Export asset metadata to Cloud Storage
This document shows you how to export the asset metadata of your organization, folder, or project to a Cloud Storage bucket.
gcloud
gcloud asset export \
    --SCOPE \
    --billing-project=BILLING_PROJECT_ID \
    --asset-types=ASSET_TYPE_1,ASSET_TYPE_2,... \
    --content-type=CONTENT_TYPE \
    --relationship-types=RELATIONSHIP_TYPE_1,RELATIONSHIP_TYPE_2,... \
    --snapshot-time="SNAPSHOT_TIME" \
    --OUTPUT_TYPE
Provide the following values:
SCOPE: Use one of the following values:
* project=PROJECT_ID, where PROJECT_ID is the ID of the project that has the asset metadata you want to export.
* folder=FOLDER_ID, where FOLDER_ID is the ID of the folder that has the asset metadata you want to export.
How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
1. Go to the Google Cloud console.
2. Click the switcher list box in the menu bar.
3. Select your organization from the list box.
4. Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \
--organization=$(gcloud organizations describe ORGANIZATION_NAME \
--format="value(name.segment(1))") \
--filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
--format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the --format flag to see more information about the found folders.
The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
* organization=ORGANIZATION_ID, where ORGANIZATION_ID is the ID of the organization that has the asset metadata you want to export.
How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
1. Go to the Google Cloud console.
2. Click the switcher list box in the menu bar.
3. Select your organization from the list box.
4. Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
BILLING_PROJECT_ID: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Read more about setting the billing project.
ASSET_TYPE_#: Optional. A comma-separated list of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, an INVALID_ARGUMENT error is returned. When --asset-types isn't specified, all asset types are returned.
CONTENT_TYPE: Optional. The content type of the metadata that you want to retrieve. When --content-type isn't specified, only basic information is returned, such as asset names, the last time the assets were updated, and what projects, folders, and organizations they belong to.
RELATIONSHIP_TYPE_#: Optional. Requires access to the Security Command Center Premium or Enterprise tier. A comma-separated list of asset relationship types that you want to retrieve. You must set CONTENT_TYPE to RELATIONSHIP for this to work.
SNAPSHOT_TIME: Optional. The time at which you want to take a snapshot of your assets, in gcloud topic datetime format. The value must be no more than 35 days in the past. When --snapshot-time isn't specified, a snapshot is taken at the current time.
OUTPUT_TYPE: Use one of the following values:
* --output-path="gs://BUCKET_NAME/FILE_NAME" to write the output to a file, where:
  * BUCKET_NAME is the name of the Cloud Storage bucket to write to.
  * FILE_NAME is the file to write to in your Cloud Storage bucket.
* --output-path-prefix="gs://BUCKET_NAME/FOLDER_NAME" to write the output to a folder, where:
  * BUCKET_NAME is the name of the Cloud Storage bucket to write to.
  * FOLDER_NAME is the folder to write to in your Cloud Storage bucket. The output is split into subfolders named after asset types. The subfolders must not already exist in the folder that you specify.
See the gcloud CLI reference for all options.
Example
Run the following command to export your resource metadata as it was on January 30, 2024 in the my-project project, to the file my-file.txt in the Cloud Storage bucket my-bucket.
gcloud asset export \
    --project=my-project \
    --billing-project=my-project \
    --content-type=resource \
    --snapshot-time="2024-01-30" \
    --output-path="gs://my-bucket/my-file.txt"
Example response
Export in progress for root asset [projects/my-project]. Use [gcloud asset operations describe projects/000000000000/operations/ExportAssets/RESOURCE/00000000000000000000000000000000] to check the status of the operation.
REST
HTTP method and URL:
POST https://cloudasset.googleapis.com/v1/SCOPE_PATH:exportAssets
Headers:
X-Goog-User-Project: BILLING_PROJECT_ID
Request JSON body:
{
  "assetTypes": [ "ASSET_TYPE_1", "ASSET_TYPE_2", "..." ],
  "contentType": "CONTENT_TYPE",
  "relationshipTypes": [ "RELATIONSHIP_TYPE_1", "RELATIONSHIP_TYPE_2", "..." ],
  "readTime": "SNAPSHOT_TIME",
  "outputConfig": {
    "gcsDestination": {
      OUTPUT_TYPE
    }
  }
}
Provide the following values:
SCOPE_PATH: Use one of the following values:
* projects/PROJECT_ID, where PROJECT_ID is the ID of the project that has the asset metadata you want to export.
* projects/PROJECT_NUMBER, where PROJECT_NUMBER is the number of the project that has the asset metadata you want to export.
How to find a Google Cloud project number
Google Cloud console
To find a Google Cloud project number, complete the following steps:
1. Go to the Welcome page in the Google Cloud console.
2. Click the switcher list box in the menu bar.
3. Select your organization from the list box, and then search for your project name. The project name, project number, and project ID are shown near the Welcome heading.
Up to 4,000 resources are displayed. If you don't see the project you're looking for, go to the Manage resources page and filter the list using the name of that project.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
* folders/FOLDER_ID, where FOLDER_ID is the ID of the folder that has the asset metadata you want to export.
How to find the ID of a Google Cloud folder
Google Cloud console
To find the ID of a Google Cloud folder, complete the following steps:
1. Go to the Google Cloud console.
2. Click the switcher list box in the menu bar.
3. Select your organization from the list box.
4. Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve the ID of a Google Cloud folder that's located at the organization level with the following command:
gcloud resource-manager folders list \
--organization=$(gcloud organizations describe ORGANIZATION_NAME \
--format="value(name.segment(1))") \
--filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \
--format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME is a partial or full string match for the folder's name. Remove the --format flag to see more information about the found folders.
The previous command doesn't return the IDs of subfolders within folders. To do so, run the following command using a top level folder's ID:
gcloud resource-manager folders list --folder=FOLDER_ID
* organizations/ORGANIZATION_ID, where ORGANIZATION_ID is the ID of the organization that has the asset metadata you want to export.
How to find the ID of a Google Cloud organization
Google Cloud console
To find the ID of a Google Cloud organization, complete the following steps:
1. Go to the Google Cloud console.
2. Click the switcher list box in the menu bar.
3. Select your organization from the list box.
4. Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve the ID of a Google Cloud organization with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
BILLING_PROJECT_ID: The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Read more about setting the billing project.
ASSET_TYPE_#: Optional. An array of searchable asset types. RE2-compatible regular expressions are supported. If the regular expression doesn't match any supported asset type, an INVALID_ARGUMENT error is returned. When assetTypes isn't specified, all asset types are returned.
CONTENT_TYPE: Optional. The content type of the metadata that you want to retrieve. When contentType isn't specified, only basic information is returned, such as asset names, the last time the assets were updated, and what projects, folders, and organizations they belong to.
RELATIONSHIP_TYPE_#: Optional. Requires access to the Security Command Center Premium or Enterprise tier. A comma-separated list of asset relationship types that you want to retrieve. You must set CONTENT_TYPE to RELATIONSHIP for this to work.
SNAPSHOT_TIME: Optional. The time at which you want to take a snapshot of your assets, in RFC 3339 format. The value must be no more than 35 days in the past. When readTime isn't specified, a snapshot is taken at the current time.
OUTPUT_TYPE: Use one of the following values:
* "uri": "gs://BUCKET_NAME/FILE_NAME" to write the output to a file, where:
  * BUCKET_NAME is the name of the Cloud Storage bucket to write to.
  * FILE_NAME is the file to write to in your Cloud Storage bucket.
* "uriPrefix": "gs://BUCKET_NAME/FOLDER_NAME" to write the output to a folder, where:
  * BUCKET_NAME is the name of the Cloud Storage bucket to write to.
  * FOLDER_NAME is the folder to write to in your Cloud Storage bucket. The output is split into subfolders named after asset types. The subfolders must not already exist in the folder that you specify.
See the REST reference for all options.
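The constraints in the parameter list above can be checked on the client before a request is sent, so that a scheduled audit export fails early instead of returning an API error. The following is an added example, not code from the Cloud Asset Inventory documentation or client libraries; the function name build_export_request, its parameters, and the rejection of future timestamps are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Scope path forms listed on this page for the REST URL.
SCOPE_RE = re.compile(r"projects/[a-z0-9][a-z0-9.:-]*|folders/[0-9]+|organizations/[0-9]+")
MAX_SNAPSHOT_AGE = timedelta(days=35)  # "no more than 35 days in the past"

def build_export_request(scope_path, bucket, *, file_name=None, folder_name=None,
                         content_type=None, asset_types=None,
                         relationship_types=None, read_time=None, now=None):
    """Return (url, body) for an exportAssets call, or raise ValueError."""
    if not SCOPE_RE.fullmatch(scope_path):
        raise ValueError(f"unsupported scope path: {scope_path!r}")
    # Exactly one destination form: a single file (uri) or a folder (uriPrefix).
    if (file_name is None) == (folder_name is None):
        raise ValueError("set exactly one of file_name or folder_name")
    key, name = ("uri", file_name) if file_name is not None else ("uriPrefix", folder_name)
    body = {"outputConfig": {"gcsDestination": {key: f"gs://{bucket}/{name}"}}}
    if content_type:
        body["contentType"] = content_type
    if asset_types:
        body["assetTypes"] = list(asset_types)
    if relationship_types:
        # relationshipTypes only works when contentType is RELATIONSHIP.
        if content_type != "RELATIONSHIP":
            raise ValueError("relationship_types requires content_type='RELATIONSHIP'")
        body["relationshipTypes"] = list(relationship_types)
    if read_time is not None:
        if read_time.tzinfo is None:
            raise ValueError("read_time must be timezone-aware")
        now = now or datetime.now(timezone.utc)
        # Assumption of this example: a snapshot time in the future is also refused.
        if read_time > now or now - read_time > MAX_SNAPSHOT_AGE:
            raise ValueError("read_time must fall within the last 35 days")
        # RFC 3339 in UTC, as in the page's readTime example.
        body["readTime"] = read_time.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"https://cloudasset.googleapis.com/v1/{scope_path}:exportAssets", body

if __name__ == "__main__":
    # Constructed sample values that mirror the page's example command.
    print(build_export_request(
        "projects/my-project", "my-bucket", file_name="my-file",
        content_type="RESOURCE", read_time=datetime(2024, 1, 30, tzinfo=timezone.utc),
        now=datetime(2024, 2, 10, tzinfo=timezone.utc)))
```

The returned body can be serialized with json.dumps and sent with the X-Goog-User-Project and Authorization headers shown in the command examples.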
Command examples
Run one of the following commands to export your resource metadata as it was on January 30, 2024 in the my-project project, to the file my-file.txt in the Cloud Storage bucket my-bucket.
curl (Linux, macOS, or Cloud Shell)
curl -X POST \
     -H "X-Goog-User-Project: BILLING_PROJECT_ID" \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d '{
           "contentType": "RESOURCE",
           "readTime": "2024-01-30T00:00:00Z",
           "outputConfig": {
             "gcsDestination": {
               "uri": "gs://my-bucket/my-file"
             }
           }
         }' \
     https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets
PowerShell (Windows)
$cred = gcloud auth print-access-token
$headers = @{ "X-Goog-User-Project" = "BILLING_PROJECT_ID"; "Authorization" = "Bearer $cred" }
# The here-string delimiters must each sit on their own line.
$body = @"
{
  "contentType": "RESOURCE",
  "readTime": "2024-01-30T00:00:00Z",
  "outputConfig": { "gcsDestination": { "uri": "gs://my-bucket/my-file" } }
}
"@
Invoke-WebRequest -Method POST `
  -Headers $headers -ContentType: "application/json; charset=utf-8" `
  -Body $body `
  -Uri "https://cloudasset.googleapis.com/v1/projects/my-project:exportAssets" | Select-Object -Expand Content
Example response
{
  "name": "projects/000000000000/operations/ExportAssets/RESOURCE/00000000000000000000000000000000",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.asset.v1.ExportAssetsRequest",
    "parent": "projects/000000000000",
    "readTime": "2024-01-30T00:00:00Z",
    "contentType": "RESOURCE",
    "outputConfig": {
      "gcsDestination": {
        "uri": "gs://my-bucket/export.txt"
      }
    }
  }
}
C#, Go, Java, Node.js, PHP, Python, Ruby
To learn how to install and use the client library for Cloud Asset Inventory, see Cloud Asset Inventory client libraries.
To authenticate to Cloud Asset Inventory, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Exports take time to complete. To check if an export is done, you can query the operation using its operation ID.
Be aware that even if your export is done, someone might have made another export request to the same destination as a different operation. New export requests to the same destination can be made after a previous request has finished, or if more than 15 minutes has elapsed. Export requests made outside of these conditions are rejected by Cloud Asset Inventory.