Trigger Workflows using Cloud Audit Logs (gcloud CLI)

This quickstart shows you how to execute a workflow using an Eventarc trigger that receives events from BigQuery using Cloud Audit Logs. BigQuery hosts public datasets for you to access and integrate into your applications. The trigger executes the workflow by listening for completed BigQuery jobs and passes the event as runtime arguments to a destination workflow.

You can complete this quickstart using the Google Cloud CLI.

  1. Use Workflows to create and deploy a workflow that extracts and returns the email of the user who ran the query, and the query itself.
  2. Create an Eventarc trigger that connects a BigQuery job to a Workflows event receiver.
  3. Generate an event by running a BigQuery job using the bq command-line tool. This event is passed as a runtime argument to the destination workflow.
  4. View the email of the user who ran the query and the query run.

Before you begin

Some of the steps in this document might not work correctly if your organization applies constraints to your Google Cloud environment. In that case, you might not be able to complete tasks like creating public IP addresses or service account keys. If you make a request that returns an error about constraints, see how to Develop applications in a constrained Google Cloud environment.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  4. Update gcloud components:
    gcloud components update
  5. Log in using your account:
    gcloud auth login
  6. Enable the Eventarc, Pub/Sub, Workflows, and Workflow Executions APIs:

    gcloud services enable eventarc.googleapis.com pubsub.googleapis.com workflows.googleapis.com workflowexecutions.googleapis.com
  7. Set the configuration variables used in this quickstart:

    export WORKFLOW_LOCATION=us-central1
    export TRIGGER_LOCATION=us-central1
    export PROJECT_ID=PROJECT_ID
    gcloud config set project ${PROJECT_ID}
    gcloud config set workflows/location ${WORKFLOW_LOCATION}
    gcloud config set eventarc/location ${TRIGGER_LOCATION}

    Replace PROJECT_ID with your Google Cloud project ID.

  8. Create a service account and give it a name; for example, my-service-account:
    export MY_SERVICE_ACCOUNT=my-service-account
    gcloud iam service-accounts create ${MY_SERVICE_ACCOUNT}
  9. Grant the roles/workflows.invoker role to the service account:

    gcloud projects add-iam-policy-binding ${PROJECT_ID} \
      --member="serviceAccount:${MY_SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
      --role='roles/workflows.invoker'

  10. Grant the roles/eventarc.eventReceiver role to the service account:

    gcloud projects add-iam-policy-binding ${PROJECT_ID} \
      --member="serviceAccount:${MY_SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
      --role='roles/eventarc.eventReceiver'

  11. If you enabled the Pub/Sub service account on or before April 8, 2021, grant the roles/iam.serviceAccountTokenCreator role to the Pub/Sub service account:

    gcloud projects add-iam-policy-binding ${PROJECT_ID} \
      --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com" \
      --role='roles/iam.serviceAccountTokenCreator'

    Replace PROJECT_NUMBER with your Google Cloud project number.

Create and deploy a workflow

Create and deploy a workflow that Eventarc executes, by way of an HTTP request, when a BigQuery job completes.

  1. Open a terminal or Cloud Shell.

  2. In your home directory, create a new file called myFirstWorkflow.yaml or myFirstWorkflow.json.

  3. Copy and paste the following into the new file and save it:

    YAML

    main:
      params: [event]
      steps:
        - log_event:
            call: sys.log
            args:
              text: ${event}
              severity: INFO
        - extract_data:
            assign:
              - user: ${event.data.protoPayload.authenticationInfo.principalEmail}
              - query: ${event.data.protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.query.query}
        - return_data:
            return:
              user: ${user}
              query: ${query}

    JSON

    {
      "main": {
        "params": [
          "event"
        ],
        "steps": [
          {
            "log_event": {
              "call": "sys.log",
              "args": {
                "text": "${event}",
                "severity": "INFO"
              }
            }
          },
          {
            "extract_data": {
              "assign": [
                {
                  "user": "${event.data.protoPayload.authenticationInfo.principalEmail}"
                },
                {
                  "query": "${event.data.protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.query.query}"
                }
              ]
            }
          },
          {
            "return_data": {
              "return": {
                "user": "${user}",
                "query": "${query}"
              }
            }
          }
        ]
      }
    }
  4. Deploy the workflow:

    export MY_WORKFLOW=myFirstWorkflow
    gcloud workflows deploy ${MY_WORKFLOW} --source=myFirstWorkflow.yaml
    
    Replace .yaml with .json if you copied the JSON version of the example workflow.

Create an Eventarc trigger

The Eventarc trigger sends events from BigQuery to the Workflows destination.

  1. Create a trigger that filters BigQuery events:

    gcloud eventarc triggers create events-cal-trigger \
    --destination-workflow=${MY_WORKFLOW} \
    --destination-workflow-location=${WORKFLOW_LOCATION} \
    --event-filters="type=google.cloud.audit.log.v1.written" \
    --event-filters="serviceName=bigquery.googleapis.com" \
    --event-filters="methodName=jobservice.jobcompleted" \
    --service-account="${MY_SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com"
    

    This creates a trigger called events-cal-trigger.

  2. To confirm events-cal-trigger was successfully created, run:

    gcloud eventarc triggers describe events-cal-trigger --location=${TRIGGER_LOCATION}

    The output should be similar to the following, listing the time of creation and the trigger location:

    createTime: '2021-10-14T15:15:43.872360951Z'
    [...]
    name: projects/PROJECT_ID/locations/us-central1/triggers/events-cal-trigger
    updateTime: '2021-10-14T15:15:52.543525284Z'
    

Generate and view an event

Run a BigQuery job using the bq command-line tool to generate an event and trigger the workflow. The generated event is passed as a runtime argument to the workflow, which returns the user email and the query as the result of the workflow execution.

  1. To trigger a workflow, run a BigQuery job that accesses a public dataset and retrieves information from it:

    bq query \
    --nouse_legacy_sql \
    --nouse_cache \
    'SELECT * FROM `bigquery-samples`.reddit.full LIMIT 10'
    

    The job completion generates an event that is passed as a runtime argument to the workflow which returns the email of the user who ran the query and the query itself.

  2. To verify that a workflow execution was triggered, list the last five executions:

    gcloud workflows executions list ${MY_WORKFLOW} --limit=5
    

    The output should be similar to the following, listing a NAME and STATE equal to SUCCEEDED for each workflow execution.

    NAME: projects/218898424763/locations/us-central1/workflows/myFirstWorkflow/executions/a073ad6a-c76b-4437-8d39-2ab3ade289d2
    STATE: SUCCEEDED
    START_TIME: 2021-11-08T21:59:33.870561996Z
    END_TIME: 2021-11-08T21:59:34.150034659Z
    NAME: projects/218898424763/locations/us-central1/workflows/myFirstWorkflow/executions/35d7c730-7ba5-4055-afee-c04ed706b179
    STATE: SUCCEEDED
    START_TIME: 2021-10-14T19:32:39.908739298Z
    END_TIME: 2021-10-14T19:32:40.147484015Z

    Note that in the output, a073ad6a-c76b-4437-8d39-2ab3ade289d2 from the NAME field is the ID of the workflow execution. Copy your execution ID to use in the next step.

  3. To view the event message:

    1. View the execution status:

      gcloud workflows executions describe WORKFLOW_EXECUTION_ID --workflow=${MY_WORKFLOW}
      
      Replace WORKFLOW_EXECUTION_ID with the ID of the workflow execution that corresponds to the time at which the BigQuery job completed. The output is similar to the following:
      argument: '{"data":{"insertId":"eg1840e6vdpr","logName":"projects/eventarc-min/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"authenticationInfo":{"principalEmail":"USER_EMAIL"},"methodName":"jobservice.jobcompleted","[...],"serviceData":{"@type":"type.googleapis.com/google.cloud.bigquery.logging.v1.AuditData","jobCompletedEvent":{"eventName":"query_job_completed","[...]","query":"SELECT* FROM bigquery-samples.reddit.full LIMIT 10","[...],"createTime":"2021-11-08T21:59:30.861Z","endTime":"2021-11-08T21:59:31.609Z","[...]","jobStatus":{"error":{},"state":"DONE"}}}},"[...]","serviceName":"bigquery.googleapis.com","source":"//cloudaudit.googleapis.com/projects/eventarc-min/logs/data_access","specversion":"1.0","subject":"bigquery.googleapis.com/projects/eventarc-min/jobs/bqjob_r2ff9ebe121883ce1_0000017d01904084_1","time":"2021-11-08T21:59:32.436340881Z","type":"google.cloud.audit.log.v1.written"}'
      endTime: '2021-11-08T21:59:34.150034659Z'
      name: projects/218898424763/locations/us-central1/workflows/myFirstWorkflow/executions/a073ad6a-c76b-4437-8d39-2ab3ade289d2
      result: '{"query":"SELECT * FROM bigquery-samples.reddit.full LIMIT 10","user":"USER_EMAIL"}'
      startTime: '2021-11-08T21:59:33.870561996Z'
      state: SUCCEEDED
      workflowRevisionId: 000008-5d7

      Verify that the time at which the BigQuery job completed (the endTime of the job inside the event argument, 2021-11-08T21:59:31.609Z in this example) and the startTime of the workflow execution (2021-11-08T21:59:33.870561996Z here, the START_TIME listed in the previous step) correspond to each other.

    2. Look for the result line, result: '{"query":"SELECT * FROM bigquery-samples.reddit.full LIMIT 10","user":"USER_EMAIL"}', which holds the values the workflow extracted from the event message.
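As an added example that is not part of the original quickstart, the following Python mirrors the three event filters of events-cal-trigger and the workflow's extract_data step against a constructed event in the shape shown above, and goes one step beyond the workflow by tolerating completed jobs that are not query jobs. SAMPLE_EVENT, TRIGGER_FILTERS and the function names are this example's own; USER_EMAIL is the same placeholder the page uses.

```python
import copy

# Constructed sample in the shape of the audit log event shown above ("[...]" parts omitted).
SAMPLE_EVENT = {
    "data": {"protoPayload": {
        "authenticationInfo": {"principalEmail": "USER_EMAIL"},
        "methodName": "jobservice.jobcompleted",
        "serviceData": {"jobCompletedEvent": {
            "eventName": "query_job_completed",
            "job": {
                "jobConfiguration": {"query": {
                    "query": "SELECT * FROM bigquery-samples.reddit.full LIMIT 10"}},
                "jobStatus": {"error": {}, "state": "DONE"}}}}}},
    "serviceName": "bigquery.googleapis.com",
    "type": "google.cloud.audit.log.v1.written",
}

# The three --event-filters given to events-cal-trigger; all must match.
TRIGGER_FILTERS = {
    "type": "google.cloud.audit.log.v1.written",
    "serviceName": "bigquery.googleapis.com",
    "methodName": "jobservice.jobcompleted",
}

def matches_trigger(event):
    """True when the event would pass the trigger's filters."""
    method = event.get("data", {}).get("protoPayload", {}).get("methodName")
    return (event.get("type") == TRIGGER_FILTERS["type"]
            and event.get("serviceName") == TRIGGER_FILTERS["serviceName"]
            and method == TRIGGER_FILTERS["methodName"])

def extract_data(event):
    """Same two fields as the workflow's extract_data step.

    jobConfiguration is a oneof (query, load, extract, tableCopy); the workflow
    indexes .query.query unconditionally and so errors on a load or copy job.
    Here a missing query yields None instead of failing the execution.
    """
    payload = event["data"]["protoPayload"]
    job = payload["serviceData"]["jobCompletedEvent"]["job"]
    query = job.get("jobConfiguration", {}).get("query", {}).get("query")
    return {"user": payload["authenticationInfo"]["principalEmail"], "query": query}

def with_job_configuration(event, configuration):
    # Deep copy so the sample event itself is left untouched.
    clone = copy.deepcopy(event)
    job = clone["data"]["protoPayload"]["serviceData"]["jobCompletedEvent"]["job"]
    job["jobConfiguration"] = configuration
    return clone
```

The trigger filters match every completed BigQuery job, not only query jobs, so a load job also starts an execution; the workflow above would fail on it while extract_data here returns query None.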

Congratulations, you have successfully generated a BigQuery event that has triggered a Workflows event receiver using Eventarc.

Clean up

  1. Delete the workflow you created:
    gcloud workflows delete ${MY_WORKFLOW}
    When asked if you want to continue, enter y.
  2. Delete the trigger created in this tutorial:
    gcloud eventarc triggers delete events-cal-trigger
    
  3. Alternatively, you can delete your Google Cloud project to stop billing for all the resources used within that project.
    To delete your project:
    gcloud projects delete PROJECT_ID_OR_NUMBER
    
    Replace PROJECT_ID_OR_NUMBER with your Google Cloud project ID or number.
