This topic shows you how to configure Cloud Asset Inventory and VM Manager's OS inventory so that you can view the runtime information of your VMs.
Before you begin
Before you begin, complete the following steps.
Enable the Cloud Asset Inventory API on the project where you'll be running the API commands.
Configure the permissions that are required to call the Cloud Asset Inventory API using either the gcloud CLI or the API.
Complete the following steps to set up your environment.
gcloud CLI
To set up your environment to use the gcloud CLI to call the Cloud Asset Inventory API, install the Google Cloud CLI on your local client.
REST
To set up your environment to call the Cloud Asset Inventory API with the
curl
command, complete the following steps.Confirm that you have access to the
curl
command.Ensure that you grant your account one of the following roles on your project, folder, or organization.
Cloud Asset Viewer role (
roles/cloudasset.viewer
)Owner basic role (
roles/owner
)
Enabling OS inventory
To enable OS inventory, which is part of the VM Manager suite, complete the relevant steps in Set up VM Manager.
Setting permissions
Ensure that your account has the cloudasset.assets.exportOSInventories
permission on the root resource that contains the assets you want export. You
can grant this permission individually, or you can grant one of the following
roles on the root resource.
Cloud Asset Viewer (
roles/cloudasset.viewer
) roleCloud Asset Owner (
roles/cloudasset.owner
) role
Learn more about configuring permissions and Cloud Asset Inventory IAM roles.
Exporting VM Manager data to BigQuery
To export OS inventory snapshot at a given timestamp, use the following command.
gcloud
Projects
gcloud asset export \
--project=PROJECT_ID \
--billing-project=BILLING_PROJECT_ID \
--content-type=os-inventory \
--snapshot-time="SNAPSHOT_TIME" \
--bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
--output-bigquery-force
Provide the following values:
PROJECT_ID
: The ID of the project whose metadata is being exported.BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.SNAPSHOT_TIME
: Optional. The time at which you want to take a snapshot of your assets. The value must be the current time or a time in the past. By default, a snapshot is taken at the current time. For information on time formats, see gcloud topic datetimes.DATASET_ID
: The ID of the BigQuery dataset.TABLE_NAME
: The table to which you're exporting your metadata.
Other flags:
--output-bigquery-force
: Overwrites the destination table if it exists.
Folders
gcloud asset export \
--folder=FOLDER_ID \
--billing-project=BILLING_PROJECT_ID \
--content-type=os-inventory \
--snapshot-time="SNAPSHOT_TIME" \
--bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
--output-bigquery-force
Provide the following values:
FOLDER_ID
: The ID of the folder whose metadata is being exported.How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.SNAPSHOT_TIME
: Optional. The time at which you want to take a snapshot of your assets. The value must be the current time or a time in the past. By default, a snapshot is taken at the current time. For information on time formats, see gcloud topic datetimes.DATASET_ID
: The ID of the BigQuery dataset.TABLE_NAME
: The table to which you're exporting your metadata.
Other flags:
--output-bigquery-force
: Overwrites the destination table if it exists.
Organizations
gcloud asset export \
--organization=ORGANIZATION_ID \
--billing-project=BILLING_PROJECT_ID \
--content-type=os-inventory \
--snapshot-time="SNAPSHOT_TIME" \
--bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
--output-bigquery-force
Provide the following values:
ORGANIZATION_ID
: The ID of the organization whose metadata is being exported.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.SNAPSHOT_TIME
: Optional. The time at which you want to take a snapshot of your assets. The value must be the current time or a time in the past. By default, a snapshot is taken at the current time. For information on time formats, see gcloud topic datetimes.DATASET_ID
: The ID of the BigQuery dataset.TABLE_NAME
: The table to which you're exporting your metadata.
Other flags:
--output-bigquery-force
: Overwrites the destination table if it exists.
