May 16, 2022

Export your assets with this simple gcloud command

Manage Google Cloud environments is often a complex task. You need to take care of the resource provisioning and keep all services up and running, but also may need understand service usage and by proxy their costs, who is using your resources and what projects have certain APIs active. This escalates quickly as your company adopts more and more Cloud services, and you end up with a very high risk to have some shadow IT in the cloud too.

One of the tasks you may need to do is to visualize all your Cloud Assets and, eventually, answer some specific questions on them, like "which project has a specific API enabled?". An asset in this context is any resource you have created using any of the APIs, in any of your organization projects.

Cloud Asset Inventory is available from the IAM > Asset Inventory page. From there, you can see all your cloud resources at a glance using a pretty geographic visualization:


This visualization is great for quickly browsing and or searching for specific items using the UI filters. For instance, you can check all your Cloud Storage buckets filtering them on the left pane:


Doing this in the UI is cool and all but then you may need to run some more complex filtering and we may need to use a different approach. One of the cool things that I find on Google Cloud is that the almost all tasks you can do on the Cloud Console, usually can also be done both via REST APIs and via the gcloud  command line interface.

Let's say you need to export all the assets you have in Google Cloud for a spreadsheet to do a report to management. First, let's grab our Organization numeric identifier. This can be done using the Cloud Shell (a free VM Google gives you integrated in the Cloud Console!):

gcloud organizations list

This will print out some info, and we need to grab one of them for later use. Let's store it in an environment variable to use in the next commands:

export ORG_ID="$(gcloud organizations list --format='value(name)')"

Now, let's export all resources underneath our organization with the Asset Inventory sub-command:

gcloud asset list \
    --organization="$ORG_ID" \
    --content-type=resource \
    --format=json

This will print to the standard output of the terminal all your assets in JSON format. Now, you can already use the data for, say, do some shell-script foo like grep commands to find specific items. But let's go a bit further with the gcloud command options.

First, you may need to export specific types of assets. This can be done using the --asset-types parameter. You pass in a coma separated list of asset types, like compute.googleapis.com/Instance to export only VM Instances, or storage.googleapis.com/Buckets for Storage Buckets. Let's combine both to see all VMs and Buckets in our organization:

gcloud asset list \
    --organization="$ORG_ID" \
    --content-type=resource \
    --asset-types='compute.googleapis.com/Instance,storage.googleapis.com/Bucket' \
    --format=json

This filtered the items but still shows up all the JSON attributes. Let's trim it a bit by projecting only a few attributes. We will export:

  • The asset type
  • The resource API endpoint
  • The resource location
  • The last update time

gcloud asset list \
    --organization="$ORG_ID" \
    --content-type=resource \
    --asset-types='compute.googleapis.com/Instance,storage.googleapis.com/Bucket' \
    --format='csv(assetType, resource.data.selfLink, resource.data.location, updateTime)'

Here we used the --format=csv() to project the desired columns and print that into a convenient format to import somewhere else, like in a Google Sheet, for reporting purposes. Let's wrap it up directing the command output into a file:

gcloud asset list \
    --organization="$ORG_ID" \
    --content-type=resource \
    --asset-types='compute.googleapis.com/Instance,storage.googleapis.com/Bucket' \
    --format='csv(assetType, resource.location, updateTime, resource.data.selfLink)' \
    > assets.csv

Now, if you executed the command in Cloud Shell, you can use the Explorer to right click on the file and download it, then upload it to a spreadsheet:


What we discussed here for the Asset Inventory works also for other gcloud sub-commands. Check out this page to learn more about all the nice things you can do with it!

Happy Hacking!

No comments:

Post a Comment