在没有任何组织级别权限的情况下获取 GCP 中给定项目的资产/资源列表

Question

An option I have been exploring is below.

On reading document https://cloud.google.com/security-command-center/docs/how-to-api-list-assets#listing_all_assets , it is found that we can get list of all assets using Security Command Center API.

Following is the code provided in the documentation.

static ImmutableList<ListAssetsResult> listAssets(OrganizationName organizationName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Start setting up a request for to search for all assets in an organization.
    // OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
    ListAssetsRequest.Builder request =
        ListAssetsRequest.newBuilder().setParent(organizationName.toString());

    // Call the API.
    ListAssetsPagedResponse response = client.listAssets(request.build());

    // This creates one list for all assets.  If your organization has a large number of assets
    // this can cause out of memory issues.  You can process them incrementally by returning
    // the Iterable returned response.iterateAll() directly.
    ImmutableList<ListAssetsResult> results = ImmutableList.copyOf(response.iterateAll());
    System.out.println("All assets:");
    System.out.println(results);
    return results;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Running the commands in security command center returns error "PERMISSION_DENIED: Permission 'securitycenter.assets.list' denied on resource 'organizations/{organization-id}' (or resource may not exist)" in response.

According to the following document https://cloud.google.com/security-command-center/docs/access-control , the permission 'securitycenter.assets.list' needs to be set at ORGANIZATION LEVEL which is problematic.

I'm looking for a an option to by pass the above issue where I do not need organizational level permission or any other API which would help me get this done.

Answer 1

To use the Security Command Center your project needs to be part of an organization. You also need permission at the Organization level. Your objective cannot be achieved at the Project Level.