Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition
As an administrator, you can have your organization’s Google Drive inventory exported to BigQuery. The inventory includes metadata associated with each file, such as size, applied labels, and who it’s shared with, but not the content of the files. You can review this information to assess if access to sensitive files meets your organization’s regulatory, compliance, and data security goals.
When your Drive inventory is in BigQuery, you can create custom reporting and dashboards using analytics tools like Looker Studio and third-party visualization partners.
Note:
- You do some of the steps on this page in the Google Cloud console because Google BigQuery is a Google Cloud product.
- You must set up billing for your Google Cloud project because there is a cost to export your Drive inventory to BigQuery. For details, go to Data ingestion pricing and review your billing account’s pricing details for BigQuery. You can estimate your costs with the Google Cloud Pricing Calculator.
- Your Drive inventory is exported at least every 2 weeks. The export overwrites the previous export. To preserve previous exports, one approach is to use the BigQuery Data Transfer Service to automatically copy the dataset.
- There’s a small chance that a Drive inventory export will be missing file metadata for some files. In rare cases, some files might not be included.
Step 1. Set up a BigQuery project & data set for your Drive inventory
- In the Google Cloud console, create or open an active BigQuery project.
For details, go to Creating and managing projects. - Enable billing for the project if it isn’t already.
- Go to the IAM page for the project.
- Give Google Workspace accounts access to the export for data processing and viewing. Learn more about BigQuery IAM roles and permissions and how to control access to resources. For any Google Workspace accounts you want to give access to the export:
- At the top of the list of principals, click Grant Access.
- In Add principals, enter the Google Workspace account's email address.
- Click the role you want them to have. Tip: Click Filter and enter BigQuery to find BigQuery-specific roles.
- Click Save.
- Find or create a BigQuery dataset to store your Drive inventory exports.
- Click Navigation menu > BigQuery.
- In the Explorer panel at the left, expand your project to list existing datasets.
- If there’s a dataset you want to use, make a note of the ID to use in the next step.
- If you want to use a new dataset, go to Creating datasets. Make a note of the dataset name to use in the next step.
Step 2. Turn on and set up Drive inventory exports
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu
Reporting
Data integrations.
- Click Drive Inventory Exports.
- Check the box to enable Drive inventory exports.
- Under BigQuery project ID, select the project where you want to store the Drive inventory export. If you don’t see the project, you need to set it up in BigQuery. For details, go to Quickstart using the Google Cloud console.
- Under Existing dataset within the project, enter the name of the dataset to use for storing the Drive inventory in the project. If you don’t have a dataset already, go to Creating datasets for steps.
- Click Save.
After enabling the exports, you should see the first export appear in 1–2 weeks. After that, the export is updated at least every 2 weeks.
Step 3. (Optional) Update the data expiration time
The default expiration for data exports is 60 days, after which the data is deleted from Google Cloud.
To change the expiration time, go to Updating default table expiration times.
Troubleshoot missing exports in BigQuery
If you don’t see Drive inventory exports in BigQuery, review the following issues and how to resolve them.
| Possible issue | How to fix |
|---|---|
| Your Google Workspace subscription no longer supports Drive inventory exports |
If you downgraded your subscription, it may no longer support Drive inventory exports. In your Admin console, go to Menu > Billing > Subscriptions and confirm your subscription is one of the following: Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition After you switch to an edition that supports Drive inventory exports, it can take up to 2 weeks for reports to be exported. |
| The BigQuery project or dataset has been deleted |
Make a note of the BigQuery project ID and dataset ID that you set in the Admin console. Then open Google Cloud console and confirm that both the project and dataset exist. If either doesn’t exist, create or identify replacements. Then in the Admin console, update the Drive Inventory Export settings to use an existing project and dataset. |
| The Drive inventory export service account's permissions on the BigQuery dataset or project were removed |
In Google Cloud console, confirm that the service account has Editor access on the dataset and BigQuery.jobUser access on the project. If it doesn’t, disable and re-enable the feature in the Admin console. |
FAQ
Expand all | Collapse all & go to top
Is there a cost to export the Drive inventory to BigQuery?Yes. For details, go to Data ingestion pricing and review your billing account’s pricing details for BigQuery. You can estimate your costs with the Google Cloud Pricing Calculator.
