You can receive real-time notifications about resource and policy changes by creating and subscribing to a feed.
When you create the feed, you can specify that you want to monitor changes of supported resource types, IAM policies, access policies, and organization policies in an organization, folder, project. Additionally, you can add conditions to your feed so that you only receive notifications for certain types of changes to an asset.
After creating a feed, you receive notifications through Pub/Sub whenever the specified assets change. The first message published to the Pub/Sub topic is a welcome message in the format of a string, and all following messages are in the format of a TemporalAsset.
Here's a sample Pub/Sub message for the RESOURCE
content type.
{
"asset":{
"ancestors":[
"projects/000000000000",
"folders/000000000000",
"organizations/000000000000"
],
"assetType":"storage.googleapis.com/Bucket",
"name":"//storage.googleapis.com/my-bucket",
"resource":{
"data":{
LATEST_ASSET_METADATA
},
"discoveryDocumentUri":"https://www.googleapis.com/discovery/v1/apis/storage/v1/rest",
"discoveryName":"Bucket",
"location":"us",
"parent":"//cloudresourcemanager.googleapis.com/projects/000000000000",
"version":"v1"
},
"updateTime":"2024-01-30T00:00:00.000000Z"
},
"priorAsset":{
"ancestors":[
"projects/000000000000",
"folders/000000000000",
"organizations/000000000000"
],
"assetType":"storage.googleapis.com/Bucket",
"name":"//storage.googleapis.com/my-bucket",
"resource":{
"data":{
PREVIOUS_ASSET_METADATA
},
"discoveryDocumentUri":"https://www.googleapis.com/discovery/v1/apis/storage/v1/rest",
"discoveryName":"Bucket",
"location":"us",
"parent":"//cloudresourcemanager.googleapis.com/projects/000000000000",
"version":"v1"
},
"updateTime":"2024-01-29T00:00:00.000000Z"
},
"priorAssetState":"PRESENT",
"window":{
"startTime":"2024-01-30T00:00:00.000000Z"
}
}
To learn more about Pub/Sub or how to set up subscriptions, see the Pub/Sub documentation.
Before you begin
Enable the Cloud Asset Inventory API in the project you're running Cloud Asset Inventory commands from.
Make sure your account has the correct role to call the Cloud Asset Inventory API. For individual permissions for each call type, see Permissions.
Create a Pub/Sub topic, if you don't have one already.
Limitations
It can take up to 10 minutes for any feed creation, update, or deletion to take effect.
The project where a feed is created must outlive the feed. This is because the service account used to publish to the destination Pub/Sub topic is located in that project. A feed no longer functions and is deleted as soon as project deletion is permanent.
You can create up to 200 feeds on a parent. This limit only applies to feeds directly following a parent and does not count the feeds of its children. For example, if you have 10 projects in an organization, each project can have up to 200 feeds, and the organization can also have up to 200 feeds.
Create feeds
gcloud
gcloud asset feeds create FEED_ID \ --SCOPE \ --billing-project=BILLING_PROJECT_ID \ --pubsub-topic=projects/TOPIC_PROJECT_ID/topics/TOPIC_ID \ --asset-names=ASSET_NAME_1,ASSET_NAME_2,... \ --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \ --content-type=CONTENT_TYPE \ --relationship-types=RELATIONSHIP_TYPE_1,RELATIONSHIP_TYPE_2,... \ --condition-title="CONDITION_TITLE" \ --condition-description="CONDITION_DESCRIPTION" \ --condition-expression="CONDITION_EXPRESSION"
Provide the following values:
-
SCOPE
: Use one of the following values:-
project=PROJECT_ID
, wherePROJECT_ID
is the ID of the project to create the feed in. -
folder=FOLDER_ID
, whereFOLDER_ID
is the ID of the folder to create the feed in.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organization=ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization to create the feed in.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
FEED_ID
: A unique asset feed identifier.-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about setting the billing project. -
TOPIC_PROJECT_ID
: The ID of the project where the Pub/Sub topic is located. -
TOPIC_ID
: The ID of the Pub/Sub topic to publish notifications to. - At least one of the following asset definitions:
ASSET_NAME_#
: Optional. A comma-separated list of asset full names.ASSET_TYPE_#
: Optional. A comma-separated list of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, anINVALID_ARGUMENT
error is returned. When--asset-types
isn't specified, all asset types are returned.
