Cloud Asset Inventory uses Identity and Access Management (IAM) for access control. Every Cloud Asset Inventory API method requires the caller to have the necessary permissions.
Roles
To get the permissions that you need to work with asset metadata, ask your administrator to grant you the following IAM roles on the organization, folder, or project:
- To view asset metadata:
- To view asset metadata and work with feeds:
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to work with asset metadata. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to work with asset metadata:
- To view asset metadata:
-
cloudasset.assets.* -
recommender.cloudAssetInsights.get -
recommender.cloudAssetInsights.list -
serviceusage.services.use
- To view asset metadata and work with feeds:
-
cloudasset.* -
recommender.cloudAssetInsights.* -
serviceusage.services.use
You might also be able to get these permissions with custom roles or other predefined roles.
Permissions
The following table lists the permissions that the caller must have to call each API method in Cloud Asset Inventory, or to perform tasks using Google Cloud tools that use Cloud Asset Inventory such as the Google Cloud console or gcloud CLI.
The Cloud Asset Viewer (roles/cloudasset.viewer) and Cloud Asset Owner (roles/cloudasset.owner) roles include many of these permissions. If the caller has been granted one of these roles and the Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) role, they might already have the permissions they need to use Cloud Asset Inventory.
RPC
| Method | Required permissions |
| All APIs |
| All Cloud Asset Inventory calls | All Cloud Asset Inventory calls require the serviceusage.services.use permission. |
| Analysis APIs |
AnalyzeIamPolicy
AnalyzeIamPolicyLongRunning
BatchGetEffectiveIamPolicies
| All of the following permissions: cloudasset.assets.analyzeIamPolicy cloudasset.assets.searchAllIamPolicies cloudasset.assets.searchAllResources -
iam.roles.get to analyze policies with custom roles Additional permissions are required for working with Google Workspace. |
AnalyzeMove
| cloudasset.assets.analyzeMove |
AnalyzeOrgPolicies
AnalyzeOrgPolicyGovernedContainers
| All of the following permissions: cloudasset.assets.analyzeOrgPolicy cloudasset.assets.searchAllResources |
AnalyzeOrgPolicyGovernedAssets
| All of the following permissions: cloudasset.assets.analyzeOrgPolicy cloudasset.assets.searchAllIamPolicies cloudasset.assets.searchAllResources |
| Feed APIs |
CreateFeed
| cloudasset.feeds.create
You also need one of the following permissions, depending on the content type: cloudasset.assets.exportIamPolicy cloudasset.assets.exportResource |
DeleteFeed
| cloudasset.feeds.delete |
GetFeed
| cloudasset.feeds.get |
ListFeed
| cloudasset.feeds.list |
UpdateFeed
| cloudasset.feeds.update
You also need one of the following permissions, depending on the content type: cloudasset.assets.exportIamPolicy cloudasset.assets.exportResource |
| Inventory APIs |
BatchGetAssetsHistory
ExportAssets
| One of the following permissions, depending on the content type: -
cloudasset.assets.exportAccessPolicy
When using the ACCESS_POLICY content type. -
cloudasset.assets.exportIamPolicy
When using the IAM_POLICY content type. -
cloudasset.assets.exportOrgPolicy
When using the ORG_POLICY content type. -
cloudasset.assets.exportOSInventories
When using the OS_INVENTORY content type. -
cloudasset.assets.exportResource
When using the RELATIONSHIP or RESOURCE content types. Limiting resource access Granting the cloudasset.assets.exportResource permission to a user allows them to export all resource types. To restrict what resource types a user can export, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.exportComputeDisks permission by itself to allow a user to only export the compute.googleapis.com/Disk resource type. These granular permissions only apply to RESOURCE and unspecified content types. View the list of granular cloudasset.assets.export* permissions. |
ListAssets
| One of the following permissions, depending on the content type: cloudasset.assets.listAccessPolicy cloudasset.assets.listIamPolicy cloudasset.assets.listOrgPolicy cloudasset.assets.listOSInventories -
cloudasset.assets.listResource
