Console
    Contact Us Start free

    Roles and permissions

    Cloud Asset Inventory uses Identity and Access Management (IAM) for access control. Every Cloud Asset Inventory API method requires the caller to have the necessary permissions.

    Roles

    To get the permissions that you need to work with asset metadata, ask your administrator to grant you the following IAM roles on the organization, folder, or project:

    For more information about granting roles, see Manage access to projects, folders, and organizations .

    These predefined roles contain the permissions required to work with asset metadata. To see the exact permissions that are required, expand the Required permissionssection:

    Required permissions

    The following permissions are required to work with asset metadata:

    • To view asset metadata:
      • cloudasset.assets.*
      • recommender.cloudAssetInsights.get
      • recommender.cloudAssetInsights.list
      • serviceusage.services.use
    • To view asset metadata and work with feeds:
      • cloudasset.*
      • recommender.cloudAssetInsights.*
      • serviceusage.services.use

    You might also be able to get these permissions with custom roles or other predefined roles .

    Permissions

    The following table lists the permissions that the caller must have to call each API method in Cloud Asset Inventory, or to perform tasks using Google Cloud tools that use Cloud Asset Inventory such as the Google Cloud console or gcloud CLI.

    The Cloud Asset Viewer ( roles/cloudasset.viewer ) and Cloud Asset Owner ( roles/cloudasset.owner ) roles include many of these permissions. If the caller has been granted one of these roles and the Service Usage Consumer ( roles/serviceusage.serviceUsageConsumer ) role, they might already have the permissions they need to use Cloud Asset Inventory.

    RPC

    Method
    Required permissions
    All APIs
    All Cloud Asset Inventory calls

    All Cloud Asset Inventory calls require the serviceusage.services.use permission.

    Analysis APIs

    AnalyzeIamPolicy

    AnalyzeIamPolicyLongRunning

    BatchGetEffectiveIamPolicies

    All of the following permissions:

    • cloudasset. assets. analyzeIamPolicy
    • cloudasset. assets. searchAllIamPolicies
    • cloudasset. assets. searchAllResources
    • iam. roles. get to analyze policies with custom roles

    Additional permissions are required for working with Google Workspace .

    AnalyzeMove

    cloudasset. assets. analyzeMove

    AnalyzeOrgPolicies

    AnalyzeOrgPolicyGovernedContainers

    All of the following permissions:

    • cloudasset. assets. analyzeOrgPolicy
    • cloudasset. assets. searchAllResources

    AnalyzeOrgPolicyGovernedAssets

    All of the following permissions:

    • cloudasset. assets. analyzeOrgPolicy
    • cloudasset. assets. searchAllIamPolicies
    • cloudasset. assets. searchAllResources
    Feed APIs

    CreateFeed

    cloudasset. feeds. create

    You also need one of the following permissions, depending on the content type :

    • cloudasset. assets. exportIamPolicy
    • cloudasset. assets. exportResource

    DeleteFeed

    cloudasset. feeds. delete

    GetFeed

    cloudasset. feeds. get

    ListFeed

    cloudasset. feeds. list

    UpdateFeed

    cloudasset. feeds. update

    You also need one of the following permissions, depending on the content type :

    • cloudasset. assets. exportIamPolicy
    • cloudasset. assets. exportResource
    Inventory APIs

    BatchGetAssetsHistory

    ExportAssets

    One of the following permissions, depending on the content type :

    • cloudasset. assets. exportAccessPolicy

      When using the ACCESS_POLICY content type.

    • cloudasset. assets. exportIamPolicy

      When using the IAM_POLICY content type.

    • cloudasset. assets. exportOrgPolicy

      When using the ORG_POLICY content type.

    • cloudasset. assets. exportOSInventories

      When using the OS_INVENTORY content type.

    • cloudasset. assets. exportResource

      When using the RELATIONSHIP or RESOURCE content types.

      Limiting resource access

      Granting the cloudasset. assets. exportResource permission to a user allows them to export all resource types. To restrict what resource types a user can export, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.exportComputeDisks permission by itself to allow a user to only export the compute.googleapis.com/Disk resource type.

      These granular permissions only apply to RESOURCE and unspecified content types .

      View the list of granular cloudasset.assets.export* permissions .

    ListAssets

    One of the following permissions, depending on the content type :

    • cloudasset. assets. listAccessPolicy
    • cloudasset. assets. listIamPolicy
    • cloudasset. assets. listOrgPolicy
    • cloudasset. assets. listOSInventories

    • cloudasset. assets. listResource

      When using the RELATIONSHIP and RESOURCE content types.

