Method: analyzeOrgPolicyGovernedAssets


Analyzes the assets (Google Cloud resources or IAM policies) governed by organization policies under a scope. This RPC supports custom constraints and the following 10 canned constraints:

  • storage.uniformBucketLevelAccess
  • iam.disableServiceAccountKeyCreation
  • iam.allowedPolicyMemberDomains
  • compute.vmExternalIpAccess
  • appengine.enforceServiceAccountActAsCheck
  • gcp.resourceLocations
  • compute.trustedImageProjects
  • compute.skipDefaultNetworkCreation
  • compute.requireOsLogin
  • compute.disableNestedVirtualization

This RPC returns only resources whose types are supported by the searchable asset types, or IAM policies.

HTTP request

GET https://cloudasset.googleapis.com/v1/{scope=*/*}:analyzeOrgPolicyGovernedAssets

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
scope

string

Required. The organization to scope the request. Only organization policies within the scope will be analyzed. The output assets will also be limited to the ones governed by those in-scope organization policies.

  • organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456")

Authorization requires one or more of the following IAM permissions on the specified resource scope:

  • cloudasset.assets.searchAllResources
  • cloudasset.assets.searchAllIamPolicies

Query parameters

Parameters
constraint

string

Required. The name of the constraint to analyze governed assets for. The analysis only contains analyzed organization policies for the provided constraint.

filter

string

The expression to filter the governed assets in the result. The only supported fields for governed resources are governedResource.project and governedResource.folders. The only supported fields for governed IAM policies are governedIamPolicy.project and governedIamPolicy.folders. The only supported operator is =.

Example 1: the filter governedResource.project="projects/12345678" returns all governed resources under projects/12345678, including the project itself, if applicable.

Example 2: the filter governedIamPolicy.folders="folders/12345678" returns all governed IAM policies under folders/12345678, if applicable.

pageToken

string

The pagination token to retrieve the next page.

pageSize

integer

The maximum number of items to return per page. If unspecified, AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets contains at most 100 items; the largest value accepted is 200.

Request body

The request body must be empty.
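The following is an added example (not Google's client library or code from this reference) showing how a caller assembles the GET request from the path and query parameters above, validates the filter expression against the stated rules (only the four listed fields, only the = operator), clamps pageSize to the documented maximum, and follows nextPageToken until the server omits it. The transport is pluggable: sample_fetch serves two constructed pages so the example runs offline, and authorized_fetch shows the same call against the live endpoint using Application Default Credentials (the google-auth and requests packages are assumed to be installed). The sample resource names, project numbers and page token are constructed.

```python
"""Paging client for analyzeOrgPolicyGovernedAssets (added example; sample data is constructed)."""

ENDPOINT = "https://cloudasset.googleapis.com/v1/{scope}:analyzeOrgPolicyGovernedAssets"
MAX_PAGE_SIZE = 200  # the reference states a maximum of 200 items per page

# The only filter fields the method accepts, with the name prefix each one expects.
FILTER_FIELDS = {
    "governedResource.project": "projects/",
    "governedResource.folders": "folders/",
    "governedIamPolicy.project": "projects/",
    "governedIamPolicy.folders": "folders/",
}


def validate_filter(expr):
    """Reject a filter the API would refuse: any operator other than '=' or an unsupported field."""
    if "=" not in expr or any(op in expr for op in ("!=", "<", ">", ":", " AND ", " OR ")):
        raise ValueError(f"filter supports only a single '=' comparison: {expr!r}")
    field, _, value = expr.partition("=")
    field, value = field.strip(), value.strip().strip('"')
    prefix = FILTER_FIELDS.get(field)
    if prefix is None:
        raise ValueError(f"unsupported filter field {field!r}; allowed: {sorted(FILTER_FIELDS)}")
    if not value.startswith(prefix):
        raise ValueError(f"{field} expects a value of the form {prefix}{{NUMBER}}, got {value!r}")
    return field, value


def build_request(scope, constraint, filter_expr=None, page_size=None, page_token=None):
    """Return (url, query_params) for one page. The request body is always empty (plain GET)."""
    if not scope.startswith("organizations/"):
        raise ValueError("scope must be organizations/{ORGANIZATION_NUMBER}")
    if not constraint:
        raise ValueError("constraint is required")
    params = {"constraint": constraint}
    if filter_expr:
        validate_filter(filter_expr)
        params["filter"] = filter_expr
    if page_size is not None:
        # Clamp client-side rather than relying on how the server treats an oversized value.
        params["pageSize"] = max(1, min(int(page_size), MAX_PAGE_SIZE))
    if page_token:
        params["pageToken"] = page_token
    return ENDPOINT.format(scope=scope), params


def iter_governed_assets(scope, constraint, fetch, filter_expr=None, page_size=None):
    """Yield every GovernedAsset, requesting pages until nextPageToken is absent or empty.

    fetch(url, params) -> dict is the transport; see sample_fetch and authorized_fetch.
    """
    token, seen = None, set()
    while True:
        url, params = build_request(scope, constraint, filter_expr, page_size, token)
        body = fetch(url, params)
        yield from body.get("governedAssets", [])
        token = body.get("nextPageToken")
        if not token:
            return
        if token in seen:  # defensive: a repeated token would otherwise loop forever
            raise RuntimeError(f"pagination loop on token {token!r}")
        seen.add(token)


# Constructed sample: two pages for compute.vmExternalIpAccess, shaped like real responses.
SAMPLE_PAGES = {
    None: {
        "governedAssets": [
            {"governedResource": {"fullResourceName": "//compute.googleapis.com/projects/111/zones/us-central1-a/instances/web-1",
                                  "project": "projects/111", "organization": "organizations/123456"}},
            {"governedResource": {"fullResourceName": "//compute.googleapis.com/projects/111/zones/us-central1-a/instances/web-2",
                                  "project": "projects/111", "organization": "organizations/123456"}},
        ],
        "constraint": {},  # AnalyzerOrgPolicyConstraint fields omitted from the sample
        "nextPageToken": "page-2",
    },
    "page-2": {
        "governedAssets": [
            {"governedResource": {"fullResourceName": "//compute.googleapis.com/projects/222/zones/europe-west1-b/instances/db-1",
                                  "project": "projects/222", "organization": "organizations/123456"}},
        ],
        "constraint": {},
    },
}

CALLS = []  # pageToken sent on each request, so the page walk can be inspected


def sample_fetch(url, params):
    """Offline transport serving SAMPLE_PAGES."""
    assert url.endswith(":analyzeOrgPolicyGovernedAssets"), url
    CALLS.append(params.get("pageToken"))
    return SAMPLE_PAGES[params.get("pageToken")]


def authorized_fetch(url, params):
    """Live transport (assumed dependencies: google-auth, requests); needs the cloud-platform scope."""
    import google.auth
    from google.auth.transport.requests import AuthorizedSession
    creds, _ = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
    resp = AuthorizedSession(creds).get(url, params=params)
    resp.raise_for_status()
    return resp.json()


def collect(scope, constraint, fetch=sample_fetch, filter_expr=None, page_size=None):
    """Materialise all pages into a list."""
    return list(iter_governed_assets(scope, constraint, fetch, filter_expr, page_size))


if __name__ == "__main__":
    for asset in collect("organizations/123456", "compute.vmExternalIpAccess", page_size=2):
        print(asset["governedResource"]["fullResourceName"])
```

Swap sample_fetch for authorized_fetch to run against the live API; the caller must hold cloudasset.assets.searchAllResources or cloudasset.assets.searchAllIamPolicies on the organization named in scope.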

Response body

If successful, the response body contains data with the following structure:

The response message for AssetService.AnalyzeOrgPolicyGovernedAssets.

JSON representation
{
  "governedAssets": [
    {
      object (GovernedAsset)
    }
  ],
  "constraint": {
    object (AnalyzerOrgPolicyConstraint)
  },
  "nextPageToken": string
}
Fields
governedAssets[]

object (GovernedAsset)

The list of the analyzed governed assets.

constraint

object (AnalyzerOrgPolicyConstraint)

The definition of the constraint in the request.

nextPageToken

string

The page token to fetch the next page for AnalyzeOrgPolicyGovernedAssetsResponse.governed_assets.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GovernedAsset

Represents a Google Cloud asset (resource or IAM policy) governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.

JSON representation
{
  "consolidatedPolicy": {
    object (AnalyzerOrgPolicy)
  },
  "policyBundle": [
    {
      object (AnalyzerOrgPolicy)
    }
  ],

  // Union field governed_asset can be only one of the following:
  "governedResource": {
    object (GovernedResource)
  },
  "governedIamPolicy": {
    object (GovernedIamPolicy)
  }
  // End of list of possible types for union field governed_asset.
}
Fields
consolidatedPolicy

object (AnalyzerOrgPolicy)

The consolidated policy for the analyzed asset. The consolidated policy is computed by merging and evaluating AnalyzeOrgPolicyGovernedAssetsResponse.GovernedAsset.policy_bundle. The evaluation will respect the organization policy hierarchy rules.

policyBundle[]

object (AnalyzerOrgPolicy)

The ordered list of all organization policies from the resource the consolidated policy is attached to (AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.attached_resource) up to the scope specified in the request.

If the constraint is defined with default policy, it will also appear in the list.

Union field governed_asset.

governed_asset can be only one of the following:

governedResource

object (GovernedResource)

A Google Cloud resource governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.

governedIamPolicy

object (GovernedIamPolicy)

An IAM policy governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.

GovernedResource

The Google Cloud resources governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.

JSON representation
{
  "fullResourceName": string,
  "parent": string,
  "project": string,
  "folders": [
    string
  ],
  "organization": string
}
Fields
fullResourceName

string

The full resource name of the Google Cloud resource.

parent

string

The full resource name of the parent of AnalyzeOrgPolicyGovernedAssetsResponse.GovernedResource.full_resource_name.

project

string

The project that this resource belongs to, in the form of projects/{PROJECT_NUMBER}. This field is available when the resource belongs to a project.

folders[]

string

The folder(s) that this resource belongs to, in the form of folders/{FOLDER_NUMBER}. This field is available when the resource belongs (directly or cascadingly) to one or more folders.

organization

string

The organization that this resource belongs to, in the form of organizations/{ORGANIZATION_NUMBER}. This field is available when the resource belongs (directly or cascadingly) to an organization.

GovernedIamPolicy

The IAM policies governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.

JSON representation
{
  "attachedResource": string,
  "policy": {
    object (Policy)
  },
  "project": string,
  "folders": [
    string
  ],
  "organization": string
}
Fields
attachedResource

string

The full resource name of the resource associated with this IAM policy. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1. See Cloud Asset Inventory Resource Name Format for more information.

policy

object (Policy)

The IAM policy directly set on the given resource.

project

string

The project that this IAM policy belongs to, in the form of projects/{PROJECT_NUMBER}. This field is available when the IAM policy belongs to a project.

folders[]

string

The folder(s) that this IAM policy belongs to, in the form of folders/{FOLDER_NUMBER}. This field is available when the IAM policy belongs (directly or cascadingly) to one or more folders.

organization

string

The organization that this IAM policy belongs to, in the form of organizations/{ORGANIZATION_NUMBER}. This field is available when the IAM policy belongs (directly or cascadingly) to an organization.
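The following is an added example (not code from this reference) that consumes the GovernedAsset, GovernedResource and GovernedIamPolicy messages defined above: it enforces the governed_asset union (exactly one of governedResource or governedIamPolicy), flattens the project/folders/organization ancestry, reads the policyBundle in its documented order (nearest policy first, scope last), and for IAM policies pulls the principals out of the standard IAM Policy bindings. It assumes each AnalyzerOrgPolicy in the bundle carries an attachedResource field holding a full resource name, as the consolidated_policy.attached_resource reference in the GovernedAsset description suggests; that field and the sample response are constructed for the example.

```python
"""Normalise AnalyzeOrgPolicyGovernedAssetsResponse.governedAssets (added example; sample is constructed)."""
from collections import defaultdict

UNION_FIELDS = ("governedResource", "governedIamPolicy")


def classify(asset):
    """Return a flat record for one GovernedAsset, enforcing the governed_asset union."""
    present = [f for f in UNION_FIELDS if f in asset]
    if len(present) != 1:
        raise ValueError(f"governed_asset must carry exactly one of {UNION_FIELDS}, got {present}")
    kind = present[0]
    body = asset[kind]
    record = {
        "kind": kind,
        # A resource is identified by fullResourceName, an IAM policy by attachedResource.
        "name": body["fullResourceName"] if kind == "governedResource" else body["attachedResource"],
        "project": body.get("project"),            # projects/{PROJECT_NUMBER}; absent above project level
        "folders": list(body.get("folders", [])),  # every folder the asset belongs to, directly or cascadingly
        "organization": body.get("organization"),
        # policyBundle is ordered from the nearest attached policy up to the scope. attachedResource
        # on AnalyzerOrgPolicy is an assumed field name (full resource name of where the policy is set).
        "policy_chain": [p.get("attachedResource") for p in asset.get("policyBundle", [])],
    }
    if kind == "governedIamPolicy":
        # Standard IAM Policy shape: bindings[] of {role, members[]}.
        bindings = body.get("policy", {}).get("bindings", [])
        record["principals"] = sorted({m for b in bindings for m in b.get("members", [])})
    return record


def summarise(response):
    """Classify every governed asset in one response page."""
    return [classify(a) for a in response.get("governedAssets", [])]


def by_project(records):
    """Group names by project; assets above project level land under their organization."""
    groups = defaultdict(lambda: {"resources": [], "iamPolicies": []})
    for r in records:
        key = r["project"] or r["organization"] or "(unknown)"
        bucket = "resources" if r["kind"] == "governedResource" else "iamPolicies"
        groups[key][bucket].append(r["name"])
    return dict(groups)


def set_below_scope(records, scope):
    """Records whose nearest governing policy is attached below the request scope.

    These are the folder- or project-level policies that shadow the organization's
    own policy for this constraint and therefore deserve review first.
    """
    return [r for r in records
            if r["policy_chain"] and not (r["policy_chain"][0] or "").endswith("/" + scope)]


# Constructed sample response for an organization-scoped request.
SAMPLE_RESPONSE = {
    "governedAssets": [
        {   # a VM whose nearest policy is set on its project, beneath the org policy
            "governedResource": {
                "fullResourceName": "//compute.googleapis.com/projects/111/zones/us-central1-a/instances/web-1",
                "parent": "//cloudresourcemanager.googleapis.com/projects/111",
                "project": "projects/111", "folders": ["folders/55"], "organization": "organizations/123456"},
            "policyBundle": [
                {"attachedResource": "//cloudresourcemanager.googleapis.com/projects/111"},
                {"attachedResource": "//cloudresourcemanager.googleapis.com/organizations/123456"}],
        },
        {   # a project-level IAM policy governed directly by the org-level policy
            "governedIamPolicy": {
                "attachedResource": "//cloudresourcemanager.googleapis.com/projects/222",
                "policy": {"bindings": [{"role": "roles/viewer",
                                         "members": ["user:alice@example.com", "group:sec@example.com"]}]},
                "project": "projects/222", "organization": "organizations/123456"},
            "policyBundle": [
                {"attachedResource": "//cloudresourcemanager.googleapis.com/organizations/123456"}],
        },
    ],
    "constraint": {},
}

# An entry violating the union, which classify() must reject.
MALFORMED = {"governedResource": {"fullResourceName": "x"}, "governedIamPolicy": {"attachedResource": "x"}}


if __name__ == "__main__":
    recs = summarise(SAMPLE_RESPONSE)
    print(by_project(recs))
    print([r["name"] for r in set_below_scope(recs, "organizations/123456")])
```

Run this over every page returned by the request rather than one page at a time; the grouping and the below-scope check are only meaningful across the complete result set.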