CONTENT_TYPE
: Optional. The content type of the metadata you want to retrieve. When--content-type
isn't specified, only basic information is returned, such as asset names, the last time the assets were updated, and what projects, folders, and organizations they belong to.-
RELATIONSHIP_TYPE_#
: Optional. Only available for Security Command Center Premium and Enterprise tier subscribers. A comma-separated list of asset relationship types you want to retrieve. You must setCONTENT_TYPE
toRELATIONSHIP
for this to work. - If adding an optional feed condition, include the following details
in your command:
CONDITION_TITLE
: A title to assign to the feed condition.-
CONDITION_DESCRIPTION
: A description to assign to the feed condition. CONDITION_EXPRESSION
: The condition expression to apply to the feed.
See the gcloud CLI reference for all options.
Example
Run the following command to create a feed in the my-topic
Pub/Sub topic
that notifies when changes are made to the following resources in the my-project
project.
- The
my-bucket
Cloud Storage bucket - Any BigQuery table
gcloud asset feeds create my-feed \ --project=my-project \ --pubsub-topic=projects/my-project/topics/my-topic \ --asset-names=//storage.googleapis.com/my-bucket \ --asset-types=bigquery.googleapis.com/Table \ --content-type=resource
Example response
assetNames: - //storage.googleapis.com/my-bucket assetTypes: - bigquery.googleapis.com/Table condition: {} contentType: RESOURCE feedOutputConfig: pubsubDestination: topic: projects/my-project/topics/my-topic name: projects/000000000000/feeds/my-feed
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/SCOPE_PATH/feeds
Headers:
X-Goog-User-Project: BILLING_PROJECT_ID
Request JSON body:
{ "feedId": "FEED_ID", "feed": { "assetNames": [ "ASSET_NAME_1", "ASSET_NAME_2", "..." ], "assetTypes": [ "ASSET_TYPE_1", "ASSET_TYPE_2", "..." ], "contentType": "CONTENT_TYPE", "relationshipTypes": [ "RELATIONSHIP_TYPE_1", "RELATIONSHIP_TYPE_2", "..." ], "feedOutputConfig": { "pubsubDestination": { "topic": "projects/TOPIC_PROJECT_ID/topics/TOPIC_ID" } }, "condition": { "title": "CONDITION_TITLE", "description": "CONDITION_DESCRIPTION", "expression": "CONDITION_EXPRESSION" } } }
Provide the following values:
-
SCOPE_PATH
: Use one of the following values:The allowed values are:
-
projects/PROJECT_ID
, wherePROJECT_ID
is the ID of the project to create the feed in. -
projects/PROJECT_NUMBER
, wherePROJECT_NUMBER
is the number of the project to create the feed in.How to find a Google Cloud project number
Google Cloud console
To find a Google Cloud project number, complete the following steps:
-
Go to the Welcome page in the Google Cloud console.
- Click the switcher list box in the menu bar.
-
Select your organization from the list box, and then search for your project name. The project name, project number, and project ID are shown near the Welcome heading.
Up to 4,000 resources are displayed. If you don't see the project you're looking for, go to the Manage resources page and filter the list using the name of that project.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
-
folders/FOLDER_ID
, whereFOLDER_ID
is the ID of the folder to create the feed in.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization to create the feed in.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID
: The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about setting the billing project. FEED_ID
: A unique asset feed identifier.- At least one of the following asset definitions:
ASSET_NAME_#
: Optional. An array of asset full names.ASSET_TYPE_#
: Optional. An array of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, anINVALID_ARGUMENT
error is returned. WhenassetTypes
isn't specified, all asset types are returned.
CONTENT_TYPE
: Optional. The content type of the metadata you want to retrieve. WhencontentType
isn't specified, only basic information is returned, such as asset names, the last time the assets were updated, and what projects, folders, and organizations they belong to.-
RELATIONSHIP_TYPE_#
: Optional. Only available for Security Command Center Premium and Enterprise tier subscribers. A comma-separated list of asset relationship types you want to retrieve. You must setCONTENT_TYPE
toRELATIONSHIP
for this to work. -
TOPIC_PROJECT_ID
: The ID of the project where the Pub/Sub topic is located. -
TOPIC_ID
: The ID of the Pub/Sub topic to publish notifications to. - If adding an optional feed condition, include the following details
in your command:
CONDITION_TITLE
: A title to assign to the feed condition.-
CONDITION_DESCRIPTION
: A description to assign to the feed condition. CONDITION_EXPRESSION
: The condition expression to apply to the feed.
