Method: searchAllResources

Searches all Google Cloud resources within the specified scope, such as a project, folder, or organization. The caller must be granted the cloudasset.assets.searchAllResources permission on the desired scope, otherwise the request will be rejected.

HTTP request

GET https://cloudasset.googleapis.com/v1/{scope=*/*}:searchAllResources

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
scope

string

Required. A scope can be a project, a folder, or an organization. The search is limited to the resources within the scope. The caller must be granted the cloudasset.assets.searchAllResources permission on the desired scope.

The allowed values are:

  • projects/{PROJECT_ID} (e.g., "projects/foo-bar")
  • projects/{PROJECT_NUMBER} (e.g., "projects/12345678")
  • folders/{FOLDER_NUMBER} (e.g., "folders/1234567")
  • organizations/{ORGANIZATION_NUMBER} (e.g., "organizations/123456")

Authorization requires the following IAM permission on the specified resource scope:

  • cloudasset.assets.searchAllResources

Query parameters

Parameters
query

string

Optional. The query statement. See how to construct a query for more information. If not specified or empty, it will search all the resources within the specified scope.

Examples:

  • name:Important to find Google Cloud resources whose name contains Important as a word.
  • name=Important to find the Google Cloud resource whose name is exactly Important.
  • displayName:Impor* to find Google Cloud resources whose display name contains Impor as a prefix of any word in the field.
  • location:us-west* to find Google Cloud resources whose location contains both us and west as prefixes.
  • labels:prod to find Google Cloud resources whose labels contain prod as a key or value.
  • labels.env:prod to find Google Cloud resources that have a label env and its value is prod.
  • labels.env:* to find Google Cloud resources that have a label env.
  • tagKeys:env to find Google Cloud resources that have directly attached tags where the TagKey.namespacedName contains env.
  • tagValues:prod* to find Google Cloud resources that have directly attached tags where the TagValue.namespacedName contains a word prefixed by prod.
  • tagValueIds=tagValues/123 to find Google Cloud resources that have directly attached tags where the TagValue.name is exactly tagValues/123.
  • effectiveTagKeys:env to find Google Cloud resources that have directly attached or inherited tags where the TagKey.namespacedName contains env.
  • effectiveTagValues:prod* to find Google Cloud resources that have directly attached or inherited tags where the TagValue.namespacedName contains a word prefixed by prod.
  • effectiveTagValueIds=tagValues/123 to find Google Cloud resources that have directly attached or inherited tags where the TagValue.name is exactly tagValues/123.
  • kmsKey:key to find Google Cloud resources encrypted with a customer-managed encryption key whose name contains key as a word. This field is deprecated. Use the kmsKeys field to retrieve Cloud KMS key information.
  • kmsKeys:key to find Google Cloud resources encrypted with customer-managed encryption keys whose name contains the word key.
  • relationships:instance-group-1 to find Google Cloud resources that have relationships with instance-group-1 in the related resource name.
  • relationships:INSTANCE_TO_INSTANCEGROUP to find Compute Engine instances that have relationships of type INSTANCE_TO_INSTANCEGROUP.
  • relationships.INSTANCE_TO_INSTANCEGROUP:instance-group-1 to find Compute Engine instances that have relationships with instance-group-1 in the Compute Engine instance group resource name, for relationship type INSTANCE_TO_INSTANCEGROUP.
  • sccSecurityMarks.key=value to find Cloud resources that are attached with security marks whose key is key and value is value.
  • sccSecurityMarks.key:* to find Cloud resources that are attached with security marks whose key is key.
  • state:ACTIVE to find Google Cloud resources whose state contains ACTIVE as a word.
  • NOT state:ACTIVE to find Google Cloud resources whose state doesn't contain ACTIVE as a word.
  • createTime<1609459200 to find Google Cloud resources that were created before 2021-01-01 00:00:00 UTC. 1609459200 is the epoch timestamp of 2021-01-01 00:00:00 UTC in seconds.
  • updateTime>1609459200 to find Google Cloud resources that were updated after 2021-01-01 00:00:00 UTC. 1609459200 is the epoch timestamp of 2021-01-01 00:00:00 UTC in seconds.
  • Important to find Google Cloud resources that contain Important as a word in any of the searchable fields.
  • Impor* to find Google Cloud resources that contain Impor as a prefix of any word in any of the searchable fields.
  • Important location:(us-west1 OR global) to find Google Cloud resources that contain Important as a word in any of the searchable fields and are also located in the us-west1 region or the global location.
assetTypes[]

string

Optional. A list of asset types that this request searches for. If empty, it will search all the asset types supported by search APIs.

Regular expressions are also supported. For example:

  • "compute.googleapis.com.*" searches resources whose asset type starts with "compute.googleapis.com".
  • ".*Instance" searches resources whose asset type ends with "Instance".
  • ".*Instance.*" searches resources whose asset type contains "Instance".

See RE2 for all supported regular expression syntax. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error will be returned.

pageSize

integer

Optional. The page size for search result pagination. Page size is capped at 500 even if a larger value is given. If set to zero or a negative value, the server will pick an appropriate default. Returned results may be fewer than requested. When this happens, there could be more results as long as nextPageToken is returned.

pageToken

string

Optional. If present, then retrieve the next batch of results from the preceding call to this method. pageToken must be the value of nextPageToken from the previous response. The values of all other method parameters must be identical to those in the previous call.

orderBy

string

Optional. A comma-separated list of fields specifying the sorting order of the results. The default order is ascending. Add " DESC" after the field name to indicate descending order. Redundant space characters are ignored. Example: "location DESC, name". Only the following fields in the response are sortable:

  • name
  • assetType
  • project
  • displayName
  • description
  • location
  • createTime
  • updateTime
  • state
  • parentFullResourceName
  • parentAssetType
readMask

string (FieldMask format)

Optional. A comma-separated list of fields that you want returned in the results. The following fields are returned by default if not specified:

  • name
  • assetType
  • project
  • folders
  • organization
  • displayName
  • description
  • location
  • labels
  • tags
  • effectiveTags
  • networkTags
  • kmsKeys
  • createTime
  • updateTime
  • state
  • additionalAttributes
  • parentFullResourceName
  • parentAssetType

Some fields of large size, such as versionedResources, attachedResources, effectiveTags etc., are not returned by default, but you can specify them in the readMask parameter if you want to include them. If "*" is specified, all available fields are returned. Examples: "name,location", "name,versionedResources", "*". Any invalid field path will trigger an INVALID_ARGUMENT error.

This is a comma-separated list of fully qualified names of fields. Example: "user.displayName,photo".

Request body

The request body must be empty.

Response body

Search all resources response.

If successful, the response body contains data with the following structure:

JSON representation
{
  "results": [
    {
      object (ResourceSearchResult)
    }
  ],
  "nextPageToken": string
}
Fields
results[]

object (ResourceSearchResult)

A list of Resources that match the search query. It contains the resource standard metadata information.

nextPageToken

string

If there are more results than those appearing in this response, then nextPageToken is included. To get the next set of results, call this method again using the value of nextPageToken as pageToken.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.
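
The request parameters and pagination rules above, as an added example (not code from the original page or from Google): it builds the GET URL, rejects scopes outside the four allowed forms, caps pageSize at 500, and follows nextPageToken while keeping every other parameter identical. The names build_url, search_all and fake_fetch and the sample pages are assumptions constructed here; in real use fetch would be your own GET authenticated with the cloud-platform OAuth scope.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

API_ROOT = "https://cloudasset.googleapis.com/v1"
# The scope forms listed under "Path parameters".
SCOPE_RE = re.compile(r"projects/[^/?#\s]+|folders/\d+|organizations/\d+")
MAX_PAGE_SIZE = 500  # the page states larger values are capped at 500


def build_url(scope, query="", asset_types=(), read_mask="", order_by="",
              page_size=0, page_token=""):
    """Return the GET URL for one searchAllResources call."""
    if not SCOPE_RE.fullmatch(scope):
        raise ValueError(f"scope is not in an allowed form: {scope!r}")
    params = []
    if query:
        params.append(("query", query))
    # assetTypes[] is a repeated field: one query parameter per entry.
    params += [("assetTypes", t) for t in asset_types]
    if read_mask:
        params.append(("readMask", read_mask))
    if order_by:
        params.append(("orderBy", order_by))
    if page_size > 0:
        params.append(("pageSize", str(min(page_size, MAX_PAGE_SIZE))))
    if page_token:
        params.append(("pageToken", page_token))
    qs = urlencode(params)
    return f"{API_ROOT}/{scope}:searchAllResources" + (f"?{qs}" if qs else "")


def search_all(fetch, scope, **params):
    """Yield every result, following nextPageToken until it is absent.

    A short page is not the end: only a missing nextPageToken is.
    Every call reuses the same parameters; only pageToken changes.
    """
    token, seen = "", set()
    while True:
        page = fetch(build_url(scope, page_token=token, **params))
        yield from page.get("results", [])
        token = page.get("nextPageToken", "")
        if not token:
            return
        if token in seen:  # guard against a transport that loops
            raise RuntimeError("nextPageToken repeated; stopping")
        seen.add(token)


# Constructed sample pages, keyed by the pageToken that requests them.
DISK = "//compute.googleapis.com/projects/my_project_123/zones/zone1/disks/"
SAMPLE_PAGES = {
    "": {"results": [{"name": DISK + "d1"}, {"name": DISK + "d2"}],
         "nextPageToken": "tok-1"},
    # Fewer results than pageSize=2, yet more pages follow.
    "tok-1": {"results": [{"name": DISK + "d3"}], "nextPageToken": "tok-2"},
    "tok-2": {"results": [{"name": DISK + "d4"}]},
}


def fake_fetch(url):
    """Offline stand-in for an authenticated GET that returns parsed JSON."""
    token = parse_qs(urlsplit(url).query).get("pageToken", [""])[0]
    return SAMPLE_PAGES[token]


if __name__ == "__main__":
    for r in search_all(fake_fetch, "projects/foo-bar", query="state:ACTIVE",
                        asset_types=["compute.googleapis.com.*"],
                        read_mask="name,location", page_size=2):
        print(r["name"])
```

Stopping when a page comes back short would silently drop d4 here, which in an inventory audit means resources that were never reviewed.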

ResourceSearchResult

A result of Resource Search, containing information of a cloud resource.

JSON representation
{
  "name": string,
  "assetType": string,
  "project": string,
  "folders": [
    string
  ],
  "organization": string,
  "displayName": string,
  "description": string,
  "location": string,
  "labels": {
    string: string,
    ...
  },
  "networkTags": [
    string
  ],
  "kmsKey": string,
  "kmsKeys": [
    string
  ],
  "createTime": string,
  "updateTime": string,
  "state": string,
  "additionalAttributes": {
    object
  },
  "parentFullResourceName": string,
  "versionedResources": [
    {
      object (VersionedResource)
    }
  ],
  "attachedResources": [
    {
      object (AttachedResource)
    }
  ],
  "relationships": {
    string: {
      object (RelatedResources)
    },
    ...
  },
  "tagKeys": [
    string
  ],
  "tagValues": [
    string
  ],
  "tagValueIds": [
    string
  ],
  "tags": [
    {
      object (Tag)
    }
  ],
  "effectiveTags": [
    {
      object (EffectiveTagDetails)
    }
  ],
  "enrichments": [
    {
      object (AssetEnrichment)
    }
  ],
  "parentAssetType": string,
  "sccSecurityMarks": {
    string: string,
    ...
  }
}
Fields
name

string

The full resource name of this resource. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1. See Cloud Asset Inventory Resource Name Format for more information.

To search against the name:

  • Use a field query. Example: name:instance1
  • Use a free text query. Example: instance1
assetType

string

The type of this resource. Example: compute.googleapis.com/Disk.

To search against the assetType:

  • Specify the assetType field in your search request.
project

string

The project that this resource belongs to, in the form of projects/{PROJECT_NUMBER}. This field is available when the resource belongs to a project.

To search against project:

  • Use a field query. Example: project:12345
  • Use a free text query. Example: 12345
  • Specify the scope field as this project in your search request.
folders[]

string

The folder(s) that this resource belongs to, in the form of folders/{FOLDER_NUMBER}. This field is available when the resource belongs to one or more folders.

To search against folders:

  • Use a field query. Example: folders:(123 OR 456)
  • Use a free text query. Example: 123
  • Specify the scope field as this folder in your search request.
organization

string

The organization that this resource belongs to, in the form of organizations/{ORGANIZATION_NUMBER}. This field is available when the resource belongs to an organization.

To search against organization:

  • Use a field query. Example: organization:123
  • Use a free text query. Example: 123
  • Specify the scope field as this organization in your search request.
displayName

string

The display name of this resource. This field is available only when the resource's Protobuf contains it.

To search against the displayName:

  • Use a field query. Example: displayName:"My Instance"
  • Use a free text query. Example: "My Instance"
description

string

One or more paragraphs of text description of this resource. Maximum length could be up to 1M bytes. This field is available only when the resource's Protobuf contains it.

To search against the description:

  • Use a field query. Example: description:"important instance"
  • Use a free text query. Example: "important instance"
location

string

Location can be global, regional like us-east1, or zonal like us-west1-b. This field is available only when the resource's Protobuf contains it.

To search against the location:

  • Use a field query. Example: location:us-west*
  • Use a free text query. Example: us-west*
labels

map (key: string, value: string)

User labels associated with this resource. See Labelling and grouping Google Cloud resources for more information. This field is available only when the resource's Protobuf contains it.

To search against the labels:

  • Use a field query:
    • query on any label's key or value. Example: labels:prod
    • query by a given label. Example: labels.env:prod
    • query by a given label's existence. Example: labels.env:*
  • Use a free text query. Example: prod

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

networkTags[]

string

Network tags associated with this resource. Like labels, network tags are a type of annotations used to group Google Cloud resources. See Labelling Google Cloud resources for more information. This field is available only when the resource's Protobuf contains it.

To search against the networkTags:

  • Use a field query. Example: networkTags:internal
  • Use a free text query. Example: internal
kmsKey
(deprecated)

string

The Cloud KMS CryptoKey name or CryptoKeyVersion name.

This field is present only for the purpose of backward compatibility. Use the kmsKeys field to retrieve Cloud KMS key information. This field is available only when the resource's Protobuf contains it and will only be populated for these resource types for backward compatibility purposes.

To search against the kmsKey:

  • Use a field query. Example: kmsKey:key
  • Use a free text query. Example: key
kmsKeys[]

string

The Cloud KMS CryptoKey names or CryptoKeyVersion names. This field is available only when the resource's Protobuf contains it.

To search against the kmsKeys:

  • Use a field query. Example: kmsKeys:key
  • Use a free text query. Example: key
createTime

string (Timestamp format)

The create timestamp of this resource, at which the resource was created. The granularity is in seconds. Timestamp.nanos will always be 0. This field is available only when the resource's Protobuf contains it.

To search against createTime:

  • Use a field query.
    • value in seconds since unix epoch. Example: createTime > 1609459200
    • value in date string. Example: createTime > 2021-01-01
    • value in date-time string (must be quoted). Example: createTime > "2021-01-01T00:00:00"

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

The last update timestamp of this resource, at which the resource was last modified or deleted. The granularity is in seconds. Timestamp.nanos will always be 0. This field is available only when the resource's Protobuf contains it.

To search against updateTime:

  • Use a field query.
    • value in seconds since unix epoch. Example: updateTime < 1609459200
    • value in date string. Example: updateTime < 2021-01-01
    • value in date-time string (must be quoted). Example: updateTime < "2021-01-01T00:00:00"

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

state

string

The state of this resource. Different resource types have different state definitions that are mapped from various fields of different resource types. This field is available only when the resource's Protobuf contains it.

Example: If the resource is an instance provided by Compute Engine, its state will include PROVISIONING, STAGING, RUNNING, STOPPING, SUSPENDING, SUSPENDED, REPAIRING, and TERMINATED. See status definition in API Reference. If the resource is a project provided by Resource Manager, its state will include LIFECYCLE_STATE_UNSPECIFIED, ACTIVE, DELETE_REQUESTED and DELETE_IN_PROGRESS. See lifecycleState definition in API Reference.

To search against the state:

  • Use a field query. Example: state:RUNNING
  • Use a free text query. Example: RUNNING
additionalAttributes

object (Struct format)

The additional searchable attributes of this resource. The attributes may vary from one resource type to another. Examples: projectId for Project, dnsName for DNS ManagedZone. This field contains a subset of the resource metadata fields that are returned by the List or Get APIs provided by the corresponding Google Cloud service (e.g., Compute Engine). See API references and supported searchable attributes to see which fields are included.

You can search values of these fields through free text search. However, you should not consume the field programmatically, as the field names and values may change as the Google Cloud service updates to a new incompatible API version.

To search against the additionalAttributes:

  • Use a free text query to match the attribute values. Example: to search additionalAttributes = { dnsName: "foobar" }, you can issue a query foobar.
parentFullResourceName

string

The full resource name of this resource's parent, if it has one. To search against the parentFullResourceName:

  • Use a field query. Example: parentFullResourceName:"project-name"
  • Use a free text query. Example: project-name
versionedResources[]

object (VersionedResource)

Versioned resource representations of this resource. This is repeated because there could be multiple versions of resource representations during version migration.

This versionedResources field is not searchable. Some attributes of the resource representations are exposed in additionalAttributes field, so as to allow users to search on them.

attachedResources[]

object (AttachedResource)

Attached resources of this resource. For example, an OSConfig Inventory is an attached resource of a Compute Instance. This field is repeated because a resource could have multiple attached resources.

This attachedResources field is not searchable. Some attributes of the attached resources are exposed in additionalAttributes field, so as to allow users to search on them.

relationships

map (key: string, value: object (RelatedResources))

A map of related resources of this resource, keyed by the relationship type. A relationship type is in the format of {SourceType}_{ACTION}_{DestType}. Example: DISK_TO_INSTANCE, DISK_TO_NETWORK, INSTANCE_TO_INSTANCEGROUP. See supported relationship types.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

tagKeys[]
(deprecated)

string

This field is only present for the purpose of backward compatibility. Use the tags field instead.

TagKey namespaced names, in the format of {ORG_ID}/{TAG_KEY_SHORT_NAME}. To search against the tagKeys:

  • Use a field query. Example:

    • tagKeys:"123456789/env*"
    • tagKeys="123456789/env"
    • tagKeys:"env"
  • Use a free text query. Example:

    • env
tagValues[]
(deprecated)

string

This field is only present for the purpose of backward compatibility. Use the tags field instead.

TagValue namespaced names, in the format of {ORG_ID}/{TAG_KEY_SHORT_NAME}/{TAG_VALUE_SHORT_NAME}. To search against the tagValues:

  • Use a field query. Example:

    • tagValues:"env"
    • tagValues:"env/prod"
    • tagValues:"123456789/env/prod*"
    • tagValues="123456789/env/prod"
  • Use a free text query. Example:

    • prod
tagValueIds[]
(deprecated)

string

This field is only present for the purpose of backward compatibility. Use the tags field instead.

TagValue IDs, in the format of tagValues/{TAG_VALUE_ID}. To search against the tagValueIds:

  • Use a field query. Example:

    • tagValueIds="tagValues/456"
  • Use a free text query. Example:

    • 456
tags[]

object (Tag)

The tags directly attached to this resource.

To search against the tags:

  • Use a field query. Example:

    • tagKeys:"123456789/env*"
    • tagKeys="123456789/env"
    • tagKeys:"env"
    • tagKeyIds="tagKeys/123"
    • tagValues:"env"
    • tagValues:"env/prod"
    • tagValues:"123456789/env/prod*"
    • tagValues="123456789/env/prod"
    • tagValueIds="tagValues/456"
  • Use a free text query. Example:

    • env/prod
effectiveTags[]

object (EffectiveTagDetails)

The effective tags on this resource. All of the tags that are both attached to and inherited by a resource are collectively called the effective tags. For more information, see tag inheritance.

To search against the effectiveTags:

  • Use a field query. Example:
    • effectiveTagKeys:"123456789/env*"
    • effectiveTagKeys="123456789/env"
    • effectiveTagKeys:"env"
    • effectiveTagKeyIds="tagKeys/123"
    • effectiveTagValues:"env"
    • effectiveTagValues:"env/prod"
    • effectiveTagValues:"123456789/env/prod*"
    • effectiveTagValues="123456789/env/prod"
    • effectiveTagValueIds="tagValues/456"
enrichments[]

object (AssetEnrichment)

Enrichments of the asset. Currently supported enrichment types with v1.searchAllResources API:

  • RESOURCE_OWNERS

The corresponding read masks in order to get the enrichment:

  • enrichments.resource_owners

The corresponding required permissions:

  • cloudasset.assets.searchEnrichmentResourceOwners

Example query to get resource owner enrichment:

  scope: "projects/my-project"
  query: "name: my-project"
  assetTypes: "cloudresourcemanager.googleapis.com/Project"
  readMask: {
     paths: "assetType"
     paths: "name"
     paths: "enrichments.resource_owners"
  }
parentAssetType

string

The type of this resource's immediate parent, if there is one.

To search against the parentAssetType:

  • Use a field query. Example: parentAssetType:"cloudresourcemanager.googleapis.com/Project"
  • Use a free text query. Example: cloudresourcemanager.googleapis.com/Project
sccSecurityMarks

map (key: string, value: string)

The actual content of Security Command Center security marks associated with the asset.

To search against SCC SecurityMarks field:

  • Use a field query:
    • query by a given key value pair. Example: sccSecurityMarks.foo=bar
    • query by a given key's existence. Example: sccSecurityMarks.foo:*

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

VersionedResource

Resource representation as defined by the corresponding service providing the resource for a given API version.

JSON representation
{
  "version": string,
  "resource": {
    object
  }
}
Fields
version

string

API version of the resource.

Example: If the resource is an instance provided by Compute Engine v1 API as defined in https://cloud.google.com/compute/docs/reference/rest/v1/instances, version will be "v1".

resource

object (Struct format)

JSON representation of the resource as defined by the corresponding service providing this resource.

Example: If the resource is an instance provided by Compute Engine, this field will contain the JSON representation of the instance as defined by Compute Engine: https://cloud.google.com/compute/docs/reference/rest/v1/instances.

You can find the resource definition for each supported resource type in this table: https://cloud.google.com/asset-inventory/docs/supported-asset-types

AttachedResource

Attached resource representation, which is defined by the corresponding service provider. It represents an attached resource's payload.

JSON representation
{
  "assetType": string,
  "versionedResources": [
    {
      object (VersionedResource)
    }
  ]
}
Fields
assetType

string

The type of this attached resource.

Example: osconfig.googleapis.com/Inventory

You can find the supported attached asset types of each resource in this table: https://cloud.google.com/asset-inventory/docs/supported-asset-types

versionedResources[]

object (VersionedResource)

Versioned resource representations of this attached resource. This is repeated because there could be multiple versions of the attached resource representations during version migration.

RelatedResources

The related resources of the primary resource.

JSON representation
{
  "relatedResources": [
    {
      object (RelatedResource)
    }
  ]
}
Fields
relatedResources[]

object (RelatedResource)

The detailed related resources of the primary resource.

RelatedResource

The detailed related resource.

JSON representation
{
  "assetType": string,
  "fullResourceName": string
}
Fields
assetType

string

The type of the asset. Example: compute.googleapis.com/Instance

fullResourceName

string

The full resource name of the related resource. Example: //compute.googleapis.com/projects/my_proj_123/zones/instance/instance123

AssetEnrichment

The enhanced metadata information for a resource.

JSON representation
{

  // Union field EnrichmentData can be only one of the following:
  "resourceOwners": {
    object (ResourceOwners)
  }
  // End of list of possible types for union field EnrichmentData.
}
Fields

Union field EnrichmentData.

EnrichmentData can be only one of the following:

resourceOwners

object (ResourceOwners)

The resource owners for a resource.

Note that this field only contains the members that have "roles/owner" role in the resource's IAM Policy.

ResourceOwners

The resource owners information.

JSON representation
{
  "resourceOwners": [
    string
  ]
}
Fields
resourceOwners[]

string

List of resource owners.
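
Reading the resource owner enrichment out of search results, as an added example (not code from the original page or from Google): it walks results[].enrichments[].resourceOwners.resourceOwners[] and reports owners outside an allowlist of domains, keeping results that came back without any enrichments separate from results whose owners are all expected. The function names, the sample results and the "type:local@domain" member format are assumptions constructed here.

```python
def resource_owners(result):
    """Owner members carried in one ResourceSearchResult (parsed JSON)."""
    owners = []
    for enrichment in result.get("enrichments", []):
        # EnrichmentData is a union field; resourceOwners may be absent.
        inner = enrichment.get("resourceOwners") or {}
        owners.extend(inner.get("resourceOwners", []))
    return owners


def domain_of(member):
    """Domain of a 'type:local@domain' member string (assumed format), else None."""
    kind, sep, ident = member.partition(":")
    if not sep:
        ident = kind
    _, at, domain = ident.rpartition("@")
    return domain.lower() if at and domain else None


def audit_owners(results, allowed_domains):
    """Split results into unexpected owners and results with no enrichment data."""
    allowed = {d.lower() for d in allowed_domains}
    report = {"unexpected": {}, "no_enrichment": []}
    for r in results:
        name = r.get("name", "")
        if "enrichments" not in r:
            # Not returned (readMask or permission missing): unknown, not "clean".
            report["no_enrichment"].append(name)
            continue
        # Members without a recognisable domain are reported too (fail closed).
        outside = [m for m in resource_owners(r) if domain_of(m) not in allowed]
        if outside:
            report["unexpected"][name] = outside
    return report


# Constructed sample results; names and members are illustrative only.
PROJ = "//cloudresourcemanager.googleapis.com/projects/"
SAMPLE_RESULTS = [
    {"name": PROJ + "proj-a", "enrichments": [{"resourceOwners": {
        "resourceOwners": ["user:alice@example.com", "user:bob@other.test"]}}]},
    {"name": PROJ + "proj-b", "enrichments": [{"resourceOwners": {
        "resourceOwners": ["group:admins@example.com"]}}]},
    {"name": PROJ + "proj-c"},  # enrichments absent from the response
]

if __name__ == "__main__":
    print(audit_owners(SAMPLE_RESULTS, ["example.com"]))
```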