REST
curl -X POST \
-H "X-Goog-User-Project: BILLING_PROJECT_ID" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"contentType": "OS_INVENTORY",
"readTime": "SNAPSHOT_TIME",
"outputConfig": {
"bigqueryDestination": {
"dataset": "projects/PROJECT_ID/datasets/DATASET_ID",
"table": "TABLE_NAME",
"force": true
}
}
}' \
https://cloudasset.googleapis.com/v1/SCOPE:exportAssets
Provide the following values:
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.SNAPSHOT_TIME
: Optional. The time at which you want to take a snapshot of your assets, in RFC 3339 format. The value must be the current time or a time no more than 35 days in the past. When not provided, a snapshot is taken at the current time.PROJECT_ID
: The ID of the project that the BigQuery table is in.DATASET_ID
: The ID of the BigQuery dataset.TABLE_NAME
: The table to which you're exporting your metadata.SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
To export VM Manager vulnerability reports from a project to BigQuery, use the following command.
gcloud
Projects
gcloud asset export \
--project=PROJECT_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=osconfig.googleapis.com/VulnerabilityReport \
--content-type=resource \
--bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
--output-bigquery-force
Provide the following values:
PROJECT_ID
: The ID of the project whose metadata is being exported.BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.DATASET_ID
: The ID of the BigQuery dataset.TABLE_NAME
: The table to which you're exporting your metadata.
Other flags:
--output-bigquery-force
: Overwrites the destination table if it exists.
Folders
gcloud asset export \
--folder=FOLDER_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=osconfig.googleapis.com/VulnerabilityReport \
--content-type=resource \
--bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
--output-bigquery-force
Provide the following values:
FOLDER_ID
: The ID of the folder whose metadata is being exported.How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.DATASET_ID
: The ID of the BigQuery dataset.TABLE_NAME
: The table to which you're exporting your metadata.
Other flags:
--output-bigquery-force
: Overwrites the destination table if it exists.
Organizations
gcloud asset export \
--organization=ORGANIZATION_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=osconfig.googleapis.com/VulnerabilityReport \
--content-type=resource \
--bigquery-table=projects/PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
--output-bigquery-force
Provide the following values:
ORGANIZATION_ID
: The ID of the organization whose metadata is being exported.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.DATASET_ID
: The ID of the BigQuery dataset.TABLE_NAME
: The table to which you're exporting your metadata.
Other flags:
--output-bigquery-force
: Overwrites the destination table if it exists.
REST
curl -X POST \
-H "X-Goog-User-Project: BILLING_PROJECT_ID" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"assetTypes": ["osconfig.googleapis.com/VulnerabilityReport"],
"contentType": "RESOURCE",
"outputConfig": {
"bigqueryDestination": {
"dataset": "projects/PROJECT_ID/datasets/DATASET_ID",
"table": "TABLE_NAME",
"force": true
}
}
}' \
https://cloudasset.googleapis.com/v1/SCOPE:exportAssets
Provide the following values:
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your BigQuery datasets and tables. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.PROJECT_ID
: The ID of the project that the BigQuery table is in.DATASET_ID
: The ID of the BigQuery dataset.TABLE_NAME
: The table to which you're exporting your metadata.SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
Other parameters:
"force": true
: Overwrites the destination table if it exists.
Existing tables
Appending the export output to an existing table is not supported. The
destination table must be empty or you must overwrite it. To overwrite it, use
the --output-bigquery-force
flag with the gcloud CLI, or use
force
with the REST API.
If the output table is in use when you try to write to it, a 400
response is
returned with the message Request contains an invalid argument
.
Exporting VM Manager data to Cloud Storage
To export the VM Manager inventory data for all VM instances in a project, use the following gcloud CLI command or the Cloud Asset Inventory API.
gcloud
Projects
gcloud asset export \
--project=PROJECT_ID \
--billing-project=BILLING_PROJECT_ID \
--content-type=os-inventory \
--output-path="gs://BUCKET_NAME/FILENAME"
Provide the following values:
PROJECT_ID
: The ID of the project whose metadata is being exported.BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.BUCKET_NAME
: The name of the Cloud Storage bucket to write to.FILENAME
: The file in your Cloud Storage bucket to write to.
