Create an event handler that receives and processes a Cloud Audit Log event with IAM data

Creates an event handler that receives an incoming Cloud Audit Log event within an HTTP POST request as a CloudEvent.

Code sample

Go

To authenticate to Eventarc, set up Application Default Credentials. For more information, see Set up authentication for a local development environment. 


// Processes CloudEvents containing Cloud Audit Logs for IAM
package main

import (
	"fmt"
	"log"
	"net/http"
	"os"

	cloudevent "github.com/cloudevents/sdk-go/v2"
	"github.com/googleapis/google-cloudevents-go/cloud/auditdata"
	"google.golang.org/protobuf/encoding/protojson"
)

func HandleCloudEvent(w http.ResponseWriter, r *http.Request) {
	// Transform the HTTP request into a CloudEvent
	event, err := cloudevent.NewEventFromHTTPRequest(r)
	if err != nil {
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprintln(w, "Failed to create CloudEvent from request.")
		log.Fatal("cloudevent.NewEventFromHTTPRequest:", err)
	}

	// Extract the LogEntryData from the CloudEvent
	var logentry auditdata.LogEntryData
	// AuditLog objects include a `@type` annotation, which errors when using
	// `protojson.Unmarshal`. UnmarshalOptions prevents this error.
	umo := &protojson.UnmarshalOptions{DiscardUnknown: true}
	err = umo.Unmarshal(event.Data(), &logentry)
	if err != nil {
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprintln(w, "Failed to parse Audit Log")
		log.Fatal("protojson.Unmarshal:", err)
	}

	// Extract relevant fields from the audit log entry.
	// Identify the user that requested key creation
	actor := logentry.ProtoPayload.AuthenticationInfo.PrincipalEmail

	// Extract the resource name from the CreateServiceAccountKey request
	// For details of this type, see https://cloud.google.com/iam/docs/reference/rpc/google.iam.admin.v1#createserviceaccountkeyrequest
	principal := logentry.ProtoPayload.GetRequest().AsMap()["name"]

	// The response is of type google.iam.admin.v1.ServiceAccountKey,
	// which is described at https://cloud.google.com/iam/docs/reference/rpc/google.iam.admin.v1#google.iam.admin.v1.ServiceAccountKey
	// This key path can be used with gcloud to disable/delete the key:
	// e.g. gcloud iam service-accounts keys disable ${keypath}
	keypath := logentry.ProtoPayload.GetResponse().AsMap()["name"]

	s := fmt.Sprintf("New Service Account Key created for %s by %s: %v", principal, actor, keypath)
	log.Printf(s)
	fmt.Fprintln(w, s)
}

Python

To authenticate to Eventarc, set up Application Default Credentials. For more information, see Set up authentication for a local development environment. 

@app.route("/", methods=["POST"])
def index():
    # Transform the HTTP request into a CloudEvent
    event = from_http(request.headers, request.get_data())

    # Extract the LogEntryData from the CloudEvent
    # The LogEntryData type is described at https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry
    # re-serialize to json, to convert the json-style 'lowerCamelCase' names to the protobuf-style 'snake_case' equivalents.
    # ignore_unknown_fields is needed to skip the '@type' fields.
    log_entry = LogEntryData.from_json(
        json.dumps(event.get_data()), ignore_unknown_fields=True
    )

    # Ensure that this event is for service accout key creation, and succeeded.
    if log_entry.proto_payload.service_name != "iam.googleapis.com":
        return ("Received event was not from IAM.", 400)
    if log_entry.proto_payload.status.code != 0:
        return ("Key creation failed, not reporting.", 204)

    # Extract relevant fields from the audit log entry.
    # Identify the user that requested key creation
    user = log_entry.proto_payload.authentication_info.principal_email

    # Extract the resource name from the CreateServiceAccountKey request
    # For details of this type, see https://cloud.google.com/iam/docs/reference/rpc/google.iam.admin.v1#createserviceaccountkeyrequest
    service_account = log_entry.proto_payload.request["name"]

    # The response is of type google.iam.admin.v1.ServiceAccountKey,
    # which is described at https://cloud.google.com/iam/docs/reference/rpc/google.iam.admin.v1#google.iam.admin.v1.ServiceAccountKey
    # This key path can be used with gcloud to disable/delete the key:
    # e.g. gcloud iam service-accounts keys disable ${keypath}
    keypath = log_entry.proto_payload.response["name"]

    print(f"New Service Account Key created for {service_account} by {user}: {keypath}")
    return (
        f"New Service Account Key created for {service_account} by {user}: {keypath}",
        200,
    )

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser.