Monitoring asset changes

This page explains how to create and manage feeds on a project.

Overview

To receive real-time notifications about resource and policy changes, you can create and subscribe to a feed. When you configure the feed, you can specify that you want to monitor changes of supported resource types, IAM policies, access policies, and organization policies in an organization, folder, project. Additionally, you can add conditions to your feed so that you only receive notifications for certain types of changes to an asset. After configuring your feed, you immediately receive notifications whenever the specified assets are changed, sent through Pub/Sub (formatted as a TemporalAsset). Real-time notifications connect to your existing workloads. With this functionality, you can merge actions like creating a Cloud Function to reverse a resource change after it has been detected.

Before you begin

Before you begin, complete the following steps.

  1. Enable the Cloud Asset Inventory API on the project where you'll be running the API commands.

    Enable the Cloud Asset Inventory API

  2. Configure the permissions that are required to call the Cloud Asset Inventory API using either the gcloud CLI or the API.

  3. Complete the following steps to set up your environment.

    gcloud CLI

    To set up your environment to use the gcloud CLI to call the Cloud Asset Inventory API, install the Google Cloud CLI on your local client.

    REST

    To set up your environment to call the Cloud Asset Inventory API with the curl command, complete the following steps.

    1. Confirm that you have access to the curl command.

    2. Ensure that you grant your account one of the following roles on your project, folder, or organization.

      • Cloud Asset Viewer role (roles/cloudasset.viewer)

      • Owner basic role (roles/owner)

  4. Grant your user or service account permissions to call the API for real-time feeds. The following permissions are needed for each operation:

    Permission Description
    cloudasset.feeds.create
    cloudasset.assets.exportResource    		 Create feeds
    cloudasset.feeds.update
    cloudasset.assets.exportResource    		 Update feeds
    cloudasset.feeds.delete Delete feeds
    cloudasset.feeds.get Get feeds
    cloudasset.feeds.list List feeds

    The Cloud Asset Owner (roles/cloudasset.owner) role grants all permissions related to the Cloud Asset API, including the permissions listed in the preceding table. For more information about roles and permissions, see Understanding roles and Configuring permissions.

  5. If you are exporting metadata from one project to another, make sure the exporting project's default Cloud Asset Inventory service account exists and has the correct permissions.

  6. Create a Pub/Sub topic if you don't have an existing Pub/Sub topic.

Limitations

  • It can take up to 10 minutes for any feed creation, update, or deletion to take effect.

  • The consumer project where the feed is created must outlive the feed because the service account used to publish to the destination Pub/Sub topic is located in the consumer project. If the consumer project is deleted, Cloud Asset Inventory cannot publish to the destination. The feed no longer functions and is deleted as soon as project deletion is permanent.

Creating feeds

You can create up to 200 feeds on a parent. This limit only applies to feeds directly following that parent and does not count the feeds of its children. For example, if you have 10 projects under an organization, each project can have up to 200 feeds and the organization can also have up to 200 feeds.

To create a feed for projects, folders, or organizations, make one of the following requests. Cloud Asset Inventory sets a notification on any asset that matches at least one of your feed's ASSET parameters AND also matches the condition expression, if specified.

gcloud

Projects 

gcloud asset feeds create FEED_ID \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic=projects/PROJECT_ID/topics/TOPIC_ID \
    --asset-names=ASSET_NAME_1,ASSET_NAME_2,... \
    --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \
    --content-type=CONTENT_TYPE \
    --condition-title="CONDITION_TITLE" \
    --condition-description="CONDITION_DESCRIPTION" \
    --condition-expression="CONDITION_EXPRESSION"

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • PROJECT_ID: The ID of the project whose metadata is being sent to the feed.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • ASSET_NAME: Optional. A comma-separated list of asset full names for which you want to receive change notifications.

    At least one ASSET_NAME or ASSET_TYPE is required.

  • ASSET_TYPE: Optional. A comma-separated list of searchable asset types for which you want to receive change notifications. Regular expressions are supported. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error is returned.