When using the RELATIONSHIP or RESOURCE content types. Limiting resource access Granting the cloudasset.assets.listResource permission to a user allows them to list all resource types. To restrict what resource types a user can list, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.listComputeDisks permission by itself to allow a user to only list the compute.googleapis.com/Disk resource type. These granular permissions only apply to RESOURCE and unspecified content types. View the list of granular cloudasset.assets.list* permissions. |
QueryAssets
| One of the following permissions, depending on the content type: |
| Search APIs |
SearchAllIamPolicies
| cloudasset.assets.searchAllIamPolicies |
SearchAllResources
| cloudasset.assets.searchAllResources
You also need cloudasset.assets.searchEnrichmentResourceOwners if searching for resource owner enrichment. |
REST
| Method | Required permissions |
| All APIs |
| All Cloud Asset Inventory calls | All Cloud Asset Inventory calls require the serviceusage.services.use permission. |
| Analysis APIs |
analyzeIamPolicy
analyzeIamPolicyLongRunning
effectiveIamPolicies.batchGet
| All of the following permissions: cloudasset.assets.analyzeIamPolicy cloudasset.assets.searchAllIamPolicies cloudasset.assets.searchAllResources -
iam.roles.get to analyze policies with custom roles Additional permissions are required for working with Google Workspace. |
analyzeMove
| cloudasset.assets.analyzeMove |
analyzeOrgPolicies
analyzeOrgPolicyGovernedContainers
| All of the following permissions: cloudasset.assets.analyzeOrgPolicy cloudasset.assets.searchAllResources |
analyzeOrgPolicyGovernedAssets
| All of the following permissions: cloudasset.assets.analyzeOrgPolicy cloudasset.assets.searchAllIamPolicies cloudasset.assets.searchAllResources |
| Feed APIs |
feeds.create
| cloudasset.feeds.create
You also need one of the following permissions, depending on the content type: cloudasset.assets.exportIamPolicy cloudasset.assets.exportResource |
feeds.delete
| cloudasset.feeds.delete |
feeds.get
| cloudasset.feeds.get |
feeds.list
| cloudasset.feeds.list |
feeds.patch
| cloudasset.feeds.update
You also need one of the following permissions, depending on the content type: cloudasset.assets.exportIamPolicy cloudasset.assets.exportResource |
| Inventory APIs |
batchGetAssetsHistory
exportAssets
| One of the following permissions, depending on the content type: -
cloudasset.assets.exportAccessPolicy
When using the ACCESS_POLICY content type. -
cloudasset.assets.exportIamPolicy
When using the IAM_POLICY content type. -
cloudasset.assets.exportOrgPolicy
When using the ORG_POLICY content type. -
cloudasset.assets.exportOSInventories
When using the OS_INVENTORY content type. -
cloudasset.assets.exportResource
When using the RELATIONSHIP or RESOURCE content types. Limiting resource access Granting the cloudasset.assets.exportResource permission to a user allows them to export all resource types. To restrict what resource types a user can export, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.exportComputeDisks permission by itself to allow a user to only export the compute.googleapis.com/Disk resource type. These granular permissions only apply to RESOURCE and unspecified content types. View the list of granular cloudasset.assets.export* permissions. |
assets.list
| One of the following permissions, depending on the content type: cloudasset.assets.listAccessPolicy cloudasset.assets.listIamPolicy cloudasset.assets.listOrgPolicy cloudasset.assets.listOSInventories -
cloudasset.assets.listResource
When using the RELATIONSHIP or RESOURCE content types. Limiting resource access Granting the cloudasset.assets.listResource permission to a user allows them to list all resource types. To restrict what resource types a user can list, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.listComputeDisks permission by itself to allow a user to only list the compute.googleapis.com/Disk resource type. These granular permissions only apply to RESOURCE and unspecified content types. View the list of granular cloudasset.assets.list* permissions. |
queryAssets
| One of the following permissions, depending on the content type: |
| Search APIs |
searchAllIamPolicies
| cloudasset.assets.searchAllIamPolicies |
searchAllResources
| cloudasset.assets.searchAllResources