      Limiting resource access

      Granting the cloudasset. assets. listResource permission to a user allows them to list all resource types. To restrict what resource types a user can list, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.listComputeDisks permission by itself to allow a user to only list the compute.googleapis.com/Disk resource type.

      These granular permissions only apply to RESOURCE and unspecified content types .

      View the list of granular cloudasset.assets.list* permissions .

    QueryAssets

    One of the following permissions, depending on the content type :

    • cloudasset. assets. queryAccessPolicy
    • cloudasset. assets. queryIamPolicy
    • cloudasset. assets. queryOSInventories
    • cloudasset. assets. queryResource for both the RELATIONSHIP and RESOURCE content types.
    Search APIs

    SearchAllIamPolicies

    cloudasset. assets. searchAllIamPolicies

    SearchAllResources

    cloudasset. assets. searchAllResources

    You also need cloudasset. assets. searchEnrichmentResourceOwners if searching for resource owner enrichment.

    REST

    Method
    Required permissions
    All APIs
    All Cloud Asset Inventory calls

    All Cloud Asset Inventory calls require the serviceusage.services.use permission.

    Analysis APIs

    analyzeIamPolicy

    analyzeIamPolicyLongRunning

    effectiveIamPolicies.batchGet

    All of the following permissions:

    • cloudasset. assets. analyzeIamPolicy
    • cloudasset. assets. searchAllIamPolicies
    • cloudasset. assets. searchAllResources
    • iam. roles. get to analyze policies with custom roles

    Additional permissions are required for working with Google Workspace .

    analyzeMove

    cloudasset. assets. analyzeMove

    analyzeOrgPolicies

    analyzeOrgPolicyGovernedContainers

    All of the following permissions:

    • cloudasset. assets. analyzeOrgPolicy
    • cloudasset. assets. searchAllResources

    analyzeOrgPolicyGovernedAssets

    All of the following permissions:

    • cloudasset. assets. analyzeOrgPolicy
    • cloudasset. assets. searchAllIamPolicies
    • cloudasset. assets. searchAllResources
    Feed APIs

    feeds.create

    cloudasset. feeds. create

    You also need one of the following permissions, depending on the content type :

    • cloudasset. assets. exportIamPolicy
    • cloudasset. assets. exportResource

    feeds.delete

    cloudasset. feeds. delete

    feeds.get

    cloudasset. feeds. get

    feeds.list

    cloudasset. feeds. list

    feeds.patch

    cloudasset. feeds. update

    You also need one of the following permissions, depending on the content type :

    • cloudasset. assets. exportIamPolicy
    • cloudasset. assets. exportResource
    Inventory APIs

    batchGetAssetsHistory

    exportAssets

    One of the following permissions, depending on the content type :

    • cloudasset. assets. exportAccessPolicy

      When using the ACCESS_POLICY content type.

    • cloudasset. assets. exportIamPolicy

      When using the IAM_POLICY content type.

    • cloudasset. assets. exportOrgPolicy

      When using the ORG_POLICY content type.

    • cloudasset. assets. exportOSInventories

      When using the OS_INVENTORY content type.

    • cloudasset. assets. exportResource

      When using the RELATIONSHIP or RESOURCE content types.

      Limiting resource access

      Granting the cloudasset. assets. exportResource permission to a user allows them to export all resource types. To restrict what resource types a user can export, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.exportComputeDisks permission by itself to allow a user to only export the compute.googleapis.com/Disk resource type.

      These granular permissions only apply to RESOURCE and unspecified content types .

      View the list of granular cloudasset.assets.export* permissions .

    assets.list

    One of the following permissions, depending on the content type :

    • cloudasset. assets. listAccessPolicy
    • cloudasset. assets. listIamPolicy
    • cloudasset. assets. listOrgPolicy
    • cloudasset. assets. listOSInventories

    • cloudasset. assets. listResource

      When using the RELATIONSHIP and RESOURCE content types.

      Limiting resource access

      Granting the cloudasset. assets. listResource permission to a user allows them to list all resource types. To restrict what resource types a user can list, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.listComputeDisks permission by itself to allow a user to only list the compute.googleapis.com/Disk resource type.

      These granular permissions only apply to RESOURCE and unspecified content types .

