Roles and permissions

Cloud Asset Inventory uses Identity and Access Management (IAM) for access control. Every Cloud Asset Inventory API method requires the caller to have the necessary permissions.

Roles

To get the permissions that you need to work with asset metadata, ask your administrator to grant you the following IAM roles on the organization, folder, or project:

  • To view asset metadata: Cloud Asset Viewer (roles/cloudasset.viewer)
  • To view asset metadata and work with feeds: Cloud Asset Owner (roles/cloudasset.owner)

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to work with asset metadata. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to work with asset metadata:

  • To view asset metadata:
    • cloudasset.assets.*
    • recommender.cloudAssetInsights.get
    • recommender.cloudAssetInsights.list
    • serviceusage.services.use
  • To view asset metadata and work with feeds:
    • cloudasset.*
    • recommender.cloudAssetInsights.*
    • serviceusage.services.use

You might also be able to get these permissions with custom roles or other predefined roles.

Permissions

The following tables list the permissions that the caller must have to call each API method in Cloud Asset Inventory, or to perform tasks using Google Cloud tools that use Cloud Asset Inventory, such as the Google Cloud console or the gcloud CLI.

The Cloud Asset Viewer (roles/cloudasset.viewer) and Cloud Asset Owner (roles/cloudasset.owner) roles include many of these permissions. If the caller has been granted one of these roles and the Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) role, they might already have the permissions they need to use Cloud Asset Inventory.

RPC

Method / Required permissions

All APIs

All Cloud Asset Inventory calls
  All Cloud Asset Inventory calls require the serviceusage.services.use permission.

Analysis APIs

AnalyzeIamPolicy, AnalyzeIamPolicyLongRunning, BatchGetEffectiveIamPolicies
  All of the following permissions:
    • cloudasset.assets.analyzeIamPolicy
    • cloudasset.assets.searchAllIamPolicies
    • cloudasset.assets.searchAllResources

AnalyzeMove
  cloudasset.assets.analyzeMove

AnalyzeOrgPolicies, AnalyzeOrgPolicyGovernedContainers
  All of the following permissions:
    • cloudasset.assets.analyzeOrgPolicy
    • cloudasset.assets.searchAllResources

AnalyzeOrgPolicyGovernedAssets
  All of the following permissions:
    • cloudasset.assets.analyzeOrgPolicy
    • cloudasset.assets.searchAllIamPolicies
    • cloudasset.assets.searchAllResources

Inventory APIs

BatchGetAssetsHistory, ExportAssets
  One of the following permissions, depending on the content type:
    • cloudasset.assets.exportAccessPolicy, when using the ACCESS_POLICY content type.
    • cloudasset.assets.exportIamPolicy, when using the IAM_POLICY content type.
    • cloudasset.assets.exportOrgPolicy, when using the ORG_POLICY content type.
    • cloudasset.assets.exportOSInventories, when using the OS_INVENTORY content type.
    • cloudasset.assets.exportResource, when using the RELATIONSHIP or RESOURCE content types.
  When exporting metadata of an unspecified or RESOURCE content type, instead of granting the cloudasset.assets.exportResource permission to an account, you can use permissions for each resource type.

ListAssets
  One of the following permissions, depending on the content type:
    • cloudasset.assets.listAccessPolicy
    • cloudasset.assets.listIamPolicy
    • cloudasset.assets.listOrgPolicy
    • cloudasset.assets.listOSInventories
    • cloudasset.assets.listResource, for the RELATIONSHIP and RESOURCE content types.

QueryAssets
  One of the following permissions, depending on the content type:
    • cloudasset.assets.queryAccessPolicy
    • cloudasset.assets.queryIamPolicy
    • cloudasset.assets.queryOSInventories
    • cloudasset.assets.queryResource, for both the RELATIONSHIP and RESOURCE content types.

Feed APIs

CreateFeed
  cloudasset.feeds.create
  You also need one of the following permissions, depending on the content type:
    • cloudasset.assets.exportIamPolicy
    • cloudasset.assets.exportResource

DeleteFeed
  cloudasset.feeds.delete

GetFeed
  cloudasset.feeds.get

ListFeed
  cloudasset.feeds.list

UpdateFeed
  cloudasset.feeds.update
  You also need one of the following permissions, depending on the content type:
    • cloudasset.assets.exportIamPolicy
    • cloudasset.assets.exportResource

Search APIs

SearchAllIamPolicies
  cloudasset.assets.searchAllIamPolicies

SearchAllResources
  cloudasset.assets.searchAllResources
  You also need cloudasset.assets.searchEnrichmentResourceOwners if searching for resource owner enrichment.

REST

Method / Required permissions

All APIs

All Cloud Asset Inventory calls
  All Cloud Asset Inventory calls require the serviceusage.services.use permission.

Analysis APIs

analyzeIamPolicy, analyzeIamPolicyLongRunning, effectiveIamPolicies.batchGet
  All of the following permissions:
    • cloudasset.assets.analyzeIamPolicy
    • cloudasset.assets.searchAllIamPolicies
    • cloudasset.assets.searchAllResources

analyzeMove
  cloudasset.assets.analyzeMove

analyzeOrgPolicies, analyzeOrgPolicyGovernedContainers
  All of the following permissions:
    • cloudasset.assets.analyzeOrgPolicy
    • cloudasset.assets.searchAllResources

analyzeOrgPolicyGovernedAssets
  All of the following permissions:
    • cloudasset.assets.analyzeOrgPolicy
    • cloudasset.assets.searchAllIamPolicies
    • cloudasset.assets.searchAllResources

Inventory APIs

batchGetAssetsHistory, exportAssets
  One of the following permissions, depending on the content type:
    • cloudasset.assets.exportAccessPolicy, when using the ACCESS_POLICY content type.
    • cloudasset.assets.exportIamPolicy, when using the IAM_POLICY content type.
    • cloudasset.assets.exportOrgPolicy, when using the ORG_POLICY content type.
    • cloudasset.assets.exportOSInventories, when using the OS_INVENTORY content type.
    • cloudasset.assets.exportResource, when using the RELATIONSHIP or RESOURCE content types.
  When exporting metadata of an unspecified or RESOURCE content type, instead of granting the cloudasset.assets.exportResource permission to an account, you can use permissions for each resource type.

assets.list
  One of the following permissions, depending on the content type:
    • cloudasset.assets.listAccessPolicy
    • cloudasset.assets.listIamPolicy
    • cloudasset.assets.listOrgPolicy
    • cloudasset.assets.listOSInventories
    • cloudasset.assets.listResource, for the RELATIONSHIP and RESOURCE content types.

queryAssets
  One of the following permissions, depending on the content type:
    • cloudasset.assets.queryAccessPolicy
    • cloudasset.assets.queryIamPolicy
    • cloudasset.assets.queryOSInventories
    • cloudasset.assets.queryResource, for both the RELATIONSHIP and RESOURCE content types.

Feed APIs

feeds.create
  cloudasset.feeds.create
  You also need one of the following permissions, depending on the content type:
    • cloudasset.assets.exportIamPolicy
    • cloudasset.assets.exportResource

feeds.delete
  cloudasset.feeds.delete

feeds.get
  cloudasset.feeds.get

feeds.list
  cloudasset.feeds.list

feeds.patch
  cloudasset.feeds.update
  You also need one of the following permissions, depending on the content type:
    • cloudasset.assets.exportIamPolicy
    • cloudasset.assets.exportResource

Search APIs

searchAllIamPolicies
  cloudasset.assets.searchAllIamPolicies

searchAllResources
  cloudasset.assets.searchAllResources
  You also need cloudasset.assets.searchEnrichmentResourceOwners if searching for resource owner enrichment.

gcloud

Positional statement / Required permissions

All APIs

All Cloud Asset Inventory calls
  All Cloud Asset Inventory calls require the serviceusage.services.use permission.

Analysis APIs

analyze-iam-policy, analyze-iam-policy-longrunning, get-effective-iam-policy
  All of the following permissions:
    • cloudasset.assets.analyzeIamPolicy
    • cloudasset.assets.searchAllIamPolicies
    • cloudasset.assets.searchAllResources

analyze-move
  cloudasset.assets.analyzeMove

analyze-org-policies, analyze-org-policy-governed-containers
  All of the following permissions:
    • cloudasset.assets.analyzeOrgPolicy
    • cloudasset.assets.searchAllResources

analyze-org-policy-governed-assets
  All of the following permissions:
    • cloudasset.assets.analyzeOrgPolicy
    • cloudasset.assets.searchAllIamPolicies
    • cloudasset.assets.searchAllResources

Inventory APIs

get-history, export
  One of the following permissions, depending on the content type:
    • cloudasset.assets.exportAccessPolicy, when using the ACCESS_POLICY content type.
    • cloudasset.assets.exportIamPolicy, when using the IAM_POLICY content type.
    • cloudasset.assets.exportOrgPolicy, when using the ORG_POLICY content type.
    • cloudasset.assets.exportOSInventories, when using the OS_INVENTORY content type.
    • cloudasset.assets.exportResource, when using the RELATIONSHIP or RESOURCE content types.
  When exporting metadata of an unspecified or RESOURCE content type, instead of granting the cloudasset.assets.exportResource permission to an account, you can use permissions for each resource type.

list
  One of the following permissions, depending on the content type:
    • cloudasset.assets.listAccessPolicy
    • cloudasset.assets.listIamPolicy
    • cloudasset.assets.listOrgPolicy
    • cloudasset.assets.listOSInventories
    • cloudasset.assets.listResource, for the RELATIONSHIP and RESOURCE content types.

query
  One of the following permissions, depending on the content type:
    • cloudasset.assets.queryAccessPolicy
    • cloudasset.assets.queryIamPolicy
    • cloudasset.assets.queryOSInventories
    • cloudasset.assets.queryResource, for both the RELATIONSHIP and RESOURCE content types.

Feed APIs

feeds create
  cloudasset.feeds.create
  You also need one of the following permissions, depending on the content type:
    • cloudasset.assets.exportIamPolicy
    • cloudasset.assets.exportResource

feeds delete
  cloudasset.feeds.delete

feeds describe
  cloudasset.feeds.get

feeds list
  cloudasset.feeds.list

feeds update
  cloudasset.feeds.update
  You also need one of the following permissions, depending on the content type:
    • cloudasset.assets.exportIamPolicy
    • cloudasset.assets.exportResource

Search APIs

search-all-iam-policies
  cloudasset.assets.searchAllIamPolicies

search-all-resources
  cloudasset.assets.searchAllResources
  You also need cloudasset.assets.searchEnrichmentResourceOwners if searching for resource owner enrichment.

Export permissions for each resource type

Granting the cloudasset.assets.exportResource permission to a user allows them to export all resource types. To restrict what resource types a user can export, you can grant permissions for each resource type instead.

For example, granting a user cloudasset.assets.exportComputeDisks means they can't export anything except the resource type compute.googleapis.com/Disk.

Resource export permissions only apply to RESOURCE and unspecified content types.

Service / Resource type / Resource export permission

App Engine
  appengine.googleapis.com/Application: cloudasset.assets.exportAppengineApplications
  appengine.googleapis.com/Service: cloudasset.assets.exportAppengineServices
  appengine.googleapis.com/Version: cloudasset.assets.exportAppengineVersions

BigQuery
  bigquery.googleapis.com/Dataset: cloudasset.assets.exportBigqueryDatasets
  bigquery.googleapis.com/Table: cloudasset.assets.exportBigqueryTables

Bigtable
  bigtableadmin.googleapis.com/Cluster: cloudasset.assets.exportBigtableCluster
  bigtableadmin.googleapis.com/Instance: cloudasset.assets.exportBigtableInstance
  bigtableadmin.googleapis.com/Table: cloudasset.assets.exportBigtableTable

Cloud Billing
  cloudbilling.googleapis.com/BillingAccount: cloudasset.assets.exportCloudbillingBillingAccounts

Cloud DNS
  dns.googleapis.com/ManagedZone: cloudasset.assets.exportDnsManagedZones
  dns.googleapis.com/Policy: cloudasset.assets.exportDnsPolicies

Cloud Key Management Service
  cloudkms.googleapis.com/CryptoKey: cloudasset.assets.exportCloudkmsCryptoKeys
  cloudkms.googleapis.com/CryptoKeyVersion: cloudasset.assets.exportCloudkmsCryptoKeyVersions
  cloudkms.googleapis.com/ImportJob: cloudasset.assets.exportCloudkmsImportJobs
  cloudkms.googleapis.com/KeyRing: cloudasset.assets.exportCloudkmsKeyRings

Cloud OS Config
  osconfig.googleapis.com/PatchDeployment: cloudasset.assets.exportPatchDeployments

Spanner
  spanner.googleapis.com/Backup: cloudasset.assets.exportSpannerBackups
  spanner.googleapis.com/Database: cloudasset.assets.exportSpannerDatabases
  spanner.googleapis.com/Instance: cloudasset.assets.exportSpannerInstances

Cloud SQL
  sqladmin.googleapis.com/Instance: cloudasset.assets.exportSqladminInstances

Cloud Storage
  storage.googleapis.com/Bucket: cloudasset.assets.exportStorageBuckets

Compute Engine
  compute.googleapis.com/Address: cloudasset.assets.exportComputeAddress
  compute.googleapis.com/Autoscaler: cloudasset.assets.exportComputeAutoscalers
  compute.googleapis.com/BackendBucket: cloudasset.assets.exportComputeBackendBuckets
  compute.googleapis.com/BackendService: cloudasset.assets.exportComputeBackendServices
  compute.googleapis.com/Disk: cloudasset.assets.exportComputeDisks
  compute.googleapis.com/Firewall: cloudasset.assets.exportComputeFirewalls
  compute.googleapis.com/ForwardingRule: cloudasset.assets.exportComputeForwardingRules
  compute.googleapis.com/GlobalAddress: cloudasset.assets.exportComputeGlobalAddress
  compute.googleapis.com/HealthCheck: cloudasset.assets.exportComputeHealthChecks
  compute.googleapis.com/HttpHealthCheck: cloudasset.assets.exportComputeHttpHealthChecks
  compute.googleapis.com/HttpsHealthCheck: cloudasset.assets.exportComputeHttpsHealthChecks
  compute.googleapis.com/Image: cloudasset.assets.exportComputeImages
  compute.googleapis.com/Instance: cloudasset.assets.exportComputeInstances
  compute.googleapis.com/InstanceGroup: cloudasset.assets.exportComputeInstanceGroups
  compute.googleapis.com/InstanceGroupManager: cloudasset.assets.exportComputeInstanceGroupManagers
  compute.googleapis.com/InstanceTemplate: cloudasset.assets.exportComputeInstanceTemplates
  compute.googleapis.com/Interconnect: cloudasset.assets.exportComputeInterconnect
  compute.googleapis.com/InterconnectAttachment: cloudasset.assets.exportComputeInterconnectAttachment
  compute.googleapis.com/License: cloudasset.assets.exportComputeLicenses
  compute.googleapis.com/Network: cloudasset.assets.exportComputeNetworks
  compute.googleapis.com/Project: cloudasset.assets.exportComputeProjects
  compute.googleapis.com/RegionDisk: cloudasset.assets.exportComputeRegionDisk
  compute.googleapis.com/Route: cloudasset.assets.exportComputeRoutes
  compute.googleapis.com/Router: cloudasset.assets.exportComputeRouters
  compute.googleapis.com/Snapshot: cloudasset.assets.exportComputeSnapshots
  compute.googleapis.com/SslCertificate: cloudasset.assets.exportComputeSslCertificates
  compute.googleapis.com/Subnetwork: cloudasset.assets.exportComputeSubnetworks
  compute.googleapis.com/TargetHttpProxy: cloudasset.assets.exportComputeTargetHttpProxies
  compute.googleapis.com/TargetHttpsProxy: cloudasset.assets.exportComputeTargetHttpsProxies
  compute.googleapis.com/TargetInstance: cloudasset.assets.exportComputeTargetInstances
  compute.googleapis.com/TargetPool: cloudasset.assets.exportComputeTargetPools
  compute.googleapis.com/TargetTcpProxy: cloudasset.assets.exportComputeTargetTcpProxies
  compute.googleapis.com/TargetSslProxy: cloudasset.assets.exportComputeTargetSslProxies
  compute.googleapis.com/TargetVpnGateway: cloudasset.assets.exportComputeTargetVpnGateways
  compute.googleapis.com/UrlMap: cloudasset.assets.exportComputeUrlMaps
  compute.googleapis.com/VpnTunnel: cloudasset.assets.exportComputeVpnTunnels

Dataproc
  dataproc.googleapis.com/Cluster: cloudasset.assets.exportDataprocClusters
  dataproc.googleapis.com/Job: cloudasset.assets.exportDataprocJobs

Google Kubernetes Engine
  container.googleapis.com/Cluster: cloudasset.assets.exportContainerClusters
  container.googleapis.com/NodePool: cloudasset.assets.exportContainerNodepool
  k8s.io/Namespace: cloudasset.assets.exportContainerNamespace
  k8s.io/Node: cloudasset.assets.exportContainerNode
  k8s.io/Pod: cloudasset.assets.exportContainerPod
  rbac.authorization.k8s.io/ClusterRole: cloudasset.assets.exportContainerClusterrole
  rbac.authorization.k8s.io/ClusterRoleBinding: cloudasset.assets.exportContainerClusterrolebinding
  rbac.authorization.k8s.io/Role: cloudasset.assets.exportContainerRole
  rbac.authorization.k8s.io/RoleBinding: cloudasset.assets.exportContainerRolebinding

IAM
  iam.googleapis.com/Role: cloudasset.assets.exportIamRoles
  iam.googleapis.com/ServiceAccount: cloudasset.assets.exportIamServiceAccounts

Pub/Sub
  pubsub.googleapis.com/Subscription: cloudasset.assets.exportPubsubSubscriptions
  pubsub.googleapis.com/Topic: cloudasset.assets.exportPubsubTopics

Resource Manager
  cloudresourcemanager.googleapis.com/Folder: cloudasset.assets.exportCloudresourcemanagerFolders
  cloudresourcemanager.googleapis.com/Organization: cloudasset.assets.exportCloudresourcemanagerOrganizations
  cloudresourcemanager.googleapis.com/Project: cloudasset.assets.exportCloudresourcemanagerProjects
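As an added example (not part of the Cloud Asset Inventory documentation), the following Python checker applies the rules from the tables above to a set of granted permissions, such as the permission list of a custom role, and reports which required permissions are still missing for a given call. It handles the cloudasset.assets.* wildcard that the predefined roles use and the per-resource-type substitute for cloudasset.assets.exportResource on RESOURCE or unspecified content types. The RESOURCE_EXPORT_PERMS and REQUIREMENTS dictionaries are a hand-picked subset of the page's tables, and the function names are my own.

```python
from fnmatch import fnmatchcase

# Every Cloud Asset Inventory call needs this permission in addition to the
# method-specific ones.
BASE = "serviceusage.services.use"

# Per-resource-type export permissions that may replace
# cloudasset.assets.exportResource (constructed subset of the page's table).
RESOURCE_EXPORT_PERMS = {
    "compute.googleapis.com/Disk": "cloudasset.assets.exportComputeDisks",
    "storage.googleapis.com/Bucket": "cloudasset.assets.exportStorageBuckets",
    "iam.googleapis.com/ServiceAccount": "cloudasset.assets.exportIamServiceAccounts",
}

# (method, content type) -> permissions that are ALL required.
# For ExportAssets the "one of, depending on the content type" rule collapses
# to exactly one permission once the content type is known.
REQUIREMENTS = {
    ("AnalyzeIamPolicy", None): ("cloudasset.assets.analyzeIamPolicy",
                                 "cloudasset.assets.searchAllIamPolicies",
                                 "cloudasset.assets.searchAllResources"),
    ("ExportAssets", "IAM_POLICY"): ("cloudasset.assets.exportIamPolicy",),
    ("ExportAssets", "RESOURCE"): ("cloudasset.assets.exportResource",),
    ("CreateFeed", "RESOURCE"): ("cloudasset.feeds.create",
                                 "cloudasset.assets.exportResource"),
}


def has_permission(granted, needed):
    """True if any granted entry matches; entries may be IAM-style wildcards
    such as cloudasset.assets.* (a literal entry matches only itself)."""
    return any(fnmatchcase(needed, g) for g in granted)


def missing_permissions(granted, method, content_type=None, resource_types=()):
    """Return the permissions still missing for `method`; an empty list means
    the caller has everything the table requires for that call."""
    granted = set(granted)
    missing = [] if has_permission(granted, BASE) else [BASE]
    for perm in REQUIREMENTS[(method, content_type)]:
        if has_permission(granted, perm):
            continue
        # The per-resource-type permissions only substitute for exportResource
        # when exporting RESOURCE (or unspecified) content, not for feeds.
        if (method == "ExportAssets" and perm == "cloudasset.assets.exportResource"
                and resource_types and content_type in (None, "RESOURCE")):
            missing.extend(RESOURCE_EXPORT_PERMS[rt] for rt in resource_types
                           if not has_permission(granted, RESOURCE_EXPORT_PERMS[rt]))
            continue
        missing.append(perm)
    return missing
```

A custom role scoped to compute.googleapis.com/Disk exports, for instance, passes the RESOURCE export check for disks but is reported as missing cloudasset.assets.exportResource when the same principal tries to create a feed.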

VPC Service Controls

VPC Service Controls can be used with Cloud Asset Inventory to provide additional security for your assets. To learn more about VPC Service Controls, see the Overview of VPC Service Controls.

To learn about the limitations in using Cloud Asset Inventory with VPC Service Controls, see the supported products and limitations.