See the REST reference for all options.
Command examples
Run one of the following commands to create a feed in the my-topic
Pub/Sub
topic that notifies when changes are made to the following resources in the
my-project
project.
- The
my-bucket
Cloud Storage bucket - Any BigQuery table
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-Goog-User-Project: BILLING_PROJECT_ID" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "feedId": "my-feed", "feed": { "assetNames": [ "//storage.googleapis.com/my-bucket" ], "assetTypes": [ "bigquery.googleapis.com/Table" ], "contentType": "RESOURCE", "feedOutputConfig": { "pubsubDestination": { "topic": "projects/my-project/topics/my-topic" } } } }' \ https://cloudasset.googleapis.com/v1/projects/my-project/feeds
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" } $body = @" { "feedId": "my-feed", "feed": { "assetNames": [ "//storage.googleapis.com/my-bucket" ], "assetTypes": [ "bigquery.googleapis.com/Table" ], "contentType": "RESOURCE", "feedOutputConfig": { "pubsubDestination": { "topic": "projects/my-project/topics/my-topic" } } } } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project/feeds" | Select-Object -Expand Content
Example response
{ "name": "projects/000000000000/feeds/my-feed", "assetNames": [ "//storage.googleapis.com/my-bucket" ], "assetTypes": [ "bigquery.googleapis.com/Table" ], "contentType": "RESOURCE", "feedOutputConfig": { "pubsubDestination": { "topic": "projects/my-project/topics/my-topic" } } }
Go
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Ruby
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Get feeds
gcloud
gcloud asset feeds describe FEED_ID \ --SCOPE \ --billing-project=BILLING_PROJECT_ID
Provide the following values:
-
SCOPE
: Use one of the following values:-
project=PROJECT_ID
, wherePROJECT_ID
is the ID of the project that the feed is in. -
folder=FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that the feed is in.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organization=ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that the feed is in.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID
: The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about setting the billing project. FEED_ID
: A unique asset feed identifier.
See the gcloud CLI reference for all options.
Example response
assetNames: - //storage.googleapis.com/my-bucket assetTypes: - bigquery.googleapis.com/Table condition: {} contentType: RESOURCE feedOutputConfig: pubsubDestination: topic: projects/my-project/topics/my-topic name: projects/000000000000/feeds/my-feed
REST
HTTP method and URL:
GET https://cloudasset.googleapis.com/v1/SCOPE_PATH/feeds/FEED_ID
Headers:
X-Goog-User-Project: BILLING_PROJECT_ID
Provide the following values:
-
SCOPE_PATH
: Use one of the following values:The allowed values are:
-
projects/PROJECT_ID
, wherePROJECT_ID
is the ID of the project that the feed is in. -
projects/PROJECT_NUMBER
, wherePROJECT_NUMBER
is the number of the project that the feed is in.How to find a Google Cloud project number
Google Cloud console
To find a Google Cloud project number, complete the following steps:
-
Go to the Welcome page in the Google Cloud console.
- Click the switcher list box in the menu bar.
-
Select your organization from the list box, and then search for your project name. The project name, project number, and project ID are shown near the Welcome heading.
Up to 4,000 resources are displayed. If you don't see the project you're looking for, go to the Manage resources page and filter the list using the name of that project.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
-
folders/FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that the feed is in.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that the feed is in.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID
: The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Read more about setting the billing project. FEED_ID
: A unique asset feed identifier.
See the REST reference for all options.
