This topic lists the supported asset types in Cloud Asset Inventory. Please see the overview topic for all Cloud Asset API services.
For types supported by the export, list and monitor services, see supported resource types, supported policy types, supported runtime information types and supported relationship types.
For types supported by the search service, see searchable asset types and supported relationship types.
For types supported by the analysis service, see analyzable asset types.
Supported resource types
Cloud Asset Inventory supports and returns the following resource types. You can use this list to identify which types the service supports, but be sure to use the full resource name format when working with Cloud Asset Inventory. Learn more about Cloud API resource naming.
| Service | Launch stage/Resource |
|---|---|
| API keysNote: location field may not be populated for API keys assets. | GAAPI reference • apikeys.googleapis.com/Key |
| App EngineNote: location field may not be populated for App Engine assets. | GAAPI reference • appengine.googleapis.com/Application• appengine.googleapis.com/Service• appengine.googleapis.com/Version |
| Artifact Registry | GAAPI reference
• artifactregistry.googleapis.com/DockerImage• artifactregistry.googleapis.com/Repository
|
| Backup for GKE | GAAPI reference• gkebackup.googleapis.com/BackupPlan• gkebackup.googleapis.com/Backup• gkebackup.googleapis.com/VolumeBackup• gkebackup.googleapis.com/RestorePlan• gkebackup.googleapis.com/Restore• gkebackup.googleapis.com/VolumeRestore |
| BigQuery | GAAPI reference• bigquery.googleapis.com/Dataset• bigquery.googleapis.com/Table• bigquery.googleapis.com/Model |
| Cloud Bigtable | GAAPI reference• bigtableadmin.googleapis.com/AppProfile• bigtableadmin.googleapis.com/Backup• bigtableadmin.googleapis.com/Cluster• bigtableadmin.googleapis.com/Instance• bigtableadmin.googleapis.com/Table |
| Cloud Billing | GAAPI reference• cloudbilling.googleapis.com/BillingAccount• cloudbilling.googleapis.com/ProjectBillingInfo |
| Certificate Authority ServiceNote: IAM policies may be missing for privateca.googleapis.com/CertificateRevocationList. | GAAPI reference• privateca.googleapis.com/CaPool• privateca.googleapis.com/Certificate• privateca.googleapis.com/CertificateAuthority• privateca.googleapis.com/CertificateRevocationList• privateca.googleapis.com/CertificateTemplate |
| Cloud Functions | GAAPI reference• cloudfunctions.googleapis.com/CloudFunction |
| Cloud Run | GAAPI reference• run.googleapis.com/DomainMapping• run.googleapis.com/Execution• run.googleapis.com/Job• run.googleapis.com/Revision• run.googleapis.com/Service |
| Container RegistryNote: Container Registry implements the Docker HTTP API V2 and does not provide a public API. | GA
• containerregistry.googleapis.com/Image
|
| Dataplex | GA API reference
• dataplex.googleapis.com/Lake
• dataplex.googleapis.com/Task
• dataplex.googleapis.com/Zone
• dataplex.googleapis.com/Asset |
| Dataproc | GA API reference
• dataproc.googleapis.com/AutoscalingPolicy
• dataproc.googleapis.com/Batch
• dataproc.googleapis.com/Cluster
• dataproc.googleapis.com/Job
• dataproc.googleapis.com/WorkflowTemplate |
| Dialogflow CX | GAAPI reference
• dialogflow.googleapis.com/Agent• dialogflow.googleapis.com/LocationSettings
|
| Dialogflow ES | GAAPI reference
• dialogflow.googleapis.com/ConversationProfile• dialogflow.googleapis.com/KnowledgeBase
|
| Cloud Data Loss Prevention | GAAPI reference
• dlp.googleapis.com/StoredInfoType
• dlp.googleapis.com/DeidentifyTemplate
• dlp.googleapis.com/DlpJob
• dlp.googleapis.com/InspectTemplate