    At least one ASSET_NAME or ASSET_TYPE is required.

  • CONTENT_TYPE: Optional. The asset content type for which you want to receive change notifications.

  • CONDITION_TITLE: Optional. The title of the condition to apply to the feed.

  • CONDITION_DESCRIPTION: Optional. The description of the condition to apply to the feed.

  • CONDITION_EXPRESSION: Optional. The condition expression to apply to the feed.

Folders 

gcloud asset feeds create FEED_ID \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic=projects/PROJECT_ID/topics/TOPIC_ID \
    --asset-names=ASSET_NAME_1,ASSET_NAME_2,... \
    --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \
    --content-type=CONTENT_TYPE \
    --condition-title="CONDITION_TITLE" \
    --condition-description="CONDITION_DESCRIPTION" \
    --condition-expression="CONDITION_EXPRESSION"

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • FOLDER_ID: The ID of the folder whose metadata is being sent to the feed.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • PROJECT_ID: The ID of the project where the Pub/Sub topic is located.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • ASSET_NAME: Optional. A comma-separated list of asset full names for which you want to receive change notifications.

    At least one ASSET_NAME or ASSET_TYPE is required.

  • ASSET_TYPE: Optional. A comma-separated list of searchable asset types for which you want to receive change notifications. Regular expressions are supported. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error is returned.

    At least one ASSET_NAME or ASSET_TYPE is required.

  • CONTENT_TYPE: Optional. The asset content type for which you want to receive change notifications.

  • CONDITION_TITLE: Optional. The title of the condition to apply to the feed.

  • CONDITION_DESCRIPTION: Optional. The description of the condition to apply to the feed.

  • CONDITION_EXPRESSION: Optional. The condition expression to apply to the feed.

Organizations 

gcloud asset feeds create FEED_ID \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic=projects/PROJECT_ID/topics/TOPIC_ID \
    --asset-names=ASSET_NAME_1,ASSET_NAME_2,... \
    --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \
    --content-type=CONTENT_TYPE \
    --condition-title="CONDITION_TITLE" \
    --condition-description="CONDITION_DESCRIPTION" \
    --condition-expression="CONDITION_EXPRESSION"

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • ORGANIZATION_ID: The ID of the project whose metadata is being sent to the feed.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • PROJECT_ID: The ID of the project where the Pub/Sub topic is located.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • ASSET_NAME: Optional. A comma-separated list of asset full names for which you want to receive change notifications.

    At least one ASSET_NAME or ASSET_TYPE is required.

  • ASSET_TYPE: Optional. A comma-separated list of searchable asset types for which you want to receive change notifications. Regular expressions are supported. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error is returned.

    At least one ASSET_NAME or ASSET_TYPE is required.

  • CONTENT_TYPE: Optional. The asset content type for which you want to receive change notifications.

  • CONDITION_TITLE: Optional. The title of the condition to apply to the feed.

  • CONDITION_DESCRIPTION: Optional. The description of the condition to apply to the feed.

  • CONDITION_EXPRESSION: Optional. The condition expression to apply to the feed.

REST 

curl -X POST \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "feedId": "FEED_ID",
          "feed": {
            "assetNames": [
              "ASSET_NAME_1",
              "ASSET_NAME_2",
              "..."
            ],
            "assetTypes": [
              "ASSET_TYPE_1",
              "ASSET_TYPE_2",
              "..."
            ],
            "contentType": "CONTENT_TYPE",
            "feedOutputConfig": {
              "pubsubDestination": {
                "topic": "projects/PROJECT_ID/topics/TOPIC_ID"
              }
            },
            "condition": {
              "title": "CONDITION_TITLE",
              "description": "CONDITION_DESCRIPTION",
              "expression": "CONDITION_EXPRESSION"
            }
          }
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE/feeds

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • FEED_ID: A unique asset feed identifier.

  • ASSET_NAME: Optional. A comma-separated list of asset full names for which you want to receive change notifications.

