Enabling Cloud Audit Logs

This page describes how to enable Cloud Audit Logs for Cloud Identity-Aware Proxy (Cloud IAP).

Note that Cloud Audit Logs will never generate logs for public Cloud IAP resources.

Before you begin

Before you begin, you'll need the following:

  • An App Engine or Compute Engine app with Cloud IAP enabled for which you want to enable Cloud Audit Logs.
  • An up to date version of Cloud SDK. Get Cloud SDK.

Enabling Cloud Audit Logs using Cloud SDK

To enable Cloud Audit Logs for all Cloud IAP resources in a specific project, follow the process below:

  1. Download the Cloud Identity and Access Management (Cloud IAM) policy settings for the project by running the following gcloud command-line command:
    gcloud projects get-iam-policy PROJECT_ID > policy.yaml
  2. Edit the policy.yaml file you downloaded to add a new auditConfigs section as follows. Make sure you don't change any etag values.
    - auditLogConfigs:
      - logType: ADMIN_READ
      - logType: DATA_READ
      - logType: DATA_WRITE
      service: iap.googleapis.com
  3. Update the Cloud IAM policy settings with the modified .yaml file by running the following gcloud command-line command:
    gcloud projects set-iam-policy PROJECT_ID policy.yaml

All requests to access the project resources will generate audit logs.

Cloud Audit Logs and access levels

Enabling Cloud Audit Logs for your Cloud IAP-secured project allows you to see authorized and unauthorized access requests. View requests and all the access levels a requestor has met by following the process below:

  1. Go to the GCP Console Logs page for your project.
    Go to the logs page
  2. On the resource selector drop-down list, select a resource. Cloud IAP-secured HTTPS resources are under GAE Application and GCE Backend Service. Cloud IAP-secured SSH and TCP resources are under GCE VM instance.
  3. On the logs type drop-down list, select data_access.
    • The data_access log type only appears if there was traffic to your resource after you enabled Cloud Audit Logs for Cloud IAP.
  4. Click to expand the date and time of the access you want to review.
    • Authorized access has a blue i icon.
    • Unauthorized access has an orange !! icon.
  5. View the access levels the requester has met by clicking to expand sections until you reach protoPayload > requestMetadata > requestAttributes > auth > accessLevels.

Note that all access levels that a user has met are visible when viewing a request, including access levels that weren't required to access it. Viewing an unauthorized request doesn't indicate what access levels weren't met. This is determined by comparing the conditions on the resource to the access levels visible on the request.

See the Cloud Audit Logs guide for more information about logs.

Following are important details about the log fields:

Field Value
authenticationInfo The email of the user who tried to access the resource as principalEmail.
requestMetadata.callerIp The IP address the request originated from.
requestMetadata.requestAttributes The request method and URL.
authorizationInfo.resource The resource being accessed.
authorizationInfo.granted A boolean representing whether or not Cloud IAP permitted the requested access.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

Identity-Aware Proxy Documentation