Analyzes the assets (Google Cloud resources or IAM policies) governed by organization policies under a scope. This RPC supports custom constraints and the following canned constraints:
- constraints/ainotebooks.accessMode
- constraints/ainotebooks.disableFileDownloads
- constraints/ainotebooks.disableRootAccess
- constraints/ainotebooks.disableTerminal
- constraints/ainotebooks.environmentOptions
- constraints/ainotebooks.requireAutoUpgradeSchedule
- constraints/ainotebooks.restrictVpcNetworks
- constraints/compute.disableGuestAttributesAccess
- constraints/compute.disableInstanceDataAccessApis
- constraints/compute.disableNestedVirtualization
- constraints/compute.disableSerialPortAccess
- constraints/compute.disableSerialPortLogging
- constraints/compute.disableVpcExternalIpv6
- constraints/compute.requireOsLogin
- constraints/compute.requireShieldedVm
- constraints/compute.restrictLoadBalancerCreationForTypes
- constraints/compute.restrictProtocolForwardingCreationForTypes
- constraints/compute.restrictXpnProjectLienRemoval
- constraints/compute.setNewProjectDefaultToZonalDNSOnly
- constraints/compute.skipDefaultNetworkCreation
- constraints/compute.trustedImageProjects
- constraints/compute.vmCanIpForward
- constraints/compute.vmExternalIpAccess
- constraints/gcp.detailedAuditLoggingMode
- constraints/gcp.resourceLocations
- constraints/iam.allowedPolicyMemberDomains
- constraints/iam.automaticIamGrantsForDefaultServiceAccounts
- constraints/iam.disableServiceAccountCreation
- constraints/iam.disableServiceAccountKeyCreation
- constraints/iam.disableServiceAccountKeyUpload
- constraints/iam.restrictCrossProjectServiceAccountLienRemoval
- constraints/iam.serviceAccountKeyExpiryHours
- constraints/resourcemanager.accessBoundaries
- constraints/resourcemanager.allowedExportDestinations
- constraints/sql.restrictAuthorizedNetworks
- constraints/sql.restrictNoncompliantDiagnosticDataAccess
- constraints/sql.restrictNoncompliantResourceCreation
- constraints/sql.restrictPublicIp
- constraints/storage.publicAccessPrevention
- constraints/storage.restrictAuthTypes
- constraints/storage.uniformBucketLevelAccess
This RPC only returns either resources of types supported by search APIs or IAM policies.
HTTP request
GET https://cloudasset.googleapis.com/v1/{scope=*/*}:analyzeOrgPolicyGovernedAssets
The URL uses gRPC Transcoding syntax.
Path parameters

| Parameter | Description |
|---|---|
| scope | Required. The organization to scope the request. Only organization policies within the scope will be analyzed. The output assets will also be limited to the ones governed by those in-scope organization policies. Authorization requires one or more of the following IAM permissions on the specified resource |
Query parameters

| Parameter | Description |
|---|---|
| constraint | Required. The name of the constraint to analyze governed assets for. The analysis only contains analyzed organization policies for the provided constraint. |
| filter | The expression to filter the governed assets in the response. For governed resources, filtering is currently available for bare literal values and the following fields: governedResource.project, governedResource.folders, consolidatedPolicy.rules.enforce. For governed IAM policies, filtering is currently available for bare literal values and the following fields: governedIamPolicy.project, governedIamPolicy.folders, consolidatedPolicy.rules.enforce. When filtering by |
| pageToken | The pagination token to retrieve the next page. |
| pageSize | The maximum number of items to return per page. If unspecified, |
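The request above is a plain GET with an empty body, so everything (constraint, filter, pageSize, pageToken) travels in the query string, and a full listing means following nextPageToken until it is absent. The following is an added example, not Google's client library or code from this reference: it builds the URL from the documented path template and parameters and pages through results. The HTTP transport is injected as a callable (in real use something like `lambda url: requests.get(url, headers=auth_headers).json()` with a cloud-platform-scoped bearer token), so the demo runs offline against constructed pages. The `=` operator in the sample filter is an assumption, since the operator rules are cut off above.

```python
"""Build and page through analyzeOrgPolicyGovernedAssets requests.

Added example, not Google's client library. It follows the HTTP shape in the
reference (GET /v1/{scope}:analyzeOrgPolicyGovernedAssets with constraint,
filter, pageSize and pageToken query parameters). The transport is injected
so the paging logic can be exercised offline against constructed pages.
"""
import re
from typing import Callable, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://cloudasset.googleapis.com/v1"
# {scope=*/*} is a two-segment path; the reference says it is the organization.
_SCOPE_RE = re.compile(r"^organizations/\d+$")


def build_request_url(scope: str, constraint: str, filter_expr: Optional[str] = None,
                      page_size: Optional[int] = None, page_token: Optional[str] = None) -> str:
    """Return the GET URL; the body must be empty, so everything goes in the query."""
    if not _SCOPE_RE.match(scope):
        raise ValueError(f"scope must be organizations/<number>, got {scope!r}")
    if not constraint:
        raise ValueError("constraint is required")
    params = {"constraint": constraint}
    if filter_expr:
        params["filter"] = filter_expr
    if page_size is not None:
        if page_size <= 0:
            raise ValueError("pageSize must be positive")
        params["pageSize"] = str(page_size)
    if page_token:
        params["pageToken"] = page_token
    # urlencode percent-escapes the quotes and slashes a filter expression contains.
    return f"{BASE_URL}/{scope}:analyzeOrgPolicyGovernedAssets?{urlencode(params)}"


def iter_governed_assets(fetch_json: Callable[[str], dict], scope: str, constraint: str,
                         filter_expr: Optional[str] = None, page_size: Optional[int] = None,
                         max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every governedAssets[] entry, following nextPageToken until it is absent."""
    token = None
    for _ in range(max_pages):
        page = fetch_json(build_request_url(scope, constraint, filter_expr, page_size, token))
        yield from page.get("governedAssets", [])
        token = page.get("nextPageToken")
        if not token:
            return
    raise RuntimeError("nextPageToken never ran out; stopping to avoid an endless loop")


# Constructed two-page response, keyed by the pageToken the client sends.
_DEMO_PAGES = {
    None: {
        "governedAssets": [
            {"governedResource": {"fullResourceName": "//cloudresourcemanager.googleapis.com/projects/111"}},
            {"governedResource": {"fullResourceName": "//cloudresourcemanager.googleapis.com/projects/222"}},
        ],
        "nextPageToken": "page-2",
    },
    "page-2": {
        "governedAssets": [
            {"governedIamPolicy": {"attachedResource": "//cloudresourcemanager.googleapis.com/projects/333"}},
        ],
    },
}


def demo_fetch(url: str) -> dict:
    """Stand-in transport: serves _DEMO_PAGES based on the pageToken in the URL."""
    token = parse_qs(urlparse(url).query).get("pageToken", [None])[0]
    return _DEMO_PAGES[token]


def collect_demo_names() -> List[str]:
    """Walk both constructed pages and return the governed asset names in order."""
    names = []
    for asset in iter_governed_assets(demo_fetch, "organizations/123",
                                      "constraints/iam.disableServiceAccountKeyCreation",
                                      filter_expr="consolidatedPolicy.rules.enforce=false",
                                      page_size=2):
        member = asset.get("governedResource") or asset.get("governedIamPolicy")
        names.append(member.get("fullResourceName") or member.get("attachedResource"))
    return names


if __name__ == "__main__":
    for name in collect_demo_names():
        print(name)
```

The scope check matters because the path template accepts any `*/*` pair: a wrong-but-well-formed scope such as `projects/123` would be sent to the API rather than rejected locally. The `max_pages` cap is there so a server that keeps returning a token cannot turn an audit job into an infinite loop.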
Request body
The request body must be empty.
Response body
The response message for AssetService.AnalyzeOrgPolicyGovernedAssets.
If successful, the response body contains data with the following structure:
JSON representation
{ "governedAssets": [ { object (

| Field | Description |
|---|---|
| governedAssets[] | The list of the analyzed governed assets. |
| constraint | The definition of the constraint in the request. |
| nextPageToken | The page token to fetch the next page of governedAssets[]. |
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
GovernedAsset
Represents a Google Cloud asset (resource or IAM policy) governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.
JSON representation
{ "consolidatedPolicy": { object (

| Field | Description |
|---|---|
| consolidatedPolicy | The consolidated policy for the analyzed asset. The consolidated policy is computed by merging and evaluating the policies in policyBundle[]. |
| policyBundle[] | The ordered list of all organization policies from the [AnalyzeOrgPoliciesResponse.OrgPolicyResult.consolidated_policy.attached_resource][] to the scope specified in the request. If the constraint is defined with default policy, it will also appear in the list. |
| Union field (exactly one of the following is set) | |
| governedResource | A Google Cloud resource governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint. |
| governedIamPolicy | An IAM policy governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint. |
GovernedResource
The Google Cloud resources governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.
JSON representation
{
"fullResourceName": string,
"parent": string,
"project": string,
"folders": [
string
],
"organization": string,
"assetType": string,
"effectiveTags": [
{
object (

| Field | Description |
|---|---|
| fullResourceName | The full resource name of the Google Cloud resource. |
| parent | The full resource name of the parent of this resource. |
| project | The project that this resource belongs to, in the format of projects/{PROJECT_NUMBER}. This field is available when the resource belongs to a project. |
| folders[] | The folder(s) that this resource belongs to, in the format of folders/{FOLDER_NUMBER}. This field is available when the resource belongs (directly or cascadingly) to one or more folders. |
| organization | The organization that this resource belongs to, in the format of organizations/{ORGANIZATION_NUMBER}. This field is available when the resource belongs (directly or cascadingly) to an organization. |
| assetType | The asset type of this resource. |
| effectiveTags[] | The effective tags on this resource. |
GovernedIamPolicy
The IAM policies governed by the organization policies of the AnalyzeOrgPolicyGovernedAssetsRequest.constraint.
JSON representation
{
"attachedResource": string,
"policy": {
object (

| Field | Description |
|---|---|
| attachedResource | The full resource name of the resource on which this IAM policy is set. Example: |
| policy | The IAM policy directly set on the given resource. |
| project | The project that this IAM policy belongs to, in the format of projects/{PROJECT_NUMBER}. This field is available when the IAM policy belongs to a project. |
| folders[] | The folder(s) that this IAM policy belongs to, in the format of folders/{FOLDER_NUMBER}. This field is available when the IAM policy belongs (directly or cascadingly) to one or more folders. |
| organization | The organization that this IAM policy belongs to, in the format of organizations/{ORGANIZATION_NUMBER}. This field is available when the IAM policy belongs (directly or cascadingly) to an organization. |
| assetType | The asset type of the resource the IAM policy is attached to (attachedResource). |
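What a reviewer usually wants from this RPC is not the raw list but the gaps: governed assets whose consolidated policy does not enforce the constraint, and which resource in the hierarchy set the policy that produced that result. The following is an added example, not code from this reference. It works on the response shape documented above (governedAssets[], consolidatedPolicy, the ordered policyBundle[], and the governedResource/governedIamPolicy union) and assumes a boolean constraint, whose rules carry the `enforce` flag referenced by the filter field (consolidatedPolicy.rules.enforce); list constraints carry allowed/denied values instead and are out of scope here. The response it runs on is constructed by hand.

```python
"""Triage an analyzeOrgPolicyGovernedAssets response for enforcement gaps.

Added example, not code from the API reference. It uses only fields the
reference documents and assumes a boolean constraint, whose rules carry an
`enforce` flag (consolidatedPolicy.rules.enforce). SAMPLE_RESPONSE is a
hand-constructed response for constraints/iam.disableServiceAccountKeyCreation.
"""
from typing import Dict, List

ORG = "//cloudresourcemanager.googleapis.com/organizations/999"
FOLDER = "//cloudresourcemanager.googleapis.com/folders/333"


def _policy(attached: str, enforce: bool) -> dict:
    """Minimal organization policy: where it is attached and its single boolean rule."""
    return {"attachedResource": attached, "rules": [{"enforce": enforce}]}


# Constructed sample: enforce=true at the organization, overridden with
# enforce=false at folders/333. projects/222 and the IAM policy on projects/444
# sit under that folder, so their consolidated policy is the folder's.
SAMPLE_RESPONSE = {
    "governedAssets": [
        {
            "governedResource": {
                "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/111",
                "project": "projects/111",
                "organization": "organizations/999",
                "assetType": "cloudresourcemanager.googleapis.com/Project",
            },
            "consolidatedPolicy": _policy(ORG, True),
            "policyBundle": [_policy(ORG, True)],
        },
        {
            "governedResource": {
                "fullResourceName": "//cloudresourcemanager.googleapis.com/projects/222",
                "project": "projects/222",
                "folders": ["folders/333"],
                "organization": "organizations/999",
                "assetType": "cloudresourcemanager.googleapis.com/Project",
            },
            "consolidatedPolicy": _policy(FOLDER, False),
            "policyBundle": [_policy(FOLDER, False), _policy(ORG, True)],
        },
        {
            "governedIamPolicy": {
                "attachedResource": "//cloudresourcemanager.googleapis.com/projects/444",
                "policy": {"bindings": [{"role": "roles/viewer",
                                         "members": ["user:alice@example.com"]}]},
                "project": "projects/444",
                "folders": ["folders/333"],
                "organization": "organizations/999",
                "assetType": "cloudresourcemanager.googleapis.com/Project",
            },
            "consolidatedPolicy": _policy(FOLDER, False),
            "policyBundle": [_policy(FOLDER, False), _policy(ORG, True)],
        },
    ],
}


def asset_kind(asset: dict) -> str:
    """Resolve the union field: exactly one of governedResource/governedIamPolicy is set."""
    has_res = "governedResource" in asset
    has_iam = "governedIamPolicy" in asset
    if has_res == has_iam:
        raise ValueError("expected exactly one of governedResource/governedIamPolicy")
    return "resource" if has_res else "iamPolicy"


def asset_name(asset: dict) -> str:
    """fullResourceName for a resource, attachedResource for an IAM policy."""
    if asset_kind(asset) == "resource":
        return asset["governedResource"]["fullResourceName"]
    return asset["governedIamPolicy"]["attachedResource"]


def is_enforced(consolidated: dict) -> bool:
    """A boolean constraint is in effect iff some rule of the consolidated policy enforces it."""
    return any(rule.get("enforce") is True for rule in consolidated.get("rules", []))


def policy_chain(asset: dict) -> List[str]:
    """Attachment points of policyBundle[], nearest to the asset first, up to the scope."""
    return [p.get("attachedResource", "?") for p in asset.get("policyBundle", [])]


def find_unenforced(response: dict) -> List[Dict[str, object]]:
    """Return one finding per governed asset whose consolidated policy does not enforce."""
    findings = []
    for asset in response.get("governedAssets", []):
        consolidated = asset.get("consolidatedPolicy", {})
        if is_enforced(consolidated):
            continue
        member = asset.get("governedResource") or asset.get("governedIamPolicy") or {}
        findings.append({
            "kind": asset_kind(asset),
            "name": asset_name(asset),
            "project": member.get("project"),
            "folders": member.get("folders", []),
            "setAt": consolidated.get("attachedResource"),  # who overrode the org default
            "chain": policy_chain(asset),
        })
    return findings


if __name__ == "__main__":
    for f in find_unenforced(SAMPLE_RESPONSE):
        print(f"{f['kind']:9} {f['name']} not enforced; policy set at {f['setAt']}")
```

Reading `setAt` together with `chain` is what turns a finding into a remediation: the chain shows that the organization does enforce the constraint and that the folder-level policy is the override to remove or justify, rather than something to fix project by project.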