Searching resources

The Cloud Asset API allows you to use a custom query language to query resource metadata on a project, folder, or organization.

Before you begin

Enable the Cloud Asset API for your project.
Grant the cloudasset.assets.searchAllResources permission to the user account or service account that is making the request. This permission is included in basic roles and predefined roles listed in Roles.

Search resources

Console

To search all resources, complete the following steps.

Go to the Asset Inventory page in the Google Cloud console.

Go to Asset Inventory
To set the scope of your search, open the Projects list box in the menu bar, and then select the organization, folder, or project to query.
Select the Resource tab.
To search resources, enter the query text in the Filter bar. Select the text box, and then a list of searchable fields display. Resource search supports multiple fields. Learn more about query syntax.
Search results can also be filtered by the pre-defined Asset type, Project, and Location filters in the Filter results pane.

The resources matching the query are listed in the Result table.

To view the query as a Google Cloud CLI command, select View query.

To export the results, select Download CSV.

gcloud

You can call SearchAllResources using the gcloud asset search-all-resources command. You must be running Google Cloud CLI version 302.0.0 or newer. You can check your version with the gcloud version command.

gcloud asset search-all-resources \
    --scope=SCOPE \
    --query=QUERY \
    --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \
    --order-by=ORDER_BY \
    --read-mask=READ_MASK

Provide the following values:

SCOPE: Optional. A scope can be a project, a folder, or an organization. The search is limited to the Google Cloud resources in this scope. The caller must be granted the cloudasset.assets.searchAllResources permission on the desired scope. If not specified, the configured project property is used.

The allowed values are:
- projects/PROJECT_ID
- projects/PROJECT_NUMBER
  How to find a Google Cloud project number
  Console
  
  To find a Google Cloud project number, complete the following steps:
  
  Go to the Dashboard page in the Google Cloud console.
  
  Go to Dashboard
  
  Click the switcher box in the menu bar.
  
  Select your organization from the Select from box, and then search for your project name.
  
  Click the project name to switch to that project. The project number is shown in the Project info card.
  
  gcloud CLI
  
  You can retrieve a Google Cloud project number with the following command:
  
  gcloud projects describe PROJECT_ID --format="value(projectNumber)"
- folders/FOLDER_ID
  How to find a Google Cloud folder ID
  Console
  
  To find a Google Cloud folder ID, complete the following steps:
  
  Go to the Google Cloud console.
  
  Go to the Google Cloud console
  
  Click the switcher box in the menu bar.
  
  Click the Select from box, and then select your organization.
  
  Search for your folder name. The folder ID is shown next to the folder name.
  
  gcloud CLI
  
  You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
  
  gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
  
  Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.
  
  To get the ID of a folder within another folder, list the subfolders:
  
  gcloud resource-manager folders list --folder=FOLDER_ID
- organizations/ORGANIZATION_ID
  How to find a Google Cloud organization ID
  Console
  
  To find a Google Cloud organization ID, complete the following steps:
  
  Go to the Google Cloud console.
  
  Go to the Google Cloud console
  
  Click the switcher box in the menu bar.
  
  Click the Select from box, and then select your organization.
  
  Click the All tab. The organization ID is shown next to the organization name.
  
  gcloud CLI
  
  You can retrieve a Google Cloud organization ID with the following command:
  
  gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
QUERY: Optional. The query statement. See Query syntax for more information. If not specified or empty, it searches all the resources in the specified scope.

