Calling the Cloud Asset API with a local machine

This page explains how to call the Cloud Asset API from your local machine.

Before you begin

  1. Install oauth2l on your local machine for interacting with the Google OAuth system.
  2. Confirm that you have access to the Unix curl command.
  3. Ensure that your account has one of the following roles on your project, folder, or organization.
    • roles/owner
    • roles/cloudasset.viewer
  4. Set up a Cloud Storage bucket to store the exported snapshot.

Downloading the credentials file

A JSON credentials file is needed to call the Cloud Asset API. Download the file by following the process below.

  1. Go to the Credentials page.

  2. Open the Create Credentials dropdown and select OAuth client ID.

  3. If you are creating a Client ID for a new project, you must set up the OAuth consent screen. The consent screen is displayed any time an application using your Client ID requests access to private data. If prompted:

    1. Click Configure consent screen and enter the required information for your consent screen.

    2. Save your changes to return to creating your Client ID.

  4. On the Create client ID page under Application type, select Other.

  5. Enter a name for the credential, then click Create. A confirmation dialog appears with a client ID and client secret.

  6. Close the confirmation dialog and click the download icon on the right to save your new Client ID JSON file.

  7. Name and move the downloaded JSON file so that the path is ~/credentials.json.

Preparing your environment

Prepare your environment for making calls to the Cloud Asset API by following the process below.

  1. Verify your initial setup with the following command.

    oauth2l header --json ~/credentials.json cloud-platform
    

    You should see an output similar to the following:

    Authorization: Bearer y29.xxxxxxx
    
  2. Define a shell alias for calling Google REST APIs with the following command.

    alias gcurl='curl -H "$(oauth2l header --json ~/credentials.json \
    cloud-platform)" -H "Content-Type: application/json" '
    

Exporting an asset snapshot

Select a command that supports the level of detail you want in your exported snapshot. The following commands will store the exported snapshot in a Cloud Storage bucket at gs://YOUR_BUCKET/NEW_FILE.

To export an asset snapshot for an organization, use the https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_NUMBER:exportAssets REST method in the following gcurl commands.

To export an asset snapshot for a folder, use the https://cloudasset.googleapis.com/v1/folders/FOLDER_NUMBER:exportAssets REST method.

Export all resource names without metadata in a project

gcurl -d '{"outputConfig":{"gcsDestination":
          {"uri":"gs://YOUR_BUCKET/NEW_FILE"}}}' \
           https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER:exportAssets

Export all resource metadata in a project

gcurl -d '{"contentType":"RESOURCE", "outputConfig":{"gcsDestination":
          {"uri":"gs://YOUR_BUCKET/NEW_FILE"}}}' \
           https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER:exportAssets

Export Cloud IAM policies in a project

gcurl -d '{"contentType":"IAM_POLICY", "outputConfig":{
           "gcsDestination": {"uri":"gs://YOUR_BUCKET/NEW_FILE"}}}' \
           https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER:exportAssets

Viewing an asset snapshot

To see your exported assets, go to the Cloud Storage Browser page and open the new file. The export lists the assets and their resource names.

Checking the status of an export

Exporting assets is a long-running operation that takes seconds for most projects, folders, and organizations. It can take longer for very large folders and organizations with many projects and resources. The operation number of an export is used to check the status of the export request.

To check the status of an export:

  1. Get the operation number from the name field of the response.

    "name": "projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_NUMBER"
    

  2. Enter the operation number into the following command.

    gcurl https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_NUMBER

A response similar to the following is returned:

{
  "name": "projects/PROJECT_NUMBER/operations/ExportAssets/CONTENT_TYPE/OPERATION_NUMBER",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.asset.v1.ExportAssetsRequest",
    "parent": "projects/PROJECT_NUMBER",
    "outputConfig": {
      "gcsDestination": {
        "uri": "gs://YOUR_BUCKET/NEW_FILE"
      }
    }
  },
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.cloud.asset.v1.ExportAssetsResponse",
    "readTime": [timestamp],
    "outputConfig": {
      "gcsDestination": {
        "uri": "gs://YOUR_BUCKET/NEW_FILE"
      }
    }
  }
}

You can also call ExportAssets for an entire folder or organization. See the Cloud Asset API reference for more info.
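
The status check above can be scripted. The following script is an added example, not part of the original page: it polls an operation until the response reports done, reports an error, or a retry limit is reached. The function names, the FETCH hook and the retry defaults are assumptions made for the example; gcurl is defined as a function because shell aliases are not expanded in non-interactive scripts.

```shell
# Added example, not from the original page.
# Aliases are not expanded in scripts, so gcurl is a function here.
# ~/credentials.json holds the OAuth client secret: keep it mode 600.
gcurl() {
  curl -sS -H "$(oauth2l header --json ~/credentials.json cloud-platform)" \
       -H "Content-Type: application/json" "$@"
}

# Print the operation name found in an exportAssets response (JSON on stdin).
operation_name() {
  sed -n 's|.*"name"[[:space:]]*:[[:space:]]*"\([^"]*/operations/[^"]*\)".*|\1|p' |
    head -n 1
}

# Classify an operation response (JSON on stdin) as done, failed or running.
# An "error" key appears both when the export itself fails and when the
# API rejects the call (for example, missing permissions).
operation_state() {
  op_body=$(cat)
  if printf '%s' "$op_body" | grep -Eq '"error"[[:space:]]*:'; then
    echo failed
  elif printf '%s' "$op_body" | grep -Eq '"done"[[:space:]]*:[[:space:]]*true'; then
    echo done
  else
    echo running
  fi
}

# wait_for_export OPERATION_NAME [MAX_TRIES] [DELAY_SECONDS]
# FETCH (assumed hook) names the command used to fetch the URL; default gcurl.
wait_for_export() {
  op_tries=0
  while [ "$op_tries" -lt "${2:-30}" ]; do
    op_state=$("${FETCH:-gcurl}" "https://cloudasset.googleapis.com/v1/$1" |
      operation_state)
    case $op_state in
      done) echo done; return 0 ;;
      failed) echo failed; return 1 ;;
    esac
    op_tries=$((op_tries + 1))
    sleep "${3:-2}"
  done
  echo timeout
  return 2
}
```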

Getting the history of assets

To get the create, delete, and update history of specified assets in a project within a given timeframe using the batchGetAssetsHistory method, follow the process below.

To get the history for an organization, use the https://cloudasset.googleapis.com/v1/organizations/ORGANIZATION_NUMBER:batchGetAssetsHistory REST method in the gcurl command.

  1. Ensure that you can call the Cloud Asset API by preparing your environment.
  2. Determine the full resource name of the asset you want to find the history of. The following example uses //compute.googleapis.com/projects/my_project_id/global/firewalls/default-firewall.
  3. Determine a start and end time for your timeframe that is in the RFC 3339 UTC format. Only a start time is required. See TimeWindow for more information.
  4. Select a command that supports the level of detail you want in the response:

Get the history of the specified assets in a project, including all resource metadata

gcurl -d '{"contentType":"RESOURCE",
           "assetNames":
             "//compute.googleapis.com/projects/my_project_id/global/firewalls/default-firewall",
           "readTimeWindow": {"startTime": "2014-10-02T15:01:23.045123456Z"}}' \
      https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER:batchGetAssetsHistory

Get the history of the specified assets in a project, without resource metadata

gcurl -d '{"assetNames":
             "//compute.googleapis.com/projects/my_project_id/global/firewalls/default-firewall",
           "readTimeWindow": {"startTime": "2014-10-02T15:01:23.045123456Z"}}' \
      https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER:batchGetAssetsHistory

Get the history of all Cloud IAM policies of the specified assets in a project

gcurl -d '{"contentType":"IAM_POLICY",
           "assetNames":
             "//compute.googleapis.com/projects/my_project_id/global/firewalls/default-firewall",
           "readTimeWindow": {"startTime": "2014-10-02T15:01:23.045123456Z"}}' \
      https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER:batchGetAssetsHistory

The history will be returned in the following format:

{
  "assets": [
    {
      "window": {
        "startTime": 