Command examples
Run one of the following commands to get a specific feed.
curl (Linux, macOS, or Cloud Shell)
curl -X GET \ -H "X-Goog-User-Project: BILLING_PROJECT_ID" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://cloudasset.googleapis.com/v1/projects/my-project/feeds/my-feed
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project/feeds/my-feed" | Select-Object -Expand Content
Example response
{ "name": "projects/000000000000/feeds/my-feed", "assetNames": [ "//storage.googleapis.com/my-bucket" ], "assetTypes": [ "bigquery.googleapis.com/Table" ], "contentType": "RESOURCE", "feedOutputConfig": { "pubsubDestination": { "topic": "projects/my-project/topics/my-topic" } } }
Go
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
List feeds
To list all the feeds for a project, folder, or organization, make one of the following requests.
gcloud
gcloud asset feeds list \ --SCOPE \ --billing-project=BILLING_PROJECT_ID
Provide the following values:
-
SCOPE
: Use one of the following values:-
project=PROJECT_ID
, wherePROJECT_ID
is the ID of the project that the feeds are in. -
folder=FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that the feeds are in.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organization=ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that the feeds are in.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID
: The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about setting the billing project.
See the gcloud CLI reference for all options.
Example response
- assetNames: - //storage.googleapis.com/my-bucket assetTypes: - bigquery.googleapis.com/Table condition: {} contentType: RESOURCE feedOutputConfig: pubsubDestination: topic: projects/my-project/topics/my-topic name: projects/000000000000/feeds/my-feed
REST
HTTP method and URL:
GET https://cloudasset.googleapis.com/v1/SCOPE_PATH/feeds
Headers:
X-Goog-User-Project: BILLING_PROJECT_ID
Provide the following values:
-
SCOPE_PATH
: Use one of the following values:The allowed values are:
-
projects/PROJECT_ID
, wherePROJECT_ID
is the ID of the project that the feeds are in. -
projects/PROJECT_NUMBER
, wherePROJECT_NUMBER
is the number of the project that the feeds are in.How to find a Google Cloud project number
Google Cloud console
To find a Google Cloud project number, complete the following steps:
-
Go to the Welcome page in the Google Cloud console.
- Click the switcher list box in the menu bar.
-
Select your organization from the list box, and then search for your project name. The project name, project number, and project ID are shown near the Welcome heading.
Up to 4,000 resources are displayed. If you don't see the project you're looking for, go to the Manage resources page and filter the list using the name of that project.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
-
folders/FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that the feeds are in.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that the feeds are in.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID
: The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Read more about setting the billing project.
See the REST reference for all options.
Command examples
Run one of the following commands to list all feeds in the my-project
project.
curl (Linux, macOS, or Cloud Shell)
curl -X GET \ -H "X-Goog-User-Project: BILLING_PROJECT_ID" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://cloudasset.googleapis.com/v1/projects/my-project/feeds
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project/feeds" | Select-Object -Expand Content
Example response
{ "feeds": [ { "name": "projects/000000000000/feeds/my-feed", "assetNames": [ "//storage.googleapis.com/my-bucket" ], "assetTypes": [ "bigquery.googleapis.com/Table" ], "contentType": "RESOURCE", "feedOutputConfig": { "pubsubDestination": { "topic": "projects/my-project/topics/my-topic" } } } ] }
Go
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Update feeds
You can update the attributes of an existing feed in the following ways:
Adding and removing specific asset names, or clearing all of them from the feed.
Adding and removing specific asset types, or clearing all of them from the feed.
Overwriting conditions or clearing them from the feed.
gcloud
gcloud asset feeds update FEED_ID \ --SCOPE \ --billing-project=BILLING_PROJECT_ID \ --pubsub-topic=projects/TOPIC_PROJECT_ID/topics/TOPIC_ID \ --clear-asset-names \ --add-asset-names=ASSET_NAME_1,ASSET_NAME_2,... \ --remove-asset-names=ASSET_NAME_3,ASSET_NAME_4,... \ --clear-asset-types \ --add-asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \ --remove-asset-types=ASSET_TYPE_3,ASSET_TYPE_4,... \ --clear-content-type \ --content-type=CONTENT_TYPE \ --clear-relationship-types \ --remove-relationship-types=RELATIONSHIP_TYPE_1,RELATIONSHIP_TYPE_2,... \ --add-relationship-types=RELATIONSHIP_TYPE_1,RELATIONSHIP_TYPE_2,... \ --clear-condition-title \ --condition-title="CONDITION_TITLE" \ --clear-condition-description \ --condition-description="CONDITION_DESCRIPTION" \ --clear-condition-expression --condition-expression="CONDITION_EXPRESSION"
Provide the following values:
-
SCOPE
: Use one of the following values:-
project=PROJECT_ID
, wherePROJECT_ID
is the ID of the project to update the feed in. -
folder=FOLDER_ID
, whereFOLDER_ID
is the ID of the folder to update the feed in.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organization=ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization to update the feed in.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
FEED_ID
: A unique asset feed identifier.-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about setting the billing project. -
TOPIC_PROJECT_ID
: The ID of the project where the Pub/Sub topic is located. -
TOPIC_ID
: The ID of the Pub/Sub topic to publish notifications to. - At least one of the following asset definitions:
ASSET_NAME_#
: Optional. A comma-separated list of asset full names.ASSET_TYPE_#
: Optional. A comma-separated list of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, anINVALID_ARGUMENT
error is returned. When--asset-types
isn't specified, all asset types are returned.