• dlp.googleapis.com/JobTrigger
|
| Cloud DNS | GAAPI reference• dns.googleapis.com/ManagedZone• dns.googleapis.com/Policy |
| Eventarc | GAAPI reference• eventarc.googleapis.com/Trigger |
| Identity and Access Management | GAAPI reference• iam.googleapis.com/Role• iam.googleapis.com/ServiceAccount• iam.googleapis.com/ServiceAccountKey |
| Cloud Key Management Service | GAAPI reference• cloudkms.googleapis.com/KeyRing • cloudkms.googleapis.com/CryptoKey• cloudkms.googleapis.com/CryptoKeyVersion• cloudkms.googleapis.com/ImportJob• cloudkms.googleapis.com/EkmConnection |
| Pub/Sub | GA API reference• pubsub.googleapis.com/Topic• pubsub.googleapis.com/Subscription• pubsub.googleapis.com/Snapshot |
| Cloud Spanner | GAAPI reference• spanner.googleapis.com/Instance• spanner.googleapis.com/Database• spanner.googleapis.com/Backup |
| Cloud SQL Note that Cloud SQL asset change history can be incomplete, and data freshness can be stale for 2+ hours. | GAAPI reference• sqladmin.googleapis.com/Instance• sqladmin.googleapis.com/BackupRun |
| Cloud Storage | GAAPI reference• storage.googleapis.com/Bucket |
| Cloud OS Config Note that Cloud OS Config asset change history can be incomplete, and data freshness can be stale for 7+ hours. | GAAPI reference• osconfig.googleapis.com/PatchDeployment• osconfig.googleapis.com/VulnerabilityReport• osconfig.googleapis.com/OSPolicyAssignment• osconfig.googleapis.com/OSPolicyAssignmentReport |
| Compute Engine | GAAPI reference • compute.googleapis.com/Autoscaler• compute.googleapis.com/Address• compute.googleapis.com/GlobalAddress• compute.googleapis.com/BackendBucket• compute.googleapis.com/BackendService• compute.googleapis.com/Commitment• compute.googleapis.com/Disk• compute.googleapis.com/ExternalVpnGateway• compute.googleapis.com/Firewall• compute.googleapis.com/FirewallPolicy• compute.googleapis.com/ForwardingRule• compute.googleapis.com/GlobalForwardingRule• compute.googleapis.com/HealthCheck• compute.googleapis.com/HttpHealthCheck• compute.googleapis.com/HttpsHealthCheck• compute.googleapis.com/Image• compute.googleapis.com/Instance• compute.googleapis.com/InstanceGroup• compute.googleapis.com/InstanceGroupManager• compute.googleapis.com/InstanceTemplate• compute.googleapis.com/Interconnect• compute.googleapis.com/InterconnectAttachment• compute.googleapis.com/License• compute.googleapis.com/Network• compute.googleapis.com/NetworkEndpointGroup• compute.googleapis.com/NodeGroup• compute.googleapis.com/NodeTemplate• compute.googleapis.com/PacketMirroring• compute.googleapis.com/Project• compute.googleapis.com/RegionBackendService• compute.googleapis.com/RegionDisk• compute.googleapis.com/Reservation• compute.googleapis.com/ResourcePolicy• compute.googleapis.com/Route• compute.googleapis.com/Router•
compute.googleapis.com/SecurityPolicy•
compute.googleapis.com/ServiceAttachment•
compute.googleapis.com/Snapshot• compute.googleapis.com/SslCertificate• compute.googleapis.com/SslPolicy• compute.googleapis.com/Subnetwork• compute.googleapis.com/TargetHttpProxy• compute.googleapis.com/TargetHttpsProxy• compute.googleapis.com/TargetInstance• compute.googleapis.com/TargetPool• compute.googleapis.com/TargetTcpProxy• compute.googleapis.com/TargetSslProxy• compute.googleapis.com/TargetVpnGateway• compute.googleapis.com/UrlMap• compute.googleapis.com/VpnGateway• compute.googleapis.com/VpnTunnel |
|
Google Kubernetes Engine Note that networking.k8s.io/Ingress is only supported for Google Kubernetes Engine Cluster Version 1.18 or earlier. Note also that asset change history for networking.k8s.io/Ingress might be incomplete and data freshness can be stale.
