Frequently asked questions and troubleshooting

The following are common issues that can occur when interacting with the Cloud Asset API and how to handle them.

Why does my request have invalid authentication credentials?

If you haven't set up the OAuth header properly, making a call will return the following error:

  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected
               OAuth 2 access token, login cookie or other valid
               authentication credential. See
    "status": "UNAUTHENTICATED",
    "details": [
        "@type": "",
        "detail": "Authentication error: 2"

To address this issue, repeat the steps to verify your initial setup.

Why do I not have permission to use the Cloud Asset API?

An error is returned if you don't have permission to export assets or get the history on an organization, project, or folder.

For example, if you don't have permission, running the following command:

gcurl -d '{"outputConfig":{"gcsDestination":{"uri":"gs://YOUR_BUCKET/NEW_FILE"}}}' \

Will return the following error:

 "error": {
  "code": 403,
  "message": "The caller does not have permission",
  "status": "PERMISSION_DENIED",
  "details": [
    "@type": "",
    "detail": "[ORIGINAL ERROR] generic::permission_denied: Request
    denied by Cloud IAM."

To address this issue, request access from your project, folder, or organization admin. Depending on the assets you are trying to export or get history for, you'll need one of the following permissions:

  • cloudasset.viewer
  • project.owner

For more information on roles and permissions, see Understanding roles.

Why are my export to Cloud Storage commands failing?

If the Cloud Storage bucket you use to store exported data isn't in the Cloud Asset API-enabled project you're running the export from, performing the request will result in the following permission denied error:

     "error": {
      "code": 7,
      "message": "Failed to write to: YOUR_BUCKET/FILE",

To address this issue, either use a Cloud Storage bucket that belongs to the Cloud Asset API-enabled project you're running the export from, or grant the service account the roles/storage.admin role, where PROJECT_NUMBER is the project number of the Cloud Asset API-enabled project you're running the export from.

Why is the Cloud Asset API result stale?

Data freshness in the Cloud Asset API is on a best-effort basis. While almost all asset updates will be available to clients in minutes, in rare cases it's possible the result of the ExportAssets or BatchGetAssetsHistory methods won't include the most recent asset updates.

To pick up the most recent asset updates, adjust the timestamp in Cloud Asset API calls to be two minutes older than the current timestamp.

Why are temporary files output after running ExportAssets?

The ExportAssets operation might create temporary files in the output folder. Don't remove these temporary files while the operation is in progress. Once the operation is complete, the temporary files are removed automatically.

If the temporary files remain, you can safely remove them after the ExportAssets operation is complete.

What if my request URL is too long for BatchGetAssetsHistory?

The BatchGetAssetsHistory method is an HTTP GET action that sends all request data in a length-limited URL. As a result, an error will occur if the request is too long.

To work around this, the client code should use HTTP POST to send the request, with the Content-Type set to application/x-www-form-urlencoded and an X-HTTP-Method-Override: GET HTTP header. See Long Request URLs for more information.

The following is an example request for BatchGetAssetsHistory using HTTP POST:

curl -X POST -H "X-HTTP-Method-Override: GET" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -H "Authorization: Bearer " \
     -d 'assetNames=&contentType=1&readTimeWindow.startTime=2018-09-01T09:00:00Z' \
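
The following is an added example, not part of the original documentation or Google's client code. It builds a BatchGetAssetsHistory request that falls back to the POST override described above when the URL would be too long, and applies the two-minute freshness adjustment from the stale-results answer by setting readTimeWindow.endTime. The endpoint argument, the 2048-character threshold, and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from urllib.request import Request

MAX_GET_URL_LEN = 2048  # assumed threshold; the page states no exact limit
FRESHNESS_MARGIN = timedelta(minutes=2)  # "two minutes older than the current timestamp"


def rfc3339(ts):
    """Format an aware datetime as UTC, e.g. 2018-09-01T09:00:00Z."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_history_request(endpoint, token, asset_names, start_time,
                          now=None, user_project=None):
    """Return an unsent urllib Request for BatchGetAssetsHistory.

    endpoint is the full batchGetAssetsHistory URL for your parent resource;
    it is supplied by the caller and not hard-coded here.
    """
    now = now or datetime.now(timezone.utc)
    end_time = now - FRESHNESS_MARGIN
    if start_time > end_time:
        raise ValueError("start_time falls inside the two-minute freshness margin")
    params = [("assetNames", name) for name in asset_names]
    params += [
        ("contentType", "1"),  # same value as the page's curl example
        ("readTimeWindow.startTime", rfc3339(start_time)),
        ("readTimeWindow.endTime", rfc3339(end_time)),
    ]
    query = urlencode(params)
    headers = {"Authorization": "Bearer " + token}
    if user_project:
        headers["X-Goog-User-Project"] = user_project
    url = endpoint + "?" + query
    if len(url) <= MAX_GET_URL_LEN:
        return Request(url, headers=headers, method="GET")
    # Too long for a URL: send the same parameters as a form body and ask
    # the server to treat the POST as a GET.
    headers["X-HTTP-Method-Override"] = "GET"
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return Request(endpoint, data=query.encode("ascii"), headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed sample input; the endpoint and token are placeholders.
    names = ["//compute.googleapis.com/projects/p/zones/z/instances/vm-%03d" % i for i in range(100)]
    req = build_history_request("https://example.invalid/v1/projects/PROJECT_ID:batchGetAssetsHistory",
                                "ACCESS_TOKEN", names, datetime(2018, 9, 1, 9, tzinfo=timezone.utc))
    print(req.get_method(), len(req.data or b""), "body bytes")
```

The function only constructs the request; pass the result to urllib.request.urlopen to send it.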

Why is my Cloud SDK or Cloud Shell credential rejected?

If a user project in a request is sent to from the Cloud SDK or Cloud Shell, you'll see an error message like the following:

Your application has authenticated using end user credentials from the
Cloud SDK or Cloud Shell which are not supported by the We recommend that most server applications
use service accounts instead. For more information about service accounts
and how to use them in your application, see

To fix this issue, set the user project to the Cloud Asset API-enabled user's project ID. You can do this by specifying the X-Goog-User-Project HTTP header in the request.

If you're using curl, this can be done by adding the following parameter:

-H 'X-Goog-User-Project: PROJECT_ID'

If you're using the gcloud tool, use the following command:

gcloud config set billing/quota_project PROJECT_ID

How do I export assets to BigQuery tables that don't belong to the current project?

When you call the ExportAssets API from the Cloud Asset API-enabled project (A), it uses the service account to write to the destination BigQuery table. To output to a BigQuery table in another project (B):

In project B's Cloud IAM policy, grant the service account ( the roles/bigquery.user and roles/bigquery.dataEditor roles.