CONTENT_TYPE
: Optional. The content type of the metadata you want to retrieve. When--content-type
isn't specified, only basic information is returned, such as asset names, the last time the assets were updated, and what projects, folders, and organizations they belong to.-
RELATIONSHIP_TYPE_#
: Optional. Only available for Security Command Center Premium and Enterprise tier subscribers. A comma-separated list of asset relationship types you want to retrieve. You must setCONTENT_TYPE
toRELATIONSHIP
for this to work. - If adding an optional feed condition, include the following details
in your command:
CONDITION_TITLE
: A title to assign to the feed condition.-
CONDITION_DESCRIPTION
: A description to assign to the feed condition. CONDITION_EXPRESSION
: The condition expression to apply to the feed.
See the gcloud CLI reference for all options.
Example
Run the following command to update the my-topic
Pub/Sub topic in the
my-project
project. This request removes all asset names from monitoring, and adds
the asset type gkemulticloud.googleapis.com/AttachedCluster
.
gcloud asset feeds update my-feed \ --project=my-project \ --pubsub-topic=projects/my-project/topics/my-topic \ --clear-asset-names \ --add-asset-types=gkemulticloud.googleapis.com/AttachedCluster
Example response
assetTypes: - bigquery.googleapis.com/Table - gkemulticloud.googleapis.com/AttachedCluster condition: {} contentType: RESOURCE feedOutputConfig: pubsubDestination: topic: projects/my-project/topics/my-topic name: projects/000000000000/feeds/my-feed
To update the attributes of a feed, you need to specify the attribute
path in the update_mask
and the value of that attribute.
REST
HTTP method and URL:
PATCH https://cloudasset.googleapis.com/v1/SCOPE_PATH/feeds/FEED_ID
Headers:
X-Goog-User-Project: BILLING_PROJECT_ID
Request JSON body:
{ "feed": { "assetNames": [ "ASSET_NAME_1", "ASSET_NAME_2", "..." ], "assetTypes": [ "ASSET_TYPE_1", "ASSET_TYPE_2", "..." ], "contentType": "CONTENT_TYPE", "relationshipTypes": [ "RELATIONSHIP_TYPE_1", "RELATIONSHIP_TYPE_2", "..." ], "feedOutputConfig": { "pubsubDestination": { "topic": "projects/TOPIC_PROJECT_ID/topics/TOPIC_ID" } } }, "condition": { "title": "CONDITION_TITLE", "description": "CONDITION_DESCRIPTION", "expression": "CONDITION_EXPRESSION" }, "update_mask": { "paths": [ "feed_output_config.pubsub_destination.topic", ATTRIBUTE_PATH_1, ATTRIBUTE_PATH_2, ... ] } }
Provide the following values:
-
SCOPE_PATH
: Use one of the following values:The allowed values are:
-
projects/PROJECT_ID
, wherePROJECT_ID
is the ID of the project to update the feed in. -
projects/PROJECT_NUMBER
, wherePROJECT_NUMBER
is the number of the project to update the feed in.How to find a Google Cloud project number
Google Cloud console
To find a Google Cloud project number, complete the following steps:
-
Go to the Welcome page in the Google Cloud console.
- Click the switcher list box in the menu bar.
-
Select your organization from the list box, and then search for your project name. The project name, project number, and project ID are shown near the Welcome heading.