Folders
gcloud asset export \
--folder=FOLDER_ID \
--billing-project=BILLING_PROJECT_ID \
--content-type=os-inventory \
--output-path="gs://BUCKET_NAME/FILENAME"
Provide the following values:
FOLDER_ID
: The ID of the folder whose metadata is being exported.How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.BUCKET_NAME
: The name of the Cloud Storage bucket to write to.FILENAME
: The file in your Cloud Storage bucket to write to.
Organizations
gcloud asset export \
--organization=ORGANIZATION_ID \
--billing-project=BILLING_PROJECT_ID \
--content-type=os-inventory \
--output-path="gs://BUCKET_NAME/FILENAME"
Provide the following values:
ORGANIZATION_ID
: The ID of the organization whose metadata is being exported.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.BUCKET_NAME
: The name of the Cloud Storage bucket to write to.FILENAME
: The file in your Cloud Storage bucket to write to.
REST
curl -X POST \
-H "X-Goog-User-Project: BILLING_PROJECT_ID" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"contentType": "OS_INVENTORY",
"outputConfig": {
"gcsDestination": {
"uri": "gs://BUCKET_NAME/FILENAME"
}
}
}' \
https://cloudasset.googleapis.com/v1/SCOPE:exportAssets
Provide the following values:
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.BUCKET_NAME
: The name of the Cloud Storage bucket to write to.FILENAME
: The file in your Cloud Storage bucket to write to.SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
To export VM Manager vulnerability reports from a project to Cloud Storage, use the following gcloud CLI command or the Cloud Asset Inventory API.
gcloud
Projects
gcloud asset export \
--project=PROJECT_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=osconfig.googleapis.com/VulnerabilityReport \
--content-type=resource \
--output-path="gs://BUCKET_NAME/FILENAME"
Provide the following values:
PROJECT_ID
: The ID of the project whose metadata is being exported.BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.BUCKET_NAME
: The name of the Cloud Storage bucket to write to.FILENAME
: The file in your Cloud Storage bucket to write to.
Folders
gcloud asset export \
--folder=FOLDER_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=osconfig.googleapis.com/VulnerabilityReport \
--content-type=resource \
--output-path="gs://BUCKET_NAME/FILENAME"
Provide the following values:
FOLDER_ID
: The ID of the folder whose metadata is being exported.How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.BUCKET_NAME
: The name of the Cloud Storage bucket to write to.FILENAME
: The file in your Cloud Storage bucket to write to.
Organizations
gcloud asset export \
--organization=ORGANIZATION_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=osconfig.googleapis.com/VulnerabilityReport \
--content-type=resource \
--output-path="gs://BUCKET_NAME/FILENAME"
Provide the following values:
ORGANIZATION_ID
: The ID of the organization whose metadata is being exported.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.BUCKET_NAME
: The name of the Cloud Storage bucket to write to.FILENAME
: The file in your Cloud Storage bucket to write to.
REST
curl -X POST \
-H "X-Goog-User-Project: BILLING_PROJECT_ID" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"assetTypes": ["osconfig.googleapis.com/VulnerabilityReport"],
"contentType": "RESOURCE",
"outputConfig": {
"gcsDestination": {
"uri": "gs://BUCKET_NAME/FILENAME"
}
}
}' \
https://cloudasset.googleapis.com/v1/SCOPE:exportAssets
Provide the following values:
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permission to write to your Cloud Storage bucket. Not required if you've already switched to the billing project withgcloud config set project
. Read more about billing projects.BUCKET_NAME
: The name of the Cloud Storage bucket to write to.FILENAME
: The file in your Cloud Storage bucket to write to.SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
Existing files
If the output file is in use when you try to write to a storage bucket, a 400
response is returned with the message Request contains an invalid argument
.