Examples:
- name:Important to find Google Cloud resources whose name contains the word Important.
- name=Important to find the Google Cloud resource whose name is exactly Important.
- displayName:Impor* to find Google Cloud resources whose display name contains Impor as a prefix of any word.
- location:us-west* to find Google Cloud resources whose location has two words with us and west as prefixes.
- labels:prod to find Google Cloud resources that have a label where either the key or the value contains the word prod.
- labels.env:prod to find Google Cloud resources that have a label where the key is env and the value contains the word prod.
- labels.env:* to find Google Cloud resources that have a label where the key is env.
- tagKeys:env to find Google Cloud resources that are directly attached to Tags where the TagKey.namespacedName contains env.
- tagValues:prod* to find Google Cloud resources that are directly attached to Tags where the TagValue.namespacedName contains a word prefixed by prod.
- tagValueIds=tagValues/123 to find Google Cloud resources that are directly attached to Tags where the TagValue.name is exactly tagValues/123.
- effectiveTagKeys:env to find Google Cloud resources that are directly attached to or inherit Tags where the TagKey.namespacedName contains env.
- effectiveTagValues:prod* to find Google Cloud resources that are directly attached to or inherit Tags where the TagValue.namespacedName contains a word prefixed by prod.
- effectiveTagValueIds=tagValues/123 to find Google Cloud resources that are directly attached to or inherit Tags where the TagValue.name is exactly tagValues/123.
- kmsKeys:key to find Google Cloud resources encrypted with customer-managed encryption keys whose name contains the word key.
- relationships:instance-group-1 to find Google Cloud resources that have relationships with instance-group-1 in the related resource name.
- relationships:INSTANCE_TO_INSTANCEGROUP to find Compute Engine instances that have relationships of type INSTANCE_TO_INSTANCEGROUP.
- relationships.INSTANCE_TO_INSTANCEGROUP:instance-group-1 to find Compute Engine instances that have relationships with instance-group-1 in the Compute Engine instance group resource name, for relationship type INSTANCE_TO_INSTANCEGROUP.
- state:ACTIVE to find Google Cloud resources whose state contains ACTIVE as a word.
- NOT state:ACTIVE to find Google Cloud resources whose state doesn't contain ACTIVE as a word.
- createTime<1609459200 or createTime<2021-01-01 or createTime<"2021-01-01T00:00:00" to find Google Cloud resources that were created before 2021-01-01 00:00:00 UTC. 1609459200 is the epoch timestamp in seconds of 2021-01-01 00:00:00 UTC.
- updateTime>1609459200 or updateTime>2021-01-01 or updateTime>"2021-01-01T00:00:00" to find Google Cloud resources that were updated after 2021-01-01 00:00:00 UTC. 1609459200 is the epoch timestamp in seconds of 2021-01-01 00:00:00 UTC.
- project:12345 to find Google Cloud resources that belong to a Google Cloud project with number 12345.
- folders:(123 or 456) to find Google Cloud resources that belong to a Google Cloud folder with numbers 123 or 456.
- organization:123 to find Google Cloud resources that belong to a Google Cloud organization with number 123.
- parentFullResourceName:ImportantName to find Google Cloud resources whose parent's name contains ImportantName.
- parentAssetType:Project to find Google Cloud resources whose parent's asset type contains Project.
- Important to find Google Cloud resources that contain the word Important in any of the searchable fields.
- Impor* to find Google Cloud resources that contain Impor as a prefix of any word in any of the searchable fields.
- Important location:(us-west1 OR global) to find Google Cloud resources that contain the word Important in any of the searchable fields and are also located in the us-west1 region or the global location.
ASSET_TYPE: Optional. A list of asset types that this request searches for. If empty, it searches all the searchable asset types. RE2-compatible regular expressions are supported. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error is returned.
ORDER_BY: Optional. A comma-separated list of fields specifying the sorting order of the results. The default order is ascending. Add DESC after the field name to indicate descending order. Redundant space characters are ignored. Example: "location DESC, name". Only singular primitive fields in the response are sortable:
- name
- assetType
- project
- displayName
- description
- location
- createTime
- updateTime
- state
- parentFullResourceName
- parentAssetType
All the other fields such as repeated fields (for example, networkTags, kmsKeys), map fields (for example, labels) and struct fields (for example, additionalAttributes) are not supported.
READ_MASK: Optional. A comma-separated list of fields specifying which fields to be returned in the results. If not specified, all fields except versionedResources are returned. If only "*" is specified, all fields are returned. Examples: "name,location", "name,versionedResources", "*".