    At least one ASSET_NAME or ASSET_TYPE is required.

  • ASSET_TYPE: Optional. A comma-separated list of searchable asset types for which you want to receive change notifications. Regular expressions are supported. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error is returned.

    At least one ASSET_NAME or ASSET_TYPE is required.

  • CONTENT_TYPE: Optional. The asset content type for which you want to receive change notifications.

  • PROJECT_ID: The ID of the project where the Pub/Sub topic is located.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • CONDITION_TITLE: Optional. The title of the condition to apply to the feed.

  • CONDITION_DESCRIPTION: Optional. The description of the condition to apply to the feed.

  • CONDITION_EXPRESSION: Optional. The condition expression to apply to the feed.

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.

        Go to Dashboard

      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

After creating a feed, subscribe to updates from the Pub/Sub topic you specified in the feed. A new feed can take up to 10 minutes to start sending notifications. A notification is sent for every change on an asset that matches either assetNames or assetTypes, and satisfies condition in the feed.

The first message published to the Pub/Sub topic is a welcome message in the format of string, and all the following messages are in the format of TemporalAsset. Here is a sample message for the RESOURCE content type.

{
  "asset": {
    "ancestors": [
      "projects/[PROJECT_ID]",
      "folders/[FOLDER_ID]",
      "organizations/[ORGANIZATION_ID]"
    ],
    "assetType": "[ASSET_TYPE]",
    "name": "[ASSET_NAME]",
    "resource": {
      "data": {
        ...detailed resource metadata...
      },
      "discoveryDocumentUri": "[DISCOVERY_URI]",
      "discoveryName": "[DISCOVERY_NAME]",
      "location": "[LOCATION]",
      "parent": "[PARENT_ASSET_NAME]",
      "version": "[VERSION]"
    },
    "updateTime": "[UPDATE_TIME]"
  },
  "priorAsset": {
    ...prior asset information...
  },
  "priorAssetState": "[PRIOR_ASSET_STATE]",
  "window": {
    "startTime": "[UPDATE_TIME]"
  }
}

To learn more about Pub/Sub or how to set up subscriptions, see the Pub/Sub documentation.

Creating a feed for Cloud Storage bucket or BigQuery table changes

The following commands create notifications from the TOPIC_ID Pub/Sub topic when content changes in the BUCKET_NAME Cloud Storage bucket or any BigQuery tables:

gcloud

Projects 

gcloud asset feeds create FEED_ID \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --asset-names=//storage.googleapis.com/BUCKET_NAME \
    --asset-types=bigquery.googleapis.com/Table \
    --content-type=resource

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • PROJECT_ID: The ID of the project whose metadata is being sent to the feed.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • BUCKET_NAME: The Cloud Storage bucket name to monitor.

Folders 

gcloud asset feeds create FEED_ID \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --asset-names=//storage.googleapis.com/BUCKET_NAME \
    --asset-types=bigquery.googleapis.com/Table \
    --content-type=resource

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • FOLDER_ID: The ID of the folder whose metadata is being sent to the feed.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • BUCKET_NAME: The Cloud Storage bucket name to monitor.

Organizations 

gcloud asset feeds create FEED_ID \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --asset-names=//storage.googleapis.com/BUCKET_NAME \
    --asset-types=bigquery.googleapis.com/Table \
    --content-type=resource

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • ORGANIZATION_ID: The ID of the organization whose metadata is being sent to the feed.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • BUCKET_NAME: The Cloud Storage bucket name to monitor.

REST 

curl -X POST \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "feedId": "FEED_ID",
          "feed": {
            "assetNames": ["storage.googleapis.com/BUCKET_NAME"],
            "assetTypes": ["bigquery.googleapis.com/Table"],
            "contentType": "RESOURCE",
            "feedOutputConfig": {
              "pubsubDestination": {
                "topic": "projects/PROJECT_ID/topics/TOPIC_ID"
              }
            }
          }
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE/feeds

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • FEED_ID: A unique asset feed identifier.

