Roles and permissions

Cloud Asset Inventory uses Identity and Access Management (IAM) for access control. Every Cloud Asset Inventory API method requires the caller to have the necessary permissions.

Roles

To get the permissions that you need to work with asset metadata, ask your administrator to grant you the following IAM roles on the organization, folder, or project:

To view asset metadata:
- Cloud Asset Viewer (roles/cloudasset.viewer)
- Service Usage Consumer (roles/serviceusage.serviceUsageConsumer)
To view asset metadata and work with feeds:
- Cloud Asset Owner (roles/cloudasset.owner)
- Service Usage Consumer (roles/serviceusage.serviceUsageConsumer)

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to work with asset metadata. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to work with asset metadata:

To view asset metadata:
- cloudasset.assets.*
- recommender.cloudAssetInsights.get
- recommender.cloudAssetInsights.list
- serviceusage.services.use
To view asset metadata and work with feeds:
- cloudasset.*
- recommender.cloudAssetInsights.*
- serviceusage.services.use

You might also be able to get these permissions with custom roles or other predefined roles.

Permissions

The following table lists the permissions that the caller must have to call each API method in Cloud Asset Inventory, or to perform tasks using Google Cloud tools that use Cloud Asset Inventory such as the Google Cloud console or gcloud CLI.

The Cloud Asset Viewer (roles/cloudasset.viewer) and Cloud Asset Owner (roles/cloudasset.owner) roles include many of these permissions. If the caller has been granted one of these roles and the Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) role, they might already have the permissions they need to use Cloud Asset Inventory.

RPC

Method	Required permissions
All APIs
All Cloud Asset Inventory calls	All Cloud Asset Inventory calls require the `serviceusage.services.use` permission.
Analysis APIs
`AnalyzeIamPolicy` `AnalyzeIamPolicyLongRunning` `BatchGetEffectiveIamPolicies`	All of the following permissions: `cloudasset.assets.analyzeIamPolicy` `cloudasset.assets.searchAllIamPolicies` `cloudasset.assets.searchAllResources`
`AnalyzeMove`	`cloudasset.assets.analyzeMove`
`AnalyzeOrgPolicies` `AnalyzeOrgPolicyGovernedContainers`	All of the following permissions: `cloudasset.assets.analyzeOrgPolicy` `cloudasset.assets.searchAllResources`
`AnalyzeOrgPolicyGovernedAssets`	All of the following permissions: `cloudasset.assets.analyzeOrgPolicy` `cloudasset.assets.searchAllIamPolicies` `cloudasset.assets.searchAllResources`
Inventory APIs
`BatchGetAssetsHistory` `ExportAssets`	One of the following permissions, depending on the content type: `cloudasset.assets.exportAccessPolicy` When using the `ACCESS_POLICY` content type. `cloudasset.assets.exportIamPolicy` When using the `IAM_POLICY` content type. `cloudasset.assets.exportOrgPolicy` When using the `ORG_POLICY` content type. `cloudasset.assets.exportOSInventories` When using the `OS_INVENTORY` content type. `cloudasset.assets.exportResource` When using the `RELATIONSHIP` or `RESOURCE` content types. When exporting metadata of an unspecified or `RESOURCE` content type, instead of granting the `cloudasset.assets.exportResource` permission to an account, you can use permissions for each resource type.
`ListAssets`	One of the following permissions, depending on the content type: `cloudasset.assets.listAccessPolicy` `cloudasset.assets.listIamPolicy` `cloudasset.assets.listOrgPolicy` `cloudasset.assets.listOSInventories` `cloudasset.assets.listResource` for the `RELATIONSHIP` and `RESOURCE` content types.
`QueryAssets`	One of the following permissions, depending on the content type: `cloudasset.assets.queryAccessPolicy` `cloudasset.assets.queryIamPolicy` `cloudasset.assets.queryOSInventories` `cloudasset.assets.queryResource` for both the `RELATIONSHIP` and `RESOURCE` content types.
Feed APIs
`CreateFeed`	`cloudasset.feeds.create` You also need one of the following permissions, depending on the content type: `cloudasset.assets.exportIamPolicy` `cloudasset.assets.exportResource`
`DeleteFeed`	`cloudasset.feeds.delete`
`GetFeed`	`cloudasset.feeds.get`
`ListFeed`	`cloudasset.feeds.list`
`UpdateFeed`	`cloudasset.feeds.update` You also need one of the following permissions, depending on the content type: `cloudasset.assets.exportIamPolicy` `cloudasset.assets.exportResource`
Search APIs
`SearchAllIamPolicies`	`cloudasset.assets.searchAllIamPolicies`
`SearchAllResources`	`cloudasset.assets.searchAllResources` You also need `cloudasset.assets.searchEnrichmentResourceOwners` if searching for resource owner enrichment.

