Auditing policy tags

This document describes how to use Cloud Logging to audit activities related to policy tags. For example, you can determine:

  • The email address for the principal that grants or removes access on a policy tag

  • The email address of the principal whose access was granted or removed

  • The policy tag whose access was changed

Policy tags are Data Catalog resources.

Access to logs

For information about the permissions you need to view logs, see the Cloud Logging access control guide.

Viewing logs for policy tag events

  1. Go to the Logs Viewer page in the Cloud Console.


  2. In the resources drop-down list, click Audited Resource, click Audited Resources again, and then click datacatalog.googleapis.com. You will see recent audit log entries of Data Catalog resources.

    Logs viewer for Data Catalog.

  3. To view the log entries, select the Data Catalog SetIamPolicy method.

    Logs viewer for SetIamPolicy.

  4. Click the log entry to see details about the call to the SetIamPolicy method.

    Logs viewer SetIamPolicy detail.

  5. Click the log entry fields to see details for the SetIamPolicy entry.

    • Click protoPayload, then click authenticationInfo to see the principalEmail for the entity that set the IAM policy.

      `principalEmail`.

    • Click protoPayload, click request, click policy, and then click bindings to see the bindings, including members and roles, that were changed.

      Bindings.
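The console steps above read the same two fields by hand for each entry: `protoPayload.authenticationInfo.principalEmail` and `protoPayload.request.policy.bindings`. The following Python script is an added example, not part of this documentation or of any Google library; it does the same selection (service `datacatalog.googleapis.com`, method SetIamPolicy) over exported log lines and answers the three questions from the introduction. The fully qualified `methodName` string is an assumption, and every project id, taxonomy id, policy tag id and email address in the sample log is a constructed value. One point the script makes explicit: SetIamPolicy records the complete new policy, not a delta, so to tell a grant from a removal you must compare each entry with the previous policy seen for the same policy tag.

```python
import json
from typing import Dict, Iterable, List, Set, Tuple

# Assumption: fully qualified method name as it appears in the audit log entry.
SET_IAM_POLICY_METHOD = "google.cloud.datacatalog.v1.PolicyTagManager.SetIamPolicy"
DATACATALOG_SERVICE = "datacatalog.googleapis.com"

Binding = Tuple[str, str]  # (role, member)


def make_entry(method: str, principal: str, resource: str,
               bindings: List[dict], timestamp: str) -> dict:
    """Build one constructed log entry in the Cloud Audit Logs AuditLog shape."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": DATACATALOG_SERVICE,
        "methodName": method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
    }
    if method == SET_IAM_POLICY_METHOD:
        payload["request"] = {"resource": resource, "policy": {"bindings": bindings}}
    return {
        "timestamp": timestamp,
        "resource": {"type": "audited_resource",
                     "labels": {"service": DATACATALOG_SERVICE, "method": method}},
        "protoPayload": payload,
    }


# Constructed sample log: all ids and addresses are made up.
TAG = "projects/example-project/locations/us/taxonomies/111/policyTags/222"
READER = "roles/datacatalog.categoryFineGrainedReader"
SAMPLE_LOG_LINES = [json.dumps(e) for e in (
    make_entry(SET_IAM_POLICY_METHOD, "admin@example.com", TAG,
               [{"role": READER, "members": ["user:analyst@example.com",
                                              "group:finance@example.com"]}],
               "2024-01-01T10:00:00Z"),
    # A read-only call on the same tag; it must be ignored by the filter below.
    make_entry("google.cloud.datacatalog.v1.PolicyTagManager.GetIamPolicy",
               "auditor@example.com", TAG, [], "2024-01-01T10:05:00Z"),
    make_entry(SET_IAM_POLICY_METHOD, "admin@example.com", TAG,
               [{"role": READER, "members": ["user:analyst@example.com",
                                              "user:contractor@example.com"]}],
               "2024-01-01T11:00:00Z"),
)]


def is_policy_tag_set_iam_policy(entry: dict) -> bool:
    """Same selection as the console steps: Data Catalog service, SetIamPolicy method."""
    p = entry.get("protoPayload", {})
    return (p.get("serviceName") == DATACATALOG_SERVICE
            and p.get("methodName") == SET_IAM_POLICY_METHOD)


def bindings_of(entry: dict) -> Set[Binding]:
    """Flatten request.policy.bindings into a set of (role, member) pairs."""
    policy = entry["protoPayload"].get("request", {}).get("policy", {})
    return {(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])}


def audit_policy_tag_changes(log_lines: Iterable[str]) -> List[Dict]:
    """Walk SetIamPolicy entries in time order and report who granted or revoked what.

    Each entry carries the whole new policy, so it is diffed against the previous
    policy recorded for the same policy tag. The first entry seen for a tag has no
    baseline: everything in it is reported as granted and baseline_known is False.
    """
    entries = [json.loads(line) for line in log_lines]
    entries = [e for e in entries if is_policy_tag_set_iam_policy(e)]
    entries.sort(key=lambda e: e["timestamp"])
    previous: Dict[str, Set[Binding]] = {}
    report: List[Dict] = []
    for e in entries:
        tag = e["protoPayload"]["resourceName"]
        now = bindings_of(e)
        before = previous.get(tag, set())
        report.append({
            "timestamp": e["timestamp"],
            "principal": e["protoPayload"]["authenticationInfo"]["principalEmail"],
            "policy_tag": tag,
            "granted": sorted(now - before),
            "revoked": sorted(before - now),
            "baseline_known": tag in previous,
        })
        previous[tag] = now
    return report


if __name__ == "__main__":
    for change in audit_policy_tag_changes(SAMPLE_LOG_LINES):
        print(json.dumps(change, indent=2))
```

Feed the script a log export (one JSON entry per line) covering the full retention window you care about; if the export starts after the tag's first SetIamPolicy call, the first reported change will show `baseline_known: False` and its "granted" list is the whole policy at that time rather than a real delta.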

What's next

Learn about best practices for policy tags.