No. Drive inventory export is covered by the Google Cloud Platform Terms of Service or your agreement governing your use of Google Cloud Platform.
The Drive inventory export is added to the BigQuery dataset with the following schema:
| Name | Schema field | Description |
|---|---|---|
| Item ID | id |
The unique Drive item identifier of the item |
| Version | version |
The latest version number of the file. The file version is a monotonically increasing number. This reflects every change made to the file on the server, even those not visible to the user. |
| Owner | owner.user or owner.shared_drive |
For items owned by a user, the email and user ID of the file owner. For items in a shared drive, the shared drive ID. |
| Creator | creator |
The email and user ID of the item's creator. This field isn't populated if the creator no longer has access to the item. |
| Snapshot timestamps | snapshot_start_time_micros and snapshot_end_time_micros |
The timestamps of when the report generation started and ended |
| Title | title |
The user-specified file title |
| Description | description |
A short description of the item |
| Trashed Status | is_trashed |
Whether or not the item was moved to the trash but not yet deleted |
| Mime Type | mime_type |
The MIME type of the item. See Google Workspace and Google Drive supported MIME types. |
| File Extension | file_extension |
The final component of the full file extension, which is extracted from the name field. This is only available for items with binary content in Google Drive |
| Creation Time | create_time |
The timestamp of when the item was created |
| Last Modified Time | last_modified_time_micros |
The timestamp of the last time the item was modified by anyone |
| File Size | file_size_bytes |
The size in bytes of blobs and Docs Editors files. Not reported for items that have no size, like shortcuts and folders. |
| Consumed Quota | consumed_quota_bytes |
The number of storage quota bytes used by the item. This includes the head revision as well as previous revisions that have been kept. |
| Shared Drive ID | shared_drive_id |
For items in a shared drive, the shared drive ID. |
| Applied Labels* | applied_labels.id |
The ID of the label applied to the item |
applied_labels.title |
The resource name of the label applied to the item | |
applied_labels.field_values.id |
The ID of a field, unique within a label or library. |
|
|
|
The type of field. Can be one of the following: |
|
|
|
The text to show in the UI that identifies the field | |
| Permissions | access.permissions.permission_id |
The ID of this permission. This is a unique identifier for the grantee. Note: The permission ID is not the same as the user ID. |
access.permissions.name |
The "pretty" name of the value of the permission. The following is a list of examples for each type of permission:
|
|
access.permissions.type |
The type of the permission. Valid values are:
|
|
access.permissions.role |
The role granted by this permission. Valid values are:
Note: See roles and permission for details on the type |
|
access.permissions.view |
If the permission belongs to a view, the value is published |
|
|
|
Whether the permission allows the file to be searchable. Only reported for permissions of type domain or anyone. |
|
access.permissions.email |
The email address of the user or group to which this permission refers | |
access.permissions.domain |
The domain name of the entity this permission refers to. This is present when the permission type is user, group or domain. |
|
access.permissions.user_id |
The user ID associated with email on the permissions |
* Refers to labels applied to items in Drive. For details about the applied_labels.field_values schema fields, go to Resource: Label
You can. Just remember your new exports and the last export before the change will be in different locations.
Yes. If you also set up service log exports to BigQuery, you can use the same project ID. Your Drive inventory will go to a different dataset in the project.
Yes. If you no longer want to export your Drive inventory to BigQuery, you can delete the Drive Inventory configuration in your Admin console.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu
- Click Drive Inventory.
- Click BigQuery project ID and select the project.
- Click Delete.
- To confirm, click Delete again.
Your Drive inventory will no longer export. The dataset remains in the project with existing data, but data will be deleted as it expires.
To restart Drive inventory exports, add a project ID.
You may see a service account named id@gcp-sa-statefulreporting.iam.gserviceaccount.com and another service account named drive-inventory-reporting@system.gserviceaccount.com on the permissions list for your BigQuery project and dataset. During Beta, one service account is used to read metadata from Drive and the other is used to write your Drive inventory to BigQuery. If an organizational policy prevents these service accounts from joining the permissions list, the accounts’ domains must be allowlisted. These service accounts may be combined during Beta.
During Beta, data regionalization isn’t supported.