REST

Method	Required permissions
All APIs
All Cloud Asset Inventory calls	All Cloud Asset Inventory calls require the `serviceusage.services.use` permission.
Analysis APIs
`analyzeIamPolicy` `analyzeIamPolicyLongRunning` `effectiveIamPolicies.batchGet`	All of the following permissions: `cloudasset.assets.analyzeIamPolicy` `cloudasset.assets.searchAllIamPolicies` `cloudasset.assets.searchAllResources`
`analyzeMove`	`cloudasset.assets.analyzeMove`
`analyzeOrgPolicies` `analyzeOrgPolicyGovernedContainers`	All of the following permissions: `cloudasset.assets.analyzeOrgPolicy` `cloudasset.assets.searchAllResources`
`analyzeOrgPolicyGovernedAssets`	All of the following permissions: `cloudasset.assets.analyzeOrgPolicy` `cloudasset.assets.searchAllIamPolicies` `cloudasset.assets.searchAllResources`
Inventory APIs
`batchGetAssetsHistory` `exportAssets`	One of the following permissions, depending on the content type: `cloudasset.assets.exportAccessPolicy` When using the `ACCESS_POLICY` content type. `cloudasset.assets.exportIamPolicy` When using the `IAM_POLICY` content type. `cloudasset.assets.exportOrgPolicy` When using the `ORG_POLICY` content type. `cloudasset.assets.exportOSInventories` When using the `OS_INVENTORY` content type. `cloudasset.assets.exportResource` When using the `RELATIONSHIP` or `RESOURCE` content types. When exporting metadata of an unspecified or `RESOURCE` content type, instead of granting the `cloudasset.assets.exportResource` permission to an account, you can use permissions for each resource type.
`assets.list`	One of the following permissions, depending on the content type: `cloudasset.assets.listAccessPolicy` `cloudasset.assets.listIamPolicy` `cloudasset.assets.listOrgPolicy` `cloudasset.assets.listOSInventories` `cloudasset.assets.listResource` for the `RELATIONSHIP` and `RESOURCE` content types.
`queryAssets`	One of the following permissions, depending on the content type: `cloudasset.assets.queryAccessPolicy` `cloudasset.assets.queryIamPolicy` `cloudasset.assets.queryOSInventories` `cloudasset.assets.queryResource` for both the `RELATIONSHIP` and `RESOURCE` content types.
Feed APIs
`feeds.create`	`cloudasset.feeds.create` You also need one of the following permissions, depending on the content type: `cloudasset.assets.exportIamPolicy` `cloudasset.assets.exportResource`
`feeds.delete`	`cloudasset.feeds.delete`
`feeds.get`	`cloudasset.feeds.get`
`feeds.list`	`cloudasset.feeds.list`
`feeds.patch`	`cloudasset.feeds.update` You also need one of the following permissions, depending on the content type: `cloudasset.assets.exportIamPolicy` `cloudasset.assets.exportResource`
Search APIs
`searchAllIamPolicies`	`cloudasset.assets.searchAllIamPolicies`
`searchAllResources`	`cloudasset.assets.searchAllResources` You also need `cloudasset.assets.searchEnrichmentResourceOwners` if searching for resource owner enrichment.

