Enabling Cloud Audit Logging

This page describes how to enable Cloud Audit Logging for Cloud Identity-Aware Proxy (Cloud IAP).

Before you begin

Before you begin, you'll need the following:

  • An App Engine or Compute Engine app with Cloud IAP enabled, for which you want to enable Cloud Audit Logging.
  • An up-to-date version of the Cloud SDK (the gcloud command-line tool).

Enabling Cloud Audit Logging using GCP SDK

To enable Cloud Audit Logging for all Cloud IAP resources in a specific project, follow the process below:

  1. Download the Cloud Identity and Access Management (Cloud IAM) policy for the project by running the following gcloud command:
    gcloud projects get-iam-policy PROJECT_ID > policy.yaml
  2. Edit the policy.yaml file you downloaded to add a new auditConfigs section as follows. Leave the etag value unchanged: set-iam-policy sends it back so that a write which would overwrite a policy modified since you downloaded it is rejected.
    auditConfigs:
    - auditLogConfigs:
      - logType: ADMIN_READ
      - logType: DATA_READ
      - logType: DATA_WRITE
      service: allServices
  3. Update the Cloud IAM policy with the modified .yaml file by running the following gcloud command. This replaces the whole policy, so make sure the file still contains every binding you downloaded:
    gcloud projects set-iam-policy PROJECT_ID policy.yaml

Once the policy is updated, every request to the project's resources generates a Data Access audit log entry. Note that service: allServices turns these log types on for every service in the project, not only Cloud IAP, so log volume grows accordingly.
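The three steps above, automated as an added example (this is not code from the page or from Google). It takes the policy as JSON instead of YAML (gcloud projects get-iam-policy PROJECT_ID --format=json), merges the auditConfigs entry without touching etag or bindings, re-checks the result before it is handed to gcloud projects set-iam-policy, which accepts JSON or YAML, and is safe to re-run. The sample policy and its etag are constructed. The service parameter defaults to allServices as on this page; the narrower iap.googleapis.com used in the usage note is the IAP service name, for when you want Data Access logs for IAP only.

```python
import copy
import json

# Constructed sample of the JSON that
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# returns. Not a real project policy; the etag is a placeholder value.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/iap.httpsResourceAccessor",
         "members": ["group:app-users@example.com"]},
    ],
    "etag": "BwWKmjvelug=",
    "version": 1,
}

# The three Data Access log types the page enables.
DATA_ACCESS_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def add_audit_config(policy, service="allServices", log_types=DATA_ACCESS_LOG_TYPES):
    """Return a copy of `policy` with the page's auditConfigs entry merged in.

    The copy keeps `etag` and `bindings` exactly as downloaded; only the
    auditConfigs list changes. Re-running on an already-updated policy is a
    no-op, so no duplicate entries or log types are added.
    """
    updated = copy.deepcopy(policy)
    configs = updated.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    enabled = {c["logType"] for c in entry["auditLogConfigs"]}
    for log_type in log_types:
        if log_type not in enabled:
            entry["auditLogConfigs"].append({"logType": log_type})
    return updated


def check_audit_config(original, updated, service="allServices"):
    """Pre-flight check before `gcloud projects set-iam-policy`.

    set-iam-policy replaces the whole policy, so verify that nothing but the
    audit configuration changed: etag intact (so a concurrent edit is still
    detected), bindings untouched, and all three log types present for `service`.
    """
    if updated.get("etag") != original.get("etag"):
        return False
    if updated.get("bindings") != original.get("bindings"):
        return False
    entry = next((c for c in updated.get("auditConfigs", [])
                  if c.get("service") == service), None)
    if entry is None:
        return False
    enabled = {c["logType"] for c in entry.get("auditLogConfigs", [])}
    return set(DATA_ACCESS_LOG_TYPES) <= enabled


def render_policy(policy):
    """JSON text to save as policy.json for
    `gcloud projects set-iam-policy PROJECT_ID policy.json`."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    new_policy = add_audit_config(SAMPLE_POLICY)
    if not check_audit_config(SAMPLE_POLICY, new_policy):
        raise SystemExit("refusing to write policy: unexpected change")
    print(render_policy(new_policy))
```

To scope logging to IAP alone rather than every service, call add_audit_config(policy, service="iap.googleapis.com") and pass the same service name to check_audit_config; the check deliberately fails if the service you asked for is not the one that ended up in the file.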

Viewing Cloud Audit Logging logs

To view Cloud Audit Logging logs, follow the process below:

  1. Go to the GCP Console Logs page for your project.
  2. On the resource selector drop-down list, select a resource.
  3. On the logs type drop-down list, select data_access.
     The data_access log type only appears if there was traffic to your resource after you enabled Cloud Audit Logging for Cloud IAP.
  4. Click to expand the date and time of the access you want to review.
     Authorized access has a blue i icon.
     Unauthorized access has an orange !! icon.

Following are important details about the log fields:

Field                Value
authenticationInfo   The email of the user who tried to access the resource, as principalEmail.
authorizationInfo    The permission the user must have to access the resource. This shows granted: true if the user has the permission; when reading entries programmatically, treat the absence of granted: true as a denial rather than looking for an explicit false.
resourceName         The name of the resource the user tried to access.
request              The base URL the user tried to access, as urlBase, and any sub-path, as urlPathEtc.
response             The result of the access attempt, as resultStatus. This indicates whether the user was AUTHENTICATED or not. A user can be authenticated yet still be denied; authorizationInfo is what records whether the request was allowed.
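An added example (not from the page) of reading these fields outside the console: Python that takes audit log entries exported as JSON lines, flattens the fields listed in the table, and flags principals with repeated denials, which is the pattern worth alerting on when someone is probing paths behind IAP. The sample lines are constructed, with placeholder emails, hostname and resourceName; the nesting under protoPayload and the convention that a denied check omits granted rather than writing granted: false are assumptions about the entry layout. Every sample principal completed sign-in, so resultStatus is AUTHENTICATED throughout and only authorizationInfo separates allowed from denied requests.

```python
import json
from collections import Counter

# Constructed sample log entries (not real log data). Layout follows the
# field names in the table above; assumptions: fields live under protoPayload,
# and a denied permission check omits "granted" instead of writing false.
def _entry(email, granted, path):
    auth = {"permission": "iap.webServiceVersions.accessViaIAP"}
    if granted:
        auth["granted"] = True
    return json.dumps({
        "protoPayload": {
            "serviceName": "iap.googleapis.com",
            "authenticationInfo": {"principalEmail": email},
            "authorizationInfo": [auth],
            "resourceName": "projects/123456789012/iap_web/appengine-my-app/services/default",
            "request": {"urlBase": "https://my-app.example.com", "urlPathEtc": path},
            # Every sample principal signed in, so all entries are AUTHENTICATED;
            # whether the request was allowed comes from authorizationInfo.
            "response": {"resultStatus": "AUTHENTICATED"},
        },
    })

SAMPLE_LOG_LINES = [
    _entry("alice@example.com", True, "/"),
    _entry("alice@example.com", True, "/reports"),
    _entry("mallory@example.net", False, "/admin"),
    _entry("mallory@example.net", False, "/admin/users"),
    _entry("mallory@example.net", False, "/api/keys"),
    _entry("bob@example.com", False, "/admin"),
]


def summarize_entry(line):
    """Flatten one JSON log line into the fields the table above describes."""
    payload = json.loads(line)["protoPayload"]
    auth_info = payload.get("authorizationInfo", [])
    req = payload.get("request", {})
    return {
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "permission": ", ".join(a.get("permission", "?") for a in auth_info),
        # Allowed only if at least one check was recorded and every check was granted;
        # a missing "granted" key counts as not granted.
        "granted": bool(auth_info) and all(a.get("granted", False) for a in auth_info),
        "resource": payload.get("resourceName", ""),
        "url": req.get("urlBase", "") + req.get("urlPathEtc", ""),
        "result_status": payload.get("response", {}).get("resultStatus", ""),
    }


def denied_requests(lines):
    """All entries where the principal was not granted the IAP permission."""
    return [s for s in map(summarize_entry, lines) if not s["granted"]]


def repeat_offenders(lines, threshold=3):
    """Principals with at least `threshold` denied requests, with their counts."""
    counts = Counter(s["principal"] for s in denied_requests(lines))
    return {principal: n for principal, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for s in denied_requests(SAMPLE_LOG_LINES):
        print(f"DENIED {s['principal']} {s['url']} ({s['permission']})")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG_LINES))
```

To run this on real data, export the data_access log as JSON (one entry per line) and pass the lines in place of SAMPLE_LOG_LINES; the threshold is the only tuning knob, and a single denial from a legitimate user who simply lacks the role (bob above) stays below it.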