|
GAAPI reference• container.googleapis.com/Cluster• container.googleapis.com/NodePoolAPI reference• k8s.io/Node• k8s.io/Pod• k8s.io/Namespace• k8s.io/Service• apps.k8s.io/Deployment• apps.k8s.io/ReplicaSet• rbac.authorization.k8s.io/Role• rbac.authorization.k8s.io/RoleBinding• rbac.authorization.k8s.io/ClusterRole• rbac.authorization.k8s.io/ClusterRoleBinding• networking.k8s.io/NetworkPolicy• batch.k8s.io/Job |
BetaAPI reference• extensions.k8s.io/Ingress• networking.k8s.io/Ingress |
|
| Resource ManagerNote that TagKey, TagValue and TagBinding asset change history might be incomplete, data freshness can be stale for 7+ hours. | GAAPI reference• cloudresourcemanager.googleapis.com/Organization• cloudresourcemanager.googleapis.com/Folder• cloudresourcemanager.googleapis.com/Project• cloudresourcemanager.googleapis.com/TagKey• cloudresourcemanager.googleapis.com/TagValue• cloudresourcemanager.googleapis.com/TagBinding |
| Service UsageNote that Service Usage asset change history might be incomplete, data freshness can be stale for 12+ hours, and the field config in the metadata is not supported yet. | GAAPI reference• serviceusage.googleapis.com/Service |
| Cloud Data Fusion | GAAPI reference• datafusion.googleapis.com/Instance |
| Cloud LoggingNote that Cloud Logging asset change history might be incomplete. Data freshness can be stale for 12+ hours. | GAAPI reference• logging.googleapis.com/LogBucket• logging.googleapis.com/LogMetric• logging.googleapis.com/LogSink |
| Network Management API | GA API reference • networkmanagement.googleapis.com/ConnectivityTest |
| Managed Service for Microsoft Active Directory | GA API reference • managedidentities.googleapis.com/Domain |
| Game Servers | GA API reference • gameservices.googleapis.com/GameServerCluster• gameservices.googleapis.com/Realm• gameservices.googleapis.com/GameServerConfig• gameservices.googleapis.com/GameServerDeployment |
| Dataflow Note that Dataflow asset change history can be incomplete, and data freshness can be stale for 7+ hours. | GA API reference • dataflow.googleapis.com/Job |
| Hub | GA API reference • gkehub.googleapis.com/Membership |
| Secret Manager Note that the location field in the Secret Manager asset does not reflect the replication policy of the Secret. Instead use the replication field to get that information. | GA API reference • secretmanager.googleapis.com/Secret• secretmanager.googleapis.com/SecretVersion |
| Cloud TPU | GA API reference • tpu.googleapis.com/Node |
| Cloud Composer Note that Cloud Composer v1beta1 is supported. The resources in v1beta1 are a superset of those in v1. | Beta API reference • composer.googleapis.com/Environment |
| Filestore |
GAAPI reference• file.googleapis.com/Instance |
BetaAPI reference• file.googleapis.com/Backup |
|
| Service Directory | GA API reference • servicedirectory.googleapis.com/Namespace |
| Assured Workloads | GA API reference • assuredworkloads.googleapis.com/Workload |
| API Gateway | GA API reference • apigateway.googleapis.com/Api• apigateway.googleapis.com/ApiConfig• apigateway.googleapis.com/Gateway |
| App Engine Memcache | GA API reference • memcache.googleapis.com/Instance |
| Document AI | GAAPI reference• documentai.googleapis.com/HumanReviewConfig• documentai.googleapis.com/LabelerPool• documentai.googleapis.com/Processor• documentai.googleapis.com/ProcessorVersion |
| Memorystore for Redis | GA API reference • redis.googleapis.com/Instance |
Vertex AI Note that deployedModels field in Model and Endpoint is not populated. Vertex AI asset change history can be incomplete, and data freshness can be stale for 7+ hours. Some Datasets' metadata (e.g. TABLE data type) could be stale due to an ongoing data issue. |
GA API reference • aiplatform.googleapis.com/BatchPredictionJob• aiplatform.googleapis.com/CustomJob• aiplatform.googleapis.com/DataLabelingJob• aiplatform.googleapis.com/Dataset• aiplatform.googleapis.com/Endpoint• aiplatform.googleapis.com/HyperparameterTuningJob• aiplatform.googleapis.com/MetadataStore• aiplatform.googleapis.com/Model• aiplatform.googleapis.com/ModelDeploymentMonitoringJob• aiplatform.googleapis.com/PipelineJob• aiplatform.googleapis.com/SpecialistPool• aiplatform.googleapis.com/TrainingPipeline |
| Cloud Monitoring | GA API reference • monitoring.googleapis.com/AlertPolicy |
| Serverless VPC Access | GA API reference • vpcaccess.googleapis.com/Connector |
| Service Management Note that Service Management asset change history can be incomplete, data freshness can be stale for 7+ hours. | GA API reference • servicemanagement.googleapis.com/ManagedService |
| Dataproc Metastore | GA API reference • metastore.googleapis.com/Service• metastore.googleapis.com/MetadataImport• metastore.googleapis.com/Backup |
