Troubleshooting

The following are common issues that can occur when interacting with the Cloud Asset API and how to handle them.

Request has invalid authentication credentials

If you haven't set up the OAuth header properly, making a call will return the following error:

{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected
               OAuth 2 access token, login cookie or other valid
               authentication credential. See
               https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.DebugInfo",
        "detail": "Authentication error: 2"
      }
    ]
  }
}

To address this issue, repeat the steps to verify your initial setup.

The caller does not have permission

An error is returned if you don't have permission to export assets or get the history on an organization, project, or folder.

For example, if you don't have permission, running the following command:

gcurl -d '{"outputConfig":{"gcsDestination": \
{"uri":gs://YOUR_BUCKET/NEW_FILE}}}' \
https://cloudasset.googleapis.com/v1/projects/PROJECT_NUMBER:exportAssets

Will return the following error:

{
 "error": {
  "code": 403,
  "message": "The caller does not have permission",
  "status": "PERMISSION_DENIED",
  "details": [
   {
    "@type": "type.googleapis.com/google.rpc.DebugInfo",
    "detail": "[ORIGINAL ERROR] generic::permission_denied: Request
    denied by Cloud IAM."
   }
  ]
 }
}

To address this issue, request access from your project, folder, or organization admin. Depending on the assets you are trying to export or get history for, you'll need one of the following permissions:

  • cloudasset.viewer
  • project.owner

For more information on roles and permissions, see Understanding roles.

Fail to write to Cloud Storage file

If the Cloud Storage bucket you use to store exported data isn't in the Cloud Asset API-enabled project you're running the export from, performing the request will result in the following permission denied error:

    {
     "error": {
      "code": 7,
      "message": "Failed to write to: YOUR_BUCKET/FILE",
     }
    }
    

To address this issue, either use a Cloud Storage bucket that belongs to the Cloud Asset API-enabled project you're running the export from, or grant the service-PROJECT_NUMBER@gcp-sa-cloudasset.iam.gserviceaccount.com service account the roles/storage.admin role, where PROJECT_NUMBER is the project number of the Cloud Asset API-enabled project you're running the export from.

The Cloud Asset API result is stale

Data freshness in the Cloud Asset API is on a best-effort basis. While almost all asset updates will be available to clients in minutes, in rare cases it's possible the result of the ExportAssets or BatchGetAssetsHistory methods won't include the most recent asset updates.

To pick up the most recent asset updates, adjust the timestamp in Cloud Asset API calls to be two minutes older than the current timestamp.

ExportAssets outputs temporary files

The ExportAssets operation might create temporary files in the output folder. Don't remove these temporary files while the operation is in progress. Once the operation is complete, the temporary files are removed automatically.

If the temporary files remain, you can safely remove them after the ExportAssets operation is complete.

Request URL too long for BatchGetAssetsHistory

The BatchGetAssetsHistory method is an HTTP GET action that sends all request data in a length limited URL. As a result, an error will occur if the request is too long.

To bypass this, the client code should use HTTP POST to send request with the Content-Type set to application/x-www-form-urlencoded along with an X-HTTP-Method-Override: GET HTTP header. See Long Request URLs for more information.

The following is an example request for BatchGetAssetsHistory using HTTP POST:

curl -X POST -H "X-HTTP-Method-Override: GET" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -H "Authorization: Bearer " \
     -d 'assetNames=&contentType=1&readTimeWindow.startTime=2018-09-01T09:00:00Z' \
     https://cloudasset.googleapis.com/v1/projects/:batchGetAssetsHistory
หน้านี้มีประโยชน์ไหม โปรดแสดงความคิดเห็น