Reputation: 71
An option I have been exploring is below.
On reading the document https://cloud.google.com/security-command-center/docs/how-to-api-list-assets#listing_all_assets, I found that we can get a list of all assets using the Security Command Center API.
The following is the code provided in the documentation.
import com.google.cloud.securitycenter.v1.ListAssetsRequest;
import com.google.cloud.securitycenter.v1.ListAssetsResponse.ListAssetsResult;
import com.google.cloud.securitycenter.v1.OrganizationName;
import com.google.cloud.securitycenter.v1.SecurityCenterClient;
import com.google.cloud.securitycenter.v1.SecurityCenterClient.ListAssetsPagedResponse;
import com.google.common.collect.ImmutableList;
import java.io.IOException;

static ImmutableList<ListAssetsResult> listAssets(OrganizationName organizationName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Start setting up a request to search for all assets in an organization.
    // OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
    ListAssetsRequest.Builder request =
        ListAssetsRequest.newBuilder().setParent(organizationName.toString());

    // Call the API. The caller needs 'securitycenter.assets.list' on the organization.
    ListAssetsPagedResponse response = client.listAssets(request.build());

    // This creates one list for all assets. If your organization has a large number of assets
    // this can cause out of memory issues. You can process them incrementally by returning
    // the Iterable returned response.iterateAll() directly.
    ImmutableList<ListAssetsResult> results = ImmutableList.copyOf(response.iterateAll());
    System.out.println("All assets:");
    System.out.println(results);
    return results;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}
Running the commands in Security Command Center returns the error "PERMISSION_DENIED: Permission 'securitycenter.assets.list' denied on resource 'organizations/{organization-id}' (or resource may not exist)" in the response.
According to the following document https://cloud.google.com/security-command-center/docs/access-control, the permission 'securitycenter.assets.list' needs to be set at ORGANIZATION LEVEL, which is problematic.
I'm looking for an option to bypass the above issue, where I do not need organizational-level permission, or any other API which would help me get this done.
Upvotes: 0
Views: 851
Reputation: 81464
To use the Security Command Center your project needs to be part of an organization. You also need permission at the Organization level. Your objective cannot be achieved at the Project Level.
Upvotes: 2