assets
Creates, updates, deletes, gets or lists an assets resource.
Overview
Name | assets |
Type | Resource |
Id | google.cloudasset.assets |
Fields
The following fields are returned by SELECT queries:
- list
Successful response
Name | Datatype | Description |
---|---|---|
name | string | The full name of the asset. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1 See Resource names for more information. |
accessLevel | object | Also refer to the access level user guide. (id: GoogleIdentityAccesscontextmanagerV1AccessLevel) |
accessPolicy | object | Also refer to the access policy user guide. (id: GoogleIdentityAccesscontextmanagerV1AccessPolicy) |
ancestors | array | The ancestry path of an asset in Google Cloud resource hierarchy, represented as a list of relative resource names. An ancestry path starts with the closest ancestor in the hierarchy and ends at root. If the asset is a project, folder, or organization, the ancestry path starts from the asset itself. Example: ["projects/123456789", "folders/5432", "organizations/1234"] |
assetExceptions | array | The exceptions of a resource. |
assetType | string | The type of the asset. Example: compute.googleapis.com/Disk See Supported asset types for more information. |
iamPolicy | object | A representation of the IAM policy set on a Google Cloud resource. There can be a maximum of one IAM policy set on any given resource. In addition, IAM policies inherit their granted access scope from any policies set on parent resources in the resource hierarchy. Therefore, the effective policy is the union of both the policy set on this resource and each policy set on all of the resource's ancestry resource levels in the hierarchy. See this topic for more information. (id: Policy) |
orgPolicy | array | A representation of an organization policy. There can be more than one organization policy with different constraints set on a given resource. |
osInventory | object | A representation of runtime OS Inventory information. See this topic for more information. (id: Inventory) |
relatedAsset | object | An asset identifier in Google Cloud which contains its name, type and ancestors. An asset can be any resource in the Google Cloud resource hierarchy, a resource outside the Google Cloud resource hierarchy (such as Google Kubernetes Engine clusters and objects), or a policy (e.g. IAM policy). See Supported asset types for more information. (id: RelatedAsset) |
relatedAssets | object | DEPRECATED. This field is present only for backward compatibility. The server will never generate responses with this field. The related assets of the asset of one relationship type. One asset only represents one type of relationship. (id: RelatedAssets) |
resource | object | A representation of the resource. (id: Resource) |
servicePerimeter | object | Also refer to the service perimeter user guide. (id: GoogleIdentityAccesscontextmanagerV1ServicePerimeter) |
updateTime | string (google-datetime) | The last update timestamp of an asset. update_time is updated when create/update/delete operation is performed. |
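The inheritance rule in the iamPolicy description can be applied to rows returned by the list method, as in this added example (not part of the provider documentation). It assumes rows fetched with contentType IAM_POLICY; the sample rows, member names and function names are constructed, and IAM conditions and deny policies are ignored.

```python
# Added example: effective IAM bindings = own policy UNION every ancestor's policy.
HIERARCHY_TYPES = {
    "cloudresourcemanager.googleapis.com/Project",
    "cloudresourcemanager.googleapis.com/Folder",
    "cloudresourcemanager.googleapis.com/Organization",
}

# Constructed sample rows; folders/5432 has no policy row on purpose.
ASSETS = [
    {"name": "//storage.googleapis.com/example-bucket",
     "assetType": "storage.googleapis.com/Bucket",
     "ancestors": ["projects/123456789", "folders/5432", "organizations/1234"],
     "iamPolicy": {"bindings": [{"role": "roles/storage.objectViewer",
                                 "members": ["user:alice@example.com"]}]}},
    {"name": "//cloudresourcemanager.googleapis.com/projects/123456789",
     "assetType": "cloudresourcemanager.googleapis.com/Project",
     "ancestors": ["projects/123456789", "folders/5432", "organizations/1234"],
     "iamPolicy": {"bindings": [{"role": "roles/editor",
                                 "members": ["user:bob@example.com"]}]}},
    {"name": "//cloudresourcemanager.googleapis.com/organizations/1234",
     "assetType": "cloudresourcemanager.googleapis.com/Organization",
     "ancestors": ["organizations/1234"],
     "iamPolicy": {"bindings": [
         {"role": "roles/owner", "members": ["group:admins@example.com"]},
         {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]}]}},
]

def bindings_of(asset):
    """Flatten an asset's own policy into a set of (role, member) pairs."""
    policy = asset.get("iamPolicy") or {}
    return {(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", [])}

def index_hierarchy(assets):
    """Key project/folder/organization policies by ancestors[0], which for
    these asset types is the asset itself."""
    return {a["ancestors"][0]: bindings_of(a) for a in assets
            if a["assetType"] in HIERARCHY_TYPES and a.get("ancestors")}

def effective_bindings(asset, assets):
    """Return {(role, member): granting level}, closest level winning."""
    by_node = index_hierarchy(assets)
    result = {pair: asset["name"] for pair in bindings_of(asset)}
    for node in asset.get("ancestors", []):   # closest ancestor first, root last
        for pair in by_node.get(node, ()):    # ancestors without a row add nothing
            result.setdefault(pair, node)
    return result

def inherited_only(asset, assets):
    """Grants that reach the asset only through an ancestor."""
    own = bindings_of(asset)
    return {p: src for p, src in effective_bindings(asset, assets).items() if p not in own}
```

Grants that appear only in the inherited set are the ones a review of the resource's own policy would miss.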
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list | select | parentType , parent | readTime , assetTypes , contentType , pageSize , pageToken , relationshipTypes | Lists assets with time and resource types and returns paged results in response. |
query_assets | exec | parentType , parent | | Issues a job that queries assets using a SQL statement compatible with BigQuery SQL. If the query execution finishes within timeout and there's no pagination, the full query results will be returned in the QueryAssetsResponse . Otherwise, full query results can be obtained by issuing extra requests with the job_reference from a previous QueryAssets call. Note that the query result has an approximately 10 GB limit enforced by BigQuery. Queries that return larger results will result in errors. |
analyze_org_policy_governed_assets | exec | scope | constraint , filter , pageSize , pageToken | Analyzes assets (Google Cloud resources or policies) governed by organization policies under a scope. This RPC supports custom constraints and the following canned constraints: * constraints/ainotebooks.accessMode * constraints/ainotebooks.disableFileDownloads * constraints/ainotebooks.disableRootAccess * constraints/ainotebooks.disableTerminal * constraints/ainotebooks.environmentOptions * constraints/ainotebooks.requireAutoUpgradeSchedule * constraints/ainotebooks.restrictVpcNetworks * constraints/compute.disableGuestAttributesAccess * constraints/compute.disableInstanceDataAccessApis * constraints/compute.disableNestedVirtualization * constraints/compute.disableSerialPortAccess * constraints/compute.disableSerialPortLogging * constraints/compute.disableVpcExternalIpv6 * constraints/compute.requireOsLogin * constraints/compute.requireShieldedVm * constraints/compute.restrictLoadBalancerCreationForTypes * constraints/compute.restrictProtocolForwardingCreationForTypes * constraints/compute.restrictXpnProjectLienRemoval * constraints/compute.setNewProjectDefaultToZonalDNSOnly * constraints/compute.skipDefaultNetworkCreation * constraints/compute.trustedImageProjects * constraints/compute.vmCanIpForward * constraints/compute.vmExternalIpAccess * constraints/gcp.detailedAuditLoggingMode * constraints/gcp.resourceLocations * constraints/iam.allowedPolicyMemberDomains * constraints/iam.automaticIamGrantsForDefaultServiceAccounts * constraints/iam.disableServiceAccountCreation * constraints/iam.disableServiceAccountKeyCreation * constraints/iam.disableServiceAccountKeyUpload * constraints/iam.restrictCrossProjectServiceAccountLienRemoval * constraints/iam.serviceAccountKeyExpiryHours * constraints/resourcemanager.accessBoundaries * constraints/resourcemanager.allowedExportDestinations * constraints/sql.restrictAuthorizedNetworks * constraints/sql.restrictNoncompliantDiagnosticDataAccess * constraints/sql.restrictNoncompliantResourceCreation * constraints/sql.restrictPublicIp * constraints/storage.publicAccessPrevention * constraints/storage.restrictAuthTypes * constraints/storage.uniformBucketLevelAccess This RPC only returns either resources of types supported by search APIs or IAM policies. |
analyze_move | exec | resource | destinationParent , view | Analyze moving a resource to a specified destination without kicking off the actual move. The analysis is best effort depending on the user's permissions of viewing different hierarchical policies and configurations. The policies and configuration are subject to change before the actual resource migration takes place. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
parent | string | |
parentType | string | |
resource | string | |
scope | string | |
assetTypes | string | |
constraint | string | |
contentType | string | |
destinationParent | string | |
filter | string | |
pageSize | integer (int32) | |
pageToken | string | |
readTime | string (google-datetime) | |
relationshipTypes | string | |
view | string | |
SELECT examples
- list
Lists assets with time and resource types and returns paged results in response.
SELECT
    name,
    accessLevel,
    accessPolicy,
    ancestors,
    assetExceptions,
    assetType,
    iamPolicy,
    orgPolicy,
    osInventory,
    relatedAsset,
    relatedAssets,
    resource,
    servicePerimeter,
    updateTime
FROM google.cloudasset.assets
WHERE parentType = '{{ parentType }}' -- required
    AND parent = '{{ parent }}' -- required
    AND readTime = '{{ readTime }}'
    AND assetTypes = '{{ assetTypes }}'
    AND contentType = '{{ contentType }}'
    AND pageSize = '{{ pageSize }}'
    AND pageToken = '{{ pageToken }}'
    AND relationshipTypes = '{{ relationshipTypes }}';
Lifecycle Methods
- query_assets
- analyze_org_policy_governed_assets
- analyze_move
Issues a job that queries assets using a SQL statement compatible with BigQuery SQL. If the query execution finishes within timeout and there's no pagination, the full query results will be returned in the QueryAssetsResponse. Otherwise, full query results can be obtained by issuing extra requests with the job_reference from a previous QueryAssets call. Note that the query result has an approximately 10 GB limit enforced by BigQuery. Queries that return larger results will result in errors.
EXEC google.cloudasset.assets.query_assets
    @parentType='{{ parentType }}', -- required
    @parent='{{ parent }}' -- required
    @@json=
    '{
        "statement": "{{ statement }}",
        "jobReference": "{{ jobReference }}",
        "pageSize": {{ pageSize }},
        "pageToken": "{{ pageToken }}",
        "timeout": "{{ timeout }}",
        "readTimeWindow": "{{ readTimeWindow }}",
        "readTime": "{{ readTime }}",
        "outputConfig": "{{ outputConfig }}"
    }';
Analyzes assets (Google Cloud resources or policies) governed by organization policies under a scope. This RPC supports custom constraints and the following canned constraints:
* constraints/ainotebooks.accessMode
* constraints/ainotebooks.disableFileDownloads
* constraints/ainotebooks.disableRootAccess
* constraints/ainotebooks.disableTerminal
* constraints/ainotebooks.environmentOptions
* constraints/ainotebooks.requireAutoUpgradeSchedule
* constraints/ainotebooks.restrictVpcNetworks
* constraints/compute.disableGuestAttributesAccess
* constraints/compute.disableInstanceDataAccessApis
* constraints/compute.disableNestedVirtualization
* constraints/compute.disableSerialPortAccess
* constraints/compute.disableSerialPortLogging
* constraints/compute.disableVpcExternalIpv6
* constraints/compute.requireOsLogin
* constraints/compute.requireShieldedVm
* constraints/compute.restrictLoadBalancerCreationForTypes
* constraints/compute.restrictProtocolForwardingCreationForTypes
* constraints/compute.restrictXpnProjectLienRemoval
* constraints/compute.setNewProjectDefaultToZonalDNSOnly
* constraints/compute.skipDefaultNetworkCreation
* constraints/compute.trustedImageProjects
* constraints/compute.vmCanIpForward
* constraints/compute.vmExternalIpAccess
* constraints/gcp.detailedAuditLoggingMode
* constraints/gcp.resourceLocations
* constraints/iam.allowedPolicyMemberDomains
* constraints/iam.automaticIamGrantsForDefaultServiceAccounts
* constraints/iam.disableServiceAccountCreation
* constraints/iam.disableServiceAccountKeyCreation
* constraints/iam.disableServiceAccountKeyUpload
* constraints/iam.restrictCrossProjectServiceAccountLienRemoval
* constraints/iam.serviceAccountKeyExpiryHours
* constraints/resourcemanager.accessBoundaries
* constraints/resourcemanager.allowedExportDestinations
* constraints/sql.restrictAuthorizedNetworks
* constraints/sql.restrictNoncompliantDiagnosticDataAccess
* constraints/sql.restrictNoncompliantResourceCreation
* constraints/sql.restrictPublicIp
* constraints/storage.publicAccessPrevention
* constraints/storage.restrictAuthTypes
* constraints/storage.uniformBucketLevelAccess

This RPC only returns either resources of types supported by search APIs or IAM policies.
EXEC google.cloudasset.assets.analyze_org_policy_governed_assets
    @scope='{{ scope }}', -- required
    @constraint='{{ constraint }}',
    @filter='{{ filter }}',
    @pageSize='{{ pageSize }}',
    @pageToken='{{ pageToken }}';
Analyze moving a resource to a specified destination without kicking off the actual move. The analysis is best effort depending on the user's permissions of viewing different hierarchical policies and configurations. The policies and configuration are subject to change before the actual resource migration takes place.
EXEC google.cloudasset.assets.analyze_move
    @resource='{{ resource }}', -- required
    @destinationParent='{{ destinationParent }}',
    @view='{{ view }}';