You can search for resources in a project, folder, or organization, and filter the returned results using a query.
Before you begin
Enable the Cloud Asset Inventory API in the project you're running Cloud Asset Inventory commands from.
Make sure your account has the correct role to call the Cloud Asset Inventory API. For individual permissions for each call type, see Permissions.
Construct a query
Before constructing a query, it can be useful to start with a search request that doesn't specify a query. Use the fields and values from the full response to create a query using the search query syntax, and refine it until the results you want are returned.
Fields that can be used in a query are detailed in the searchAllResources reference documentation.
Not all resources can be searched. See Resource types for resource names and to check if they are available to the search APIs.
Search for your resources
Console
To search for resource metadata, complete the following steps.
-
Go to the Asset Inventory page in the Google Cloud console.
- Change to the project, folder, or organization you want to search.
- Click the Resource tab.
-
To search resources, enter a query in the Filter field. See Search query syntax to learn how to write a search query.
To make constructing queries easier, you can click the Filter field to display and add the available searchable fields to your query.
After performing a search, the resources matching the query are listed in the Results table. Double-click your query to edit it, or use the Filter results pane to retrict the search results by specific criteria.
To view the query as a Google Cloud CLI command, click View query.
To export the results, click Download CSV.
gcloud
gcloud asset search-all-resources \ --scope=SCOPE_PATH \ --query="QUERY" \ --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \ --order-by="ORDER_BY" \ --read-mask="READ_MASK"
Provide the following values:
-
SCOPE_PATH
: Use one of the following values:The allowed values are:
-
projects/PROJECT_ID
, wherePROJECT_ID
is the ID of the project that has the assets you want to search for. -
projects/PROJECT_NUMBER
, wherePROJECT_NUMBER
is the number of the project that has the assets you want to search for.How to find a Google Cloud project number
Google Cloud console
To find a Google Cloud project number, complete the following steps:
-
Go to the Welcome page in the Google Cloud console.
- Click the switcher list box in the menu bar.
-
Select your organization from the list box, and then search for your project name. The project name, project number, and project ID are shown near the Welcome heading.
Up to 4,000 resources are displayed. If you don't see the project you're looking for, go to the Manage resources page and filter the list using the name of that project.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
-
folders/FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that has the assets you want to search for.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that has the assets you want to search for.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
QUERY
: Optional. The query expression. If not specified or empty, all resources are searched for in the specified scope. To learn how to write a search query, see Search query syntax. ASSET_TYPE_#
: Optional. A comma-separated list of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, anINVALID_ARGUMENT
error is returned. When--asset-types
isn't specified, all asset types are returned.-
ORDER_BY
: Optional. A comma-separated list of fields specifying the sorting order of the results. The default order is ascending. AddDESC
after the field name to indicate descending order. See the reference documentation for what fields can be sorted. READ_MASK
: Optional. A comma-separated list of fields specifying which fields to be returned in the results. See thefor the fields that are returned by default, and other conditions to keep in mind when specifying a read mask.
You can use the --format
and
--flatten
flags to format the
gcloud CLI output.
See the gcloud CLI reference for all options.
Example
Run the following command to get a list of all the Compute Engine instances in the
my-project
project with the word instance
followed by a 1
in their full resource name. The results are in
descending order by name, and because of the read mask, only the name
and
location
fields are returned.
gcloud asset search-all-resources \ --scope=projects/my-project \ --query="name:instance 1" \ --asset-types=compute.googleapis.com/Instance \ --order-by="name DESC" \ --read-mask="name,location"
Example response
--- location: us-central1-a name: //compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/instance-2-1 --- location: us-central1-a name: //compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/instance-1
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/SCOPE_PATH:searchAllResources
Request JSON body:
{ "query": "QUERY", "assetTypes": [ "ASSET_TYPE_1", "ASSET_TYPE_2", "..." ], "orderBy": "ORDER_BY", "pageSize": "PAGE_SIZE", "pageToken": "PAGE_TOKEN", "readMask": "READ_MASK" }
Provide the following values:
-
SCOPE_PATH
: Use one of the following values:The allowed values are:
-
projects/PROJECT_ID
, wherePROJECT_ID
is the ID of the project that has the assets you want to search for. -
projects/PROJECT_NUMBER
, wherePROJECT_NUMBER
is the number of the project that has the assets you want to search for.How to find a Google Cloud project number
Google Cloud console
To find a Google Cloud project number, complete the following steps:
-
Go to the Welcome page in the Google Cloud console.
- Click the switcher list box in the menu bar.
-
Select your organization from the list box, and then search for your project name. The project name, project number, and project ID are shown near the Welcome heading.
Up to 4,000 resources are displayed. If you don't see the project you're looking for, go to the Manage resources page and filter the list using the name of that project.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
-
folders/FOLDER_ID
, whereFOLDER_ID
is the ID of the folder that has the assets you want to search for.How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the
--format
flag to see more information about the found folders.The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
-
-
organizations/ORGANIZATION_ID
, whereORGANIZATION_ID
is the ID of the organization that has the assets you want to search for.How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher list box in the menu bar.
