Our project has the Cloud Asset Inventory API enabled and I can view it from the UI, but I get this permission error. I am the owner of the project.
➜ gcloud auth login
Your browser has been opened to visit:
---
You are now logged in as [myemail].
➜ gcloud asset export --content-type resource --project xxx --output-path "gs://export-resources-t/resources_updated.yaml" --format=yaml
Export in progress for root asset [projects/xxx].
Use [gcloud asset operations describe projects/xxx/operations/ExportAssets/RESOURCE/530109afbb66bdaf2be325e11897c83c] to check the status of the operation.
➜ gcloud beta resource-config bulk-export --resource-format=terraform --path output --project xxx
Exporting resource configurations to [output]...done.
ERROR: (gcloud.beta.resource-config.bulk-export) Permission denied during export. Please ensure the Cloud Asset Inventory API is enabled.
As per this case, when the destination is in the same project, the user doesn't need to grant an additional permission/role to the built-in service account; it is only needed when the destination is in a different project.
If this is not your issue, then try using this method, i.e.:
For this service account you should add the role 'roles/cloudasset.serviceAgent' (which has all the required permissions).
Run this:
gcloud beta services identity create --service=cloudasset.googleapis.com --project=<project number>
The above command will create the needed identity, then copy the name of the service account identity created and use it with the following command to grant the required role:
gcloud beta projects add-iam-policy-binding <project_name> --member='serviceAccount:[Service_Account]' --role='roles/cloudasset.serviceAgent'
Please replace the [Service_Account] with the actual service account identity created in the first command.
After performing the above steps, you will be able to run the following command.
gcloud beta resource-config bulk-export --project=<project_name> --resource-format=terraform
For more information follow this doc.
To find the projectNumber:
gcloud projects describe <project_name> --format="json"
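
The steps from the answer above, chained into one script as an added example (not part of the original answer). It assumes the Cloud Asset service agent address has the form service-<project number>@gcp-sa-cloudasset.iam.gserviceaccount.com; the function names and the script name are hypothetical. The role is granted only to that one agent, and only when the binding is missing.

```shell
#!/usr/bin/env bash
# Assumption: the Cloud Asset service agent address has the form
# service-<project number>@gcp-sa-cloudasset.iam.gserviceaccount.com.
ROLE='roles/cloudasset.serviceAgent'

project_number() {   # $1 = project id
  gcloud projects describe "$1" --format='value(projectNumber)'
}

asset_agent_email() {   # $1 = project number; rejects anything non-numeric
  case "$1" in
    ''|*[!0-9]*) echo "not a project number: $1" >&2; return 1 ;;
  esac
  printf 'service-%s@gcp-sa-cloudasset.iam.gserviceaccount.com\n' "$1"
}

agent_has_role() {   # $1 = project id, $2 = service agent email
  gcloud projects get-iam-policy "$1" --flatten='bindings[].members' \
    --filter="bindings.role:$ROLE" --format='value(bindings.members)' |
    grep -Fxq "serviceAccount:$2"
}

ensure_asset_agent() {   # $1 = project id; prints the service agent email
  local project="$1" number agent
  number="$(project_number "$project")" || return 1
  agent="$(asset_agent_email "$number")" || return 1
  # Create the service agent identity (the answer's first command).
  gcloud beta services identity create --service=cloudasset.googleapis.com \
    --project="$number" >&2 || return 1
  # Grant the role only when the binding is missing, and only to this agent.
  if ! agent_has_role "$project" "$agent"; then
    gcloud beta projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$agent" --role="$ROLE" >/dev/null || return 1
  fi
  echo "$agent"
}

# Usage: ./ensure-asset-agent.sh <project id>
if [ "$#" -ge 1 ]; then
  ensure_asset_agent "$1" &&
    gcloud beta resource-config bulk-export --project="$1" --resource-format=terraform
fi
```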