Getting VM Manager data history
To get the history of all OS inventory assets for a specified VM instance in a project, folder, or organization, run the following commands.
gcloud
Projects
gcloud asset get-history \
--project=PROJECT_ID \
--asset-names=//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME \
--content-type=os-inventory \
--start-time="START_TIME" \
--end-time="END_TIME"
Provide the following values:
PROJECT_ID
: The ID of the project where the VM instance is located.ZONE
: The zone your VM instance is in. For example,us-central1-a
.VM_INSTANCE_NAME
: The name of your VM instance.START_TIME
: Optional. The beginning of the time range. The value must be the current time or a time no more than 35 days in the past. For information on time formats, see gcloud topic datetimes.END_TIME
: Optional. The finishing point of the time range. The value must be the current time or a time no more than 35 days in the past. When not provided, the end time is assumed to be the current time. For information on time formats, see gcloud topic datetimes.
To get the history of VM Manager vulnerability data for a specific VM in a project, run the following command:
gcloud asset get-history \
--project=PROJECT_ID \
--asset-names=//osconfig.googleapis.com/projects/PROJECT_NUMBER/locations/ZONE/instances/VM_INSTANCE_ID/vulnerabilityReport \
--content-type=resource \
--start-time="START_TIME" \
--end-time="END_TIME"
Folders
gcloud asset get-history \
--folder=FOLDER_ID \
--asset-names=//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME \
--content-type=os-inventory \
--start-time="START_TIME" \
--end-time="END_TIME"
Provide the following values:
FOLDER_ID
: The ID of the folder where the VM instance is located.How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
ZONE
: The zone your VM instance is in. For example,us-central1-a
.VM_INSTANCE_NAME
: The name of your VM instance.START_TIME
: Optional. The beginning of the time range. The value must be the current time or a time no more than 35 days in the past. For information on time formats, see gcloud topic datetimes.END_TIME
: Optional. The finishing point of the time range. The value must be the current time or a time no more than 35 days in the past. When not provided, the end time is assumed to be the current time. For information on time formats, see gcloud topic datetimes.
To get the history of VM Manager vulnerability data for a specific VM in a project, run the following command:
gcloud asset get-history \
--folder=FOLDER_ID \
--asset-names=//osconfig.googleapis.com/projects/PROJECT_NUMBER/locations/ZONE/instances/VM_INSTANCE_ID/vulnerabilityReport \
--content-type=resource \
--start-time="START_TIME" \
--end-time="END_TIME"
Organizations
gcloud asset get-history \
--organization=ORGANIZATION_ID \
--asset-names=//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME \
--content-type=os-inventory \
--start-time="START_TIME" \
--end-time="END_TIME"
Provide the following values:
ORGANIZATION_ID
: The ID of the organization where the VM instance is located.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
ZONE
: The zone your VM instance is in. For example,us-central1-a
.VM_INSTANCE_NAME
: The name of your VM instance.START_TIME
: Optional. The beginning of the time range. The value must be the current time or a time no more than 35 days in the past. For information on time formats, see gcloud topic datetimes.END_TIME
: Optional. The finishing point of the time range. The value must be the current time or a time no more than 35 days in the past. When not provided, the end time is assumed to be the current time. For information on time formats, see gcloud topic datetimes.
To get the history of VM Manager vulnerability data for a specific VM in a project, run the following command:
gcloud asset get-history \
--organization=ORGANIZATION_ID \
--asset-names=//osconfig.googleapis.com/projects/PROJECT_NUMBER/locations/ZONE/instances/VM_INSTANCE_ID/vulnerabilityReport \
--content-type=resource \
--start-time="START_TIME" \
--end-time="END_TIME"
REST
To get the history of all OS inventory assets for a specified VM instance in a project, run the following command:
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"assetNames": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/VM_INSTANCE_NAME",
"contentType": "OS_INVENTORY",
"readTimeWindow": {
"startTime": "START_TIME",
"endTime": "END_TIME"
}
}' \
https://cloudasset.googleapis.com/v1/SCOPE:batchGetAssetsHistory
Provide the following values:
PROJECT_ID
: The ID of the project where the VM instance is located.ZONE
: The zone your VM instance is in. For example,us-central1-a
.VM_INSTANCE_NAME
: The name of your VM instance.START_TIME
: Optional. The beginning of the time range. The value must be the current time or a time no more than 35 days in the past. For information on time formats, see gcloud topic datetimes.END_TIME
: Optional. The finishing point of the time range. The value must be the current time or a time no more than 35 days in the past. When not provided, the end time is assumed to be the current time. For information on time formats, see gcloud topic datetimes.SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
To get the history of VM Manager vulnerability data for a specific VM in a project, run the following command:
curl -X POST \
-H "X-HTTP-Method-Override: GET" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"assetNames": "//osconfig.googleapis.com/projects/PROJECT_ID/locations/ZONE/instances/VM_INSTANCE_NAME/vulnerabilityReport",
"contentType": "RESOURCE",
"readTimeWindow": {
"startTime": "START_TIME",
"endTime": "END_TIME"
}
}' \
https://cloudasset.googleapis.com/v1/SCOPE:batchGetAssetsHistory
Monitoring VM Manager data changes with Pub/Sub
After creating a Pub/Sub topic, run the following commands to monitor VM Manager changes.