The following fields are returned by default if --read-mask isn't specified:
- name
- assetType
- project
- folders
- organization
- displayName
- description
- location
- labels
- tags
- networkTags
- kmsKeys
- createTime
- updateTime
- state
- additionalAttributes
- parentFullResourceName
- parentAssetType
Some fields of large size, such as versionedResources, attachedResources and effectiveTags, are not returned by default, but you can specify them in the --read-mask parameter if you want to include them. If "*" is specified, all available fields are returned. Examples: "name,location,effectiveTags", "name,versionedResources", "*".

The following are example gcloud commands:

Find all resources in organizations/123456 whose name contains the word mycompany:

gcloud asset search-all-resources \
    --scope=organizations/123456 \
    --query="name:mycompany"

Find all resources in organizations/123456 whose name contains the word mycompany, with full metadata included:

gcloud asset search-all-resources \
    --scope=organizations/123456 \
    --query="name:mycompany" \
    --read-mask="name,versionedResources"

REST

You can call SearchAllResources using a valid OAuth token for a project. To call the SearchAllResources method from Cloud Shell or any console where the gcloud command is available:

If you haven't configured your project's OAuth consent screen, you need to do so. An email address and product name are required for the OAuth consent screen.

Caution: Don't enter any confidential information on the OAuth consent screen. Any information you save to the OAuth consent screen might be publicly visible for anyone who accesses your URL. Email and product details are displayed on the login screen and when someone tries to access a resource for which they don't have permission.
1. Go to the OAuth consent screen page for your project.
  
  Go to OAuth consent screen
2. Enter the Application name you want to display.
3. Under Support email, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
4. Add any optional details you'd like.
5. Click Save.
Create an OAuth token for your project. See Setting up OAuth 2.0 for more information.
1. Go to the Create OAuth client ID page.
  
  Go to Create OAuth client ID
2. Select Desktop app as your Application type.
3. Click Create.
4. Download the client_secret.json file.
5. Go to the Credentials page.
  
  Go to Credentials
6. To the right of your new Client ID, click Download JSON.
7. Securely store the file in a location that only your app can access.
Log in using the JSON file with the following command.
```
gcloud auth application-default login --client-id-file=YOUR_JSON_FILE
```
This command prompts you to open a link. Make sure the page shows the Application name you set in your OAuth consent screen.
You can now query resources using curl commands.
```
curl -X POST \
     -H "X-HTTP-Method-Override: GET" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "assetTypes": [
            "ASSET_TYPE_1",
            "ASSET_TYPE_2",
            "..."
          ],
          "orderBy": "ORDER_BY",
          "pageSize": PAGE_SIZE,
          "query": "QUERY",
          "readMask": "READ_MASK"
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE:searchAllIamPolicies
```
Note: This is a GET method. However, the server doesn't accept a body for GET methods and the request URL is also length limited. To avoid errors, use a POST instead, and set a header of X-HTTP-Method-Override: GET.

Provide the following values:
- ASSET_TYPE: Optional. A list of asset types that this request searches for. If empty, it searches all the searchable asset types. Regular expressions are supported. If the regular expression does not match any supported asset type, an INVALID_ARGUMENT error is returned.
- ORDER_BY: Optional. A comma-separated list of fields specifying the sorting order of the results. The default order is ascending. Add " DESC" after the field name to indicate descending order. Redundant space characters are ignored. Example: "location DESC, name". Only singular primitive fields in the response are sortable:
  - name
  - assetType
  - project
  - displayName
  - description
  - location
  - createTime
  - updateTime
  - state
  - parentFullResourceName
  - parentAssetType
  All the other fields such as repeated fields (for example, networkTags, kmsKeys), map fields (for example, labels) and struct fields (for example, additionalAttributes) are not supported.
- PAGE_SIZE: Optional. The number of results to return per page. The maximum is 500. If the value is set to 0 or a negative value, an appropriate default is selected. A nextPageToken is returned to retrieve subsequent results.
- QUERY: Optional. The query statement. See Query syntax for more information. If not specified or empty, it searches all the resources in the specified scope.
  
