Cloud Asset API

Name: Cloud Asset API API
Brand: Cloud Asset API
Availability: InStock

✓ Official Vendor SpecCloud InfrastructureComputeoauth220 EndpointsREST

For Agents

Search, export, and monitor Google Cloud resources, IAM policies, and org policies across an organization. Useful for inventory, compliance, and change-detection workflows on GCP.

Quickstart

Get started with Cloud Asset API in minutes using your preferred integration method.

# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}

# Then ask your agent:
"list google cloud assets in my organization"

# → Jentic returns the GET /events tool with parameter schema, agent executes.

Capabilities

What an agent can do with Cloud Asset API API.

Export point-in-time inventory snapshots of GCP assets to BigQuery or Cloud Storage

Search resources and IAM policies across an organization, folder, or project

Analyze IAM policy grants to determine who has access to a given resource

Subscribe to asset feeds that publish create, update, and delete events to Pub/Sub

GET STARTED

Start building with Cloud Asset API API

Explore with Jentic

View OpenAPI Document

Use Cases

Patterns agents use Cloud Asset API API for, with concrete tasks.

★ Cloud Inventory Export to BigQuery

Operations teams use Cloud Asset Inventory to take a structured snapshot of every resource in a Google Cloud organization and load it into BigQuery for analysis. The exportAssets endpoint writes asset metadata, resource configurations, IAM policies, and org policies as Avro or JSON, where it can be joined against billing data, security findings, or CMDB records. Initial setup runs in minutes; recurring exports can be triggered on any cadence.

Call POST /v1/{parent}:exportAssets with parent=organizations/123456 and contentType=RESOURCE to write a snapshot to a Cloud Storage bucket

IAM Access Analysis

Security teams use the analyzeIamPolicy operation to answer questions like who can access a given service account or which principals have storage.objects.delete permission. The API walks group memberships and resource-hierarchy inheritance, returning a flattened access map suitable for compliance evidence or least-privilege reviews.

Call analyzeIamPolicy on the organization scope with a query asking which principals have the role roles/owner

Real-Time Change Detection Feed

Platform teams subscribe asset feeds to Pub/Sub topics so that any create, update, or delete event on a configured asset type fires a notification within seconds. This drives drift detection, automated tagging enforcement, and rollback workflows without polling.

Create a feed via POST /v1/{parent}/feeds that watches assetTypes=storage.googleapis.com/Bucket and publishes to a Pub/Sub topic

AI Agent Compliance Reviewer via Jentic

An agent invoked by Jentic uses Cloud Asset queries to answer compliance questions on demand: which buckets are public, which service accounts have unused keys, which projects sit outside an approved folder. The agent runs queryAssets, formats the result as evidence, and either escalates to a human or opens a remediation ticket.

Search Jentic for 'list google cloud assets', execute the resulting Cloud Asset query operation with a SQL filter for public buckets, and report violations

Key Endpoints

20 endpoints — google cloud asset inventory exposes a unified history and metadata index for resources, iam policies, and org policies across a google cloud organization, folder, or project.

METHOD

PATH

DESCRIPTION

POST

/v1/{+parent}:exportAssets

Export an asset snapshot to BigQuery or Cloud Storage

GET

/v1/{+parent}/assets

List assets under a parent scope

POST

/v1/{+parent}:queryAssets

Run a SQL-style query against the asset inventory

POST

/v1/{+parent}/feeds

Create an asset change feed that publishes to Pub/Sub

GET

/v1/{+parent}/savedQueries

List saved asset queries

GET

/v1/{+parent}:batchGetAssetsHistory

Retrieve historical state of assets over a time window

GET

/v1/{+resource}:analyzeMove

Analyze the impact of moving a resource between parents

POST

/v1/{+parent}:exportAssets

Export an asset snapshot to BigQuery or Cloud Storage

GET

/v1/{+parent}/assets

List assets under a parent scope

POST

/v1/{+parent}:queryAssets

Run a SQL-style query against the asset inventory

POST

/v1/{+parent}/feeds

Create an asset change feed that publishes to Pub/Sub

GET

/v1/{+parent}/savedQueries

List saved asset queries

Why though Jentic?

Three things that make agents converge on Jentic-routed access.

Credential isolation

Google Cloud OAuth 2.0 credentials and service account keys are stored encrypted in the Jentic vault. Agents receive short-lived access tokens scoped to cloud-platform — raw service account JSON never enters the agent context.

Intent-based discovery

Agents search Jentic by intent (e.g. 'list google cloud assets' or 'analyze gcp iam policy') and Jentic returns the matching Cloud Asset operation with its parameter schema, so the agent can call the right endpoint without reading Discovery docs.

Time to first call

Direct Cloud Asset integration: 1-3 days for OAuth, scope selection, and long-running operation polling. Through Jentic: under an hour — search, load schema, execute.

Related APIs

Alternatives and complements available in the Jentic catalogue.

Complementary

Cloud Resource Manager API

Manages the project, folder, and organization hierarchy that Cloud Asset reports on

Use Resource Manager to create or move projects; use Cloud Asset to inventory and search across what already exists

Complementary

Identity and Access Management (IAM) API

Reads and writes the IAM policies that Cloud Asset analyses

Choose IAM API to grant or revoke a role; choose Cloud Asset analyzeIamPolicy to discover who already has access

Complementary

Cloud Logging API

Captures admin and audit logs that complement asset inventory snapshots

Pair with Cloud Asset when you need both the current state of a resource and the audit trail of who changed it

FAQs

Specific to using Cloud Asset API API through Jentic.

What authentication does the Cloud Asset API use?

The Cloud Asset API uses OAuth 2.0 with the cloud-platform scope. Tokens are issued for a Google service account or user identity. Through Jentic, the OAuth credential is held in the Jentic vault and the agent receives a scoped access token only — the underlying service account key never enters agent context.

Can I export a full GCP inventory snapshot with the Cloud Asset API?

Yes. POST to /v1/{parent}:exportAssets with parent set to your organization, folder, or project, choose contentType (RESOURCE, IAM_POLICY, ORG_POLICY, or ACCESS_POLICY), and supply a Cloud Storage or BigQuery destination. The export runs as a long-running operation and writes one record per asset.

What are the rate limits for the Cloud Asset API?

Cloud Asset API quotas are published per-method in the Google Cloud console under the Cloud Asset API quota page; typical limits are several hundred queries per minute per project for read operations and lower limits for analyzeIamPolicy. Exports run as long-running operations and are throttled separately.

How do I detect resource changes in real time with this API through Jentic?

Search Jentic for 'create google cloud asset feed' and execute the resulting operation against POST /v1/{parent}/feeds with the asset types you want to watch and a Pub/Sub topic name. The feed fires a message on every create, update, or delete and the agent can react without polling.

Does the Cloud Asset API support cross-project IAM analysis?

Yes. analyzeIamPolicy and analyzeIamPolicyLongrunning accept an organization or folder scope, so a single call can return who has a given permission across every project under that node. Use the long-running variant for organization-wide queries that exceed the synchronous timeout.

Is the Cloud Asset API free?

The Cloud Asset API itself has a free tier for metadata queries; exports to BigQuery or Cloud Storage incur the standard storage and query charges. analyzeIamPolicy calls and SearchAllResources beyond the free tier are billed per request as documented on the Google Cloud pricing page.