Enabling Cloud Audit Logging

This page describes how to enable Cloud Audit Logging for Cloud Identity-Aware Proxy (Cloud IAP).

Before you begin

Before you begin, you'll need the following:

  • An App Engine or Compute Engine app with Cloud IAP enabled for which you want to enable Cloud Audit Logging.
  • An up-to-date version of Cloud SDK. Get Cloud SDK.

Enabling Cloud Audit Logging using Cloud SDK

To enable Cloud Audit Logging for all Cloud IAP resources in a specific project, follow the process below:

  1. Download the Cloud Identity and Access Management (Cloud IAM) policy settings for the project by running the following gcloud command-line command:
    gcloud projects get-iam-policy PROJECT_ID > policy.yaml
  2. Edit the policy.yaml file you downloaded to add a new auditConfigs section as shown below. Leave the existing bindings and the etag value unchanged; the etag is what lets set-iam-policy detect a concurrent modification.
    auditConfigs:
    - auditLogConfigs:
      - logType: ADMIN_READ
      - logType: DATA_READ
      - logType: DATA_WRITE
      service: allServices
  3. Update the Cloud IAM policy settings with the modified .yaml file by running the following gcloud command-line command:
    gcloud projects set-iam-policy PROJECT_ID policy.yaml

Once the updated policy is applied, every request to access resources in the project generates an audit log entry.
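The three steps above can be scripted so that the change is idempotent and verified after it is applied. The following is an added example, not code from the Cloud IAP documentation; it assumes gcloud is installed and authenticated, fetches the policy as JSON with the --format=json flag (set-iam-policy accepts a JSON policy file as well as YAML), merges the allServices entry into any auditConfigs that already exist without touching the etag, and checks the returned policy before reporting success.

```python
"""Enable ADMIN_READ, DATA_READ and DATA_WRITE audit logs for all services."""
import json
import subprocess
import sys

REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def add_all_services_audit_config(policy):
    """Return a copy of an IAM policy with all three log types enabled for
    allServices. Existing auditConfigs entries (including exemptedMembers)
    and the etag are preserved, so the function is safe to run repeatedly."""
    policy = json.loads(json.dumps(policy))  # deep copy; never mutate the input
    configs = policy.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == "allServices"), None)
    if entry is None:
        entry = {"service": "allServices", "auditLogConfigs": []}
        configs.append(entry)
    log_configs = entry.setdefault("auditLogConfigs", [])
    present = {c.get("logType") for c in log_configs}
    for log_type in REQUIRED_LOG_TYPES:
        if log_type not in present:
            log_configs.append({"logType": log_type})
    return policy


def audit_logging_enabled(policy):
    """True only if allServices carries every required log type."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == "allServices":
            enabled = {c.get("logType") for c in cfg.get("auditLogConfigs", [])}
            return set(REQUIRED_LOG_TYPES) <= enabled
    return False


def gcloud_json(*args):
    """Run a gcloud command and parse its JSON output."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def main(project_id):
    current = gcloud_json("projects", "get-iam-policy", project_id)
    if audit_logging_enabled(current):
        print("Cloud Audit Logging already enabled for allServices")
        return
    with open("policy.json", "w") as fh:
        json.dump(add_all_services_audit_config(current), fh, indent=2)
    applied = gcloud_json("projects", "set-iam-policy", project_id, "policy.json")
    if not audit_logging_enabled(applied):
        sys.exit("policy applied, but auditConfigs did not take effect")
    print("Cloud Audit Logging enabled; etag is now", applied.get("etag"))


if __name__ == "__main__":
    main(sys.argv[1])  # usage: python enable_audit_logs.py PROJECT_ID
```

If set-iam-policy fails with an etag mismatch, someone changed the policy between the get and the set; rerun the script rather than editing the file by hand.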

Viewing Cloud Audit Logging logs

To view Cloud Audit Logging logs, follow the process below:

  1. Go to the logs page for your project.
  2. On the logs type dropdown, select data_access.
  3. Click to expand the date and time of the access you want to review.
    • Authorized access is displayed with a blue i icon.
    • Unauthorized access is displayed with an orange !! icon.

Following are important details about the log fields:

Field               Value
------------------  ------------------------------------------------------------------
authenticationInfo  The email of the user who tried to access the resource, as principalEmail.
authorizationInfo   The permission the user needs in order to access the resource. Shows granted: true if the user has the permission.
resourceName        The name of the resource the user tried to access.
request             The base URL the user tried to access, as urlBase, and any sub-path, as urlPathEtc.
response            The result of the access attempt, as resultStatus. Indicates whether the user was AUTHENTICATED or not.