gcloud

Positional statement	Required permissions
All APIs
All Cloud Asset Inventory calls	All Cloud Asset Inventory calls require the `serviceusage.services.use` permission.
Analysis APIs
`analyze-iam-policy` `analyze-iam-policy-longrunning` `get-effective-iam-policy`	All of the following permissions: `cloudasset.assets.analyzeIamPolicy` `cloudasset.assets.searchAllIamPolicies` `cloudasset.assets.searchAllResources`
`analyze-move`	`cloudasset.assets.analyzeMove`
`analyze-org-policies` `analyze-org-policy-governed-containers`	All of the following permissions: `cloudasset.assets.analyzeOrgPolicy` `cloudasset.assets.searchAllResources`
`analyze-org-policy-governed-assets`	All of the following permissions: `cloudasset.assets.analyzeOrgPolicy` `cloudasset.assets.searchAllIamPolicies` `cloudasset.assets.searchAllResources`
Inventory APIs
`get-history` `export`	One of the following permissions, depending on the content type: `cloudasset.assets.exportAccessPolicy` When using the `ACCESS_POLICY` content type. `cloudasset.assets.exportIamPolicy` When using the `IAM_POLICY` content type. `cloudasset.assets.exportOrgPolicy` When using the `ORG_POLICY` content type. `cloudasset.assets.exportOSInventories` When using the `OS_INVENTORY` content type. `cloudasset.assets.exportResource` When using the `RELATIONSHIP` or `RESOURCE` content types. When exporting metadata of an unspecified or `RESOURCE` content type, instead of granting the `cloudasset.assets.exportResource` permission to an account, you can use permissions for each resource type.
`list`	One of the following permissions, depending on the content type: `cloudasset.assets.listAccessPolicy` `cloudasset.assets.listIamPolicy` `cloudasset.assets.listOrgPolicy` `cloudasset.assets.listOSInventories` `cloudasset.assets.listResource` for the `RELATIONSHIP` and `RESOURCE` content types.
`query`	One of the following permissions, depending on the content type: `cloudasset.assets.queryAccessPolicy` `cloudasset.assets.queryIamPolicy` `cloudasset.assets.queryOSInventories` `cloudasset.assets.queryResource` for both the `RELATIONSHIP` and `RESOURCE` content types.
Feed APIs
`feeds create`	`cloudasset.feeds.create` You also need one of the following permissions, depending on the content type: `cloudasset.assets.exportIamPolicy` `cloudasset.assets.exportResource`
`feeds delete`	`cloudasset.feeds.delete`
`feeds describe`	`cloudasset.feeds.get`
`feeds list`	`cloudasset.feeds.list`
`feeds update`	`cloudasset.feeds.update` You also need one of the following permissions, depending on the content type: `cloudasset.assets.exportIamPolicy` `cloudasset.assets.exportResource`
Search APIs
`search-all-iam-policies`	`cloudasset.assets.searchAllIamPolicies`
`search-all-resources`	`cloudasset.assets.searchAllResources` You also need `cloudasset.assets.searchEnrichmentResourceOwners` if searching for resource owner enrichment.

Export permissions for each resource type

Granting the cloudasset.assets.exportResource permission to a user allows them to export all resource types. To restrict what resource types a user can export, you can grant permissions for each resource type instead.

For example, granting a user cloudasset.assets.exportComputeDisks means they can't export anything except the resource type compute.googleapis.com/Disk.

Resource export permissions only apply to RESOURCE and unspecified content types.

