Is there a way to invoke the Cloud Assets API with...

talonx · 11-20-2024 01:14 AM

I was looking for a Google Cloud API to fetch resources across all regions and zones in a given project. I am aware of individual APIs (e.g. compute https://cloud.google.com/compute/docs/reference/rest/v1) , but I need a single GCP-wide API that will allow me to get list a of all active resources (e.g. instances, GKE clusters, buckets, VPCs etc).

The Cloud Asset inventory API seems to fit the bill. However, it turns out that the Cloud Asset API requires the scope "https://www.googleapis.com/auth/cloud-platform" which is "See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account.".

I am not sure why the read only version of this scope "https://www.googleapis.com/auth/cloud-platform.read-only" does not work. My use case is to get permissions from my users to view their GCP projects' resources, and I cannot ask for a scope which would allow my app to theoretically delete their GCP data.

Source: https://developers.google.com/identity/protocols/oauth2/scopes#cloudasset

Are there any other options or am I missing something?

ChieKo

Hi @talonx,

You're right to be concerned about the broad permissions required by the https://www.googleapis.com/auth/cloud-platform scope. While the Cloud Asset Inventory API is powerful and provides a unified view, its reliance on this scope is not ideal for read-only access scenarios. Unfortunately, there isn't a single, unified GCP API that offers a truly comprehensive, read-only view across all services.

The reason https://www.googleapis.com/auth/cloud-platform.read-only doesn't work with Cloud Asset Inventory is likely due to the underlying architecture of the API. To provide a consolidated view, it needs access to internal metadata and control mechanisms that go beyond simple read-only access to individual resource APIs. The API's design inherently requires more privileges to assemble this comprehensive inventory.

However, you can achieve your goal of providing a view of resources across multiple services by making individual API calls. This requires more code, but significantly reduces the required permissions. Here's an approach:

Service-Specific APIs with Fine-Grained Permissions: This is the most secure but also the most complex approach. Each API will have its own specific read-only scope.

Compute Engine: https://www.googleapis.com/auth/compute.readonly
Cloud Storage: https://www.googleapis.com/auth/devstorage.read_only
Kubernetes Engine: https://www.googleapis.com/auth/cloud-platform.read-only (Note: GKE's read-only scope might still be broader than ideal; you'd need to check its specifics)

This requires your application to make multiple API calls to different services and aggregate the results. It's more code but grants only necessary permissions per service.

I hope the above information is helpful.

talonx

Has ChatGPT taken over this forum?

ChieKo

Hi @talonx,

This isn't an AI-generated response. Rest assured that the answer here is based on my research from certain Google Cloud documents. We made sure that the information provided here is authentic and validated thoroughly based on your inquiries to give you the most help.

By doing up individual APIs like I outlined, pulling from the Compute Engine, Cloud Storage, and GKE docs is the safer route, even if it's more work but you get much better control over what permissions you ask for. If my previous recommendations seem inapplicable or unclear, I’d be happy to help you further, or you could also reach out to Google Cloud Support for a more in-depth analysis. When contacting them, please provide details and include screenshots. This will help them better understand and address your issue.

Is there a way to invoke the Cloud Assets API without granting write permission scopes?