- Select your organization from the list box.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
-
-
QUERY
: Optional. The query expression. If not specified or empty, all resources are searched for in the specified scope. To learn how to write a search query, see Search query syntax. ASSET_TYPE_#
: Optional. An array of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, anINVALID_ARGUMENT
error is returned. WhenassetTypes
isn't specified, all asset types are returned.-
ORDER_BY
: Optional. A comma-separated list of fields specifying the sorting order of the results. The default order is ascending. AddDESC
after the field name to indicate descending order. See the reference documentation for what fields can be sorted. -
PAGE_SIZE
: Optional. The number of results to return per page. The maximum is 500. If the value is set to0
or a negative value, an appropriate default is selected. AnextPageToken
is returned to retrieve subsequent results. -
PAGE_TOKEN
: Optional. Long request responses are separated over multiple pages. WhenpageToken
isn't specified, the first page is returned. Subsequent pages can be called by using the previous response'snextPageToken
as thepageToken
value. READ_MASK
: Optional. A comma-separated list of fields specifying which fields to be returned in the results. See thefor the fields that are returned by default, and other conditions to keep in mind when specifying a read mask.
See the REST reference for all options.
Command examples
Run one of the following commands to get a list of all the Compute Engine instances in the
my-project
project with the word instance
followed by a 1
in their full resource name. The results are in
descending order by name, and only the name
and location
fields are
returned.
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "query": "name:instance 1", "assetTypes": ["compute.googleapis.com/Instance"], "orderBy": "name DESC", "readMask": "name,location" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "query": "name:instance 1", "assetTypes": ["compute.googleapis.com/Instance"], "orderBy": "name DESC", "readMask": "name,location" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources" | Select-Object -Expand Content
Example response
{ "results": [ { "name": "//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/instance-2-1", "location": "us-central1-a" }, { "name": "//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/instance-1", "location": "us-central1-a" } ] }
C#
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
PHP
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Ruby
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Additional search examples
The following code samples show specific search queries for both gcloud and REST to help you to construct your own searches.
All resources in a project
The following sample shows how to search for all resources in the my-project
project.
gcloud
gcloud asset search-all-resources \ --scope=projects/my-project \ --format="table(assetType.basename(), name.basename(), name.scope(projects).segment(0):label=PROJECT_ID, labels)"
REST
HTTP method and URL:
GET https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources" | Select-Object -Expand Content
Compute Engine instances by description
The following sample shows how to search for Compute Engine instances in the
my-project
project with the exact name instance-prod
.
gcloud
gcloud asset search-all-resources \ --scope=projects/my-project \ --query="description=instance-prod" \ --asset-types=compute.googleapis.com/Instance \ --format="table(name, assetType, location)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
Request JSON body:
{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "description=instance-prod", "readMask": "name,assetType,location" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "description=instance-prod", "readMask": "name,assetType,location" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "description=instance-prod", "readMask": "name,assetType,location" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources" | Select-Object -Expand Content
To search for instances that have instance-prod
in their name (such as
instance-prod-1
and instance-prod-2
) instead of an exact match, replace
=instance-prod
with :instance-prod
.
Compute Engine instances by label
The following sample shows how to search for Compute Engine instances in the
my-project
project with a label named env
.
gcloud
gcloud asset search-all-resources \ --scope=projects/my-project \ --query="labels.env:*" \ --asset-types=compute.googleapis.com/Instance \ --format="table(name, assetType, labels)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
Request JSON body:
{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "labels.env:*", "readMask": "name,assetType,labels" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "labels.env:*", "readMask": "name,assetType,labels" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "labels.env:*", "readMask": "name,assetType,labels" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources" | Select-Object -Expand Content
Compute Engine instances by TagKey
The following sample shows how to search for Compute Engine instances in the
my-project
project that have directly attached Tags with a
TagKey
.namespacedName
containing env
.
To search by effective TagKeys instead, replace tagKeys
with
effectiveTagKeys
.
gcloud
gcloud asset search-all-resources \ --scope=projects/my-project \ --query="tagKeys:env" \ --asset-types=compute.googleapis.com/Instance \ --format="table(name, assetType, tags)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
Request JSON body:
{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "tagKeys:env", "readMask": "name,assetType,tags" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "tagKeys:env", "readMask": "name,assetType,tags" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "tagKeys:env", "readMask": "name,assetType,tags" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources" | Select-Object -Expand Content
Compute Engine instances by TagValue
The following sample shows how to search for Compute Engine instances in the
my-project
project that have directly attached Tags where the
TagValue
.namespacedName
contains prod
or sea
, and the instance name does not contain instance1
.
