IAMAuditConfig

IAMAuditConfig configures Data Access audit logging for a given service. Read more about Data Access audit logs at Configuring Data Access audit logs.

Property: Value
Google Cloud Service Name: Cloud IAM
Google Cloud Service Documentation: /iam/docs/
Google Cloud REST Resource Name: v1.iamPolicies
Google Cloud REST Resource Documentation: /iam/reference/rest/v1/iamPolicies
Config Connector Resource Short Names: gcpiamauditconfig, gcpiamauditconfigs, iamauditconfig
Config Connector Service Name: iam.googleapis.com
Config Connector Resource Fully Qualified Name: iamauditconfigs.iam.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember: No

Supported Resources

You can use IAMAuditConfig to configure Data Access audit logging for the following resources.

Kind: External Reference Formats
Folder: folders/{{folder_id}}
Project: projects/{{project_id}}

Custom Resource Definition Properties

Spec

Schema

  auditLogConfigs:
  - exemptedMembers:
    - string
    logType: string
  resourceRef:
    apiVersion: string
    external: string
    kind: string
    name: string
    namespace: string
  service: string
Fields

auditLogConfigs

Required*

list (object)

Required. The configuration for logging of each type of permission.

auditLogConfigs.[]

Required*

object

auditLogConfigs.[].exemptedMembers

Optional

list (string)

Identities that do not cause logging for this type of permission. The format is the same as that for 'members' in IAMPolicy/IAMPolicyMember.

auditLogConfigs.[].exemptedMembers.[]

Optional

string

auditLogConfigs.[].logType

Required*

string

Permission type for which logging is to be configured. Must be one of 'DATA_READ', 'DATA_WRITE', or 'ADMIN_READ'.

resourceRef

Required*

object

Immutable. Required. The GCP resource to set the IAMAuditConfig on (a Project or a Folder; see Supported Resources above).

resourceRef.apiVersion

Optional

string

resourceRef.external

Optional

string

resourceRef.kind

Required*

string

resourceRef.name

Optional

string

resourceRef.namespace

Optional

string

service

Required*

string

Immutable. Required. The service for which to enable Data Access audit logs. The special value 'allServices' covers all services. Note that if there are audit configs covering both 'allServices' and a specific service, then the union of the two audit configs is used for that service: the 'logType' values specified in each 'auditLogConfig' are enabled, and the 'exemptedMembers' in each 'auditLogConfig' are exempted. Because exemptions are also unioned, a member exempted under 'allServices' is exempted for every service, even if the service-specific config does not list it.

* Field is required when parent field is specified
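The union rule for 'allServices' plus a service-specific config is easy to get wrong when reviewing exemptions, so the following added example (written for this page, not part of Config Connector) computes the effective Data Access audit configuration for one service from a set of IAMAuditConfig specs and validates the fields the schema above constrains. The specs are plain Python dicts mirroring the spec schema; the first one is the page's sample (with PROJECT_ID filled in as my-project) and the second is a constructed service-specific config. The member prefixes accepted by validate_spec are an assumption covering common IAM member formats.

```python
"""Effective Data Access audit config for a service, following the union rule
described for IAMAuditConfig's 'service' field. Added example, not Config
Connector code. Inputs are dicts shaped like the IAMAuditConfig spec."""

VALID_LOG_TYPES = {"DATA_READ", "DATA_WRITE", "ADMIN_READ"}
VALID_RESOURCE_KINDS = {"Project", "Folder"}
# Assumption: the common IAM member prefixes; the page only says the format
# matches 'members' in IAMPolicy/IAMPolicyMember.
VALID_MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")

# Constructed sample input. SAMPLE_SPECS[0] is the page's sample manifest with
# ${PROJECT_ID?} replaced by "my-project"; SAMPLE_SPECS[1] is made up here.
SAMPLE_SPECS = [
    {
        "service": "allServices",
        "auditLogConfigs": [
            {"logType": "DATA_WRITE"},
            {"logType": "DATA_READ",
             "exemptedMembers": [
                 "serviceAccount:iamauditconfig-dep@my-project.iam.gserviceaccount.com"]},
        ],
        "resourceRef": {"kind": "Project", "external": "projects/my-project"},
    },
    {
        "service": "storage.googleapis.com",
        "auditLogConfigs": [
            {"logType": "ADMIN_READ"},
            {"logType": "DATA_READ",
             "exemptedMembers": ["group:storage-auditors@example.com"]},
        ],
        "resourceRef": {"kind": "Project", "external": "projects/my-project"},
    },
]


def validate_spec(spec):
    """Return a list of problems with one IAMAuditConfig spec (empty if valid)."""
    errors = []
    if not spec.get("service"):
        errors.append("spec.service is required")
    ref = spec.get("resourceRef") or {}
    if ref.get("kind") not in VALID_RESOURCE_KINDS:
        errors.append("spec.resourceRef.kind must be Project or Folder")
    if not (ref.get("external") or ref.get("name")):
        errors.append("spec.resourceRef needs 'external' or 'name'")
    configs = spec.get("auditLogConfigs") or []
    if not configs:
        errors.append("spec.auditLogConfigs is required and must not be empty")
    for i, cfg in enumerate(configs):
        if cfg.get("logType") not in VALID_LOG_TYPES:
            errors.append(f"auditLogConfigs[{i}].logType must be one of "
                          f"{sorted(VALID_LOG_TYPES)}")
        for j, member in enumerate(cfg.get("exemptedMembers") or []):
            if not member.startswith(VALID_MEMBER_PREFIXES):
                errors.append(f"auditLogConfigs[{i}].exemptedMembers[{j}] "
                              f"has an unrecognised member format: {member!r}")
    return errors


def effective_audit_config(specs, service):
    """Return {logType: frozenset(exemptedMembers)} in effect for `service`.

    Both the 'allServices' config and the config naming `service` contribute:
    every logType from either is enabled, and exemptedMembers from either are
    exempted (the union rule from the 'service' field description)."""
    effective = {}
    for spec in specs:
        if spec["service"] not in ("allServices", service):
            continue
        for cfg in spec["auditLogConfigs"]:
            members = effective.setdefault(cfg["logType"], set())
            members.update(cfg.get("exemptedMembers") or [])
    return {log_type: frozenset(m) for log_type, m in effective.items()}


def unexpected_exemptions(specs, service, allowed_members):
    """List (logType, member) pairs exempted for `service` that are not in
    `allowed_members`. Useful as a review check: exemptions inherited from
    'allServices' show up here even though the service-specific spec omits them."""
    found = []
    for log_type, members in sorted(effective_audit_config(specs, service).items()):
        for member in sorted(members):
            if member not in allowed_members:
                found.append((log_type, member))
    return found


if __name__ == "__main__":
    for spec in SAMPLE_SPECS:
        print(spec["service"], "->", validate_spec(spec) or "ok")
    print(effective_audit_config(SAMPLE_SPECS, "storage.googleapis.com"))
    print(unexpected_exemptions(SAMPLE_SPECS, "storage.googleapis.com",
                                {"group:storage-auditors@example.com"}))
```

For storage.googleapis.com the result enables all three log types and exempts both the group from the service-specific config and the service account from the 'allServices' config; unexpected_exemptions flags the service account, which a reviewer looking only at the storage-specific manifest would miss.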

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
Fields
conditions

list (object)

Conditions represents the latest available observations of the IAMAuditConfig's current state.

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

Sample YAML(s)

Typical Use Case

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  # Replace ${PROJECT_ID?} below with your desired project ID.
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMAuditConfig
  metadata:
    name: iamauditconfig-sample
  spec:
    service: allServices
    auditLogConfigs:
      - logType: DATA_WRITE
      - logType: DATA_READ
        exemptedMembers:
          - serviceAccount:iamauditconfig-dep@${PROJECT_ID?}.iam.gserviceaccount.com
    resourceRef:
      apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
      kind: Project
      external: projects/${PROJECT_ID?}
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iamauditconfig-dep