View audit logs for Cloud Run events

This guide shows you how to view Binary Authorization for Cloud Run events in Cloud Audit Logs.

Blocked deployment events in Cloud Logging

Logs Explorer

To view blocked deployment events in the Cloud Logging Logs Explorer, do the following:

  1. Go to the Cloud Audit Logs Logs Explorer page:

    Go to Logs Explorer.

  2. In the Project Selector at the top of the page, select the Google Cloud project ID of the project in which you run Cloud Run.

  3. Enter the following query in the search-query box:

    resource.type="cloud_run_revision"
    logName:"cloudaudit.googleapis.com%2Fsystem_event"
    protoPayload.response.status.conditions.reason="ContainerImageUnauthorized"
    
  4. Select the time range in the time-range selector.

To search within the log entries, click Expand nested fields.

gcloud

To view policy violation events from the past week in Cloud Logging using the Google Cloud CLI, do the following:

gcloud logging read --order="desc" --freshness=7d \
  'resource.type="cloud_run_revision" AND
   logName:"cloudaudit.googleapis.com%2Fsystem_event" AND
   protoPayload.response.status.conditions.reason="ContainerImageUnauthorized"'

Breakglass events in Cloud Logging

Breakglass enables you to override Binary Authorization policy enforcement and deploy a container image that violates the policy.

Query Cloud Logging for revisions with breakglass specified

Logs Explorer

To view breakglass events in the Cloud Logging Logs Explorer, do the following:

  1. Go to the Cloud Audit Logs Logs Explorer page:

    Go to Logs Explorer.

  2. In the Project Selector at the top of the page, select the project ID of the project in which you run Cloud Run.

  3. Enter the following in the search-query box:

    resource.type="cloud_run_revision"
    logName:"cloudaudit.googleapis.com%2Fsystem_event"
    "breakglass"
    

    To further refine your search, add the following lines:

    resource.labels.service_name = SERVICE_NAME
    resource.labels.location = LOCATION
    

  4. Select the time range in the time-range selector.

To search within the log entries, click Expand nested fields.

gcloud

To view breakglass events from the past week in Cloud Logging using the gcloud CLI, do the following:

gcloud logging read --order="desc" --freshness=7d \
  'resource.type="cloud_run_revision" AND
   logName:"cloudaudit.googleapis.com%2Fsystem_event" AND
   "breakglass"'

Query Cloud Logging for fail open events

Logs Explorer

To view fail open events in the Cloud Logging Logs Explorer, do the following:

  1. Go to the Cloud Audit Logs Logs Explorer page:

    Go to Logs Explorer.

  2. In the Project Selector at the top of the page, select the project ID of the project in which you run Cloud Run.

  3. Enter the following in the search-query box:

     resource.type="cloud_run_revision"
     logName:"cloudaudit.googleapis.com%2Fsystem_event"
     "encountered an error"
    
  4. Select the time range in the time-range selector.

To search within the log entries, click Expand nested fields.

gcloud

To view fail open events from the past week in Cloud Logging using the gcloud CLI, do the following:

gcloud logging read --order="desc" --freshness=7d \
  'resource.type="cloud_run_revision" AND
    logName:"cloudaudit.googleapis.com%2Fsystem_event" AND
    "encountered an error"'

Query Cloud Logging for dry run events

Logs Explorer

To view dry run events in the Cloud Logging Logs Explorer, do the following:

  1. Go to the Cloud Audit Logs Logs Explorer page:

    Go to Logs Explorer.

  2. In the Project Selector at the top of the page, select the project ID of the project in which you run Cloud Run.

  3. Enter the following in the search-query box:

    resource.type="cloud_run_revision"
    logName:"cloudaudit.googleapis.com%2Fsystem_event"
    "dry run"
    
  4. Select the time range in the time-range selector.

To search within the log entries, click Expand nested fields.

gcloud

To view dry run deployment events from the past week in Cloud Logging using the gcloud CLI, do the following:

gcloud logging read --order="desc" --freshness=7d \
  'resource.type="cloud_run_revision" AND
   logName:"cloudaudit.googleapis.com%2Fsystem_event" AND
   "dry run"'
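
To triage all four event types from a single export, the following added example (not part of the original guide or of Google's tooling) buckets entries produced by `gcloud logging read ... --format=json` using the reason value and quoted strings from the queries above. The `SAMPLE` entries, their field layout and message wording, and the function names are constructed assumptions.

```python
import json
import sys
from collections import Counter

BLOCKED_REASON = "ContainerImageUnauthorized"  # reason value from the first query
TEXT_MARKERS = {"breakglass": "breakglass",    # quoted strings from the other queries
                "fail_open": "encountered an error",
                "dry_run": "dry run"}

# Constructed entries: the field layout and message wording are assumptions.
SAMPLE = [
    {"protoPayload": {"response": {"status": {"conditions": [{"reason": BLOCKED_REASON}]}}}},
    {"protoPayload": {"status": {"message": "constructed: BreakGlass justification given"}}},
    {"protoPayload": {"status": {"message": "constructed: policy check encountered an error"}}},
    {"protoPayload": {"status": {"message": "constructed: dry run, image would be denied"}}},
    {"protoPayload": {"status": {"message": "constructed: revision ready"}}},
]

def _dig(node, *keys):  # follow keys through nested dicts; None if a level is missing
    for key in keys:
        node = node.get(key) if isinstance(node, dict) else None
    return node

def _strings(node):  # yield every string value in a nested JSON structure
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _strings(child)

def classify(entry):
    """Return the set of event categories one log entry falls into."""
    conditions = _dig(entry, "protoPayload", "response", "status", "conditions") or []
    labels = {"blocked"} if any(_dig(c, "reason") == BLOCKED_REASON for c in conditions) else set()
    # Approximates the quoted-text terms: case-insensitive substring on any field value.
    haystack = "\n".join(_strings(entry)).lower()
    return labels | {name for name, marker in TEXT_MARKERS.items() if marker in haystack}

def summarize(entries):
    """Count entries per category; entries matching none count as 'other'."""
    counts = Counter()
    for entry in entries:
        counts.update(classify(entry) or {"other"})
    return dict(counts)

if __name__ == "__main__":
    # Reads a JSON array on stdin when piped; otherwise uses the constructed SAMPLE.
    entries = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(summarize(entries), indent=2))
```

An entry can land in more than one bucket, so the per-category counts may sum to more than the number of entries read.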