Up to 4,000 resources are displayed. If you don't see the project you're looking for, go to the Manage resources page and filter the list using the name of that project.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
-
folders/FOLDER_ID
, whereFOLDER_ID
is the ID of the folder to update the feed in.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization to update the feed in.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID
: The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about setting the billing project. FEED_ID
: A unique asset feed identifier.- At least one of the following asset definitions:
ASSET_NAME_#
: Optional. An array of asset full names.ASSET_TYPE_#
: Optional. An array of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, anINVALID_ARGUMENT
error is returned. WhenassetTypes
isn't specified, all asset types are returned.
CONTENT_TYPE
: Optional. The content type of the metadata you want to retrieve. WhencontentType
isn't specified, only basic information is returned, such as asset names, the last time the assets were updated, and what projects, folders, and organizations they belong to.-
RELATIONSHIP_TYPE_#
: Optional. Only available for Security Command Center Premium and Enterprise tier subscribers. A comma-separated list of asset relationship types you want to retrieve. You must setCONTENT_TYPE
toRELATIONSHIP
for this to work. -
TOPIC_PROJECT_ID
: The ID of the project where the Pub/Sub topic is located. -
TOPIC_ID
: The ID of the Pub/Sub topic to publish notifications to. - If adding an optional feed condition, include the following details
in your command:
CONDITION_TITLE
: A title to assign to the feed condition.-
CONDITION_DESCRIPTION
: A description to assign to the feed condition. CONDITION_EXPRESSION
: The condition expression to apply to the feed.
See the REST reference for all options.
Command examples
Run one of the following commands to update the my-topic
Pub/Sub topic in
the my-project
project. This request removes all asset names from monitoring, and
adds the asset type gkemulticloud.googleapis.com/AttachedCluster
.
curl (Linux, macOS, or Cloud Shell)
curl -X PATCH \ -H "X-Goog-User-Project: BILLING_PROJECT_ID" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "feed": { "assetNames": [], "assetTypes": [ "gkemulticloud.googleapis.com/AttachedCluster" ], "feedOutputConfig": { "pubsubDestination": { "topic": "projects/my-project/topics/my-topic" } } }, "update_mask": { "paths": ["feed_output_config.pubsub_destination.topic", "asset_names", "asset_types"] } }' \ https://cloudasset.googleapis.com/v1/projects/my-project/feeds/my-feed
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" } $body = @" { "feed": { "assetNames": [], "assetTypes": [ "gkemulticloud.googleapis.com/AttachedCluster" ], "feedOutputConfig": { "pubsubDestination": { "topic": "projects/my-project/topics/my-topic" } } }, "update_mask": { "paths": ["feed_output_config.pubsub_destination.topic", "asset_names", "asset_types"] } } "@ Invoke-WebRequest ` -Method PATCH ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project/feeds/my-feed" | Select-Object -Expand Content
Example response
{ "feeds": [ { "name": "projects/000000000000/feeds/my-feed", "assetTypes": [ "bigquery.googleapis.com/Table", "gkemulticloud.googleapis.com/AttachedCluster" ], "contentType": "RESOURCE", "feedOutputConfig": { "pubsubDestination": { "topic": "projects/my-project/topics/my-topic" } } } ] }
Go
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Delete feeds
If you no longer want to be notified of asset changes, make one of the following requests to delete a feed.
gcloud
gcloud asset feeds delete FEED_ID \ --SCOPE \ --billing-project=BILLING_PROJECT_ID
Provide the following values:
-
SCOPE
: Use one of the following values:-
project=PROJECT_ID
, wherePROJECT_ID
is the ID of the project that the feed is in. -
folder=FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that the feed is in.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organization=ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that the feed is in.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID
: The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about setting the billing project.
See the gcloud CLI reference for all options.
Example response
A successful deletion returns no response.
REST
HTTP method and URL:
DELETE https://cloudasset.googleapis.com/v1/SCOPE_PATH/feeds/FEED_ID
Headers:
X-Goog-User-Project: BILLING_PROJECT_ID
Provide the following values:
-
SCOPE_PATH
: Use one of the following values:The allowed values are:
-
projects/PROJECT_NUMBER
, wherePROJECT_NUMBER
is the number of the project that the feed is in.How to find a Google Cloud project number
Google Cloud console
To find a Google Cloud project number, complete the following steps:
-
Go to the Welcome page in the Google Cloud console.
