Viewing VM Manager data

This topic shows you how to configure Cloud Asset Inventory and VM Manager's OS inventory so that you can view the runtime information of your VMs.

Before you begin

Before you begin, complete the following steps.

  1. Enable the Cloud Asset Inventory API on the project where you'll be running the API commands.


  2. Configure the permissions that are required to call the Cloud Asset Inventory API using either the gcloud CLI or the API.

  3. Complete the following steps to set up your environment.

    gcloud CLI

    To set up your environment to use the gcloud CLI to call the Cloud Asset Inventory API, install the Google Cloud CLI on your local client.

    REST

    To set up your environment to call the Cloud Asset Inventory API with the curl command, complete the following steps.

    1. Confirm that you have access to the curl command.

    2. Ensure that you grant your account one of the following roles on your project, folder, or organization.

      • Cloud Asset Viewer role (roles/cloudasset.viewer)

      • Owner basic role (roles/owner)

Enabling OS inventory

To enable OS inventory, which is part of the VM Manager suite, complete the relevant steps in Set up VM Manager.

Setting permissions

Ensure that your account has the cloudasset.assets.exportOSInventories permission on the root resource that contains the assets you want to export. You can grant this permission individually, or you can grant one of the following roles on the root resource.

  • Cloud Asset Viewer (roles/cloudasset.viewer) role

  • Cloud Asset Owner (roles/cloudasset.owner) role

Learn more about configuring permissions and Cloud Asset Inventory IAM roles.

Exporting VM Manager data to BigQuery

To export an OS inventory snapshot at a given timestamp, use the following command.

gcloud

Projects

gcloud asset export \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID \
    --content-type=os-inventory \
    --snapshot-time="SNAPSHOT_TIME" \
    --bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
    --output-bigquery-force

Provide the following values:

  • PROJECT_ID: The ID of the project whose metadata is being exported.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • SNAPSHOT_TIME: Optional. The time at which you want to take a snapshot of your assets. The value must be the current time or a time in the past. By default, a snapshot is taken at the current time. For information on time formats, see gcloud topic datetimes.

  • DATASET_ID: The ID of the BigQuery dataset.

  • TABLE_NAME: The table to which you're exporting your metadata.

Other flags:

  • --output-bigquery-force: Overwrites the destination table if it exists.

Folders

gcloud asset export \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID \
    --content-type=os-inventory \
    --snapshot-time="SNAPSHOT_TIME" \
    --bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
    --output-bigquery-force

Provide the following values:

  • FOLDER_ID: The ID of the folder whose metadata is being exported.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.


    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
        --organization=$(gcloud organizations describe ORGANIZATION_NAME \
          --format="value(name.segment(1))") \
        --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
        --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • SNAPSHOT_TIME: Optional. The time at which you want to take a snapshot of your assets. The value must be the current time or a time in the past. By default, a snapshot is taken at the current time. For information on time formats, see gcloud topic datetimes.

  • DATASET_ID: The ID of the BigQuery dataset.

  • TABLE_NAME: The table to which you're exporting your metadata.

Other flags:

  • --output-bigquery-force: Overwrites the destination table if it exists.

Organizations

gcloud asset export \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID \
    --content-type=os-inventory \
    --snapshot-time="SNAPSHOT_TIME" \
    --bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
    --output-bigquery-force

Provide the following values:

  • ORGANIZATION_ID: The ID of the organization whose metadata is being exported.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.


    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • SNAPSHOT_TIME: Optional. The time at which you want to take a snapshot of your assets. The value must be the current time or a time in the past. By default, a snapshot is taken at the current time. For information on time formats, see gcloud topic datetimes.

  • DATASET_ID: The ID of the BigQuery dataset.

  • TABLE_NAME: The table to which you're exporting your metadata.

Other flags:

  • --output-bigquery-force: Overwrites the destination table if it exists.

REST

curl -X POST \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "contentType": "OS_INVENTORY",
          "readTime": "SNAPSHOT_TIME",
          "outputConfig": {
            "bigqueryDestination": {
              "dataset": "projects/PROJECT_ID/datasets/DATASET_ID",
              "table": "TABLE_NAME",
              "force": true
            }
          }
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE:exportAssets

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • SNAPSHOT_TIME: Optional. The time at which you want to take a snapshot of your assets, in RFC 3339 format. The value must be the current time or a time no more than 35 days in the past. When not provided, a snapshot is taken at the current time.

  • PROJECT_ID: The ID of the project that the BigQuery table is in.

  • DATASET_ID: The ID of the BigQuery dataset.

  • TABLE_NAME: The table to which you're exporting your metadata.

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.


      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.


      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
          --organization=$(gcloud organizations describe ORGANIZATION_NAME \
            --format="value(name.segment(1))") \
          --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
          --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.


      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

To export VM Manager vulnerability reports from a project to BigQuery, use the following command.

gcloud

Projects

gcloud asset export \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=osconfig.googleapis.com/VulnerabilityReport \
    --content-type=resource \
    --bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
    --output-bigquery-force

Provide the following values:

  • PROJECT_ID: The ID of the project whose metadata is being exported.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • DATASET_ID: The ID of the BigQuery dataset.

  • TABLE_NAME: The table to which you're exporting your metadata.

Other flags:

  • --output-bigquery-force: Overwrites the destination table if it exists.

Folders

gcloud asset export \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=osconfig.googleapis.com/VulnerabilityReport \
    --content-type=resource \
    --bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
    --output-bigquery-force

Provide the following values:

  • FOLDER_ID: The ID of the folder whose metadata is being exported.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.


    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
        --organization=$(gcloud organizations describe ORGANIZATION_NAME \
          --format="value(name.segment(1))") \
        --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
        --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • DATASET_ID: The ID of the BigQuery dataset.

  • TABLE_NAME: The table to which you're exporting your metadata.

Other flags:

  • --output-bigquery-force: Overwrites the destination table if it exists.

Organizations

gcloud asset export \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=osconfig.googleapis.com/VulnerabilityReport \
    --content-type=resource \
    --bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
    --output-bigquery-force

Provide the following values:

  • ORGANIZATION_ID: The ID of the organization whose metadata is being exported.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.


    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • DATASET_ID: The ID of the BigQuery dataset.

  • TABLE_NAME: The table to which you're exporting your metadata.

Other flags:

  • --output-bigquery-force: Overwrites the destination table if it exists.

REST

curl -X POST \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "assetTypes": ["osconfig.googleapis.com/VulnerabilityReport"],
          "contentType": "RESOURCE",
          "outputConfig": {
            "bigqueryDestination": {
              "dataset": "projects/PROJECT_ID/datasets/DATASET_ID",
              "table": "TABLE_NAME",
              "force": true
            }
          }
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE:exportAssets

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • PROJECT_ID: The ID of the project that the BigQuery table is in.

  • DATASET_ID: The ID of the BigQuery dataset.

  • TABLE_NAME: The table to which you're exporting your metadata.

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.


      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.


      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
          --organization=$(gcloud organizations describe ORGANIZATION_NAME \
            --format="value(name.segment(1))") \
          --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
          --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.


      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

Other parameters:

  • "force": true: Overwrites the destination table if it exists.

Existing tables

Appending the export output to an existing table is not supported. The destination table must be empty or you must overwrite it. To overwrite it, use the --output-bigquery-force flag with the gcloud CLI, or use force with the REST API.

If the output table is in use when you try to write to it, a 400 response is returned with the message Request contains an invalid argument.
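The constraints stated above (allowed SCOPE forms, an RFC 3339 readTime no more than 35 days old, and force being the only way to write to a non-empty table) can be checked before a request is sent. The following is an added example, not part of the original documentation; the function names are hypothetical, the ID patterns are deliberately loose assumptions, and it also covers the Cloud Storage destination described later on this page. It only builds the URL and JSON body for exportAssets and sends nothing.

```python
"""Build and validate a Cloud Asset Inventory exportAssets request body.

Added example: helper names are hypothetical and no network call is made.
"""
import json
import re
from datetime import datetime, timedelta, timezone

API_ROOT = "https://cloudasset.googleapis.com/v1"
VULN_REPORT_TYPE = "osconfig.googleapis.com/VulnerabilityReport"
MAX_SNAPSHOT_AGE = timedelta(days=35)  # REST limit stated for SNAPSHOT_TIME

# SCOPE forms listed on the page. The character classes are assumptions,
# kept loose on purpose; the API remains the authority on valid IDs.
_SCOPE_RE = re.compile(
    r"^(projects/[a-z0-9][a-z0-9.:\-]*|folders/\d+|organizations/\d+)$"
)
# gcloud takes one combined table path; REST wants dataset and table apart.
_BQ_TABLE_RE = re.compile(r"^(projects/[^/]+/datasets/[^/]+)/tables/([^/]+)$")


def normalize_read_time(read_time, now=None):
    """Return read_time as a UTC RFC 3339 string, or raise ValueError."""
    now = now or datetime.now(timezone.utc)
    try:
        parsed = datetime.fromisoformat(read_time.replace("Z", "+00:00"))
    except ValueError as exc:
        raise ValueError(f"readTime is not RFC 3339: {read_time!r}") from exc
    if parsed.tzinfo is None:
        raise ValueError("readTime needs an explicit UTC offset or 'Z'")
    parsed = parsed.astimezone(timezone.utc)
    if parsed > now:
        raise ValueError("readTime is in the future")
    if now - parsed > MAX_SNAPSHOT_AGE:
        raise ValueError("readTime is more than 35 days in the past")
    return parsed.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_output_config(destination, force=False):
    """Map a gs:// URI or a BigQuery table path to an outputConfig object."""
    if destination.startswith("gs://"):
        if force:
            raise ValueError("force applies only to BigQuery destinations")
        if not re.match(r"^gs://[^/]+/.+", destination):
            raise ValueError("expected gs://BUCKET_NAME/FILENAME")
        return {"gcsDestination": {"uri": destination}}
    match = _BQ_TABLE_RE.match(destination)
    if not match:
        raise ValueError(
            "expected gs://BUCKET_NAME/FILENAME or "
            "projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME"
        )
    # force defaults to False so that overwriting a table is always explicit.
    return {
        "bigqueryDestination": {
            "dataset": match.group(1),
            "table": match.group(2),
            "force": force,
        }
    }


def build_export_request(scope, kind, destination,
                         read_time=None, force=False, now=None):
    """Return (url, body) for an exportAssets call of the given kind."""
    if not _SCOPE_RE.match(scope):
        raise ValueError(f"SCOPE must be projects/, folders/ or organizations/: {scope!r}")
    if kind == "os-inventory":
        body = {"contentType": "OS_INVENTORY"}
    elif kind == "vulnerability-report":
        body = {"assetTypes": [VULN_REPORT_TYPE], "contentType": "RESOURCE"}
    else:
        raise ValueError(f"unknown export kind: {kind!r}")
    if read_time is not None:
        body["readTime"] = normalize_read_time(read_time, now)
    body["outputConfig"] = build_output_config(destination, force)
    return f"{API_ROOT}/{scope}:exportAssets", body


if __name__ == "__main__":
    # Constructed sample values; replace them with your own IDs.
    url, body = build_export_request(
        "folders/123456789012",
        "vulnerability-report",
        "projects/example-project/datasets/vm_manager/tables/vuln_reports",
        force=True,
    )
    print(url)
    print(json.dumps(body, indent=2))
```

The printed body can be passed to the curl command's -d option unchanged.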

Exporting VM Manager data to Cloud Storage

To export the VM Manager inventory data for all VM instances in a project, use the following gcloud CLI command or the Cloud Asset Inventory API.

gcloud

Projects

gcloud asset export \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID \
    --content-type=os-inventory \
    --output-path="gs://BUCKET_NAME/FILENAME"

Provide the following values:

  • PROJECT_ID: The ID of the project whose metadata is being exported.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • BUCKET_NAME: The name of the Cloud Storage bucket to write to.

  • FILENAME: The file in your Cloud Storage bucket to write to.

Folders

gcloud asset export \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID \
    --content-type=os-inventory \
    --output-path="gs://BUCKET_NAME/FILENAME"

Provide the following values:

  • FOLDER_ID: The ID of the folder whose metadata is being exported.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.


    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
        --organization=$(gcloud organizations describe ORGANIZATION_NAME \
          --format="value(name.segment(1))") \
        --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
        --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • BUCKET_NAME: The name of the Cloud Storage bucket to write to.

  • FILENAME: The file in your Cloud Storage bucket to write to.

Organizations

gcloud asset export \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID \
    --content-type=os-inventory \
    --output-path="gs://BUCKET_NAME/FILENAME"

Provide the following values:

  • ORGANIZATION_ID: The ID of the organization whose metadata is being exported.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.


    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • BUCKET_NAME: The name of the Cloud Storage bucket to write to.

  • FILENAME: The file in your Cloud Storage bucket to write to.

REST

curl -X POST \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "contentType": "OS_INVENTORY",
          "outputConfig": {
            "gcsDestination": {
              "uri": "gs://BUCKET_NAME/FILENAME"
            }
          }
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE:exportAssets

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • BUCKET_NAME: The name of the Cloud Storage bucket to write to.

  • FILENAME: The file in your Cloud Storage bucket to write to.

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.


      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.


      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
          --organization=$(gcloud organizations describe ORGANIZATION_NAME \
            --format="value(name.segment(1))") \
          --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
          --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.


      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

To export VM Manager vulnerability reports from a project to Cloud Storage, use the following gcloud CLI command or the Cloud Asset Inventory API.

gcloud

Projects

gcloud asset export \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=osconfig.googleapis.com/VulnerabilityReport \
    --content-type=resource \
    --output-path="gs://BUCKET_NAME/FILENAME"

Provide the following values:

  • PROJECT_ID: The ID of the project whose metadata is being exported.

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • BUCKET_NAME: The name of the Cloud Storage bucket to write to.

  • FILENAME: The file in your Cloud Storage bucket to write to.

Folders

gcloud asset export \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=osconfig.googleapis.com/VulnerabilityReport \
    --content-type=resource \
    --output-path="gs://BUCKET_NAME/FILENAME"

Provide the following values:

  • FOLDER_ID: The ID of the folder whose metadata is being exported.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.


    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
        --organization=$(gcloud organizations describe ORGANIZATION_NAME \
          --format="value(name.segment(1))") \
        --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
        --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • BUCKET_NAME: The name of the Cloud Storage bucket to write to.

  • FILENAME: The file in your Cloud Storage bucket to write to.

Organizations

gcloud asset export \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=osconfig.googleapis.com/VulnerabilityReport \
    --content-type=resource \
    --output-path="gs://BUCKET_NAME/FILENAME"

Provide the following values:

  • ORGANIZATION_ID: The ID of the organization whose metadata is being exported.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.


    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • BUCKET_NAME: The name of the Cloud Storage bucket to write to.

  • FILENAME: The file in your Cloud Storage bucket to write to.

REST

curl -X POST \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "assetTypes": ["osconfig.googleapis.com/VulnerabilityReport"],
          "contentType": "RESOURCE",
          "outputConfig": {
            "gcsDestination": {
              "uri": "gs://BUCKET_NAME/FILENAME"
            }
          }
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE:exportAssets

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The ID of the project that contains the default Cloud Asset Inventory service agent with permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project with gcloud config set project. Read more about billing projects.

  • BUCKET_NAME: The name of the Cloud Storage bucket to write to.

  • FILENAME: The file in your Cloud Storage bucket to write to.

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
          --organization=$(gcloud organizations describe ORGANIZATION_NAME \
            --format="value(name.segment(1))") \
          --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
          --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

Existing files

If the output file is in use when you try to write to a storage bucket, a 400 response is returned with the message Request contains an invalid argument.

Getting VM Manager data history

To get the history of all OS inventory assets for a specified VM instance in a project, folder, or organization, run the following commands.

gcloud

Projects

gcloud asset get-history \
    --project=PROJECT_ID \
    --asset-names=//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME \
    --content-type=os-inventory \
    --start-time="START_TIME" \
    --end-time="END_TIME"

Provide the following values:

  • PROJECT_ID: The ID of the project where the VM instance is located.

  • ZONE: The zone your VM instance is in. For example, us-central1-a.

  • VM_INSTANCE_NAME: The name of your VM instance.

  • START_TIME: Optional. The beginning of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. For information on time formats, see gcloud topic datetimes.

  • END_TIME: Optional. The finishing point of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. When not provided, the end time is assumed to be the current time. For information on time formats, see gcloud topic datetimes.

To get the history of VM Manager vulnerability data for a specific VM in a project, run the following command:

gcloud asset get-history \
    --project=PROJECT_ID \
    --asset-names=//osconfig.googleapis.com/projects/PROJECT_NUMBER/locations/ZONE/instances/VM_INSTANCE_ID/vulnerabilityReport \
    --content-type=resource \
    --start-time="START_TIME" \
    --end-time="END_TIME"

Folders

gcloud asset get-history \
    --folder=FOLDER_ID \
    --asset-names=//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME \
    --content-type=os-inventory \
    --start-time="START_TIME" \
    --end-time="END_TIME"

Provide the following values:

  • FOLDER_ID: The ID of the folder where the VM instance is located.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
        --organization=$(gcloud organizations describe ORGANIZATION_NAME \
          --format="value(name.segment(1))") \
        --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
        --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • ZONE: The zone your VM instance is in. For example, us-central1-a.

  • VM_INSTANCE_NAME: The name of your VM instance.

  • START_TIME: Optional. The beginning of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. For information on time formats, see gcloud topic datetimes.

  • END_TIME: Optional. The finishing point of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. When not provided, the end time is assumed to be the current time. For information on time formats, see gcloud topic datetimes.

To get the history of VM Manager vulnerability data for a specific VM in a project, run the following command:

gcloud asset get-history \
    --folder=FOLDER_ID \
    --asset-names=//osconfig.googleapis.com/projects/PROJECT_NUMBER/locations/ZONE/instances/VM_INSTANCE_ID/vulnerabilityReport \
    --content-type=resource \
    --start-time="START_TIME" \
    --end-time="END_TIME"

Organizations

gcloud asset get-history \
    --organization=ORGANIZATION_ID \
    --asset-names=//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME \
    --content-type=os-inventory \
    --start-time="START_TIME" \
    --end-time="END_TIME"

Provide the following values:

  • ORGANIZATION_ID: The ID of the organization where the VM instance is located.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • ZONE: The zone your VM instance is in. For example, us-central1-a.

  • VM_INSTANCE_NAME: The name of your VM instance.

  • START_TIME: Optional. The beginning of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. For information on time formats, see gcloud topic datetimes.

  • END_TIME: Optional. The finishing point of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. When not provided, the end time is assumed to be the current time. For information on time formats, see gcloud topic datetimes.

To get the history of VM Manager vulnerability data for a specific VM in a project, run the following command:

gcloud asset get-history \
    --organization=ORGANIZATION_ID \
    --asset-names=//osconfig.googleapis.com/projects/PROJECT_NUMBER/locations/ZONE/instances/VM_INSTANCE_ID/vulnerabilityReport \
    --content-type=resource \
    --start-time="START_TIME" \
    --end-time="END_TIME"

REST

To get the history of all OS inventory assets for a specified VM instance in a project, run the following command:

curl -X POST \
     -H "X-HTTP-Method-Override: GET" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "assetNames": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
          "contentType": "OS_INVENTORY",
          "readTimeWindow": {
            "startTime": "START_TIME",
            "endTime": "END_TIME"
          }
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE:batchGetAssetsHistory

Provide the following values:

  • PROJECT_ID: The ID of the project where the VM instance is located.

  • ZONE: The zone your VM instance is in. For example, us-central1-a.

  • VM_INSTANCE_NAME: The name of your VM instance.

  • START_TIME: Optional. The beginning of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. For information on time formats, see gcloud topic datetimes.

  • END_TIME: Optional. The finishing point of the time range. The maximum time range is 7 days. The value must be the current time or a time no more than 35 days in the past. When not provided, the end time is assumed to be the current time. For information on time formats, see gcloud topic datetimes.

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
          --organization=$(gcloud organizations describe ORGANIZATION_NAME \
            --format="value(name.segment(1))") \
          --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
          --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

To get the history of VM Manager vulnerability data for a specific VM in a project, run the following command:

curl -X POST \
     -H "X-HTTP-Method-Override: GET" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "assetNames": "//osconfig.googleapis.com/projects/PROJECT_ID/locations/ZONE/instances/VM_INSTANCE_NAME/vulnerabilityReport",
          "contentType": "RESOURCE",
          "readTimeWindow": {
            "startTime": "START_TIME",
            "endTime": "END_TIME"
          }
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE:batchGetAssetsHistory
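
An added example (not from the original page and not Google's code) that turns the START_TIME and END_TIME limits above into a request plan: it validates SCOPE, splits a longer lookback into windows of at most 7 days inside the 35-day history, and builds one batchGetAssetsHistory body per window. Function names are hypothetical, and the RFC 3339 UTC timestamp format in the JSON body is an assumption.

```python
import json
import re
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(days=7)     # page: "The maximum time range is 7 days."
MAX_LOOKBACK = timedelta(days=35)  # page: "no more than 35 days in the past"
# SCOPE forms the page allows; folder and organization IDs are numeric.
SCOPE_RE = re.compile(r"^(projects/[^/\s]+|folders/\d+|organizations/\d+)$")
CONTENT_TYPES = {"OS_INVENTORY", "RESOURCE"}  # the two used on this page


def plan_windows(start, end=None, now=None):
    """Split [start, end] into consecutive windows of at most 7 days."""
    now = now or datetime.now(timezone.utc)
    end = end or now  # page: a missing END_TIME means the current time
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    if end > now:
        raise ValueError("END_TIME is in the future")
    if start >= end:
        raise ValueError("START_TIME must be earlier than END_TIME")
    if now - start > MAX_LOOKBACK:
        raise ValueError("START_TIME is more than 35 days in the past")
    windows, cursor = [], start
    while cursor < end:
        stop = min(cursor + MAX_WINDOW, end)
        # Adjacent windows share a boundary instant, so a consumer that merges
        # the responses should de-duplicate snapshots on that boundary.
        windows.append((cursor, stop))
        cursor = stop
    return windows


def rfc3339(ts):
    """Format a datetime as a UTC RFC 3339 string (assumed body format)."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def history_requests(scope, asset_name, content_type, start, end=None, now=None):
    """Return one (url, body) pair per window for batchGetAssetsHistory."""
    if not SCOPE_RE.match(scope):
        raise ValueError(f"unsupported SCOPE: {scope!r}")
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"unexpected contentType: {content_type!r}")
    url = f"https://cloudasset.googleapis.com/v1/{scope}:batchGetAssetsHistory"
    return [
        (url, {
            "assetNames": asset_name,  # same shape as the page's request body
            "contentType": content_type,
            "readTimeWindow": {"startTime": rfc3339(a), "endTime": rfc3339(b)},
        })
        for a, b in plan_windows(start, end, now)
    ]


if __name__ == "__main__":
    # Constructed values: a fixed "now" and placeholder resource names.
    now = datetime(2024, 3, 31, 12, 0, tzinfo=timezone.utc)
    vm = ("//compute.googleapis.com/projects/PROJECT_ID/zones/"
          "us-central1-a/instances/VM_INSTANCE_NAME")
    plan = history_requests("projects/PROJECT_ID", vm, "OS_INVENTORY",
                            now - timedelta(days=30), now=now)
    for url, body in plan:
        print(url, json.dumps(body))
```

Each body can be sent with the curl command shown above, one request per window.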

Monitoring VM Manager data changes with Pub/Sub

After creating a Pub/Sub topic, run the following commands to monitor VM Manager changes.

gcloud

Projects

To create a feed for monitoring VMs with Windows OS installed, run the following command:

gcloud asset feeds create FEED_ID \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=compute.googleapis.com/Instance \
    --content-type=os-inventory \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --condition-title="CONDITION_TITLE" \
    --condition-description="CONDITION_DESCRIPTION" \
    --condition-expression="temporal_asset.asset.os_inventory.os_info.short_name == \"windows\""

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • PROJECT_ID: The ID of the project whose metadata is being sent to the feed.

  • BILLING_PROJECT_ID: Optional. The ID of the project that contains the default Cloud Asset Inventory service agent with permissions to manage your Pub/Sub topic. Read more about billing projects.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • CONDITION_TITLE: Optional. The title of the condition to apply to the feed.

  • CONDITION_DESCRIPTION: Optional. The description of the condition to apply to the feed.

To create a feed for monitoring the VM vulnerability data in a project, run the following command:

gcloud asset feeds create FEED_ID \
    --project=PROJECT_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=osconfig.googleapis.com/VulnerabilityReport \
    --content-type=resource \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID"

Folders

To create a feed for monitoring VMs with Windows OS installed, run the following command:

gcloud asset feeds create FEED_ID \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=compute.googleapis.com/Instance \
    --content-type=os-inventory \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --condition-title="CONDITION_TITLE" \
    --condition-description="CONDITION_DESCRIPTION" \
    --condition-expression="temporal_asset.asset.os_inventory.os_info.short_name == \"windows\""

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • FOLDER_ID: The ID of the folder whose metadata is being sent to the feed.

    How to find a Google Cloud folder ID

    Console

    To find a Google Cloud folder ID, complete the following steps:

    1. Go to the Google Cloud console.

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Search for your folder name. The folder ID is shown next to the folder name.

    gcloud CLI

    You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

    gcloud resource-manager folders list \
        --organization=$(gcloud organizations describe ORGANIZATION_NAME \
          --format="value(name.segment(1))") \
        --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
        --format="value(ID)"

    Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

    To get the ID of a folder within another folder, list the subfolders:

    gcloud resource-manager folders list --folder=FOLDER_ID

  • BILLING_PROJECT_ID: Optional. The ID of the project that contains the default Cloud Asset Inventory service agent with permissions to manage your Pub/Sub topic. Read more about billing projects.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • CONDITION_TITLE: Optional. The title of the condition to apply to the feed.

  • CONDITION_DESCRIPTION: Optional. The description of the condition to apply to the feed.

To create a feed for monitoring the VM vulnerability data in a folder, run the following command:

gcloud asset feeds create FEED_ID \
    --folder=FOLDER_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=osconfig.googleapis.com/VulnerabilityReport \
    --content-type=resource \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID"

Organizations

To create a feed for monitoring VMs with Windows OS installed, run the following command:

gcloud asset feeds create FEED_ID \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=compute.googleapis.com/Instance \
    --content-type=os-inventory \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
    --condition-title="CONDITION_TITLE" \
    --condition-description="CONDITION_DESCRIPTION" \
    --condition-expression="temporal_asset.asset.os_inventory.os_info.short_name == \"windows\""

Provide the following values:

  • FEED_ID: A unique asset feed identifier.

  • ORGANIZATION_ID: The ID of the organization whose metadata is being sent to the feed.

    How to find a Google Cloud organization ID

    Console

    To find a Google Cloud organization ID, complete the following steps:

    1. Go to the Google Cloud console.

    2. Click the switcher box in the menu bar.
    3. Click the Select from box, and then select your organization.
    4. Click the All tab. The organization ID is shown next to the organization name.

    gcloud CLI

    You can retrieve a Google Cloud organization ID with the following command:

    gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

  • BILLING_PROJECT_ID: Optional. The ID of the project that contains the default Cloud Asset Inventory service agent with permissions to manage your Pub/Sub topic. Read more about billing projects.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • CONDITION_TITLE: Optional. The title of the condition to apply to the feed.

  • CONDITION_DESCRIPTION: Optional. The description of the condition to apply to the feed.

To create a feed for monitoring the VM vulnerability data in an organization, run the following command:

gcloud asset feeds create FEED_ID \
    --organization=ORGANIZATION_ID \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=osconfig.googleapis.com/VulnerabilityReport \
    --content-type=resource \
    --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID"

REST

To create a feed for monitoring VMs with Windows OS installed, run the following command:

curl -X POST \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "feedId": "FEED_ID",
          "feed": {
            "assetTypes": ["compute.googleapis.com/Instance"],
            "contentType": "OS_INVENTORY",
            "feedOutputConfig": {
              "pubsubDestination": {
                "topic": "projects/PROJECT_ID/topics/TOPIC_ID"
              }
            },
            "condition": {
              "title": "CONDITION_TITLE",
              "description": "CONDITION_DESCRIPTION",
              "expression": "temporal_asset.asset.os_inventory.os_info.short_name == \"windows\""
            }
          }
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE/feeds

Provide the following values:

  • BILLING_PROJECT_ID: Optional. The ID of the project that contains the default Cloud Asset Inventory service agent with permissions to manage your Pub/Sub topic. Read more about billing projects.

  • FEED_ID: A unique asset feed identifier.

  • PROJECT_ID: The ID of the project where the Pub/Sub topic is located.

  • TOPIC_ID: The ID of the Pub/Sub topic to publish notifications to.

  • CONDITION_TITLE: Optional. The title of the condition to apply to the feed.

  • CONDITION_DESCRIPTION: Optional. The description of the condition to apply to the feed.

  • SCOPE: A scope can be a project, a folder, or an organization.

    The allowed values are:

    • projects/PROJECT_ID

    • projects/PROJECT_NUMBER

      How to find a Google Cloud project number

      Console

      To find a Google Cloud project number, complete the following steps:

      1. Go to the Dashboard page in the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Select your organization from the Select from box, and then search for your project name.
      4. Click the project name to switch to that project. The project number is shown in the Project info card.

      gcloud CLI

      You can retrieve a Google Cloud project number with the following command:

      gcloud projects describe PROJECT_ID --format="value(projectNumber)"

    • folders/FOLDER_ID

      How to find a Google Cloud folder ID

      Console

      To find a Google Cloud folder ID, complete the following steps:

      1. Go to the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Search for your folder name. The folder ID is shown next to the folder name.

      gcloud CLI

      You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:

      gcloud resource-manager folders list \
          --organization=$(gcloud organizations describe ORGANIZATION_NAME \
            --format="value(name.segment(1))") \
          --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
          --format="value(ID)"

      Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the --format option to see further information about the found folders.

      To get the ID of a folder within another folder, list the subfolders:

      gcloud resource-manager folders list --folder=FOLDER_ID

    • organizations/ORGANIZATION_ID

      How to find a Google Cloud organization ID

      Console

      To find a Google Cloud organization ID, complete the following steps:

      1. Go to the Google Cloud console.

      2. Click the switcher box in the menu bar.
      3. Click the Select from box, and then select your organization.
      4. Click the All tab. The organization ID is shown next to the organization name.

      gcloud CLI

      You can retrieve a Google Cloud organization ID with the following command:

      gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"

To create a feed for monitoring the VM vulnerability data, run the following command:

curl -X POST \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     -d '{
          "feedId": "FEED_ID",
          "feed": {
            "assetTypes": ["osconfig.googleapis.com/VulnerabilityReport"],
            "contentType": "RESOURCE",
            "feedOutputConfig": {
              "pubsubDestination": {
                "topic": "projects/PROJECT_ID/topics/TOPIC_ID"
              }
            }
          }
         }' \
     https://cloudasset.googleapis.com/v1/SCOPE/feeds

See Monitoring asset changes for more details.
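
An added example (not part of the original page and not Google's code) of a consumer for the vulnerability feed created above: it decodes a Pub/Sub push envelope and reports the CVEs that are new since the prior snapshot. The message layout (asset, priorAsset, deleted) and the report fields (details.cve, details.cvssV3.baseScore) are assumptions the page does not show; function names and all sample values, including the CVE identifiers, are constructed placeholders.

```python
import base64
import json

VULN_TYPE = "osconfig.googleapis.com/VulnerabilityReport"


def cve_scores(asset):
    """Map CVE id -> CVSS v3 base score for one asset snapshot (may be None)."""
    data = ((asset or {}).get("resource") or {}).get("data") or {}
    scores = {}
    for vuln in data.get("vulnerabilities", []):
        details = vuln.get("details", {})
        if details.get("cve"):
            base = details.get("cvssV3", {}).get("baseScore", 0.0)
            scores[details["cve"]] = float(base)
    return scores


def triage(envelope, min_score=7.0):
    """Diff one feed notification against its prior state.

    Returns None for other asset types, otherwise a dict naming the report,
    the CVEs that are new at or above min_score, and the CVEs no longer listed.
    """
    change = json.loads(base64.b64decode(envelope["message"]["data"]))
    asset = change.get("asset", {})
    if asset.get("assetType") != VULN_TYPE:
        return None
    result = {"report": asset.get("name"), "deleted": bool(change.get("deleted")),
              "new": [], "resolved": []}
    if result["deleted"]:
        # A deleted report means lost visibility, not remediation, so nothing
        # is marked resolved; the caller should follow up on the VM instead.
        return result
    before = cve_scores(change.get("priorAsset"))  # empty when no prior state
    after = cve_scores(asset)
    result["new"] = sorted((cve, score) for cve, score in after.items()
                           if cve not in before and score >= min_score)
    result["resolved"] = sorted(set(before) - set(after))
    return result


def sample_envelope():
    """Constructed push envelope; every identifier here is a placeholder."""
    name = ("//osconfig.googleapis.com/projects/000000000000/locations/"
            "us-central1-a/instances/1111111111/vulnerabilityReport")

    def snapshot(findings):
        return {"name": name, "assetType": VULN_TYPE,
                "resource": {"data": {"vulnerabilities": [
                    {"details": {"cve": cve, "cvssV3": {"baseScore": score}}}
                    for cve, score in findings]}}}

    change = {
        "asset": snapshot([("CVE-0000-0001", 9.8), ("CVE-0000-0003", 4.3),
                           ("CVE-0000-0004", 7.5)]),
        "priorAsset": snapshot([("CVE-0000-0002", 8.1), ("CVE-0000-0004", 7.5)]),
        "priorAssetState": "PRESENT",
        "window": {"startTime": "2024-03-01T12:00:00Z"},
    }
    data = base64.b64encode(json.dumps(change).encode()).decode()
    return {"message": {"data": data, "messageId": "1"},
            "subscription": "projects/PROJECT_ID/subscriptions/SUBSCRIPTION_ID"}


if __name__ == "__main__":
    print(json.dumps(triage(sample_envelope()), indent=2))
```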