
Exploring the Google Cloud Asset API


The Cloud Asset API has recently gone GA. It is an exceptionally useful service which stores the history and inventory of cloud resources in your GCP org. Using the Cloud Asset API via StackQL, you can enumerate all of the services and resources in your GCP org, including billable resources such as Cloud Storage buckets or Compute Engine instances, as well as other objects such as billing accounts, folders, projects, firewalls, service accounts and much more. All of this can be done using SQL!

Let’s start by exploring the available fields in this service:

Explore the API

Use DESCRIBE or DESCRIBE EXTENDED to see the fields available in the google.cloudasset.assets resource, as shown here:

DESCRIBE EXTENDED google.cloudasset.assets;

The output has some very interesting stuff in it, including where the asset fits in the organization hierarchy as well as whether the asset is included in a service perimeter.

Run some queries!

To start querying, you just need to supply a root node from which to start enumerating assets. This can be at the org, folder or project level.

A simple query to group and count all of the different types of assets in a GCP project is shown here:

SELECT assetType, COUNT(*)
FROM google.cloudasset.assets
WHERE parent = 'projects/123123123123'
GROUP BY assetType;

Or, to see the most recently deployed or modified assets, you could run:

SELECT name, updateTime
FROM google.cloudasset.assets
WHERE parent = 'organizations/12312312312'
ORDER BY updateTime DESC;

You can go nuts from here with other reports, or drill into the detail of anomalies or stray assets. Have fun!
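
One way to drill into anomalies or stray assets, as an added example that is not part of the original post: the Python below compares two inventory snapshots whose rows carry the name, assetType and updateTime fields used in the queries above. The snapshot rows, the SENSITIVE_TYPES watch list and the function names are constructed for illustration, and the rows are assumed to have been exported from StackQL as JSON.

```python
from datetime import datetime, timedelta, timezone

# Assumed watch list: asset types where a new or changed resource merits review.
SENSITIVE_TYPES = {
    "compute.googleapis.com/Firewall",
    "iam.googleapis.com/ServiceAccount",
    "iam.googleapis.com/ServiceAccountKey",
    "storage.googleapis.com/Bucket",
}

# Constructed sample rows (not real assets), shaped like the query results above.
P = "projects/example-project"
BUCKET = "//storage.googleapis.com/example-logs"
SA = f"//iam.googleapis.com/{P}/serviceAccounts/ci@example-project.iam.gserviceaccount.com"
VM = f"//compute.googleapis.com/{P}/zones/us-central1-a/instances/web-1"
FW = f"//compute.googleapis.com/{P}/global/firewalls/allow-all-ingress"

def row(name, asset_type, update_time):
    return {"name": name, "assetType": asset_type, "updateTime": update_time}

BASELINE = [
    row(BUCKET, "storage.googleapis.com/Bucket", "2023-04-01T08:00:00Z"),
    row(SA, "iam.googleapis.com/ServiceAccount", "2023-03-15T09:30:00Z"),
    row(VM, "compute.googleapis.com/Instance", "2023-04-20T11:00:00Z"),
]
CURRENT = [
    row(BUCKET, "storage.googleapis.com/Bucket", "2023-04-01T08:00:00Z"),
    row(SA, "iam.googleapis.com/ServiceAccount", "2023-05-02T03:15:00.123456789Z"),
    row(FW, "compute.googleapis.com/Firewall", "2023-05-02T07:45:00Z"),
]

def parse_time(value):
    """Parse a UTC updateTime ending in 'Z'; sub-second digits are dropped."""
    return datetime.fromisoformat(value.rstrip("Z").split(".")[0]).replace(tzinfo=timezone.utc)

def review_inventory(baseline_rows, current_rows, now, window_hours=24):
    """Diff two snapshots by asset name and flag recent changes to sensitive types."""
    baseline = {r["name"] for r in baseline_rows}
    current = {r["name"]: r for r in current_rows}
    cutoff = now - timedelta(hours=window_hours)
    return {
        "new": sorted(set(current) - baseline),        # possible stray assets
        "removed": sorted(baseline - set(current)),    # deleted since baseline
        "recent_sensitive": sorted(
            name for name, r in current.items()
            if r["assetType"] in SENSITIVE_TYPES and parse_time(r["updateTime"]) >= cutoff
        ),
    }
```

Calling review_inventory(BASELINE, CURRENT, now) with a timezone-aware now returns the new, removed and recently changed sensitive asset names as sorted lists.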