Management Tools

Gain insights about your GCP resources with asset inventory

If you’re responsible for managing your organization’s cloud resources, you have lots of questions. Questions like, “How many total Compute Engine VMs is my company using?” “What are all the IAM policies in my organization?” What were our network configurations a week ago?” and “What changes have there been to my firewalls since yesterday?”

In the past getting answers to these questions was non-trivial. You had to write scripts to enumerate through hundreds of projects, thousands of VMs or comb through your audit logs. Today we are happy to announce asset inventory in beta. With asset inventory, you get an org-wide snapshot of your inventory for a wide variety of GCP resources and policies with a single API call. The snapshot can then be used by automation tools for monitoring or policy enforcement, or be archived for compliance auditing. If you want to analyze changes to the assets, asset inventory also supports exporting metadata history.

In this release, asset inventory supports the following GCP assets, with more on the way:

  • Cloud Resource Manager organizations, folders, and  projects

  • App Engine applications, services, versions

  • GCP billing accounts

  • Cloud Storage buckets

  • Compute Engine instances/instance groups/instance templates,

  • Networks / subnetworks, firewalls

  • Other Compute Engine resources: disks, UrlMaps, autoscalers, BackendBuckets, BackendServices, HealthChecks, Images, Licenses, Snapshots, SslCertificates, Target Http/Https Proxies, Target Instances / Pools, Target Tcp/SSL Proxies, Target VPN Gateways

  • Cloud DNS Managed Zones, Cloud DNS Policies

  • And the IAM policies associated with these resources

This information is invaluable for organizations with large and complex GCP deployments. French transnational corporation Veolia, for example, is an early adopter of asset inventory, and sees a lot of potential in how it will help them track and manage their deployments.

Asset inventory provides deep and detailed information on resource metadata that will enable us to better analyze our GCP assets and automate operations Antoine Castex
Cloud Developer & Product Manager, Veolia

Getting started with asset inventory

The asset inventory API is built on HTTP and JSON, so any standard HTTP client can send requests to it and parse the responses. Here are some quick examples of how to use asset inventory to derive resource insights (see how to page for full instructions).

First, let’s check out what all resources under my organization. All you need is a single command, and no customized scripts. The command below exports all resources into a newline-delimited JSON file, in which each line corresponds to asset metadata.

  curl -H "[your-authentication-token]" -H "Content-Type: application/json"
     -d '{"outputConfig":{"gcsDestination":{"uri":"gs://[your-gcs-file]"}}}' https://cloudasset.googleapis.com/v1beta1/organizations/[your-organization-number]:exportAssets

Here’s how to see the IAM policies on a Cloud Storage bucket:

  curl -H "[your-authentication-token]" -H "Content-Type: application/json"
     -d '{"contentTypes":"IAM_POLICY", “assetTypes”:[“google.storage.Bucket”],
"outputConfig":{"gcsDestination":{"uri":"gs://[your-gcs-file]"}}}' https://cloudasset.googleapis.com/v1beta1/organizations/[your-organization-number]:exportAssets

Now, let’s see the IAM policy change history for a Cloud Storage bucket since yesterday. Use the following command:

  curl -H "[your-authentication-token]" -H "Content-Type: application/json"
     -d '{"contentTypes":"IAM_POLICY", “assetNames”:[“//storage.googleapis.com/[your-bucket-name]”], “readTimeWindow”:{“startTime”: [yesterday-timestamp]}' https://cloudasset.googleapis.com/v1beta1/organizations/[your-organization-number]:batchGetAssetHistory

These are just some examples of the things that you can do with asset inventory. For more information, check out the getting started page.

Third-party tools like the open-source Forseti Security also benefit from the asset inventory APIs, for which it recently added support. Forseti Security’s integration with asset inventory will enable much faster inventory of resources and policies and reduce latency on the scans, which has been a top feature request from many customers and partners.

Like they say, you can’t manage what you can’t measure. The new asset inventory API gives you a simple way to account for and measure your assets across a variety of GCP services. To learn more about asset inventory, check out the product page. And stay tuned as we add support for more asset types.