- Click the switcher list box in the menu bar.
-
Select your organization from the list box, and then search for your project name. The project name, project number, and project ID are shown near the Welcome heading.
Up to 4,000 resources are displayed. If you don't see the project you're looking for, go to the Manage resources page and filter the list using the name of that project.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
-
folders/FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that the feed is in.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that the feed is in.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
BILLING_PROJECT_ID
: The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about setting the billing project.
See the REST reference for all options.
Command examples
Run one of the following commands to delete a specific feed.
curl (Linux, macOS, or Cloud Shell)
curl -X DELETE \ -H "X-Goog-User-Project: BILLING_PROJECT_ID" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://cloudasset.googleapis.com/v1/projects/000000000000/feeds/my-feed
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method DELETE ` -Headers $headers ` -Uri "https://cloudasset.googleapis.com/v1/projects/000000000000/feeds/my-feed" | Select-Object -Expand Content
Example response
{}
Go
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Feed conditions
To view only certain types of changes for a given asset, you can add a condition to your feed. Conditions are written in Common Expression Language (CEL).
Support for conditions is limited. In some cases, creating or updating feeds with conditions might result in a delay.
Limitations
Condition expressions have a length limit of 3,000 characters.
Most variable names in condition expressions are represented in lowercase with underscores between each word. For example,
example_variable
.The exception is the variable names of the sub-fields of
data
in the Resource object. These don't have word separators, and the first character of each word after the first is capitalized. For example,exampleVariable
.Some validations on condition expressions are performed during feed creation or feed update time. However, such validations are not comprehensive, especially for conditions set on the
temporal_asset.asset.resource.data
field, which has a dynamic type. Where possible, filter your feed by using the appropriate gcloud CLI or REST API parameters instead.Notifications aren't sent if errors happen during evaluation time, however the errors are logged.
For dynamic types in
temporal_asset.asset.resource.data
, conditions specified on absent fields trigger runtime errors and notifications aren't published. For example, for the conditiontemporal_asset.asset.resource.data.name != "my_name"
, if thename
field is missing in an update, the evaluation fails and you don't receive notifications. If your condition only works in the presence of certain fields, add an existence check to the condition to ensure it is properly evaluated.Static enum types can be represented as either fully qualified path names or raw integers. For example, the following expressions are valid for
prior_asset_state
:temporal_asset.prior_asset_state == google.cloud.asset.v1.TemporalAsset.PriorAssetState.DOES_NOT_EXIST
and
temporal_asset.prior_asset_state == 3
Dynamic enum types in
temporal_asset.asset.resource.data
are represented as raw strings. For example, the following expression is valid for the asset typecloudresourcemanager.googleapis.com/Project
:temporal_asset.asset.resource.data.lifecycleState == "ACTIVE"
Create a condition expression with CEL
In a feed condition,
Common Expression Language (CEL) is used
to make boolean decisions based on attribute data. A condition expression
consists of one or more statements that are joined using logic operators. Each
statement expresses an attribute-based control rule that applies to the
TemporalAsset
to determine whether a notification is sent.
The following CEL features are the most important for feed conditions:
Variables: Conditions use variables to express a given attribute, such as
temporal_asset.deleted
(Boolean
) ortemporal_asset.asset.name
(String
). These variables are populated with values based on the context at runtime.Operators: Every data type, such as
String
, supports a set of operators that can be used to create a logic expression. Most commonly, operators are used to compare the value contained in a variable with a literal value, such astemporal_asset.asset.name == "//cloudresourcemanager.googleapis.com/projects/12345"
. In this example, if the input value oftemporal_asset.asset.name
is//cloudresourcemanager.googleapis.com/projects/12345
, then the expression evaluates totrue
.Functions: A function is a compound operator for data types that support more complex operations. In condition expressions, there are predefined functions that can be used in conjunction with a given data type. For example,
temporal_asset.asset.name.contains("keyword")
uses a function calledcontains
to check if the value oftemporal_asset.asset.name
contains"keyword"
. If so, it evaluates totrue
.Logical operators: Conditions support logical operators that can be used to build complex logic expressions from basic expression statements:
&&
(AND) and||
(OR). These logical operators make it possible to use multiple input variables in a condition expression. For example:temporal_asset.deleted && temporal_asset.window.start_time.getFullYear() > 2020
joins two basic statements, and requires both statements to be met in order to produce atrue
evaluation result.