  • BUCKET_NAME: The Cloud Storage bucket name to monitor.

  • PROJECT_ID: The ID of the project whose metadata is being sent to the feed.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.

        Go to Dashboard

      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

Notifications are only sent when the resource or policy metadata of the resource itself gets changed. In the previous example, changing any resource under Cloud Storage buckets or BigQuery tables does not trigger a notification.

Creating a feed for asset type changes

The following requests create notifications from the TOPIC_ID Pub/Sub topic when content changes in the resources whose asset type starts with compute.googleapis.com.

gcloud

Projects 

gcloud asset feeds create FEED_ID \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --content-type=resource \
    --asset-types=compute.googleapis.com.*

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • PROJECT_ID: The ID of the project whose metadata is being sent to the feed.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

Folders 

gcloud asset feeds create FEED_ID \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --content-type=resource \
    --asset-types=compute.googleapis.com.*

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • FOLDER_ID: The ID of the folder whose metadata is being sent to the feed.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

Organizations 

gcloud asset feeds create FEED_ID \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --content-type=resource \
    --asset-types=compute.googleapis.com.*

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • ORGANIZATION_ID: The ID of the organization whose metadata is being sent to the feed.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

REST 

curl -X POST \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "feedId": "FEED_ID",
          "feed": {
            "assetTypes": ["compute.googleapis.com.*"],
            "contentType": "RESOURCE",
            "feedOutputConfig": {
              "pubsubDestination": {
                "topic": "projects/PROJECT_ID/topics/TOPIC_ID"
              }
            }
          }
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE/feeds

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • FEED_ID: A unique asset feed identifier.

  • PROJECT_ID: The ID of the project whose metadata is being sent to the feed.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.

        Go to Dashboard

      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

Getting feeds

To get a specific feed, make one of the following requests.

gcloud

Projects 

gcloud asset feeds describe FEED_ID \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • PROJECT_ID: The ID of the project whose metadata is published in the feed.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

Folders 

gcloud asset feeds describe FEED_ID \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • FOLDER_ID: The ID of the folder whose metadata is published in the feed.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

Organizations 

gcloud asset feeds describe FEED_ID \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • ORGANIZATION_ID: The ID of the organization whose metadata is published in the feed.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

REST 

curl -X GET \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     https://cloudasset.googleapis.com/v1/SCOPE/feeds/FEED_ID

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • SCOPE: A scope can be a project, a folder, or an organization. Project IDs aren't supported.

    The allowed values are:

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.

        Go to Dashboard

      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • FEED_ID: A unique asset feed identifier.

The feed is returned in the following format, where FULL_NAME_FEED_ID is the feed identifier along with its resource parent:

{
  "name": "FULL_NAME_FEED_ID",
  "assetTypes": ["ASSET_TYPES"],
  "assetNames": ["ASSET_NAMES"],
  "contentType": "CONTENT_TYPES",
  "feedOutputConfig": {
    "pubsubDestination": {
      "topic": "projects/PROJECT_ID/topics/TOPIC_ID"
    }
  },
  "condition": {
    "title": "CONDITION_TITLE",
    "description": "CONDITION_DESCRIPTION",
    "expression": "CONDITION_EXPRESSION"
  }
}

Listing feeds

To list all the feeds for a project, folder, or organization, make one of the following requests.

gcloud

Projects 

gcloud asset feeds list \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID

Provide the following values:

  • PROJECT_ID: The ID of the project whose metadata is published in the feed.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

Folders 

gcloud asset feeds list \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID

Provide the following values:

  • FOLDER_ID: The ID of the folder whose metadata is published in the feed.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

Organizations 

gcloud asset feeds list \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID

Provide the following values:

  • ORGANIZATION_ID: The ID of the organization whose metadata is published in the feed.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

REST 

curl -X GET \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     https://cloudasset.googleapis.com/v1/SCOPE/feeds

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.

