Getting started with Cloud Asset Inventory

This quickstart shows you how to export asset metadata at a point in time using Cloud Asset Inventory and the Cloud SDK gcloud asset commands.

Before you begin

Before you can start working with Cloud Asset Inventory, you must enable the Cloud Asset Inventory API, install the Cloud SDK, and assign permissions. The Cloud SDK provides the gcloud command-line tool to interact with Cloud Asset Inventory and other Google Cloud services. Learn more about the gcloud tool.

Enabling the Cloud Asset Inventory API and Cloud SDK

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Cloud Console, on the project selector page, select or create a Cloud project.

    Go to the project selector page

  3. Enable the required API.

    Enable the API

  4. Install and initialize the Cloud SDK.

Configuring permissions

To call the Cloud Asset Inventory API, you must first configure permissions.

Searching assets

  1. To search resource metadata, run the following gcloud asset search-all-resources command.

     gcloud beta asset search-all-resources \
        --scope SCOPE \
        --query QUERY
    

    Where all of the following flags are optional:

    • (Optional) SCOPE: The search result scope is limited within a project, folder, or organization. You must have the cloudasset.assets.searchAllResources permission granted to the caller for the desired scope. The default value is your configured project property. The allowed values are:
      • projects/PROJECT_ID (e.g., "projects/foo")
      • projects/PROJECT_NUMBER (e.g., "projects/12345")
      • folders/FOLDER_NUMBER (e.g., "folders/1234")
      • organizations/ORGANIZATION_NUMBER (e.g., "organizations/123")
    • (Optional) QUERY: The query statement. See How to construct a query for more information. Some examples include:
      • "foo" to find resources whose metadata contains "foo" as a substring.
      • "name : foo" to find resources whose names contain "foo" as a word.

    To learn more about how to search resources, see Searching resources.

  2. To search Cloud IAM policies, run the following gcloud asset search-all-iam-policies command.

     gcloud beta asset search-all-iam-policies \
        --scope SCOPE \
        --query QUERY
    

    Where:

    • (Optional) SCOPE: The search result scope is limited within a project, folder, or organization. You must have the cloudasset.assets.searchAllIamPolicies permission granted to the caller for the desired scope. The default value is your configured project property. The allowed values are:
      • projects/PROJECT_ID (e.g., "projects/foo")
      • projects/PROJECT_NUMBER (e.g., "projects/12345")
      • folders/FOLDER_NUMBER (e.g., "folders/1234")
      • organizations/ORGANIZATION_NUMBER (e.g., "organizations/123")
    • (Optional) QUERY: The query statement. See How to construct a query for more information. Some examples include:
      • "policy : amy@gmail.com": to find Cloud IAM policies that specify user "amy".
      • "policy : compute.admin": to find Cloud IAM policies that specify the Compute Admin (roles/compute.admin) role.
      • "resource : projects/123456": to find Cloud IAM policies that are set on "projects/123456".

    To learn more about how to search Cloud IAM policies, see Searching IAM policies.
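
The following wrapper is an added example, not part of the original quickstart or of Google's tooling. It rejects any SCOPE that is not one of the four forms listed above before running search-all-iam-policies, so a scripted audit with an empty or malformed variable stops instead of falling back to the configured project. The function names, the GCLOUD override variable and the project ID character rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): check SCOPE before calling gcloud.
LC_ALL=C; export LC_ALL          # make [a-z] and [0-9] ranges byte-exact
GCLOUD=${GCLOUD:-gcloud}         # hypothetical override so the wrapper can be dry-run

# is_number STR: true for a non-empty string of digits.
is_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# valid_scope SCOPE: true only for the four scope forms the page lists.
valid_scope() {
  kind=${1%%/*}                  # text before the first slash
  id=${1#*/}                     # text after the first slash
  [ "$kind/$id" = "$1" ] || return 1   # rejects empty input and input without a slash
  case "$kind" in
    folders|organizations) is_number "$id" ;;
    projects)
      is_number "$id" && return 0
      # Assumption: project IDs start with a lowercase letter and contain
      # only lowercase letters, digits and hyphens.
      case "$id" in
        [a-z]*) ;;
        *) return 1 ;;
      esac
      case "$id" in
        *[!a-z0-9-]*) return 1 ;;
      esac
      return 0 ;;
    *) return 1 ;;
  esac
}

# search_iam SCOPE QUERY: run the IAM policy search only for a valid scope.
search_iam() {
  valid_scope "$1" || { echo "refusing scope: '$1'" >&2; return 2; }
  "$GCLOUD" beta asset search-all-iam-policies --scope "$1" --query "$2"
}

# Constructed sample scopes; no gcloud call is made here.
for s in projects/foo projects/12345 folders/1234 organizations/123 \
         "" organizations/ folders/abc "projects/foo --query x"; do
  if valid_scope "$s"; then echo "ok      '$s'"; else echo "reject  '$s'"; fi
done
```

Setting GCLOUD=echo before calling search_iam prints the arguments that would be passed instead of contacting the API.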

Exporting an asset snapshot to Cloud Storage

To export all the asset metadata at a given timestamp to a Cloud Storage file, complete the following steps.

  1. Create a new bucket if your project doesn't have an existing Cloud Storage bucket that is available to store exported data.

  2. To export asset metadata within your project, run the following command. This command stores the exported snapshot in a Cloud Storage bucket at gs://YOUR_BUCKET/NEW_FILE.

    gcloud asset export \
       --content-type resource \
       --project PROJECT_ID \
       --snapshot-time SNAPSHOT_TIME \
       --output-path "gs://YOUR_BUCKET/NEW_FILE"
    

    Where:

    • PROJECT_ID: The ID of the project that is having its metadata exported. This project can be either the project where Cloud Asset Inventory API is enabled and from which you're running the export, or a different project.
    • (Optional) SNAPSHOT_TIME: The value must be the current time or a time in the past at which you want to take a snapshot of your assets. By default, a snapshot is taken at the current time. See gcloud topic datetimes for information on time formats.
  3. (Optional) To check the status of the export, run the following command. The gcloud tool displays this command after you run the export command.

    gcloud asset operations describe projects/PROJECT_ID/operations/ExportAssets/CONTENT_TYPE/OPERATION_NUMBER
    

Viewing an asset snapshot

To view an asset snapshot after you've exported it to Cloud Storage, complete the following steps.

  1. Go to the Cloud Storage Browser page.
    Open the Cloud Storage Browser page

  2. Open the file where you exported your metadata.

The export file lists the assets and their resource names.

What's next