      View the list of granular cloudasset.assets.list* permissions .

    queryAssets

    One of the following permissions, depending on the content type :

    • cloudasset. assets. queryAccessPolicy
    • cloudasset. assets. queryIamPolicy
    • cloudasset. assets. queryOSInventories
    • cloudasset. assets. queryResource for both the RELATIONSHIP and RESOURCE content types.
    Search APIs

    searchAllIamPolicies

    cloudasset. assets. searchAllIamPolicies

    searchAllResources

    cloudasset. assets. searchAllResources

    You also need cloudasset. assets. searchEnrichmentResourceOwners if searching for resource owner enrichment.

    gcloud

    Positional statement
    Required permissions
    All APIs
    All Cloud Asset Inventory calls

    All Cloud Asset Inventory calls require the serviceusage.services.use permission.

    Analysis APIs

    analyze-iam-policy

    analyze-iam-policy-longrunning

    get-effective-iam-policy

    All of the following permissions:

    • cloudasset. assets. analyzeIamPolicy
    • cloudasset. assets. searchAllIamPolicies
    • cloudasset. assets. searchAllResources
    • iam. roles. get to analyze policies with custom roles

    Additional permissions are required for working with Google Workspace .

    analyze-move

    cloudasset. assets. analyzeMove

    analyze-org-policies

    analyze-org-policy-governed-containers

    All of the following permissions:

    • cloudasset. assets. analyzeOrgPolicy
    • cloudasset. assets. searchAllResources

    analyze-org-policy-governed-assets

    All of the following permissions:

    • cloudasset. assets. analyzeOrgPolicy
    • cloudasset. assets. searchAllIamPolicies
    • cloudasset. assets. searchAllResources
    Feed APIs

    feeds create

    cloudasset. feeds. create

    You also need one of the following permissions, depending on the content type :

    • cloudasset. assets. exportIamPolicy
    • cloudasset. assets. exportResource

    feeds delete

    cloudasset. feeds. delete

    feeds describe

    cloudasset. feeds. get

    feeds list

    cloudasset. feeds. list

    feeds update

    cloudasset. feeds. update

    You also need one of the following permissions, depending on the content type :

    • cloudasset. assets. exportIamPolicy
    • cloudasset. assets. exportResource
    Inventory APIs

    export

    get-history

    One of the following permissions, depending on the content type :

    • cloudasset. assets. exportAccessPolicy

      When using the ACCESS_POLICY content type.

    • cloudasset. assets. exportIamPolicy

      When using the IAM_POLICY content type.

    • cloudasset. assets. exportOrgPolicy

      When using the ORG_POLICY content type.

    • cloudasset. assets. exportOSInventories

      When using the OS_INVENTORY content type.

    • cloudasset. assets. exportResource

      When using the RELATIONSHIP or RESOURCE content types.

      Limiting resource access

      Granting the cloudasset. assets. exportResource permission to a user allows them to export all resource types. To restrict what resource types a user can export, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.exportComputeDisks permission by itself to allow a user to only export the compute.googleapis.com/Disk resource type.

      These granular permissions only apply to RESOURCE and unspecified content types .

      View the list of granular cloudasset.assets.export* permissions .

    list

    One of the following permissions, depending on the content type :

    • cloudasset. assets. listAccessPolicy
    • cloudasset. assets. listIamPolicy
    • cloudasset. assets. listOrgPolicy
    • cloudasset. assets. listOSInventories

    • cloudasset. assets. listResource

      When using the RELATIONSHIP and RESOURCE content types.

      Limiting resource access

      Granting the cloudasset. assets. listResource permission to a user allows them to list all resource types. To restrict what resource types a user can list, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.listComputeDisks permission by itself to allow a user to only list the compute.googleapis.com/Disk resource type.

      These granular permissions only apply to RESOURCE and unspecified content types .

      View the list of granular cloudasset.assets.list* permissions .

    query

    One of the following permissions, depending on the content type :

    • cloudasset. assets. queryAccessPolicy
    • cloudasset. assets. queryIamPolicy
    • cloudasset. assets. queryOSInventories
    • cloudasset. assets. queryResource for both the RELATIONSHIP and RESOURCE content types.
    Search APIs

    search-all-iam-policies

    cloudasset. assets. searchAllIamPolicies

    search-all-resources

    cloudasset. assets. searchAllResources

    You also need cloudasset. assets. searchEnrichmentResourceOwners if searching for resource owner enrichment.

    Console

    The Google Cloud console uses the SearchAllResources API to request data. To use Cloud Asset Inventory in the Google Cloud console, grant the following permissions:

    • cloudasset. assets. searchAllResources
    • serviceusage. services. use

    VPC Service Controls

    VPC Service Controls can be used with Cloud Asset Inventory to provide additional security for your assets. To learn more about VPC Service Controls, see the Overview of VPC Service Controls .

    To learn about the limitations in using Cloud Asset Inventory with VPC Service Controls, see the supported products and limitations .
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: