@@ -15,11 +15,15 @@ the user running the resource counting script:
1515 - ` roles/owner `
1616 - ` roles/cloudasset.owner `
1717 - ` roles/cloudasset.viewer `
18- - [ Security Command Center] [ 2 ] (faster, but not free). The user running the
19- script must have one of these roles at the organization-level:
20- - ` roles/resourcemanager.organizationAdmin `
21- - ` roles/securitycenter.admin `
22- - ` roles/securitycenter.adminViewer `
18+ - This method has been deprecated. As outlined in
19+ [ Listing assets using the Security Command Center API] [ 4 ] ,
20+ this functionality has been deprecated on ` June 20, 2023 ` and will reach its
21+ EOL on ` June 20, 2024 ` .
22+ ~~ [ Security Command Center] [ 2 ] (faster, but not free). The user running the
23+ script must have one of these roles at the organization-level:~~
24+ - ~~ ` roles/resourcemanager.organizationAdmin ` ~~
25+ - ~~ ` roles/securitycenter.admin ` ~~
26+ - ~~ ` roles/securitycenter.adminViewer ` ~~
23273 . Install [ jq] [ 3 ]
24284 . Retrieve the GCP organization ID by running the following command and
2529looking for the ID of the organization to count:
@@ -46,26 +50,22 @@ from the previous step:
4650{
4751 " appengine.googleapis.com/Application"
4852 " cloudfunctions.googleapis.com/CloudFunction"
49- " compute.googleapis.com/Image"
5053 " compute.googleapis.com/Instance"
54+ " compute.googleapis.com/K8RelatedInstance"
5155 " sqladmin.googleapis.com/Instance"
52- " storage.googleapis.com/Bucket"
56+ " storage.googleapis.com/Bucket"
57+ " k8s.io/Node"
5358}
5459```
5560
56- ## How to run using security command center (gcloud_scc_inventory.sh)
61+ ### Note about output
5762
58- ``` bash
59- λ organizationID=123456789012 ./gcloud_scc_inventory.sh
60- {
61- " appengine.googleapis.com/Application"
62- " cloudfunctions.googleapis.com/CloudFunction"
63- " compute.googleapis.com/Image"
64- " compute.googleapis.com/Instance"
65- " sqladmin.googleapis.com/Instance"
66- " storage.googleapis.com/Bucket"
67- }
68- ```
63+ ` compute.googleapis.com/K8RelatedInstance ` is not an actual asset that
64+ listed in [ Supported asset types] [ 5 ] . The number generated for this
65+ custom asset is from filtering all compute instances that have a
66+ ` goog-gke-node ` label. This label is used because it's a protected
67+ and automatically applied label to compute instances that were created
68+ by a GKE cluster.
6969
7070## Troubleshooting
7171
7979Verify IAM for user running asset inventory script has one of the
8080[ roles required] ( #requirements ) and has access to the organization.
8181
82- ### Running security command center returns error
83-
84- <!-- markdownlint-disable MD013 -->
85- ``` bash
86- ERROR: (gcloud.scc.assets.group) User [your-user-id@your-organization] does not
87- have permission to access organizations instance [123456789012] (or it may not
88- exist): Permission ' securitycenter.assets.group'
89- ' //cloudresourcemanager.googleapis.com/organizations/123456789012'
90- not exist)
91- ```
92- <!-- markdownlint-enable MD013 -->
93-
94- [ Verify security command center is enabled] ( 4 ) for the organization. Also verify
95- IAM for user running security command center script has one of the
96- [ roles required] ( #requirements ) and has access to the organization.
97-
9882[ 0 ] : https://cloud.google.com/sdk/docs/install-sdk
9983[ 1 ] : https://cloud.google.com/asset-inventory/docs/listing-assets
10084[ 2 ] : https://cloud.google.com/security-command-center/docs/set-up
10185[ 3 ] : https://stedolan.github.io/jq/download/
102- [ 4 ] : https://console.cloud.google.com/security/command-center/overview
86+ [ 4 ] : https://cloud.google.com/security-command-center/docs/how-to-api-list-assets
87+ [ 5 ] : https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types
0 commit comments