| Cloud Healthcare APINote that Cloud Healthcare API asset change history can be incomplete, data freshness can be stale for 7+ hours. | GAAPI reference• healthcare.googleapis.com/ConsentStore• healthcare.googleapis.com/Dataset• healthcare.googleapis.com/DicomStore• healthcare.googleapis.com/FhirStore• healthcare.googleapis.com/Hl7V2Store |
| Firestore | GA API reference • firestore.googleapis.com/Database |
| Firebase | GA API reference • firebase.googleapis.com/FirebaseProject• firebase.googleapis.com/FirebaseAppInfo |
| Network ConnectivityNote that Network Connectivity Hub.routing_vpcs data freshness can be delayed by several hours. | GAAPI reference• networkconnectivity.googleapis.com/Hub• networkconnectivity.googleapis.com/Spoke |
| Database Migration Service | GAAPI reference
• datamigration.googleapis.com/MigrationJob
• datamigration.googleapis.com/ConnectionProfile |
| Datastream | GAAPI reference• datastream.googleapis.com/ConnectionProfile• datastream.googleapis.com/PrivateConnection• datastream.googleapis.com/Stream |
| Anthos clusters on-premNote that Anthos clusters on-prem metadata is from Confluence, which has no public API. | BetaAPI reference• anthos.googleapis.com/ConnectedCluster |
| Organization Policy Service | GAAPI reference• orgpolicy.googleapis.com/Policy |
Supported policy types
The Cloud Asset API supports the following policy types in Google Cloud:
| Policy | Launch stage/Supported resource |
|---|---|
| IAM | GAAPI reference • All supported resource types aboveThe following IAP resource types:• iap.googleapis.com/Web• iap.googleapis.com/WebType• iap.googleapis.com/WebService• iap.googleapis.com/WebServiceVersion• iap.googleapis.com/Tunnel• iap.googleapis.com/TunnelZone• iap.googleapis.com/TunnelInstance |
| Organization Policy | GAAPI reference• cloudresourcemanager.googleapis.com/Organization• cloudresourcemanager.googleapis.com/Folder• cloudresourcemanager.googleapis.com/Project |
| Access Policy (VPC Service Controls Policy) | GAAPI reference• cloudresourcemanager.googleapis.com/Organization |
Supported runtime information types
The Cloud Asset API supports the following runtime information types in Google Cloud:
| Runtime information | Launch stage/Supported resource |
|---|---|
| OS inventoryProvides information on the operating system, installed packages, and available package updates for an instance. Learn more about OS inventory management. | GA• compute.googleapis.com/Instance |
Supported relationship types
To use relationship types, you must subscribe to Security Command Center at the Premium tier.
These relationship types are supported in the export, list, search and monitor services. The analysis service does not support relationship types.
| Supported asset type | Relationship types |
|---|---|
• compute.googleapis.com/Instance |
INSTANCE_TO_INSTANCEGROUP Represents a relationship from a Compute Engine instance to Compute Engine instance group(s) which provides information about the instance group(s) that an instance is in. INSTANCE_TO_INSTANCEGROUPMANAGER Represents a relationship from a Compute Engine instance to Compute Engine instance group manager(s) which provides information about the instance group manager(s) that an instance is managed by. |
• compute.googleapis.com/InstanceGroup |
INSTANCEGROUP_TO_INSTANCEGROUPMANAGER Represents a relationship from a Compute Engine instance-group to a Compute Engine instance group manager which provides information about the instance group manager that an instance group is managed by. |
• k8s.io/Namespace |
NAMESPACE_TO_CLUSTER Represents a relationship from a Kubernetes namespace to a Google Kubernetes Engine(GKE) cluster which provides information about the GKE cluster that a Kubernetes namespace is in. |
• k8s.io/Node |
NODE_TO_CLUSTER Represents a relationship from a Kubernetes node to a GKE cluster which provides information about the GKE cluster that a Kubernetes node is in. NODE_TO_COMPUTE_INSTANCE Represents a relationship from a Kubernetes node to a Compute Engine instance which provides information about the compute instance that a Kubernetes node is in. |
• appengine.googleapis.com/Service |
SERVICE_TO_APPLICATION Represents a relationship from an App Engine service to an App Engine application which provides information about the App Engine application that a service is in. |
• appengine.googleapis.com/Version |
VERSION_TO_APPLICATION Represents a relationship from an App Engine version to an App Engine application which provides information about the App Engine application that a version is in. VERSION_TO_SERVICE Represents a relationship from an App Engine version to an App Engine service which provides information about the App Engine service that a version is in. |
Searchable asset types
The following asset types are supported by the Search Assets APIs:
Analyzable asset types
The following asset types are supported by the Asset Analysis APIs: