Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition
As an administrator, you can have your organization’s Google Drive inventory exported to BigQuery. The inventory includes metadata associated with each file, such as size, applied labels, and who it’s shared with, but not the content of the files. You can review this information to assess if access to sensitive files meets your organization’s regulatory, compliance, and data security goals.
When your Drive inventory is in BigQuery, you can create custom reporting and dashboards using analytics tools like Looker Studio and third-party visualization partners.
Note:
- You do some of the steps on this page in the Google Cloud console because Google BigQuery is a Google Cloud product.
- You must set up billing for your Google Cloud project because there is a cost to query and store your Drive inventory exports in BigQuery. For details, review your billing account’s pricing details for BigQuery . You can estimate your storage costs with the Google Cloud Pricing Calculator . The metadata for 1 million files uses about 1.5 GB physical storage in BigQuery.
- You need to have a supported license to set up Drive inventory report exports, but the report includes data for all your users.
- Your Drive inventory is exported weekly. The export overwrites the previous export. To preserve previous exports, one approach is to use the BigQuery Data Transfer Service to automatically copy the dataset .
- There’s a small chance that a Drive inventory export might be missing file metadata for some files. In rare cases, some files might not be included.
Step 1. Set up a BigQuery project & data set for your Drive inventory
- In the Google Cloud console
, create or open an active BigQuery project.
For details, go to Creating and managing projects . - Enable billing for the project if it isn’t already.
- Go to the IAM page for the project.
- Give Google Workspace administrator accounts access to the export for data processing and viewing. Learn more about BigQuery IAM roles and permissions
and how to control access to resources
. For any Google Workspace accounts you want to give access to the export:
- At the top of the list of principals, click Grant Access.
- In Add principals, enter the Google Workspace account's email address.
- Click the the BigQuery Editor(bigquery.dataEditor) role. Tip: Click Filterand enter BigQueryto find other BigQuery-specific roles.
- Click Save.
- Give yourself and any other administrator who will manage Drive inventory exports the IAM administrator permission on the project:
- On the same IAM page, click an existing principal or start a new principal as in the previous step.
- Click the Resource Managerrole and select Project IAM Admin.
- Click Save.
- Find or create a BigQuery dataset to store your Drive inventory exports.
- Click Navigation menu BigQuery.
- In the Explorerpanel at the left, expand your project to list existing datasets.
- If there’s a dataset you want to use, make a note of the ID to use in the next step.
- If you want to use a new dataset, go to Creating datasets . Make a note of the dataset name to use in the next step.
Step 2. Turn on and set up Drive inventory exports
- Sign in to your Google Admin console .
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu Reporting Data integrations .
Education administrators go to Menu Reporting BigQuery export, which opens the Data integrationspage.
- Click Drive Inventory Exports.
- Check the box to enable Drive inventory exports.
- Under BigQuery project ID, select the project where you want to store the Drive inventory export. If you don’t see the project, you need to set it up in BigQuery. For details, go to Quickstart using the Google Cloud console .
- Under Existing dataset within the project, enter the name of the dataset to use for storing the Drive inventory in the project. If you don’t have a dataset already, go to Creating datasets for steps.
- Click Save. If you get an error that you can’t save, check for the following issues in Google Cloud Console:
- Go to the IAM page for your project and make sure your account has the Project IAM Adminrole (resourcemanager.projects.setIamPolicy). If not, grant that role for your account.
- Go to the Policy Troubleshooter and check if any deny policies are blocking your access to the project. For details, go to Troubleshoot policies .
After enabling the exports, you should see the first export appear in BigQuery in 1–2 weeks. After that, the export is updated weekly.
Step 3. (Optional) Update the data expiration time
The default expiration for data exports is 60 days, after which the data is deleted from Google Cloud.
To change the expiration time, go to Updating default table expiration times .
Step 4. Monitor exports and set up alerts for failures
Drive inventory export events are included in Admin log events . In the security investigation tool , you can search for the Drive inventory export-related events and set up alerts.