gcloud
Projects
To create a feed for monitoring VMs with Windows OS installed, run the following command:
gcloud asset feeds create FEED_ID \
--project=PROJECT_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=compute.googleapis.com/Instance \
--content-type=os-inventory \
--pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
--condition-title="CONDITION_TITLE" \
--condition-description="CONDITION_DESCRIPTION" \
--condition-expression="temporal_asset.asset.os_inventory.os_info.short_name == \"windows\""
Provide the following values:
FEED_ID
: A unique asset feed identifier.PROJECT_ID
: The ID of the project whose metadata is being sent to the feed.BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.TOPIC_ID
: The ID of the Pub/Sub topic to publish notifications to.CONDITION_TITLE
: Optional. The title of the condition to apply to the feed.CONDITION_DESCRIPTION
: Optional. The description of the condition to apply to the feed.
To create a feed for monitoring the VM vulnerability data in a project, run the following command:
gcloud asset feeds create FEED_ID \
--project=PROJECT_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=osconfig.googleapis.com/VulnerabilityReport \
--content-type=resource \
--pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID"
Folders
To create a feed for monitoring VMs with Windows OS installed, run the following command:
gcloud asset feeds create FEED_ID \
--folder=FOLDER_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=compute.googleapis.com/Instance \
--content-type=os-inventory \
--pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
--condition-title="CONDITION_TITLE" \
--condition-description="CONDITION_DESCRIPTION" \
--condition-expression="temporal_asset.asset.os_inventory.os_info.short_name == \"windows\""
Provide the following values:
FEED_ID
: A unique asset feed identifier.FOLDER_ID
: The ID of the folder whose metadata is being sent to the feed.How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.TOPIC_ID
: The ID of the Pub/Sub topic to publish notifications to.CONDITION_TITLE
: Optional. The title of the condition to apply to the feed.CONDITION_DESCRIPTION
: Optional. The description of the condition to apply to the feed.
To create a feed for monitoring the VM vulnerability data in a project, run the following command:
gcloud asset feeds create FEED_ID \
--folder=FOLDER_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=osconfig.googleapis.com/VulnerabilityReport \
--content-type=resource \
--pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID"
Organizations
To create a feed for monitoring VMs with Windows OS installed, run the following command:
gcloud asset feeds create FEED_ID \
--organization=ORGANIZATION_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=compute.googleapis.com/Instance \
--content-type=os-inventory \
--pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID" \
--condition-title="CONDITION_TITLE" \
--condition-description="CONDITION_DESCRIPTION" \
--condition-expression="temporal_asset.asset.os_inventory.os_info.short_name == \"windows\""
Provide the following values:
FEED_ID
: A unique asset feed identifier.ORGANIZATION_ID
: The ID of the organization whose metadata is being sent to the feed.How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.TOPIC_ID
: The ID of the Pub/Sub topic to publish notifications to.CONDITION_TITLE
: Optional. The title of the condition to apply to the feed.CONDITION_DESCRIPTION
: Optional. The description of the condition to apply to the feed.
