Audit logging

This page describes the audit logs created for Cloud Deploy activity.

Audit logging summary

Google Cloud services write audit logs to help you answer the questions of "who did what, where, and when?" within your Google Cloud projects and organizations.

For Cloud Deploy, only admin activity is logged for auditing purposes. This audit information is provided by default. Admin activity consists of operations that modify the configuration or metadata of a Cloud Deploy resource. Any API call that creates, updates, or deletes a Cloud Deploy resource is included in admin logging.

For more information, see Cloud Audit Logs.

Audited operations

The following is a list of the Cloud Deploy operations that are logged for auditing:

  • projects.locations.customTargetTypes.create
  • projects.locations.customTargetTypes.delete
  • projects.locations.customTargetTypes.update
  • projects.locations.deliveryPipelines.create
  • projects.locations.deliveryPipelines.delete
  • projects.locations.deliveryPipelines.setIamPolicy
  • projects.locations.deliveryPipelines.update
  • projects.locations.deliveryPipelines.automation.create
  • projects.locations.deliveryPipelines.automation.delete
  • projects.locations.deliveryPipelines.automation.setIamPolicy
  • projects.locations.deliveryPipelines.automation.update
  • projects.locations.deliveryPipelines.automationRuns.cancel
  • projects.locations.deliveryPipelines.releases.create
  • projects.locations.deliveryPipelines.releases.rollouts.advance
  • projects.locations.deliveryPipelines.releases.rollouts.approve
  • projects.locations.deliveryPipelines.releases.rollouts.cancel
  • projects.locations.deliveryPipelines.releases.rollouts.create
  • projects.locations.deliveryPipelines.releases.rollouts.ignoreJob
  • projects.locations.deliveryPipelines.releases.rollouts.jobRuns.terminate
  • projects.locations.deliveryPipelines.releases.rollouts.retryJob
  • projects.locations.targets.create
  • projects.locations.targets.delete
  • projects.locations.targets.setIamPolicy
  • projects.locations.targets.update

Unlike audit logs for other services, Cloud Deploy only has ADMIN_READ and ADMIN_WRITE data access logs and does not offer DATA_READ and DATA_WRITE logs. DATA_READ and DATA_WRITE logs are only used for services that store and manage user data, and Cloud Deploy considers its resources to be administrative configuration information.

Permissions for accessing the logs

The following users can view admin activity logs:

See IAM roles and permissions for more information.

Audit log format

Audit log entries have the following structure:

  • An object of type LogEntry that contains the entire log entry.
  • An object of type AuditLog that is held in the protoPayload field of the LogEntry object.

Knowing what information is held in these objects helps you understand and retrieve your audit log entries using the Logs Explorer and the Cloud Logging API.

All audit log entries contain the name of an audit log, a resource, and a service:

  • logName: This field indicates whether the log is an Admin Activity or Data Access audit log. For Cloud Deploy, these are admin activity only. For example:

    projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com/activity
    organizations/[ORGANIZATION_ID]/logs/cloudaudit.googleapis.com/activity
    

    Within a project or organization, the log name ends with the suffix activity, the abbreviation for Admin Activity.

  • serviceName: For Cloud Deploy, the field contains clouddeploy.googleapis.com.

    Resource types belong to a single service, but a service can have several resource types. For a list of services and resources, see Mapping services to resources.

For more details, see Audit Log Datatypes.

Enabling logs

Admin activity logs are enabled and logged by default. These logs do not count toward your log ingestion quota. By default, data access logs are not recorded, but you can configure them to be recorded.

Quotas and limits

For information about limitations on Logging, see Quotas and Limits.

Viewing logs

To view a summary of your Admin Activity:

To select and filter your logs and view them in detail:

  1. Open the Logs Explorer page:

  2. In the Logs Explorer, select the Resource whose audit logs you want to see.

  3. In the Log name drop-down, select the name of the log you want to see.

    Select Activity for Admin Activity audit logs, and data_access for Data Access audit logs (if the logs are available).

The Logs Explorer, in Google Cloud console, showing the resource and log name selectors.

The audit logs are shown in the Logs Explorer.

You can also use the Logs Explorer advanced filter interface to specify the resource type and log name. For more information, see Retrieving audit logs.

Exporting your audit logs

You can export copies of some or all of your logs to other applications, other repositories, or third parties. To export your logs, see Exporting logs.

An organization can create an aggregated sink that can export log entries from all the projects, folders, and billing accounts of the organization. Like any sink, your aggregated sink contains a filter that selects individual log entries. To aggregate and export your audit logs, see Aggregated sinks.
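The log format described above, and the filter a Logs Explorer query or an aggregated sink needs to select only Cloud Deploy admin activity, worked through in Python as an added example (not code from the Cloud Deploy documentation). The sample entry is constructed: the field names follow the LogEntry / AuditLog schema, but the project, principal and IP are made up, and the exact methodName string is an assumption.

```python
import json

# Constructed sample entry (made-up project, principal and IP). Field names follow the
# LogEntry / AuditLog schema described above; the methodName value is an assumption.
SAMPLE_ENTRY = json.dumps({
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "protoPayload": {
        "serviceName": "clouddeploy.googleapis.com",
        "methodName": "google.cloud.deploy.v1.CloudDeploy.SetIamPolicy",
        "resourceName": "projects/example-project/locations/us-central1/targets/prod",
        "authenticationInfo": {"principalEmail": "deployer@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"},
    },
})

# Operations a reviewer usually wants first: IAM changes and release-gate overrides
# (the setIamPolicy, approve, advance and ignoreJob entries of the audited list).
IAM_METHODS = {"SetIamPolicy"}
GATE_METHODS = {"ApproveRollout", "AdvanceRollout", "IgnoreJob"}


def parse_entry(raw):
    """Extract the log name, service, resource and actor from one LogEntry JSON string."""
    entry = json.loads(raw)
    payload = entry.get("protoPayload", {})
    # Stored entries URL-encode the slash before "activity" as %2F; handle both forms.
    log_type = entry.get("logName", "").rsplit("%2F", 1)[-1].rsplit("/", 1)[-1]
    return {
        "log_type": log_type,  # "activity" for Admin Activity, "data_access" otherwise
        "service": payload.get("serviceName"),
        "method": payload.get("methodName", "").rsplit(".", 1)[-1],  # last RPC segment
        "resource": payload.get("resourceName"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
    }


def is_cloud_deploy_admin_activity(parsed):
    return parsed["service"] == "clouddeploy.googleapis.com" and parsed["log_type"] == "activity"


def triage(parsed):
    # Bucket an entry so IAM and gate changes are separated from routine config edits.
    if parsed["method"] in IAM_METHODS:
        return "iam-change"
    if parsed["method"] in GATE_METHODS:
        return "release-gate"
    return "config-change"


def activity_filter(project_id):
    """Logs Explorer / sink filter selecting only Cloud Deploy Admin Activity entries."""
    return (f'logName="projects/{project_id}/logs/cloudaudit.googleapis.com%2Factivity" AND '
            'protoPayload.serviceName="clouddeploy.googleapis.com"')
```

The same filter string can be pasted into the Logs Explorer query box or used as the filter of an aggregated sink so that only these entries are exported.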

To read your log entries through the API, see entries.list. To read your log entries using the SDK, see Reading log entries.
