentType":"RESOURCE", "assetTypes": ["compute.googleapis.com.*"],
          "outputConfig":{"gcsDestination": {"uri":"gs://YOUR_BUCKET/NEW_FILE"}}}' \
          https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER:exportAssets

Exporting IAM policies

To export the IAM policies in a project, run the following command.

gcloud

gcloud asset export \
 --content-type iam-policy \
 --project PROJECT_ID \
 --output-path "gs://YOUR_BUCKET/NEW_FILE"

API

gcurl -d '{"contentType":"IAM_POLICY", "outputConfig":{
          "gcsDestination": {"uri":"gs://YOUR_BUCKET/NEW_FILE"}}}' \
          https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER:exportAssets

Exporting organization policies

To export the organization policies that are set on a project, run the following gcloud tool command.

gcloud asset export \
   --content-type org-policy \
   --project PROJECT_ID \
   --output-path "gs://YOUR_BUCKET/NEW_FILE"

Exporting access policies in an organization

To export the access policies in an organization, run the following gcloud tool command.

gcloud asset export \
   --content-type access-policy \
   --organization ORGANIZATION_ID \
   --output-path "gs://YOUR_BUCKET/NEW_FILE"
 

Exporting an asset snapshot for an organization or folder

To export the assets of an organization or folder, use the following flags or methods.

gcloud

To export the assets of an organization or folder, you can use one of the following flags in place of --project.

  • --organization ORGANIZATION_ID
  • --folder FOLDER_ID

The access-policy content type can only be exported for an --organization.

API

To export the assets of an organization or folder, you can use one of the REST methods in gcurl commands.

  • https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_NUMBER:exportAssets
  • https://cloudasset.googleapis.com/v1/folders/FOLDER_NUMBER:exportAssets

Checking the status of an export

To check the status of an export, run the following commands.

gcloud

To check the status of the export, run the following command. The gcloud tool displays this command, with the operation ID filled in, after you run the export command.

gcloud asset operations describe OPERATION_ID

API

To view the status of your export, run the following command with the operation ID returned in the response to your export.

  1. You can find the OPERATION_ID in the name field of the response to the export, which is formatted as follows:

    "name": "projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_ID"
    
  2. To check the status of your export, run the following command with the OPERATION_ID:

    gcurl https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_ID
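
The export-then-poll procedure above as one script, added here as an example and not taken from the original page: it builds the request body, checks the operation path returned in the name field before using it in a URL, and polls until the operation reports done. The function names are hypothetical, and it assumes curl plus an authenticated gcloud for the access token in place of the gcurl alias.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Function names are hypothetical.
# Assumes curl and an authenticated gcloud (for the access token).
API="https://cloudasset.googleapis.com/v1"

# Build the exportAssets body: $1 contentType ("" = names only), $2 gs:// URI,
# remaining arguments = optional asset type patterns.
export_body() {
  local content_type="$1" uri="$2" body="{" types="" t
  shift 2
  if [ -n "$content_type" ]; then body="$body\"contentType\":\"$content_type\","; fi
  for t in "$@"; do types="$types${types:+,}\"$t\""; done
  if [ -n "$types" ]; then body="$body\"assetTypes\":[$types],"; fi
  printf '%s"outputConfig":{"gcsDestination":{"uri":"%s"}}}' "$body" "$uri"
}

# Read an export response on stdin, print the operation path from "name".
operation_name() {
  sed -n 's|.*"name"[[:space:]]*:[[:space:]]*"\([^"]*/operations/[^"]*\)".*|\1|p' | head -n 1
}

# Accept only the documented shape before putting the value into a URL.
valid_operation() {
  printf '%s\n' "$1" | grep -Eq \
    '^(projects|folders|organizations)/[0-9]+/operations/ExportAssets/[A-Z_]+/[A-Za-z0-9_-]+$'
}

# Read an operation status on stdin, succeed once it reports "done": true.
operation_done() { grep -Eq '"done"[[:space:]]*:[[:space:]]*true'; }

# $1 = parent such as projects/PROJECT_NUMBER, $2 = request body.
export_and_wait() {
  local parent="$1" body="$2" token resp op status
  token="$(gcloud auth print-access-token)" || return 1
  resp="$(curl -sS -X POST -H "Authorization: Bearer $token" \
    -H "Content-Type: application/json" -d "$body" \
    "$API/${parent}:exportAssets")" || return 1
  op="$(printf '%s\n' "$resp" | operation_name)"
  valid_operation "$op" || { printf 'unexpected response: %s\n' "$resp" >&2; return 1; }
  while :; do
    status="$(curl -sS -H "Authorization: Bearer $token" "$API/$op")" || return 1
    if printf '%s\n' "$status" | operation_done; then break; fi
    sleep 10
  done
  # A finished operation carries either a result or an "error" object.
  if printf '%s\n' "$status" | grep -q '"error"'; then
    printf '%s\n' "$status" >&2; return 1
  fi
  printf '%s\n' "$op"
}
```

After sourcing the file, call `export_and_wait projects/PROJECT_NUMBER "$(export_body IAM_POLICY gs://YOUR_BUCKET/NEW_FILE)"`; it prints the operation path on success and the error payload on stderr otherwise.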
    

Viewing an asset snapshot

To view your asset snapshot:

  1. Go to the Cloud Storage browser page in the Cloud Console.

  2. Select the bucket where you stored your export, and then select the filename.

The export lists the assets and their resource names.