Cloud Asset Inventory overview

Cloud Asset Inventory is a global metadata inventory service that lets you view, search, export, monitor, and analyze your Google Cloud asset metadata, with up to 35 days of create, update, and delete history. Assets that haven't changed in the past 35 days report their latest status.

Asset metadata can come from the following places:

  • Google Cloud resources, such as Compute Engine VM instances, Cloud Storage buckets, and App Engine instances.

  • Policies set on Google Cloud resources, such as IAM policies, organization policies, and Access Context Manager policies.

  • Runtime information from OS inventory management.

Here's how you can work with your assets:

Asset types, asset names, and content types

Cloud Asset Inventory offers multiple methods to interact with your assets. Depending on the method you use and the response detail you want, you might need to specify asset types, asset names, and content types in your requests.

Asset types

Some Cloud Asset Inventory methods return results based on asset types. Asset types include Google Cloud resources, policies, OS inventory runtime information, and relationships. The available asset types and the Cloud Asset Inventory methods that support them are detailed in Asset types.

Asset names

Some Cloud Asset Inventory methods return results based on asset names. When specifying an asset name, you must use its full resource name. See Asset names for a list of full resource names.

Content types

You can request additional metadata on a resource by specifying a metadata content type. If you don't specify a content type, then only a basic response is returned, containing information such as the asset name, the last time it was updated, and what projects, folders, and organizations it belongs to.

Content type names differ depending on how you interact with Cloud Asset Inventory. The RPC and REST API names are the same. However, the gcloud CLI content type names follow a different pattern. For consistency and ease of explanation, the rest of this documentation refers to content types by their RPC and REST names.

The following table details the content types and their descriptions:

| RPC and REST name | gcloud CLI name | Description |
|---|---|---|
| ACCESS_POLICY | access-policy | The Access Context Manager policy set on an asset. |
| IAM_POLICY | iam-policy | The IAM policy metadata binding to the resource. |
| ORG_POLICY | org-policy | The organization policy metadata set on an asset. This content type outputs legacy organization policy v1. For organization policy v2, try the resource content type and a resource type of orgpolicy.googleapis.com/Policy. |
| OS_INVENTORY | os-inventory | The runtime OS inventory information. To enable OS inventory, complete the relevant steps in Set up VM Manager. |
| RELATIONSHIP | relationship | Requires access to the Security Command Center Premium or Enterprise tier, or Gemini Cloud Assist. Many Google Cloud assets are connected to each other by relationships. For example, a Compute instance group can contain a Compute instance, or a GKE cluster can contain a node. Relationship data is available from May 30th, 2022. A relationship might have its own update timestamp, because it might be inferred at a different time than the source asset updates. See Relationship types for a list of the supported relationships. |
| RESOURCE | resource | The resource's metadata. |

Note: The ancestors field in the response to some requests can be inconsistent across content types. This is because there are different data ingestion schedules for each content type, and their update times might not align. Check the update_time field to ensure that the asset has the most up-to-date information. Contact Cloud Customer Care if the inconsistency lasts for more than 24 hours.

How responses change with content type

The following examples show how responses change when listing VM instances in a project through Cloud Asset Inventory with different content types.

No content type

If you specify no content type when listing VM instances, you receive only the instance names, the last time they were updated, and what projects, folders, and organizations they belong to.

Response example:

---
ancestors:
- projects/PROJECT_NUMBER
- folders/FOLDER_NUMBER
- organizations/ORGANIZATION_ID
assetType: compute.googleapis.com/Instance
name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME
updateTime: '2023-11-15T12:28:30.087825Z'

IAM_POLICY content type

If you specify the IAM_POLICY content type, you also receive the IAM bindings on the VM, if there are any.

Response example:

---
ancestors:
- projects/PROJECT_NUMBER
- folders/FOLDER_NUMBER
- organizations/ORGANIZATION_ID
assetType: compute.googleapis.com/Instance
iamPolicy:
  bindings:
  - members:
    - user:USER_EMAIL_ADDRESS
    role: roles/compute.securityAdmin
  etag: ETAG
name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME
updateTime: '2023-12-19T23:35:42.673842Z'

RESOURCE content type

If you specify the RESOURCE content type, you also receive all the metadata associated with the VM.

Response example:

---
ancestors:
- projects/PROJECT_NUMBER
- folders/FOLDER_NUMBER
- organizations/ORGANIZATION_ID
assetType: compute.googleapis.com/Instance
name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME
resource:
  data:
    allocationAffinity:
      consumeAllocationType: ANY_ALLOCATION
    canIpForward: false
    confidentialInstanceConfig:
      enableConfidentialCompute: true
    cpuPlatform: AMD Rome
    creationTimestamp: '2023-11-14T14:35:37.059-08:00'
    deletionProtection: false
    description: ''
    disks:
    - architecture: X86_64
      autoDelete: true
      boot: true
      deviceName: INSTANCE_NAME
      diskSizeGb: '10'
      guestOsFeatures:
      - type: VIRTIO_SCSI_MULTIQUEUE
      - type: SEV_CAPABLE
      - type: SEV_SNP_CAPABLE
      - type: SEV_LIVE_MIGRATABLE
      - type: UEFI_COMPATIBLE
      - type: GVNIC
      index: 0
      interface: NVME
      licenses:
      - https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/licenses/ubuntu-2004-lts
      mode: READ_WRITE
      shieldedInstanceInitialState:
        dbx:
        - content: DATA
          fileType: BIN
        dbxs:
        - content: DATA
          fileType: BIN
      source: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks/INSTANCE_NAME
      type: PERSISTENT
    displayDevice:
      enableDisplay: false
    fingerprint: FINGERPRINT
    id: 'ID'
    keyRevocationActionType: NONE_ON_KEY_REVOCATION
    labelFingerprint: LABEL_FINGERPRINT
    lastStartTimestamp: '2023-11-15T04:28:30.005-08:00'
    machineType: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/machineTypes/n2d-standard-2
    name: INSTANCE_NAME
    networkInterfaces:
    - accessConfigs:
      - name: External NAT
        natIP: 34.27.105.222
        networkTier: PREMIUM
        type: ONE_TO_ONE_NAT
      fingerprint: jKU51FdTluk=
      name: nic0
      network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default
      networkIP: 10.128.15.212
      nicType: GVNIC
      stackType: IPV4_ONLY
      subnetwork: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/default
    reservationAffinity:
      consumeReservationType: ANY_ALLOCATION
    resourceStatus: {}
    scheduling:
      automaticRestart: true
      onHostMaintenance: TERMINATE
      preemptible: false
      provisioningModel: STANDARD
    selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME
    serviceAccounts:
    - email: PROJECT_NUMBER-compute@developer.gserviceaccount.com
      scopes:
      - https://www.googleapis.com/auth/devstorage.read_only
      - https://www.googleapis.com/auth/logging.write
      - https://www.googleapis.com/auth/monitoring.write
      - https://www.googleapis.com/auth/servicecontrol
      - https://www.googleapis.com/auth/service.management.readonly
      - https://www.googleapis.com/auth/trace.append
    shieldedInstanceConfig:
      enableIntegrityMonitoring: true
      enableSecureBoot: false
      enableVtpm: true
    shieldedInstanceIntegrityPolicy:
      updateAutoLearnPolicy: true
    startRestricted: false
    status: RUNNING
    tags:
      fingerprint: FINGERPRINT
    zone: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE
  discoveryDocumentUri: https://www.googleapis.com/discovery/v1/apis/compute/v1/rest
  discoveryName: Instance
  location: ZONE
  parent: //cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER
  version: v1
updateTime: '2023-11-15T12:28:30.087825Z'

RELATIONSHIP content type

Relationships require access to the Security Command Center Premium or Enterprise tier, or Gemini Cloud Assist.

If you specify the RELATIONSHIP content type, you also receive metadata associated with the VM instance's related assets.

Response example:

---
ancestors:
- projects/PROJECT_NUMBER
- folders/FOLDER_NUMBER
- organizations/ORGANIZATION_ID
assetType: compute.googleapis.com/Instance
name: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME
relatedAsset:
  ancestors:
  - projects/PROJECT_NUMBER
  - folders/FOLDER_NUMBER
  - organizations/ORGANIZATION_ID
  asset: //compute.googleapis.com/projects/PROJECT_ID/zones/ZONE/disks/INSTANCE_NAME
  assetType: compute.googleapis.com/Disk
  relationshipType: COMPUTE_INSTANCE_USE_DISK
updateTime: '2023-12-19T23:35:42.673842Z'

When using the RELATIONSHIP content type, instead of requesting all relationships, you can request specific relationship types.
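
An added example, not part of the original page and not Google sample code: it shows how the RESOURCE and IAM_POLICY response fields shown above can feed a posture check, and how the note on inconsistent ancestors can be handled by preferring the record with the newest updateTime. The records, IDs, addresses, finding texts, and the function names parse_time and audit are constructed for illustration; preferring the newest record is an assumption about how to apply that note.

```python
from collections import defaultdict
from datetime import datetime

VM = "//compute.googleapis.com/projects/p1/zones/z1/instances/vm1"
# Constructed records for one VM, shaped like the RESOURCE and IAM_POLICY
# response examples above. The folder differs to mimic the ingestion lag.
RECORDS = [
    {"name": VM, "ancestors": ["projects/111", "folders/222", "organizations/333"],
     "updateTime": "2023-11-15T12:28:30.087825Z",
     "resource": {"data": {
         "networkInterfaces": [{"name": "nic0", "accessConfigs": [
             {"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}],
         "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True},
         "serviceAccounts": [{"email": "111-compute@developer.gserviceaccount.com"}]}}},
    {"name": VM, "ancestors": ["projects/111", "folders/999", "organizations/333"],
     "updateTime": "2023-12-19T23:35:42.673842Z",
     "iamPolicy": {"bindings": [{"role": "roles/compute.securityAdmin",
                                 "members": ["user:alice@example.com"]}]}},
]

def parse_time(ts):
    """Parse the RFC 3339 'Z' timestamps used in updateTime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit(records):
    """Group per-content-type records by asset name and collect findings."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)
    report = {}
    for name, recs in by_name.items():
        newest = max(recs, key=lambda r: parse_time(r["updateTime"]))
        findings = []
        if len({tuple(r["ancestors"]) for r in recs}) > 1:
            findings.append("ancestors differ across content types; using newest")
        for rec in recs:
            data = rec.get("resource", {}).get("data", {})
            for nic in data.get("networkInterfaces", []):
                for cfg in nic.get("accessConfigs", []):
                    if cfg.get("natIP"):
                        findings.append(f"external IP {cfg['natIP']} on {nic['name']}")
            if data.get("shieldedInstanceConfig", {}).get("enableSecureBoot") is False:
                findings.append("Secure Boot disabled")
            for sa in data.get("serviceAccounts", []):
                if sa["email"].endswith("-compute@developer.gserviceaccount.com"):
                    findings.append("default Compute Engine service account attached")
            for b in rec.get("iamPolicy", {}).get("bindings", []):
                for m in b["members"]:
                    findings.append(f"{m} holds {b['role']} directly on the instance")
        report[name] = {"ancestors": newest["ancestors"], "findings": findings}
    return report
```
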

Data freshness

Cloud Asset Inventory provides eventual consistency on current data and best-effort consistency on historical data. While rare, it's possible that Cloud Asset Inventory can miss some data updates.

Unless noted in the resource types table, almost all asset updates are available in minutes.


Last updated 2025-07-02 UTC.