Enabling Cloud Audit Logging

This page describes how to enable Cloud Audit Logging for Cloud Identity-Aware Proxy (Cloud IAP) and how to review the access logs it produces.

Before you begin

Before you begin, you'll need the following:

  • An App Engine or Compute Engine app that is secured with Cloud IAP and for which you want to enable Cloud Audit Logging.
  • An up-to-date version of the Cloud SDK (the gcloud command-line tool).

Enabling Cloud Audit Logging using Cloud SDK

To enable Cloud Audit Logging for all Cloud IAP resources in a specific project, follow the process below:

  1. Download the Cloud Identity and Access Management (Cloud IAM) policy settings for the project by running the following gcloud command-line command:
    gcloud projects get-iam-policy PROJECT_ID > policy.yaml
  2. Edit the policy.yaml file you downloaded to add an auditConfigs section as shown below. Leave the existing bindings and the etag value exactly as downloaded: set-iam-policy uses the etag to detect that someone else changed the policy in the meantime and rejects the update in that case, whereas a policy file without an etag is written blindly and can silently overwrite concurrent changes.
    auditConfigs:
    - auditLogConfigs:
      - logType: ADMIN_READ
      - logType: DATA_READ
      - logType: DATA_WRITE
      service: allServices
    
  3. Update the Cloud IAM policy settings with the modified .yaml file by running the following gcloud command-line command:
    gcloud projects set-iam-policy PROJECT_ID policy.yaml

With this configuration, every service in the project, not only Cloud IAP, writes ADMIN_READ, DATA_READ and DATA_WRITE audit logs for every request to its resources. Data access logs can be high-volume, so if you only want Cloud IAP access logged, replace allServices with the Cloud IAP service name iap.googleapis.com.
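The three steps above can be scripted so that the audit configuration is merged into the downloaded policy instead of typed in by hand, and so that the etag and any auditConfigs entries that already exist (including their exemptedMembers lists) survive the edit. The following is an added example, not code from the Cloud IAP documentation or from the Cloud SDK. It assumes the policy was downloaded with --format=json (set-iam-policy accepts a JSON policy file as well as YAML); the file name policy.json and the script name add_audit_config.py are hypothetical. It also generalises the page's snippet slightly: the service is a parameter, so the same function can scope logging to iap.googleapis.com instead of allServices.

```python
"""Merge a Cloud Audit Logging configuration into a downloaded IAM policy.

Added example (not Cloud SDK code). Hypothetical usage:
    gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
    python3 add_audit_config.py policy.json
    gcloud projects set-iam-policy PROJECT_ID policy.json
"""
import copy
import json
import sys

# The three log types the page's policy.yaml snippet enables.
ALL_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def add_audit_config(policy, service="allServices", log_types=ALL_LOG_TYPES):
    """Return a copy of `policy` with the given log types enabled for `service`.

    - auditConfigs entries for other services are left untouched.
    - If an entry for `service` already exists, only missing log types are
      appended, so any exemptedMembers already configured are preserved.
    - The etag is required and carried through unchanged so that
      set-iam-policy can still detect concurrent modifications.
    """
    if "etag" not in policy:
        raise ValueError("policy has no etag; download it again with get-iam-policy")
    new_policy = copy.deepcopy(policy)  # never mutate the caller's object
    configs = new_policy.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    log_configs = entry.setdefault("auditLogConfigs", [])
    present = {c.get("logType") for c in log_configs}
    for log_type in log_types:
        if log_type not in present:
            log_configs.append({"logType": log_type})
    return new_policy


def enabled_log_types(policy, service="allServices"):
    """Set of log types enabled for `service` in `policy` (empty if none)."""
    for c in policy.get("auditConfigs", []):
        if c.get("service") == service:
            return {lc.get("logType") for lc in c.get("auditLogConfigs", [])}
    return set()


def main(argv):
    """Rewrite the policy file named on the command line in place."""
    path = argv[1]
    with open(path) as f:
        policy = json.load(f)
    updated = add_audit_config(policy)
    with open(path, "w") as f:
        json.dump(updated, f, indent=2)
    print("audit log types now enabled for allServices:",
          sorted(enabled_log_types(updated)))


if __name__ == "__main__":
    main(sys.argv)
```

Because the function only adds what is missing, running it twice is harmless, and a policy that already exempts a service account from DATA_READ logging keeps that exemption.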

Viewing Cloud Audit Logging logs

To view Cloud Audit Logging logs, follow the process below:

  1. Go to the GCP Console Logs page for your project.
  2. On the resource selector drop-down list, select a resource. Cloud IAP-secured resources include GAE Application and GCE Backend Service.
  3. On the logs type drop-down list, select data_access.
     Note: data_access only appears in the list once the resource has received traffic after you enabled Cloud Audit Logging for Cloud IAP.
  4. Click the date and time of the access you want to review to expand the entry.
     Authorized access is marked with a blue i icon; unauthorized access is marked with an orange !! icon.

The following fields of each log entry are the most useful when reviewing an access:

Field                              Value
authenticationInfo.principalEmail  The email address of the user who attempted to access the resource.
requestMetadata.callerIp           The IP address the request originated from.
requestMetadata.requestAttributes  The request method and URL.
authorizationInfo.resource         The resource being accessed.
authorizationInfo.granted          A boolean indicating whether Cloud IAP permitted the requested access.
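To triage these fields outside the console, for example over entries exported with gcloud logging read --format=json, the following added example (not code from the Cloud IAP documentation) summarises each entry and flags any principal and caller IP that Cloud IAP has denied repeatedly. It assumes the Cloud Audit Logging JSON layout, in which the fields listed above sit under protoPayload and authorizationInfo is a list; the method, host and path keys under requestAttributes and the threshold of three denials are assumptions, and the log entries built in the block are constructed samples, not real logs.

```python
"""Triage Cloud IAP data_access audit log entries exported as JSON.

Added example. Assumes the Cloud Audit Logging entry layout, where the fields
named on this page live under protoPayload. The sample entries are constructed.
"""
import json
from collections import Counter

DENIAL_THRESHOLD = 3  # assumption: flag a (principal, IP) pair denied this often


def _get(obj, dotted, default=None):
    """Fetch a nested key such as 'requestMetadata.callerIp', tolerating gaps."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def load_entries(text):
    """Parse either a JSON array (gcloud logging read --format=json) or JSON lines."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_entry(entry):
    """Reduce one audit log entry to the fields a reviewer looks at first."""
    payload = entry.get("protoPayload", {})
    auth = payload.get("authorizationInfo") or []
    if isinstance(auth, dict):  # tolerate a single object instead of a list
        auth = [auth]
    # Assumed key names under requestAttributes: method, host, path.
    attrs = _get(payload, "requestMetadata.requestAttributes", {}) or {}
    return {
        "timestamp": entry.get("timestamp"),
        "principal": _get(payload, "authenticationInfo.principalEmail", "<unauthenticated>"),
        "caller_ip": _get(payload, "requestMetadata.callerIp"),
        "method": attrs.get("method"),
        "url": (attrs.get("host") or "") + (attrs.get("path") or ""),
        "resource": auth[0].get("resource") if auth else None,
        # Granted only if every authorization check passed; an entry with no
        # authorizationInfo at all is treated as not granted.
        "granted": bool(auth) and all(a.get("granted", False) for a in auth),
    }


def denied_access_report(entries, threshold=DENIAL_THRESHOLD):
    """Return (summaries, suspicious); suspicious lists the (principal, ip)
    pairs that Cloud IAP denied at least `threshold` times."""
    summaries = [summarize_entry(e) for e in entries]
    denials = Counter((s["principal"], s["caller_ip"]) for s in summaries if not s["granted"])
    suspicious = sorted(pair for pair, n in denials.items() if n >= threshold)
    return summaries, suspicious


def _entry(ts, email, ip, path, granted):
    """Build a constructed sample entry in the Cloud Audit Logging layout."""
    return {
        "timestamp": ts,
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "authenticationInfo": {"principalEmail": email},
            "requestMetadata": {
                "callerIp": ip,
                "requestAttributes": {"method": "GET", "host": "app.example.com", "path": path},
            },
            "authorizationInfo": [
                {"resource": "projects/example-project/apps/example-app", "granted": granted}
            ],
        },
    }


# Constructed samples: one authorized request, one isolated denial, and a
# principal from a single IP that is denied three times in a row.
SAMPLE_ENTRIES = [
    _entry("2019-01-01T10:00:00Z", "alice@example.com", "198.51.100.4", "/admin", True),
    _entry("2019-01-01T10:01:00Z", "bob@example.com", "198.51.100.5", "/admin", False),
    _entry("2019-01-01T10:02:00Z", "mallory@example.com", "203.0.113.9", "/admin", False),
    _entry("2019-01-01T10:02:30Z", "mallory@example.com", "203.0.113.9", "/admin/users", False),
    _entry("2019-01-01T10:03:00Z", "mallory@example.com", "203.0.113.9", "/api/export", False),
]


if __name__ == "__main__":
    rows, flagged = denied_access_report(SAMPLE_ENTRIES)
    for row in rows:
        print(row)
    print("repeatedly denied:", flagged)
```

The granted flag is derived from every authorizationInfo element rather than the first one, so a request that passed one check but failed another is still reported as denied, which is the conservative reading for triage.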