        Go to Dashboard

      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

Updating feeds

To update the attributes of a feed, you need to specify the attribute path in the update_mask and the value of that attribute. The following request updates the assetNames and topic value of a feed on a project.

gcloud

Projects 

gcloud asset feeds update FEED_ID \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --add-asset-names=ASSET_NAME_1,ASSET_NAME_2,...

Provide the following values:

  • PROJECT_ID: The ID of the project whose metadata is published in the feed.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • TOPIC_ID: The ID of the Pub/Sub topic that notifications are published to.

  • ASSET_NAME: Optional. A comma-separated list of asset full names for which you want to receive change notifications.

Folders 

gcloud asset feeds update FEED_ID \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --add-asset-names=ASSET_NAME_1,ASSET_NAME_2,...

Provide the following values:

  • FOLDER_ID: The ID of the folder whose metadata is published in the feed.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • PROJECT_ID: The ID of the project where the Pub/Sub topic is located.

  • TOPIC_ID: The ID of the Pub/Sub topic that notifications are published to.

  • ASSET_NAME: Optional. A comma-separated list of asset full names for which you want to receive change notifications.

Organizations 

gcloud asset feeds update FEED_ID \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --add-asset-names=ASSET_NAME_1,ASSET_NAME_2,...

Provide the following values:

  • ORGANIZATION_ID: The ID of the organization whose metadata is published in the feed.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.

      Go to the Google Cloud console

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • PROJECT_ID: The ID of the project where the Pub/Sub topic is located.

  • TOPIC_ID: The ID of the Pub/Sub topic that notifications are published to.

  • ASSET_NAME: Optional. A comma-separated list of asset full names for which you want to receive change notifications.

REST 

curl -X PATCH \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "feed": {
            "assetNames": [
                "ASSET_NAME_1",
                "ASSET_NAME_2",
                "..."
              ],
            "feedOutputConfig": {
              "pubsubDestination": {
                "topic": "projects/PROJECT_ID/topics/TOPIC_ID"
              }
            }
          },
          "update_mask": {
            "paths": ["asset_names", "feed_output_config.pubsub_destination.topic"]
          }
        }' \
     https://cloudasset.googleapis.com/v1/SCOPE/feeds/FEED_ID

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • ASSET_NAME: Optional. A comma-separated list of asset full names for which you want to receive change notifications.

  • PROJECT_ID: The ID of the project where the Pub/Sub topic is located.

  • TOPIC_ID: The ID of the Pub/Sub topic that notifications are published to.

  • SCOPE: A scope can be a project, a folder, or an organization. Project IDs aren't supported.

    The allowed values are:

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.

        Go to Dashboard

      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

Deleting feeds

If you no longer want to be notified of asset changes, use the following command to delete a feed on a project.

gcloud

Projects 

gcloud asset feeds delete FEED_ID \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID

Provide the following values:

  • PROJECT_ID: The ID of the project whose metadata is published in the feed.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

Folders 

gcloud asset feeds delete FEED_ID \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID

Provide the following values:

  • FOLDER_ID: The ID of the folder whose metadata is published in the feed.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

Organizations 

gcloud asset feeds delete FEED_ID \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID

Provide the following values:

  • ORGANIZATION_ID: The ID of the organization whose metadata is published in the feed.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

REST 

curl -X DELETE \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     https://cloudasset.googleapis.com/v1/SCOPE/feeds/FEED_ID

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.

  • SCOPE: A scope can be a project, a folder, or an organization. Project IDs aren't supported.

    The allowed values are:

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.

        Go to Dashboard

      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
    --organization=$(gcloud organizations describe ORGANIZATION_NAME \
      --format="value(name.segment(1))") \
    --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
    --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

        Go to the Google Cloud console

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

Troubleshooting

This section shows you how to troubleshoot common issues.

Failure to create or update feeds

If the creation or update of a feed fails, it might caused by an issue with permissions. Each feed creation or update request includes three parts: the consumer project used to call the API, the target parent to be monitored and destination Pub/Sub topic to receive the notification.