To search by effective TagValues instead, replace tagValues
with
effectiveTagValues
gcloud
gcloud asset search-all-resources \ --scope=projects/my-project \ --query="tagValues:(prod OR sea) (NOT name:instance1)" \ --asset-types=compute.googleapis.com/Instance \ --format="table(name, assetType, tags)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
Request JSON body:
{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "tagValues:(prod OR sea) (NOT name:instance1)", "readMask": "name,assetType,tags" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "tagValues:(prod OR sea) (NOT name:instance1)", "readMask": "name,assetType,tags" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "tagValues:(prod OR sea) (NOT name:instance1)", "readMask": "name,assetType,tags" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources" | Select-Object -Expand Content
Compute Engine instances created after a specific time
The following sample shows how to search for Compute Engine instances in the
my-project
project that were created after 31 December, 2023.
For more information on datetime comparisons, see Numerical and timestamp comparison.
gcloud
gcloud asset search-all-resources \ --scope=projects/my-project \ --query="createTime>2023-31-12" \ --asset-types=compute.googleapis.com/Instance \ --format="table(name, assetType, location)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
Request JSON body:
{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "createTime>2023-31-12", "readMask": "name,assetType,location" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "createTime>2023-31-12", "readMask": "name,assetType,location" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "createTime>2023-31-12", "readMask": "name,assetType,location" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources" | Select-Object -Expand Content
Compute Engine instances located in the US
The following sample shows how to search for Compute Engine instances in the
my-project
project that are located in the US.
gcloud
gcloud asset search-all-resources \ --scope=projects/my-project \ --query="location:us-*" \ --asset-types=compute.googleapis.com/Instance \ --format="table(name, assetType, location)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
Request JSON body:
{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "location:us-*", "readMask": "name,assetType,location" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "location:us-*", "readMask": "name,assetType,location" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "location:us-*", "readMask": "name,assetType,location" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources" | Select-Object -Expand Content
Compute Engine instances that are running
The following sample shows how to search for Compute Engine instances that are
running in the my-project
project.
gcloud
gcloud asset search-all-resources \ --scope=projects/my-project \ --query="state=RUNNING" \ --asset-types=compute.googleapis.com/Instance \ --read-mask="name,assetType,location,versionedResources" \ --format="table(name, assetType, location, versionedResources)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
Request JSON body:
{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "state=RUNNING", "readMask": "name,assetType,location,versionedResources" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "state=RUNNING", "readMask": "name,assetType,location,versionedResources" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "compute.googleapis.com/Instance", "pageSize": 1, "query": "state=RUNNING", "readMask": "name,assetType,location,versionedResources" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources" | Select-Object -Expand Content
IAM deny policies
The following sample shows how to search for
IAM deny policies in the my-project
project.
gcloud
gcloud asset search-all-resources \ --scope=projects/my-project \ --asset-types=iam.googleapis.com/PolicyV2 \ --query="name:denypolicies"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
Request JSON body:
{ "assetTypes": "iam.googleapis.com/PolicyV2", "pageSize": 1, "query": "name:denypolicies" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "assetTypes": "iam.googleapis.com/PolicyV2", "pageSize": 1, "query": "name:denypolicies" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "assetTypes": "iam.googleapis.com/PolicyV2", "pageSize": 1, "query": "name:denypolicies" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources" | Select-Object -Expand Content
To search for Compute Engine instances that aren't running, replace
state=RUNNING
with NOT state:running
.
Related Google Cloud resources
Relationship queries are only available for Security Command Center Premium and Enterprise tier subscribers.
The following sample shows how to search for
related
resources in the my-project
project, for supported
relationship types. For example,
search for all Compute Engine instances that are part of
instance groups that have instance-group
in
their full resource names.
gcloud
gcloud asset search-all-resources \ --scope=projects/my-project \ --query="relationships:instance-group" \ --format="table(name, assetType, relationships)"
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
Request JSON body:
{ "pageSize": 1, "query": "relationships:instance-group", "readMask": "name,assetType,relationships" }
Command examples
curl (Linux, macOS, or Cloud Shell)
curl -X POST \ -H "X-HTTP-Method-Override: GET" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d '{ "pageSize": 1, "query": "relationships:instance-group", "readMask": "name,assetType,relationships" }' \ https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources
PowerShell (Windows)
$cred = gcloud auth print-access-token $headers = @{ "X-HTTP-Method-Override" = "GET"; "Authorization" = "Bearer $cred" } $body = @" { "pageSize": 1, "query": "relationships:instance-group", "readMask": "name,assetType,relationships" } "@ Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -Body $body ` -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:searchAllResources" | Select-Object -Expand Content
You can also specify the type of relationship you want to search for. For
example, to search for the INSTANCE_TO_INSTANCEGROUP
relationship type, use
the query relationships.INSTANCE_TO_INSTANCEGROUP
. To search for that
relationship type with a full resource name that contains instance-group
, use
the query relationships.INSTANCE_TO_INSTANCEGROUP:instance-group
.