Introduction

This article describes a missing item from the articles and documentation on Google Cloud Asset Inventory. The item is the header X-Goog-User-Project. I am writing this article to show how I figured this out, so you have another method to figure out missing or incorrect documentation.

Google’s description of Cloud Asset Inventory (link):

Cloud Asset Inventory provides inventory services based on a time series database. This database keeps a five-week history of Google Cloud Platform (GCP) asset metadata. The Cloud Asset Inventory export service allows you to export all asset metadata at a certain timestamp or export event change history during a timeframe.

Google Cloud released Cloud Asset Inventory as GA on April 3, 2019. If your job is security, auditing or compliance (to name a few), then this service is important and can make your job easier. Google Cloud has 100+ services and trying to figure out what is running and where is challenging. Cloud Asset Inventory is a new tool that helps you manage cloud resources.

The Problem

In following along with this article and studying this documentation, I could not get the curl examples to work. The CLI commands worked.

My system is Windows 10. The commands are almost identical for Linux:

  • Change the line continuation character from ^ to \
  • Change variables from %TOKEN% to $TOKEN

I used this command to generate the OAuth token for the curl commands:

For Linux use:

Example curl command:

No matter what I tried I received this error:

This error had me trying over and over. I double check the path; I double check my auth token; I experimented. Then I remembered the command-line option --log-http. Let’s see what the CLI does.

The Research

The curl examples did not work, but the CLI examples worked. This means that the Asset Inventory service works, there is just an issue with the curl commands. The CLI has a command-line option --log-http that logs all HTTP server requests and responses to stderr. You can also set the config option core/log_http.

Example Command:

This resulted in the following output (truncated):

In studying the output, I noticed this line:

I then did a Google search and the only place I could find this header mentioned is here. The description for this header: “A request header that specifies a user project to bill for access charges associated with the request”. A first review of this description made little sense to me. Then I remembered that Google Cloud supports organizations and multiple billing accounts. Maybe this header is required for billing. Hmm, let’s try this header.

The Solution:

I then added this header to the curl command:

This resulted in the following output:

Success.

This command runs asynchronously. In a few minutes, the asset inventory is written to Cloud Storage. The file format is Newline Delimited JSON. The output looks like this (truncated):

Summary

Cloud Asset Inventory looks to be a great product for Google Cloud. I intend to spend a lot more time digging into its features and options.

Whenever you are trying to figure out an API, use the CLI to prototype. Use the --log-http command-line option to create output that can help you figure out what the API really requires by referencing a real-world example.

Reverse Engineering is both an art and a skill. For those of us that worked in the days of MS-DOS and Microsoft Windows, we would spend hours/days/months figuring out undocumented features so we could design competitive products. These skills result from thousands of hours of digging into a product/service/technology repeatedly.

More Information

Credits

I write free articles about technology. Recently, I learned about Pexels.com which provides free images. The image in this article is courtesy of Pixabay at Pexels.