For more information about CEL features, see the language definition.
Using condition variables
Condition variables allow you to create conditions on different attributes. Supported condition variables are:
- temporal_asset: The most recent asset change in
TemporalAsset
format. If the condition evaluates to true, the
TemporalAsset
is sent to the configured destination.
Example condition expressions
The following condition expression sends notifications on creation events:
temporal_asset.deleted == false &&
temporal_asset.prior_asset_state == google.cloud.asset.v1.TemporalAsset.PriorAssetState.DOES_NOT_EXIST
The following condition expression sends notifications for resources that are
located in folders 12345
and 23456
:
"folders/12345" in temporal_asset.asset.ancestors ||
"folders/23456" in temporal_asset.asset.ancestors
The following condition expression sends notifications when new allowed rules
are added to firewalls, assuming the asset type is already set to
compute.googleapis.com/Firewall
in the feed:
size(temporal_asset.asset.resource.data.allowed) >
size(temporal_asset.prior_asset.resource.data.allowed)
The following condition expression sends notifications for VM instances with
n1-standard-1
machine type, assuming the asset type is already set to
compute.googleapis.com/Instance
in the feed:
temporal_asset.asset.resource.data.machineType.endsWith('/machineTypes/n1-standard-1')
The following condition expression sends notifications for storage buckets with
any IAM policies for allUsers
, assuming the asset type is set
to storage.googleapis.com/Bucket
, and the content type is set to IAM_POLICY
in the feed:
temporal_asset.asset.iam_policy.bindings.exists(b, b.members.exists(m, m == "allUsers"))
The following condition expression sends a notification when a storage bucket
with the test
key in its label is deleted:
temporal_asset.deleted == true && temporal_asset.prior_asset_state == google.cloud.asset.v1.TemporalAsset.PriorAssetState.PRESENT && "test" in temporal_asset.prior_asset.resource.data.labels
Troubleshooting
If you're not receiving notifications for resource or IAM policy updates, the following steps can help you to troubleshoot:
Make sure that the metadata has changed on your assets. The real-time feed only sends updates when the metadata of the supported resource types has changed. Operations such as uploading a new file to your Cloud Storage bucket does not trigger a metadata change.
Make sure your assets match one of the asset names or types you specified in the feed.
For project deletions, keep in mind that when you shut down a project you have 30 days to undo the operation. Because of this, the
deleted
field in the asset metadata is not set until the project is permanently deleted. To monitor projects that are pending deletion, you can set a condition on the project'slifecycleState
field instead. For example:temporal_asset.asset.resource.data.lifecycleState == "DELETE_REQUESTED"
.Check the logs to see if there are errors when publishing updates to your topic.
Cloud Logging
When real-time feeds fail to send resources or IAM policy updates through Pub/Sub, Cloud Asset Inventory logs the error status and message in Logging. Logging is enabled by default, and belongs to Google Cloud Observability. Learn about Google Cloud Observability pricing.
Viewing real-time feed logs
The real-time feed log is indexed by a Pub/Sub topic. To see all logs:
Go to the Logs Explorer page in the Google Cloud console.
Click the Resource list, which is near to the Search all fields box.
Search for
Cloud Pub/Sub Topic
, and then click the Cloud Pub/Sub Topic resource type.Click the topic ID you want to view.
Click Apply.
UTF-8 encoding is enforced for log fields. Characters that are not UTF-8 characters are replaced with question marks.
Logged information
Real-time feed log entries contain following types of information:
General information shown in most Google Cloud logs, such as severity, project ID, project number, or timestamp.
Real-time feed log fields in
jsonPayload
, which contains asset name, feed output config, and error status when publishing resource or IAM policy updates.
The following table shows what kind of information each field contains.
Field | Type and description |
---|---|
name |
Full Name of the feed. The format is one of the following:
|
asset_name |
Full name of the asset to receive updates. For example:
See Resource names for more info. |
condition |
Feed condition which determines whether an asset update should be published. |
error_status |
Status when there's a failure to publish asset updates to a feed. |
feed_output_config |
Feed output configuration defining where the asset updates are published to. |