  Examples:
  - name:Important to find Google Cloud resources whose name contains the word "Important".
  - name=Important to find the Google Cloud resource whose name is exactly "Important".
  - displayName:Impor* to find Google Cloud resources whose display name contains "Impor" as a prefix of any word.
  - location:us-west* to find Google Cloud resources whose location contains both "us" and "west" as prefixes.
  - labels:prod to find Google Cloud resources that have a label where either the key or the value contains the word "prod".
  - labels.env:prod to find Google Cloud resources that have a label where the key is "env" and the value contains the word "prod".
  - labels.env:* to find Google Cloud resources that have a label where the key is "env".
  - tagKeys:env to find Google Cloud resources that are directly attached to Tags where the TagKey.namespacedName contains "env".
  - tagValues:prod* to find Google Cloud resources that are directly attached to Tags where the TagValue.namespacedName contains a word prefixed by "prod".
  - tagValueIds=tagValues/123 to find Google Cloud resources that are directly attached to Tags where the TagValue.name is exactly "tagValues/123".
  - effectiveTagKeys:env to find Google Cloud resources that are directly attached to or inherit Tags where the TagKey.namespacedName contains env.
  - effectiveTagValues:prod* to find Google Cloud resources that are directly attached to or inherit Tags where the TagValue.namespacedName contains a word prefixed by prod.
  - effectiveTagValueIds=tagValues/123 to find Google Cloud resources that are directly attached to or inherit Tags where the TagValue.name is exactly tagValues/123.
  - kmsKey:key to find Google Cloud resources encrypted with a customer-managed encryption key whose name contains key as a word. This field is deprecated. Please use the kmsKeys field to retrieve Cloud KMS key information.
  - kmsKeys:key to find Google Cloud resources encrypted with customer-managed encryption keys whose name contains the word "key".
  - relationships:instance-group-1 to find Google Cloud resources that have relationships with instance-group-1 in the related resource name.
  - relationships:INSTANCE_TO_INSTANCEGROUP to find Compute Engine instances that have relationships of type INSTANCE_TO_INSTANCEGROUP.
  - relationships.INSTANCE_TO_INSTANCEGROUP:instance-group-1 to find Compute Engine instances that have relationships with instance-group-1 in the Compute Engine instance group resource name, for relationship type INSTANCE_TO_INSTANCEGROUP.
  - state:ACTIVE to find Google Cloud resources whose state contains "ACTIVE" as a word.
  - NOT state:ACTIVE to find Google Cloud resources whose state doesn't contain "ACTIVE" as a word.
  - createTime<1609459200 or createTime<2021-01-01 or createTime<"2021-01-01T00:00:00" to find Google Cloud resources that were created before 2021-01-01 00:00:00 UTC. 1609459200 is the epoch timestamp in seconds of 2021-01-01 00:00:00 UTC.
  - updateTime>1609459200 or updateTime>2021-01-01 or updateTime>"2021-01-01T00:00:00" to find Google Cloud resources that were updated after 2021-01-01 00:00:00 UTC. 1609459200 is the epoch timestamp in seconds of 2021-01-01 00:00:00 UTC.
  - project:12345 to find Google Cloud resources that belong to a Google Cloud project with number 12345.
  - folders:(123 or 456) to find Google Cloud resources that belong to a Google Cloud folder with numbers 123 or 456.
  - organization:123 to find Google Cloud resources that belong to a Google Cloud organization with number 123.
  - parentFullResourceName:ImportantName to find Google Cloud resources whose parent's name contains ImportantName.
  - parentAssetType:Project to find Google Cloud resources whose parent's asset type contains Project.
  - Important to find Google Cloud resources that contain the word "Important" in any of the searchable fields.
  - Impor* to find Google Cloud resources that contain "Impor" as a prefix of any word in any of the searchable fields.
  - Important location:(us-west1 OR global) to find Google Cloud resources that contain the word Important in any of the searchable fields and are also located in the us-west1 region or the global location.
- READ_MASK: Optional. A comma-separated list of fields specifying which fields to be returned in the results. If not specified, all fields except versionedResources are returned. If only "*" is specified, all fields are returned. Examples: "name,location", "name,versionedResources", "*".
  
