0
votes

I'm finding a way to programmatically list Google Cloud projects inside an organization. I'm trying to use a service account exported json credential to achieve such purpose in this way:

    import com.google.api.services.cloudresourcemanager.CloudResourceManager;
    import com.google.api.services.cloudresourcemanager.model.ListProjectsResponse;

    // More info on the endpoint here:
    // https://cloud.google.com/resource-manager/reference/rest/v1/projects/list
    // createCloudResourceManagerService() is my own factory; it builds the client
    // from the application default credentials (see below).
    final CloudResourceManager cloudResourceManagerService = createCloudResourceManagerService();
    final CloudResourceManager.Projects.List listRequest = cloudResourceManagerService
        .projects()
        .list()
        .setFilter("labels.it-restoring:false name:IT-TEST-*");

    final ListProjectsResponse listResponse = listRequest.execute();

    // ListProjectsResponse is a GenericJson map: isEmpty() is true when the
    // response body carried no fields at all (no "projects", no "nextPageToken").
    if (listResponse.isEmpty()) {
      throw new RuntimeException("The API did not get any response"); // I never get past here
    }

    log.info("Listing projects returned: {}", listResponse);

The problem I find is that I always get an empty response, even though I assigned the service account the role of owner. According to docs, I could use roles/resourcemanager.organizationAdmin which I also set but with no luck. I create the CloudResourceManagement api object using getApplicationDefault.

However if I do gcloud beta auth application-default login which triggers an auth flow in the browser and authenticate with the user which is the owner of the organization this works and lists all the projects that I have.

Can anybody explain to me what I should do to store a proper credential which would emulate the user owner? I already set the service account with the Owner role which in theory gives access to virtually all resources and still no luck.

2
A good debugging tool is APIs Explorer. In this case, you'd need to be an owner too for it to use your credentials but... it's a good way to prove the underlying API. Alternatively you can use gcloud projects list --log-http. First step would be, if you can, to try APIs Explorer with that filter to confirm you do get results - DazWilkin
When you run the code locally and wish to use a service account, you will need to set GOOGLE_APPLICATION_CREDENTIALS=/path/to/jwt.json - DazWilkin

2 Answers

0
votes

In order to list the projects on your organization, you need the permission resourcemanager.projects.get. Please find more information in this link. The service account might have the owner role on 1 project, which is not enough to list them all.

0
votes

An alternative solution is to grant the account the cloudasset.assets.searchAllResources permission at org level by using one of the following roles:

  • roles/cloudasset.viewer
  • roles/cloudasset.owner
  • roles/viewer
  • roles/editor
  • roles/owner

With this permission, you can list all the projects within an organization 456:

gcloud asset search-all-resources \
--asset-types="cloudresourcemanager.googleapis.com/Project" \
--scope=organizations/456

Documentation: https://cloud.google.com/asset-inventory/docs/searching-resources

Related post: How to find, list, or search resources across services (APIs) and projects in Google Cloud Platform?
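Both answers come down to the same point: a project only appears in projects.list when the caller holds resourcemanager.projects.get on it, and a binding made on one project is not inherited by its siblings, whereas a binding on the organization is. The model below is an added example, not code from the question or either answer; it simulates that inheritance rule and the question's filter string on a constructed organization (ids, names and labels are made up, and the filter is modelled as case-insensitive glob matching, which is an approximation of the real filter language).

```python
import re

# Constructed subset of predefined roles that carry resourcemanager.projects.get.
ROLES_WITH_PROJECTS_GET = {
    "roles/owner", "roles/editor", "roles/viewer", "roles/browser",
    "roles/resourcemanager.organizationAdmin",
}

def can_get_project(project, bindings):
    """IAM policy is inherited: a binding on the parent organization or on the
    project itself grants resourcemanager.projects.get, which is what makes a
    project show up in projects.list for this caller."""
    scopes = ("organizations/" + project["org"], "projects/" + project["id"])
    return any(role in ROLES_WITH_PROJECTS_GET
               for scope in scopes for role in bindings.get(scope, ()))

def matches_filter(project, filt):
    """Model of the projects.list filter: space-separated key:value terms that
    must all match, '*' as wildcard, case-insensitive (assumption of this model)."""
    for term in filt.split():
        key, _, pattern = term.partition(":")
        if key.startswith("labels."):
            actual = project.get("labels", {}).get(key[len("labels."):])
        else:
            actual = project.get(key)
        regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
        if actual is None or not re.match(regex, str(actual), re.IGNORECASE):
            return False
    return True

def list_projects(bindings, projects, filt=""):
    """Project ids projects.list would return for a caller with these bindings."""
    return [p["id"] for p in projects
            if can_get_project(p, bindings) and matches_filter(p, filt)]

# Constructed organization 456 with three projects.
PROJECTS = [
    {"id": "it-test-1", "name": "IT-TEST-1", "org": "456", "labels": {"it-restoring": "false"}},
    {"id": "it-test-2", "name": "IT-TEST-2", "org": "456", "labels": {"it-restoring": "true"}},
    {"id": "billing-prod", "name": "Billing", "org": "456", "labels": {}},
]
FILTER = "labels.it-restoring:false name:IT-TEST-*"

# Owner on a single project: only that project is visible, and the filter removes it.
SA_PROJECT_OWNER = {"projects/billing-prod": {"roles/owner"}}
# A role from the same family granted on the organization instead.
SA_ORG_VIEWER = {"organizations/456": {"roles/viewer"}}

if __name__ == "__main__":
    print(list_projects(SA_PROJECT_OWNER, PROJECTS, FILTER))  # []
    print(list_projects(SA_PROJECT_OWNER, PROJECTS))          # ['billing-prod']
    print(list_projects(SA_ORG_VIEWER, PROJECTS, FILTER))     # ['it-test-1']
```

The first call reproduces the question's empty result with a project-scoped Owner binding; the third shows the org-scoped grant returning the projects the filter selects.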