To create a feed for monitoring the VM vulnerability data in a project, run the following command:
gcloud asset feeds create FEED_ID \
--organization=ORGANIZATION_ID \
--billing-project=BILLING_PROJECT_ID \
--asset-types=osconfig.googleapis.com/VulnerabilityReport \
--content-type=resource \
--pubsub-topic="projects/PROJECT_ID/topics/TOPIC_ID"
REST
To create a feed for monitoring VMs with Windows OS installed, run the following command:
curl -X POST \
-H "X-Goog-User-Project: BILLING_PROJECT_ID" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"feedId": "FEED_ID",
"feed": {
"assetTypes": ["compute.googleapis.com/Instance"],
"contentType": "OS_INVENTORY",
"feedOutputConfig": {
"pubsubDestination": {
"topic": "projects/PROJECT_ID/topics/TOPIC_ID"
}
},
"condition": {
"title": "CONDITION_TITLE",
"description": "CONDITION_DESCRIPTION",
"expression": "temporal_asset.asset.os_inventory.os_info.short_name == \"windows\""
}
}
}' \
https://cloudasset.googleapis.com/v1/SCOPE/feeds
Provide the following values:
BILLING_PROJECT_ID
: Optional. The project ID that the default Cloud Asset Inventory service agent is in that has permissions to manage your Pub/Sub topic. Read more about billing projects.FEED_ID
: A unique asset feed identifier.PROJECT_ID
: The ID of the project where the Pub/Sub topic is located.TOPIC_ID
: The ID of the Pub/Sub topic to publish notifications to.CONDITION_TITLE
: Optional. The title of the condition to apply to the feed.CONDITION_DESCRIPTION
: Optional. The description of the condition to apply to the feed.SCOPE
: A scope can be a project, a folder, or an organization.The allowed values are:
projects/PROJECT_ID
projects/PROJECT_NUMBER
How to find a Google Cloud project number
Console
To find a Google Cloud project number, complete the following steps:
-
Go to the Dashboard page in the Google Cloud console.
- Click the switcher box in the menu bar.
- Select your organization from the Select from box, and then search for your project name.
- Click the project name to switch to that project. The project number is shown in the Project info card.
gcloud CLI
You can retrieve a Google Cloud project number with the following command:
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
-
folders/FOLDER_ID
How to find a Google Cloud folder ID
Console
To find a Google Cloud folder ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Search for your folder name. The folder ID is shown next to the folder name.
gcloud CLI
You can retrieve a Google Cloud folder ID that's located at the organization level with the following command:
gcloud resource-manager folders list \ --organization=$(gcloud organizations describe ORGANIZATION_NAME \ --format="value(name.segment(1))") \ --filter='"DISPLAY_NAME":"TOP_LEVEL_FOLDER_NAME"' \ --format="value(ID)"
Where TOP_LEVEL_FOLDER_NAME can be a full or partial string match. Remove the
--format
option to see further information about the found folders.To get the ID of a folder within another folder, list the subfolders:
gcloud resource-manager folders list --folder=FOLDER_ID
-
organizations/ORGANIZATION_ID
How to find a Google Cloud organization ID
Console
To find a Google Cloud organization ID, complete the following steps:
-
Go to the Google Cloud console.
- Click the switcher box in the menu bar.
- Click the Select from box, and then select your organization.
- Click the All tab. The organization ID is shown next to the organization name.
gcloud CLI
You can retrieve a Google Cloud organization ID with the following command:
gcloud organizations describe ORGANIZATION_NAME --format="value(name.segment(1))"
-
To create a feed for monitoring the VM vulnerability data, run the following command:
curl -X POST \
-H "X-Goog-User-Project: BILLING_PROJECT_ID" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{
"feedId": "FEED_ID",
"feed": {
"assetTypes": ["osconfig.googleapis.com/VulnerabilityReport"],
"contentType": "RESOURCE",
"feedOutputConfig": {
"pubsubDestination": {
"topic": "projects/PROJECT_ID/topics/TOPIC_ID"
}
}
}
}' \
https://cloudasset.googleapis.com/v1/SCOPE/feeds
See Monitoring asset changes for more details.