  The following fields are returned by default if read_mask isn't specified:
  - name
  - assetType
  - project
  - folders
  - organization
  - displayName
  - description
  - location
  - labels
  - tags
  - networkTags
  - kmsKeys
  - createTime
  - updateTime
  - state
  - additionalAttributes
  - parentFullResourceName
  - parentAssetType
  Some fields of large size, such as versionedResources, attachedResources and effectiveTags, are not returned by default, but you can specify them in the read_mask parameter if you want to include them. If "*" is specified, all available fields are returned. Examples: "name,location,effectiveTags", "name,versionedResources", "*".
- SCOPE: A scope can be a project, a folder, or an organization. The search is limited to the Google Cloud resources in this scope. The caller must be granted the cloudasset.assets.searchAllResources permission on the desired scope. If not specified, the configured project property is used.
  
  The allowed values are:
  - projects/PROJECT_ID
  - projects/PROJECT_NUMBER
    How to find a Google Cloud project number
    
    Console
    
    To find a Google Cloud project number, complete the following steps:
    
    Go to the Dashboard page in the Google Cloud console.
    
    Go to Dashboard
    
    Click the switcher box in the menu bar.
    
    Select your organization from the Select from box, and then search for your project name.
    
    Click the project name to switch to that project. The project number is shown in the Project info card.
    
    gcloud CLI
    
    You can retrieve a Google Cloud project number with the following command:
    
    gcloud projects describe PROJECT_ID --format="value(projectNumber)"
  - folders/FOLDER_ID
    How to find a Google Cloud folder ID
    
    Console
    
    To find a Google Cloud folder ID, complete the following steps:
    
    Go to the Google Cloud console.
    
    Go to the Google Cloud console
    
    Click the switcher box in the menu bar.
    
    Click the Select from box, and then select your organization.
    
    Search for your folder name. The folder ID is shown next to the folder name.
    
    gcloud CLI
    
    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
    
    gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
    
    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.
    
    To get the ID of a folder within another folder, list the subfolders:
    
    gcloud resource-manager folders list --folder=FOLDER_ID
  - organizations/ORGANIZATION_ID
    How to find a Google Cloud organization ID
    
    Console
    
    To find a Google Cloud organization ID, complete the following steps:
    
    Go to the Google Cloud console.
    
    Go to the Google Cloud console
    
    Click the switcher box in the menu bar.
    
    Click the Select from box, and then select your organization.
    
    Click the All tab. The organization ID is shown next to the organization name.
    
    gcloud CLI
    
    You can retrieve a Google Cloud organization ID with the following command:
    
    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

Client library and API reference

SearchAllResources

How to construct a query

See query syntax to learn more about the query language.

See searching resources samples to learn more about the sample queries for various real use cases.

Query Google Cloud resources by resource metadata fields

To search resource metadata, a query expression is in the following formats:

Text Exact Match:

FIELD=QUERY
Text Partial Match:

FIELD:QUERY
Numerical Match: comparison operators (=, >, >=, <, <=)

FIELDcomparison operatorQUERY

A searchable resource metadata FIELD can be:

name: The full resource name of the resource. Note: Not all the asset types are searchable. See the list of searchable types.
displayName: The display name on the UI.
description: The text description of the resource in one or more paragraphs.
location: The location of the resource. Location can be global, regional (for example, us-east1), or zonal (for example, us-west1-b).
labels: Labels associated with this resource. Labels can match label keys, label values, or both. See Labelling and grouping Google Cloud Platform resources.

