
Cloud Asset Inventory

Google Cloud Asset Inventory is a powerful input component that enables the collection and ingestion of asset data from Google Cloud Platform environments. It provides comprehensive visibility into cloud resources across organizations, folders, and projects. The component supports scanning various asset types and can be configured to run on a scheduled basis. It is compatible with both organization and project-level scanning, making it suitable for both enterprise-wide and project-specific asset inventory needs.

Sync Type: Full Synchronisation

Requirements

Required Permissions

  • Cloud Asset Viewer role (roles/cloudasset.viewer)
  • Security Reviewer role (roles/iam.securityReviewer)
  • Organization Viewer role (optional, for org hierarchy information)

IAM permissions

Setting up IAM permissions in GCP can be complicated. However, the setup of a service account is greatly simplified by using the gcloud CLI, which is also available in the web console.

# Set your variables
# PROJECT_ID is the project ID string of your project (which may include a numeric
# suffix, e.g. "my-project-123456"); it is not the bare project number
export PROJECT_ID="your-project-id"
export SERVICE_ACCOUNT_NAME="asset-inventory-scanner"
export SERVICE_ACCOUNT_DISPLAY_NAME="Cloud Asset Inventory Scanner"
# ORGANIZATION_ID is the numeric organization ID used in the bindings below
export ORGANIZATION_ID="your-org-id"

# Create the service account
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME \
--project=$PROJECT_ID \
--display-name="$SERVICE_ACCOUNT_DISPLAY_NAME" \
--description="Service account for Cloud Asset Inventory scanning"

# Get the service account email
export SERVICE_ACCOUNT_EMAIL="${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Grant required roles
gcloud organizations add-iam-policy-binding ${ORGANIZATION_ID} \
--member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
--role="roles/cloudasset.viewer"

gcloud organizations add-iam-policy-binding ${ORGANIZATION_ID} \
--member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
--role="roles/iam.securityReviewer"

gcloud organizations add-iam-policy-binding ${ORGANIZATION_ID} \
--member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
--role="roles/resourcemanager.organizationViewer"

# Create and download the key
gcloud iam service-accounts keys create asset-inventory-key.json \
--project=$PROJECT_ID \
--iam-account=${SERVICE_ACCOUNT_EMAIL}

Configuration Options

Settings

Setting | Type | Required | Description
resource_names | []string | Yes | The names of the resources to scan (organizations, projects or folders). Resource names must be in one of the following formats: "organizations/[organization-number]" (such as "organizations/123"), "projects/[project-id]" (such as "projects/my-project-id"), "projects/[project-number]" (such as "projects/12345"), or "folders/[folder-number]" (such as "folders/12345").
asset_types | []string | No | The types of assets to scan for. If empty, scans all assets. For a list of all asset types see https://cloud.google.com/asset-inventory/docs/asset-types
cron | string | Yes | Cron expression for scheduling the input.

Secrets

Secret | Type | Required | Description
credentials_json | string (base64) | Yes | JSON credentials to authenticate with Google Cloud

Example Configuration

{
  "settings": {
    "resource_names": ["organizations/123456789"],
    "asset_types": ["compute.googleapis.com/Instance"],
    "cron": "0 */6 * * *"
  },
  "secrets": {
    "credentials_json": "<base64-encoded-credentials>"
  }
}
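The Settings and Secrets tables above define the shape of this configuration, and "Validate resource name format" is one of the troubleshooting steps later on the page. The following validator is an added example (not part of the component) that checks a configuration document before it is deployed: resource names against the documented formats, asset types for the service/Kind shape, the cron field for five fields, and credentials_json for a base64-wrapped service-account key. The project-id pattern assumes Google's documented project ID rules; the sample key is constructed and is not a real credential.

```python
import base64
import json
import re

# Accepted resource_names formats (Settings table): organizations/<number>,
# folders/<number>, projects/<number> or projects/<id>. The project-id rule
# assumes Google's documented format (6-30 chars, lowercase letters, digits,
# hyphens, starting with a letter and not ending with a hyphen).
RESOURCE_NAME_RE = re.compile(
    r"^(organizations/\d+|folders/\d+|projects/(\d+|[a-z][a-z0-9-]{4,28}[a-z0-9]))$"
)
# Loose structural check for a five-field cron expression, not a full cron parser.
CRON_RE = re.compile(r"^\S+(\s+\S+){4}$")
# Asset types have a "<service>/<Kind>" shape, e.g. compute.googleapis.com/Instance.
ASSET_TYPE_RE = re.compile(r"^[a-z0-9.-]+/[A-Za-z0-9]+$")

# Constructed service-account key (not a real credential), base64-encoded the
# way the credentials_json secret expects.
SAMPLE_KEY_B64 = base64.b64encode(json.dumps({
    "type": "service_account",
    "client_email": "asset-inventory-scanner@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
}).encode()).decode()


def validate_config(config: dict) -> list:
    """Return the problems found in a component configuration (empty list = ok)."""
    problems = []
    settings = config.get("settings", {})
    names = settings.get("resource_names")
    if not isinstance(names, list) or not names:
        problems.append("settings.resource_names must be a non-empty list")
    else:
        for name in names:
            if not isinstance(name, str) or not RESOURCE_NAME_RE.match(name):
                problems.append(f"invalid resource name: {name!r}")
    for atype in settings.get("asset_types") or []:
        if not isinstance(atype, str) or not ASSET_TYPE_RE.match(atype):
            problems.append(f"invalid asset type: {atype!r}")
    cron = settings.get("cron")
    if not isinstance(cron, str) or not CRON_RE.match(cron):
        problems.append("settings.cron must be a five-field cron expression")
    # credentials_json must be base64 wrapping a service-account key document.
    raw = config.get("secrets", {}).get("credentials_json", "")
    try:
        key = json.loads(base64.b64decode(raw, validate=True))
    except (ValueError, TypeError):
        problems.append("secrets.credentials_json is not base64-encoded JSON")
        return problems
    if not isinstance(key, dict) or key.get("type") != "service_account" \
            or not {"client_email", "private_key"} <= set(key):
        problems.append("secrets.credentials_json is not a service-account key")
    return problems
```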

Functionality

The component operates by:

  1. Authenticating with Google Cloud using provided credentials
  2. Iterating through specified resource names (organizations/folders/projects)
  3. Querying the Cloud Asset Inventory API for specified asset types
  4. Processing and enriching asset data with additional metadata
  5. Streaming results through the data channel

Best Practices

  • Use organization-level scanning when possible for comprehensive visibility
  • Implement appropriate RBAC for service accounts
  • Schedule scans during off-peak hours
  • Filter asset types to reduce unnecessary data collection

Limitations

  • API quotas and rate limits apply
  • Some asset types may not be available at project level
  • Historical asset data limited by GCP retention policies

Troubleshooting

Common Issues

  • Insufficient IAM permissions
  • Invalid resource names
  • API quotas exceeded

Resolution Steps

  1. Verify service account permissions
  2. Validate resource name format
  3. Check API quotas in Cloud Console

API Reference

This component uses the Cloud Asset API v1.

Endpoint: https://cloudasset.googleapis.com/v1

API Example

# List assets using curl
# Replace {organization-id} with the numeric organization ID (see the resource_names formats above)
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://cloudasset.googleapis.com/v1/organizations/{organization-id}/assets"

Sample Record

{
  "asset": {
    "AccessContextPolicy": null,
    "ancestors": [
      "projects/7035106112392"
    ],
    "asset_type": "storage.googleapis.com/Bucket",
    "name": "//storage.googleapis.com/test-cloud-assets-bucket",
    "resource": {
      "data": {
        "acl": [],
        "autoclass": {},
        "billing": {},
        "cors": [],
        "customPlacementConfig": {},
        "defaultObjectAcl": [],
        "encryption": {},
        "etag": "CAE=",
        "iamConfiguration": {
          "bucketPolicyOnly": {
            "enabled": true,
            "lockedTime": "2025-08-11T23:46:37Z"
          },
          "publicAccessPrevention": "enforced",
          "uniformBucketLevelAccess": {
            "enabled": true,
            "lockedTime": "2025-08-11T23:46:37Z"
          }
        },
        "id": "test-cloud-assets-bucket",
        "kind": "storage#bucket",
        "labels": {},
        "lifecycle": {
          "rule": []
        },
        "location": "US",
        "locationType": "multi-region",
        "logging": {},
        "metageneration": 1,
        "name": "test-cloud-assets-bucket",
        "objectRetention": {},
        "owner": {},
        "projectNumber": "7035130411248",
        "retentionPolicy": {},
        "selfLink": "https://www.googleapis.com/storage/v1/b/test-cloud-assets-bucket",
        "softDeletePolicy": {
          "effectiveTime": "2025-08-11T23:46:37Z",
          "retentionDurationSeconds": 604800
        },
        "storageClass": "STANDARD",
        "timeCreated": "2025-08-11T23:46:37Z",
        "updated": "2025-08-11T23:46:37Z",
        "versioning": {},
        "website": {}
      },
      "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/storage/v1/rest",
      "discovery_name": "Bucket",
      "location": "us",
      "parent": "//cloudresourcemanager.googleapis.com/projects/70351061948",
      "version": "v1"
    },
    "update_time": {
      "nanos": 45429000,
      "seconds": 1737155946
    }
  },
  "resource_name": "projects/7035106112392"
}
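The Functionality section says the component processes and enriches asset data before streaming it, and the record above shows the shape a consumer receives. The following is an added example (not the component's own enrichment logic) that reads a record of that shape and derives a small posture summary for Cloud Storage buckets: the owning project from the ancestors list, the update time as an ISO timestamp, and findings when public access prevention is not enforced or uniform bucket-level access is disabled. The embedded record is constructed from the sample above, trimmed to the fields the function reads.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed record with the shape of the Sample Record (trimmed to the fields
# this example reads); the bucket and project values are made up.
SAMPLE_RECORD = {
    "asset": {
        "ancestors": ["projects/7035106112392"],
        "asset_type": "storage.googleapis.com/Bucket",
        "name": "//storage.googleapis.com/test-cloud-assets-bucket",
        "resource": {
            "data": {
                "iamConfiguration": {
                    "publicAccessPrevention": "enforced",
                    "uniformBucketLevelAccess": {"enabled": True},
                },
                "location": "US",
            },
        },
        "update_time": {"seconds": 1737155946, "nanos": 45429000},
    },
    "resource_name": "projects/7035106112392",
}


def bucket_posture(record: dict) -> Optional[dict]:
    """Enrich a bucket record with posture findings; None for non-bucket assets."""
    asset = record.get("asset", {})
    if asset.get("asset_type") != "storage.googleapis.com/Bucket":
        return None
    data = asset.get("resource", {}).get("data", {})
    iam = data.get("iamConfiguration", {})
    findings = []
    # "inherited" defers to the org policy; only "enforced" is a hard guarantee.
    if iam.get("publicAccessPrevention") != "enforced":
        findings.append("public_access_prevention_not_enforced")
    if not iam.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("uniform_bucket_level_access_disabled")
    # The owning project is the "projects/..." entry in the ancestors list.
    project = next((a for a in asset.get("ancestors", []) if a.startswith("projects/")), None)
    secs = asset.get("update_time", {}).get("seconds")
    return {
        "name": asset.get("name"),
        "project": project,
        "location": data.get("location"),
        "scanned_from": record.get("resource_name"),
        "updated": datetime.fromtimestamp(secs, tz=timezone.utc).isoformat() if secs else None,
        "findings": findings,
    }
```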