Service	Resource type	Resource export permission
App Engine	`appengine.googleapis.com/Application`	`cloudasset.assets.exportAppengineApplications`
	`appengine.googleapis.com/Service`	`cloudasset.assets.exportAppengineServices`
	`appengine.googleapis.com/Version`	`cloudasset.assets.exportAppengineVersions`
BigQuery	`bigquery.googleapis.com/Dataset`	`cloudasset.assets.exportBigqueryDatasets`
BigQuery	`bigquery.googleapis.com/Table`	`cloudasset.assets.exportBigqueryTables`
Bigtable	`bigtableadmin.googleapis.com/Cluster`	`cloudasset.assets.exportBigtableCluster`
	`bigtableadmin.googleapis.com/Instance`	`cloudasset.assets.exportBigtableInstance`
	`bigtableadmin.googleapis.com/Table`	`cloudasset.assets.exportBigtableTable`
Cloud Billing	`cloudbilling.googleapis.com/BillingAccount`	`cloudasset.assets.exportCloudbillingBillingAccounts`
Cloud DNS	`dns.googleapis.com/ManagedZone`	`cloudasset.assets.exportDnsManagedZones`
Cloud DNS	`dns.googleapis.com/Policy`	`cloudasset.assets.exportDnsPolicies`
Cloud Key Management Service	`cloudkms.googleapis.com/CryptoKey`	`cloudasset.assets.exportCloudkmsCryptoKeys`
	`cloudkms.googleapis.com/CryptoKeyVersion`	`cloudasset.assets.exportCloudkmsCryptoKeyVersions`
	`cloudkms.googleapis.com/ImportJob`	`cloudasset.assets.exportCloudkmsImportJobs`
	`cloudkms.googleapis.com/KeyRing`	`cloudasset.assets.exportCloudkmsKeyRings`
Cloud OS Config	`osconfig.googleapis.com/PatchDeployment`	`cloudasset.assets.exportPatchDeployments`
Spanner	`spanner.googleapis.com/Backup`	`cloudasset.assets.exportSpannerBackups`
	`spanner.googleapis.com/Database`	`cloudasset.assets.exportSpannerDatabases`
	`spanner.googleapis.com/Instance`	`cloudasset.assets.exportSpannerInstances`
Cloud SQL	`sqladmin.googleapis.com/Instance`	`cloudasset.assets.exportSqladminInstances`
Cloud Storage	`storage.googleapis.com/Bucket`	`cloudasset.assets.exportStorageBuckets`
Compute Engine	`compute.googleapis.com/Address`	`cloudasset.assets.exportComputeAddress`
	`compute.googleapis.com/Autoscaler`	`cloudasset.assets.exportComputeAutoscalers`
	`compute.googleapis.com/BackendBucket`	`cloudasset.assets.exportComputeBackendBuckets`
	`compute.googleapis.com/BackendService`	`cloudasset.assets.exportComputeBackendServices`
	`compute.googleapis.com/Disk`	`cloudasset.assets.exportComputeDisks`
	`compute.googleapis.com/Firewall`	`cloudasset.assets.exportComputeFirewalls`
	`compute.googleapis.com/ForwardingRule`	`cloudasset.assets.exportComputeForwardingRules`
	`compute.googleapis.com/GlobalAddress`	`cloudasset.assets.exportComputeGlobalAddress`
	`compute.googleapis.com/HealthCheck`	`cloudasset.assets.exportComputeHealthChecks`
	`compute.googleapis.com/HttpHealthCheck`	`cloudasset.assets.exportComputeHttpHealthChecks`
	`compute.googleapis.com/HttpsHealthCheck`	`cloudasset.assets.exportComputeHttpsHealthChecks`
	`compute.googleapis.com/Image`	`cloudasset.assets.exportComputeImages`
	`compute.googleapis.com/Instance`	`cloudasset.assets.exportComputeInstances`
	`compute.googleapis.com/InstanceGroup`	`cloudasset.assets.exportComputeInstanceGroups`
	`compute.googleapis.com/InstanceGroupManager`	`cloudasset.assets.exportComputeInstanceGroupManagers`
	`compute.googleapis.com/InstanceTemplate`	`cloudasset.assets.exportComputeInstanceTemplates`
	`compute.googleapis.com/Interconnect`	`cloudasset.assets.exportComputeInterconnect`
	`compute.googleapis.com/InterconnectAttachment`	`cloudasset.assets.exportComputeInterconnectAttachment`