Drive inventory export-related eventsEvent name | Details |
---|---|
Drive Inventory Reporting Export Completed | Logged when an export completes. |
Drive Inventory Reporting Export Failed | Logged when an export fails. You can configure an alert to be notified when an export fails. To fix, on this page see Troubleshoot missing exports . |
Drive Inventory Export Config Created | Logged when a Drive inventory export is set up by an administrator. |
Drive Inventory Export Config Updated | Logged when the project or dataset is updated. |
Drive Inventory Export Config Deletion Initiated | Logged when an administrator deletes a Drive inventory export configuration in the Admin console. There can be a delay between when an admin starts the deletion and when the configuration is actually deleted. |
Step 5. Analyze Drive inventory datasets
You can analyze your data directly in BigQuery. For an overview, go to Overview of BigQuery analytics | Google Cloud . For details, go to Schema and example queries for Drive inventory exports in BigQuery .
Troubleshoot missing exports in BigQuery
If you don’t see Drive inventory exports in BigQuery after you save your configuration in the Admin console, review the following issues and how to resolve them.
Possible issue | How to fix |
---|---|
Your Google Workspace subscription no longer supports Drive inventory exports | If you downgraded your subscription, it may no longer support Drive inventory exports. In your Admin console, go to Menu > Billing > Subscriptionsand confirm your subscription is one of the following: Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition After you switch to an edition that supports Drive inventory exports, it can take up to 2 weeks for reports to be exported. |
The BigQuery project or dataset has been deleted | Make a note of the BigQuery project ID and dataset ID that you set in the Admin console. Then open Google Cloud console and confirm that both the project and dataset exist. If either doesn’t exist, create or identify replacements. Then in the Admin console, update the Drive Inventory Exportsettings to use an existing project and dataset. |
The Drive inventory export service account's permissions on the BigQuery dataset or project were removed | In Google Cloud console, confirm that the service account has Editoraccess on the dataset and BigQuery.jobUseraccess on the project. If it doesn’t, disable and re-enable the feature in the Admin console. |
Known limitations
- Drive inventory exports may not include unclaimed Jamboard files or videos created with Google Vids.
FAQ
Expand all | Collapse all & go to top
Is there a cost to export the Drive inventory to BigQuery?Yes. Storage costs are billed to the BigQuery project. For details, review your billing account’s pricing details for BigQuery . You can estimate your storage costs with the Google Cloud Pricing Calculator . The metadata for 1 million files uses about 1.5 GB physical storage in BigQuery.
No. Drive inventory export is covered by the Google Cloud Platform Terms of Service or your agreement governing your use of Google Cloud Platform.
For details review the dataset schema .
You can. Just remember your new exports and the last export before the change will be in different locations.
Yes. If you also set up service log exports to BigQuery , you can use the same project ID. Your Drive inventory will go to a different dataset in the project.
Yes. If you no longer want to export your Drive inventory to BigQuery, you can delete the Drive Inventory configuration in your Admin console.
- Sign in to your Google Admin console .
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu Reporting Data integrations .
Education administrators go to Menu Reporting BigQuery export, which opens the Data integrationspage.
- Click Drive Inventory.
- Click BigQuery project IDand select the project.
- Click Delete.
- To confirm, click Deleteagain.
Your Drive inventory will no longer export. The dataset remains in the project with existing data, but data will be deleted as it expires.
To restart Drive inventory exports, add a project ID.
You may see a service account named id
@gcp-sa-statefulreporting.iam.gserviceaccount.com
and another service account named drive-inventory-reporting@system.gserviceaccount.com
on the permissions list for your BigQuery project and dataset. During Beta, one service account is used to read metadata from Drive and the other is used to write your Drive inventory to BigQuery.
If an organizational policy
prevents the service accounts, id
@gcp-sa-statefulreporting.iam.gserviceaccount.com
and drive-inventory-reporting@system.gserviceaccount.com
, from joining the permissions list, the accounts’ domains must be allowlisted.
You must have view permissions on the project to set up Drive inventory exports. In Google Cloud Console, go to the IAM page
and assign the Resource Manager Project I AM Admin( resourcemanager.projects.getIamPolicy
) role to your Google Workspace administrator account.
Yes. If you set up a data region policy in your Admin console, your BigQuery exports are written to the specified region.