To create or update a feed, the following permissions are required:

  • The caller or the service account must have asset permissions in the target parent (that can be a project, folder or organization).

  • The asset service account (service-PROJECT_NUMBER@gcp-sa-cloudasset.iam.gserviceaccount.com) in the Cloud Asset API-enabled consumer project must have pubsub.topics.publish permission on the destination Pub/Sub topic.

An error message that contains does not have permission could indicate that the user or service account does not have the asset permissions. Learn more about the required permissions.

An error message that contains Fail to use TOPIC_ID as feed output destination could indicate that there is an issue publishing the message to the topic you specified in the feed output destination. To resolve the issue:

  • If you are using Google Cloud CLI, make sure you are using the correct project:

    gcloud config list project

  • Ensure you've specified the correct topic name.

  • Ensure that the service account (service-PROJECT_NUMBER@gcp-sa-cloudasset.iam.gserviceaccount.com) has the pubsub.topics.publish permission on the topic, where PROJECT_NUMBER is the project number of the Cloud Asset Inventory-enabled project you plan to create the feed from.

    How to find a Google Cloud project number

    Console

    To find a Google Cloud project number, complete the following steps:

    1. Go to the Dashboard page in the Google Cloud console.

      Go to Dashboard

    2. Click the switcher box in the menu bar.
    3. Select your organization from the Select from box, and then search for your project name.
    4. Click the project name to switch to that project. The project number is shown in the Project info card.

    gcloud CLI

    You can retrieve a Google Cloud project number with the following command:

    gcloud projects describe PROJECT_ID --format="value(projectNumber)"

Failure to receive resource updates or IAM policy updates

If you are not receiving notifications for resource or IAM policy updates, verifying the following configuration details can help resolve the issue:

  • Make sure that the metadata has changed on your assets. The real-time feed only sends updates when the metadata of the supported resource types has changed; operations such as uploading a new file to your Cloud Storage bucket does not trigger a metadata change.

  • Make sure your assets meet one of the criteria you specified in the feed, which are asset names and asset types.

  • Check the logs to see if there are errors when publishing updates to your topic.

Using Cloud Logging

This section describes how to set up and view Logging for Cloud Asset Inventory real-time feeds.

When real-time feeds fail to send resources or IAM policy updates through Pub/Sub, Cloud Asset Inventory logs the error status and message via Logging. Logging is enabled by default, and belongs to Google Cloud's operations suite. Learn about Google Cloud's operations suite pricing.

Viewing real-time feed logs

To view logs, go to Logs Explorer.

The real-time feed log is indexed by a Pub/Sub topic. To see all logs:

  1. Click the Resource combo box, which is next to the Search all fields box.

  2. Search for Cloud Pub/Sub Topic, and then click the Cloud Pub/Sub Topic resource type.

  3. Click the topic ID you want to view.

  4. Click Apply.

UTF-8 encoding is enforced for log fields. Characters that are not UTF-8 characters are replaced with question marks.

Logged information

Real-time feed log entries contain following types of information:

  • General information shown in most Google Cloud logs, such as severity, project ID, project number, or timestamp.

  • Real-time feed log fields in jsonPayload, which contains asset name, feed output config, error status when publishing resource or IAM policy updates.

The following table shows what kinds of information each field contains.

Field Type and description
name

string

Full Name of the feed. The format is one of the following:

  • projects/PROJECT_ID/feeds/FEED_ID
  • folders/FOLDER_ID/feeds/FEED_ID
  • organizations/ORGANIZATION_ID/feeds/FEED_ID
asset_name

string

Full name of the asset to receive updates. For example:

//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1

See Resource names for more info.

feed_output_config

FeedOutputConfig

Feed output configuration defining where the asset updates are published to.

condition

Expr

Feed condition which determines whether an asset update should be published.

error_status

Status

Status when there's a failure to publish asset updates to a feed.