Cloud Asset Inventory provides inventory services based on a time series database. This database keeps a five-week history of Google Cloud asset metadata. The Cloud Asset Inventory export service allows you to export all asset metadata at a certain timestamp or export event change history during a timeframe.
Features
Export asset metadata at a timestamp
The Cloud Asset Inventory export service allows you to export all the asset metadata at a given timestamp to a Cloud Storage file.
Export asset history
The Cloud Asset Inventory export service allows you to export the event change history of multiple assets during a given timeframe. The exported event change history shows you all the create, delete, and update events for the specified assets over time.
Supported resource types
Cloud Asset Inventory currently supports and returns the following resource types. You need to use the correct resource name format when using Cloud Asset Inventory.
Service | Launch stage/Resource |
---|---|
App Engine | GA (API reference) • appengine.googleapis.com/Application • appengine.googleapis.com/Service • appengine.googleapis.com/Version |
BigQuery. Note that BigQuery asset metadata and change history might be incomplete. | GA (API reference) • bigquery.googleapis.com/Dataset • bigquery.googleapis.com/Table |
Cloud Bigtable | GA (API reference) • bigtableadmin.googleapis.com/Cluster • bigtableadmin.googleapis.com/Instance • bigtableadmin.googleapis.com/Table |
Cloud Billing | GA (API reference) • cloudbilling.googleapis.com/BillingAccount |
Dataproc | GA (API reference) • dataproc.googleapis.com/Cluster • dataproc.googleapis.com/Job |
Cloud DNS | GA (API reference) • dns.googleapis.com/ManagedZone • dns.googleapis.com/Policy |
Cloud Identity and Access Management. Note that the iam.googleapis.com/ServiceAccountKey asset can be stale for up to 3 days. History data starts from Oct 28th, 2019. | GA (API reference) • iam.googleapis.com/Role • iam.googleapis.com/ServiceAccount • iam.googleapis.com/ServiceAccountKey |
Key Management Service | GA (API reference) • cloudkms.googleapis.com/KeyRing • cloudkms.googleapis.com/CryptoKey • cloudkms.googleapis.com/CryptoKeyVersion |
Pub/Sub | GA (API reference) • pubsub.googleapis.com/Topic • pubsub.googleapis.com/Subscription |
Cloud Spanner | GA (API reference) • spanner.googleapis.com/Instance • spanner.googleapis.com/Database |
Cloud SQL. Note that Cloud SQL asset change history can be incomplete, and data freshness can be stale for up to an hour. | GA (API reference) • sqladmin.googleapis.com/Instance |
Cloud Storage | GA (API reference) • storage.googleapis.com/Bucket |
Compute Engine | GA (API reference) • compute.googleapis.com/Autoscaler • compute.googleapis.com/Address • compute.googleapis.com/GlobalAddress • compute.googleapis.com/BackendBucket • compute.googleapis.com/BackendService • compute.googleapis.com/Disk • compute.googleapis.com/Firewall • compute.googleapis.com/ForwardingRule • compute.googleapis.com/GlobalForwardingRule • compute.googleapis.com/HealthCheck • compute.googleapis.com/HttpHealthCheck • compute.googleapis.com/HttpsHealthCheck • compute.googleapis.com/Image • compute.googleapis.com/Instance • compute.googleapis.com/InstanceGroup • compute.googleapis.com/InstanceGroupManager • compute.googleapis.com/InstanceTemplate • compute.googleapis.com/Interconnect • compute.googleapis.com/InterconnectAttachment • compute.googleapis.com/License • compute.googleapis.com/Network • compute.googleapis.com/Project • compute.googleapis.com/RegionBackendService • compute.googleapis.com/RegionDisk • compute.googleapis.com/Route • compute.googleapis.com/Router • compute.googleapis.com/SecurityPolicy • compute.googleapis.com/Snapshot • compute.googleapis.com/SslCertificate • compute.googleapis.com/Subnetwork • compute.googleapis.com/TargetHttpProxy • compute.googleapis.com/TargetHttpsProxy • compute.googleapis.com/TargetInstance • compute.googleapis.com/TargetPool • compute.googleapis.com/TargetTcpProxy • compute.googleapis.com/TargetSslProxy • compute.googleapis.com/TargetVpnGateway • compute.googleapis.com/UrlMap • compute.googleapis.com/VpnTunnel |
Google Kubernetes Engine | GA (API reference) • container.googleapis.com/Cluster; (API reference) • k8s.io/Node • k8s.io/Pod • k8s.io/Namespace • k8s.io/Service • rbac.authorization.k8s.io/Role • rbac.authorization.k8s.io/RoleBinding • rbac.authorization.k8s.io/ClusterRole • rbac.authorization.k8s.io/ClusterRoleBinding; Beta (API reference) • container.googleapis.com/NodePool • extensions.k8s.io/Ingress |
Resource Manager. Note that we recently migrated Resource Manager resources to GA versions. | GA (API reference) • cloudresourcemanager.googleapis.com/Organization • cloudresourcemanager.googleapis.com/Folder • cloudresourcemanager.googleapis.com/Project |
Service Usage. Note that Service Usage asset change history might be incomplete, data freshness can be stale for up to six hours, and the field config in the metadata is not supported yet. | GA (API reference) • serviceusage.googleapis.com/Service |
Supported policy types
The Cloud Asset API currently supports the following policy types in Google Cloud:
Policy | Launch stage/Supported resource |
---|---|
Cloud IAM | GA (API reference) • All supported resource types |
Organization Policy. Note that Organization Policy change history can be incomplete, and data freshness can be stale for up to one day. | GA (API reference) • cloudresourcemanager.googleapis.com/Organization • cloudresourcemanager.googleapis.com/Folder • cloudresourcemanager.googleapis.com/Project |
Access Policy (VPC Service Controls Policy). Note that Access Policy change history can be incomplete, and data freshness can be stale for up to 6 hours. | GA (API reference) • cloudresourcemanager.googleapis.com/Organization |
Key Concepts
Asset
An asset refers to a Google Cloud resource or policy. Examples of resources include Compute Engine virtual machines (VMs), Cloud Storage buckets, and App Engine instances. Examples of policies include Cloud Identity and Access Management (Cloud IAM) policies and org policies (currently not supported).
Asset content type
Cloud Asset Inventory supports the following asset types:
- Resource: Resource metadata of a Google Cloud asset.
- IAM Policy: Metadata of the Cloud IAM Policy set on a Google Cloud asset.
- Org Policy: Metadata of the Organization Policy set on a Resource Manager asset.
- Access Policy: Metadata of the Access Context Manager Policy (VPC Service Controls Policy) set on an organization.
Asset snapshot
An asset snapshot is the set of available assets under a Cloud Asset Inventory project, folder, or organization at a timestamp.
Asset history
For a given asset, asset history includes all metadata create, delete, and update events between timestamp T1 and T2.
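The relationship between asset history and an asset snapshot, as an added Python example that is not part of the original documentation: it replays constructed create, update, and delete events to rebuild the snapshot at a timestamp, and lists the asset types whose staleness windows quoted in the resource table still cover that timestamp. The event record layout, the helper names, and the asset names are assumptions for illustration, not the export format.

```python
from datetime import datetime, timedelta, timezone

# Staleness figures quoted in the tables on this page, per asset type.
MAX_STALENESS = {
    "iam.googleapis.com/ServiceAccountKey": timedelta(days=3),
    "sqladmin.googleapis.com/Instance": timedelta(hours=1),
    "serviceusage.googleapis.com/Service": timedelta(hours=6),
}
RETENTION = timedelta(weeks=5)  # length of history the service keeps

def snapshot_at(events, ts):
    """Replay events with time <= ts and return {asset name: asset type}."""
    live = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["time"] > ts:
            break
        if ev["kind"] == "delete":
            live.pop(ev["name"], None)
        else:  # "create" or "update": the asset exists after this event
            live[ev["name"]] = ev["type"]
    return live

def review(events, ts, now):
    """Return (snapshot at ts, asset types whose data for ts may still lag)."""
    if now - ts > RETENTION:
        raise ValueError("timestamp is outside the five-week history")
    seen = {ev["type"] for ev in events}
    lagging = sorted(t for t in seen
                     if now - ts < MAX_STALENESS.get(t, timedelta(0)))
    return snapshot_at(events, ts), lagging

# Constructed sample history (hypothetical names and record layout).
T0 = datetime(2020, 1, 6, tzinfo=timezone.utc)
KEY = "//iam.googleapis.com/projects/example-project/serviceAccounts/sa/keys/k1"
BUCKET = "//storage.googleapis.com/example-bucket"
SQL = "//cloudsql.googleapis.com/projects/example-project/instances/db1"
def _ev(hours, kind, name, type_):
    return {"time": T0 + timedelta(hours=hours), "kind": kind,
            "name": name, "type": type_}
EVENTS = [
    _ev(0, "create", KEY, "iam.googleapis.com/ServiceAccountKey"),
    _ev(1, "create", BUCKET, "storage.googleapis.com/Bucket"),
    _ev(2, "update", BUCKET, "storage.googleapis.com/Bucket"),
    _ev(5, "delete", KEY, "iam.googleapis.com/ServiceAccountKey"),
    _ev(6, "create", SQL, "sqladmin.googleapis.com/Instance"),
]

if __name__ == "__main__":
    snap, lagging = review(EVENTS, T0 + timedelta(hours=7),
                           now=T0 + timedelta(days=2))
    print(sorted(snap.values()), lagging)
```

An asset type listed in the second return value means a key or instance absent from the rebuilt snapshot may simply not have been recorded yet, so the result for that type should be rechecked once the window has passed.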
Next steps
- Try out the Cloud Asset Inventory Quickstart to start exporting assets.