You also need cloudasset.assets.searchEnrichmentResourceOwners if searching for resource owner enrichment. |
gcloud
| Positional statement | Required permissions |
| All APIs |
| All Cloud Asset Inventory calls | All Cloud Asset Inventory calls require the serviceusage.services.use permission. |
| Analysis APIs |
analyze-iam-policy
analyze-iam-policy-longrunning
get-effective-iam-policy
| All of the following permissions: cloudasset.assets.analyzeIamPolicy cloudasset.assets.searchAllIamPolicies cloudasset.assets.searchAllResources -
iam.roles.get to analyze policies with custom roles Additional permissions are required for working with Google Workspace. |
analyze-move
| cloudasset.assets.analyzeMove |
analyze-org-policies
analyze-org-policy-governed-containers
| All of the following permissions: cloudasset.assets.analyzeOrgPolicy cloudasset.assets.searchAllResources |
analyze-org-policy-governed-assets
| All of the following permissions: cloudasset.assets.analyzeOrgPolicy cloudasset.assets.searchAllIamPolicies cloudasset.assets.searchAllResources |
| Feed APIs |
feeds create
| cloudasset.feeds.create
You also need one of the following permissions, depending on the content type: cloudasset.assets.exportIamPolicy cloudasset.assets.exportResource |
feeds delete
| cloudasset.feeds.delete |
feeds describe
| cloudasset.feeds.get |
feeds list
| cloudasset.feeds.list |
feeds update
| cloudasset.feeds.update
You also need one of the following permissions, depending on the content type: cloudasset.assets.exportIamPolicy cloudasset.assets.exportResource |
| Inventory APIs |
export
get-history
| One of the following permissions, depending on the content type: -
cloudasset.assets.exportAccessPolicy
When using the ACCESS_POLICY content type. -
cloudasset.assets.exportIamPolicy
When using the IAM_POLICY content type. -
cloudasset.assets.exportOrgPolicy
When using the ORG_POLICY content type. -
cloudasset.assets.exportOSInventories
When using the OS_INVENTORY content type. -
cloudasset.assets.exportResource
When using the RELATIONSHIP or RESOURCE content types. Limiting resource access Granting the cloudasset.assets.exportResource permission to a user allows them to export all resource types. To restrict what resource types a user can export, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.exportComputeDisks permission by itself to allow a user to only export the compute.googleapis.com/Disk resource type. These granular permissions only apply to RESOURCE and unspecified content types. View the list of granular cloudasset.assets.export* permissions. |
list
| One of the following permissions, depending on the content type: cloudasset.assets.listAccessPolicy cloudasset.assets.listIamPolicy cloudasset.assets.listOrgPolicy cloudasset.assets.listOSInventories -
cloudasset.assets.listResource
When using the RELATIONSHIP or RESOURCE content types. Limiting resource access Granting the cloudasset.assets.listResource permission to a user allows them to list all resource types. To restrict what resource types a user can list, you can grant permissions for each resource type instead. For example, you can grant the cloudasset.assets.listComputeDisks permission by itself to allow a user to only list the compute.googleapis.com/Disk resource type. These granular permissions only apply to RESOURCE and unspecified content types. View the list of granular cloudasset.assets.list* permissions. |
query
| One of the following permissions, depending on the content type: |
| Search APIs |
search-all-iam-policies
| cloudasset.assets.searchAllIamPolicies |
search-all-resources
| cloudasset.assets.searchAllResources
You also need cloudasset.assets.searchEnrichmentResourceOwners if searching for resource owner enrichment. |
Console
The Google Cloud console uses the SearchAllResources API to request data. To use Cloud Asset Inventory in the Google Cloud console, grant the following permissions:
cloudasset.assets.searchAllResources serviceusage.services.use
## VPC Service Controls VPC Service Controls can be used with Cloud Asset Inventory to provide additional security for your assets. To learn more about VPC Service Controls, see the Overview of VPC Service Controls.
To learn about the limitations in using Cloud Asset Inventory with VPC Service Controls, see the supported products and limitations.