	`compute.googleapis.com/License`	`cloudasset.assets.exportComputeLicenses`
	`compute.googleapis.com/Network`	`cloudasset.assets.exportComputeNetworks`
	`compute.googleapis.com/Project`	`cloudasset.assets.exportComputeProjects`
	`compute.googleapis.com/RegionDisk`	`cloudasset.assets.exportComputeRegionDisk`
	`compute.googleapis.com/Route`	`cloudasset.assets.exportComputeRoutes`
	`compute.googleapis.com/Router`	`cloudasset.assets.exportComputeRouters`
	`compute.googleapis.com/Snapshot`	`cloudasset.assets.exportComputeSnapshots`
	`compute.googleapis.com/SslCertificate`	`cloudasset.assets.exportComputeSslCertificates`
	`compute.googleapis.com/Subnetwork`	`cloudasset.assets.exportComputeSubnetworks`
	`compute.googleapis.com/TargetHttpProxy`	`cloudasset.assets.exportComputeTargetHttpProxies`
	`compute.googleapis.com/TargetHttpsProxy`	`cloudasset.assets.exportComputeTargetHttpsProxies`
	`compute.googleapis.com/TargetInstance`	`cloudasset.assets.exportComputeTargetInstances`
	`compute.googleapis.com/TargetPool`	`cloudasset.assets.exportComputeTargetPools`
	`compute.googleapis.com/TargetTcpProxy`	`cloudasset.assets.exportComputeTargetTcpProxies`
	`compute.googleapis.com/TargetSslProxy`	`cloudasset.assets.exportComputeTargetSslProxies`
	`compute.googleapis.com/TargetVpnGateway`	`cloudasset.assets.exportComputeTargetVpnGateways`
	`compute.googleapis.com/UrlMap`	`cloudasset.assets.exportComputeUrlMaps`
	`compute.googleapis.com/VpnTunnel`	`cloudasset.assets.exportComputeVpnTunnels`
Dataproc	`dataproc.googleapis.com/Cluster`	`cloudasset.assets.exportDataprocClusters`
Dataproc	`dataproc.googleapis.com/Job`	`cloudasset.assets.exportDataprocJobs`
Google Kubernetes Engine	`container.googleapis.com/Cluster`	`cloudasset.assets.exportContainerClusters`
	`container.googleapis.com/NodePool`	`cloudasset.assets.exportContainerNodepool`
	`k8s.io/Namespace`	`cloudasset.assets.exportContainerNamespace`
	`k8s.io/Node`	`cloudasset.assets.exportContainerNode`
	`k8s.io/Pod`	`cloudasset.assets.exportContainerPod`
	`rbac.authorization.k8s.io/ClusterRole`	`cloudasset.assets.exportContainerClusterrole`
	`rbac.authorization.k8s.io/ClusterRoleBinding`	`cloudasset.assets.exportContainerClusterrolebinding`
	`rbac.authorization.k8s.io/Role`	`cloudasset.assets.exportContainerRole`
	`rbac.authorization.k8s.io/RoleBinding`	`cloudasset.assets.exportContainerRolebinding`
IAM	`iam.googleapis.com/Role`	`cloudasset.assets.exportIamRoles`
IAM	`iam.googleapis.com/ServiceAccount`	`cloudasset.assets.exportIamServiceAccounts`
Pub/Sub	`pubsub.googleapis.com/Subscription`	`cloudasset.assets.exportPubsubSubscriptions`
Pub/Sub	`pubsub.googleapis.com/Topic`	`cloudasset.assets.exportPubsubTopics`
Resource Manager	`cloudresourcemanager.googleapis.com/Folder`	`cloudasset.assets.exportCloudresourcemanagerFolders`
	`cloudresourcemanager.googleapis.com/Organization`	`cloudasset.assets.exportCloudresourcemanagerOrganizations`
	`cloudresourcemanager.googleapis.com/Project`	`cloudasset.assets.exportCloudresourcemanagerProjects`

VPC Service Controls

VPC Service Controls can be used with Cloud Asset Inventory to provide additional security for your assets. To learn more about VPC Service Controls, see the Overview of VPC Service Controls.

To learn about the limitations in using Cloud Asset Inventory with VPC Service Controls, see the supported products and limitations.