Note: labels as a nested object does not support equals (=) operator.
labels.[key]: Label value identified by the label key associated with this resource. For example: labels.env:prod. Only hyphens (-), underscores (_), lowercase characters, and numbers are allowed in label keys. Keys must start with a lowercase character. International characters are allowed. See Labels Requirements.
tagKeys: TagKey.namespacedName of the Tags directly attached to this resource.
tagValues: TagValue.namespacedName of the Tags directly attached to this resource.
tagValueIds: TagValue.name of the Tags directly attached to this resource.
effectiveTagKeys: TagKey.namespacedName of the Tags directly attached or inherited to this resource.
effectiveTagValues: TagValue.namespacedName of the Tags directly attached or inherited to this resource.
effectiveTagValueIds: TagValue.name of the Tags directly attached or inherited to this resource.

networkTags: Network tags associated with this resource. See Labelling and grouping Google Cloud Platform resources.
kmsKey: The customer-managed encryption key used to encrypt this resource. This field is deprecated. Please use the kmsKeys field to retrieve Cloud KMS key information. See CryptoKey and CryptoKeyVersion.
kmsKeys: The customer-managed encryption keys used to encrypt this resource. See CryptoKey and CryptoKeyVersion.
relationships: The relationships associated with this resource. Relationships can match relationship type, related resource name, or both. See Supported relationship types.

Note: relationships as a nested object does not support equals (=) operator. To use relationships, you must subscribe to Security Command Center at the Premium tier.
relationships.[relationship_type]: The related resource name for a particular resource type associated with this resource. For example: relationships.INSTANCE_TO_INSTANCEGROUP:instance-group-1. See Supported relationship types.

Note: To use relationships, you must subscribe to Security Command Center at the Premium tier.
sccSecurityMarks: The actual content of Security Command Center security marks associated with the asset. For example: sccSecurityMarks.foo:bar. See Supported asset types in Security Command Center.
state: The text value of the state of this resource. Different resource types have different state definitions that are mapped from various fields of different resource types. Example: if the resource is an instance provided by Compute Engine, its state includes PROVISIONING, STAGING, RUNNING, STOPPING, SUSPENDING, SUSPENDED, REPAIRING, and TERMINATED. See status definition in API Reference. If the resource is a project provided by Cloud Resource Manager, its state includes LIFECYCLE_STATE_UNSPECIFIED, ACTIVE, DELETE_REQUESTED and DELETE_IN_PROGRESS. See lifecycleState definition in API Reference.
createTime: The create timestamp of this resource, at which the resource was created. The granularity is in seconds.
updateTime: The last update timestamp of this resource, at which the resource was last modified or deleted. The granularity is in seconds.
project: The number of the project that this resource belongs to.
folders: The numbers of the folders that this resource belongs to.
organization: The number of the organization that this resource belongs to.
parentFullResourceName: The name of the parent of this resource.
parentAssetType: The type of the parent of this resource.

Examples: query by specific field

Find all resources in your scope whose name contains the word Important:
```
name:Important
```
Find all resources in your scope whose displayName contains a word with prefix prod:
```
displayName:prod*
```
Find all resources in your scope whose location contains the word us:
```
location:us
```
Find all resources in your scope whose location exactly equals us:
```
location=us
```
Find all resources in your scope that have directly attached Tags with TagKey.namespacedName containing the word env:
```
tagKeys:env
```
Find all resources in your scope that have directly attached Tags with TagValue.namespacedName containing a word prefixed by prod:
```
tagValues:prod*
```
Find all resources in your scope that have a directly attached Tags with TagValue.name exactly equal to tagValues/123:
```
tagValueIds=tagValues/123
```
Find all resources in your scope that have a directly attached Tags with TagValue.namespacedName.
```
tagValues:*
```
Find all resources in your scope that have directly attached or inherited Tags with TagKey.namespacedName containing the word env:
```
effectiveTagKeys:env
```
Find all resources in your scope that have directly attached or inherited Tags with TagValue.namespacedName containing a word prefixed by prod:
```
effectiveTagValues:prod*
```
Find all resources in your scope that have a directly attached or inherited Tags with TagValue.name exactly equal to tagValues/123:
```
effectiveTagValueIds=tagValues/123
```
Find all resources in your scope that have a directly attached or inherited Tags with TagValue.namespacedName.
```
effectivetagValues:*
```
Find all resources in your scope that have a label where either the key or the value contains the word prod:
```
labels:prod
```
Find all resources in your scope that have a label where the key is env and the value contains the word prod:
```
labels.env:prod
```
Find all resources in your scope that have a label where the key is env and the value exactly equals prod:
```
labels.env=prod
```
Find all resources in your scope that have a label where the key is env:
```
labels.env:*
```
Find all resources in your scope that one of whose networkTags contains the word internal:
```
networkTags:internal
```
Find all resources in your scope that one of whose networkTags exactly equals internal:
```
networkTags=internal
```
Find all resources in your scope that have relationships with instance-group-1 in the related resource name:
```
relationships:instance-group-1
```
Find compute instances in your scope that have relationships of type INSTANCE_TO_INSTANCEGROUP:
```
relationships:INSTANCE_TO_INSTANCEGROUP
```
Find compute instances in your scope that have relationships with instance-group-1 in the compute instance group resource name, for relationship type INSTANCE_TO_INSTANCEGROUP:
```
relationships.INSTANCE_TO_INSTANCEGROUP:instance-group-1
```
Find all resources in your scope whose kmsKeys contains the word key:
```
kmsKeys:key
```
Find all resources in your scope whose kmsKeys exactly equals key:
```
kmsKeys=key
```
Find all resources in your scope whose sccSecurityMarks contains the exact key-value pair (key, value):
```
sccSecurityMarks.key=value
```
Find all resources in your scope whose sccSecurityMarks contains the key-value pair where the key is key:
```
sccSecurityMarks.key:*
```
Find all resources in your scope whose state contains the word ACTIVE:
```
state:ACTIVE
```
Find all resources in your scope whose state doesn't contain the word ACTIVE:
```
NOT state:ACTIVE
```
Find all resources in your scope that were created before 2021-01-01 00:00:00 UTC (1609459200 is the epoch timestamp in seconds of 2021-01-01 00:00:00 UTC):
```
createTime<1609459200
createTime<2021-01-01
createTime<"2021-01-01T00:00:00"
```
Find all resources in your scope that were updated after 2021-01-01 00:00:00 UTC (1609459200 is the epoch timestamp in seconds of 2021-01-01 00:00:00 UTC):
```
updateTime>1609459200
updateTime>2021-01-01
updateTime>"2021-01-01T00:00:00"
```
Find all resources in your scope whose project has number 123:
```
project:123
```
Find all resources in your scope contained in folder with number 123:
```
folders:123
```
Find all resources in your scope whose organization has number 123:
```
organization:123
```
Find all resources in your scope whose parentFullResourceName contains ImportantName:
```
parentFullResourceName:ImportantName
```
Find all resources in your scope whose parentAssetType contains Project:
```
parentAssetType:Project
```
Find all resources in your scope whose name contains the word Important and description contains a word with the prefix import:
```
name:Important description:import*
```
Find all resources in your scope whose name contains the word Important or description contains a word with the prefix import:
```
name:Important OR description:import*
```

Query Google Cloud resources by free text

You can also simply use a free text query without specifying a field. Then it returns resources, as long as there is a field in the resource metadata matching the query.

Examples: query by free text

Find all resources in your scope whose metadata fields (for example, name, displayName, description) contain the word Important:
```
Important
```
Find all resources in your scope whose metadata fields (for example, name, displayName, description) contain a word with the prefix import:
```
import*
```
Find all resources in your scope whose metadata fields (for example, name, displayName, description) contain the word Important and also contain a word with the prefix prod:
```
Important prod*
```

Searching resources

Before you begin

Search resources

Console

gcloud

Console

gcloud CLI

Console

gcloud CLI

Console

gcloud CLI

REST

Console

gcloud CLI

Console

gcloud CLI

Console

gcloud CLI

Client library and API reference

How to construct a query

Query Google Cloud resources by resource metadata fields

Examples: query by specific field

Query Google Cloud resources by free text

Examples: query by free text