Enabling Cloud Audit Logs

The following page describes how to enable Cloud Audit Logs for your Identity-Aware Proxy (IAP)-secured resources. Enabling Cloud Audit Logs lets you view a request and see all the access levels a user has and hasn't met.

Cloud Audit Logs will never generate logs for public resources.

Before you begin

Before you begin, you need the following:

  • A web app or virtual machine with IAP enabled for which you want to enable Cloud Audit Logs.
  • An up-to-date version of Cloud SDK. Get Cloud SDK.

Enabling Cloud Audit Logs using Cloud SDK

Enabling Cloud Audit Logs for your IAP-secured project lets you see authorized and unauthorized access requests. View requests and all the access levels a requestor has met by following the process below:

  1. Download the Identity and Access Management (IAM) policy settings for the project by running the following gcloud command-line command:
    gcloud projects get-iam-policy PROJECT_ID > policy.yaml
  2. Edit the policy.yaml file you downloaded by adding an auditConfigs section as follows. Make sure you don't change any etag values.
    auditConfigs:
    - auditLogConfigs:
      - logType: ADMIN_READ
      - logType: DATA_READ
      - logType: DATA_WRITE
      service: iap.googleapis.com
    
  3. Update the IAM policy settings with the modified .yaml file by running the following gcloud command-line command:
    gcloud projects set-iam-policy PROJECT_ID policy.yaml

All requests to access the project resources will generate audit logs.
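Step 2 is the only manual part of the procedure, and it is where mistakes happen: a hand edit can drop the etag, duplicate an existing iap.googleapis.com entry, or disturb audit configuration for other services. The script below is an added example, not part of this page or of the Cloud SDK. It assumes the policy was exported as JSON (gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json) and will be applied with the same set-iam-policy command, which accepts a JSON policy file as well as YAML. It adds the three log types idempotently, preserves the etag so set-iam-policy can still detect a concurrent change, and refuses to proceed if the etag is missing.

```python
"""Add the IAP audit-log configuration to an exported IAM policy.

Added example, not Google's code. Assumes the policy was exported with
`gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json`
and is re-applied with `gcloud projects set-iam-policy PROJECT_ID policy.json`.
"""
import copy
import json
import sys

IAP_SERVICE = "iap.googleapis.com"
IAP_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def enable_iap_audit_logs(policy: dict) -> dict:
    """Return a copy of `policy` with all three IAP log types enabled.

    Idempotent: auditConfigs for other services are left untouched, an
    existing iap.googleapis.com entry is extended rather than duplicated,
    and the etag is carried over unchanged.
    """
    if "etag" not in policy:
        raise ValueError("policy has no etag; re-export it before editing")
    updated = copy.deepcopy(policy)
    configs = updated.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == IAP_SERVICE), None)
    if entry is None:
        entry = {"service": IAP_SERVICE, "auditLogConfigs": []}
        configs.append(entry)
    log_configs = entry.setdefault("auditLogConfigs", [])
    present = {c.get("logType") for c in log_configs}
    for log_type in IAP_LOG_TYPES:
        if log_type not in present:
            log_configs.append({"logType": log_type})
    return updated


def iap_log_types(policy: dict) -> set:
    """Log types currently enabled for IAP in `policy` (post-apply check)."""
    for c in policy.get("auditConfigs", []):
        if c.get("service") == IAP_SERVICE:
            return {lc.get("logType") for lc in c.get("auditLogConfigs", [])}
    return set()


# Constructed sample policy, shaped like a trimmed get-iam-policy export.
# Note the pre-existing IAP entry with only DATA_READ and the unrelated
# allServices entry that must survive the edit.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/iap.httpsResourceAccessor",
         "members": ["user:alice@example.com"]}
    ],
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
        {"service": IAP_SERVICE, "auditLogConfigs": [{"logType": "DATA_READ"}]},
    ],
    "etag": "BwXExampleEtag=",  # constructed placeholder value
    "version": 1,
}


if __name__ == "__main__":
    # Usage: python enable_iap_audit.py policy.json > policy-updated.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            src = json.load(f)
    else:
        src = SAMPLE_POLICY
    json.dump(enable_iap_audit_logs(src), sys.stdout, indent=2)
```

After running set-iam-policy, re-export the policy and confirm with iap_log_types() that all three types are present; a stale etag makes set-iam-policy fail, which is the intended protection against overwriting someone else's concurrent change.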

Viewing Cloud Audit Logs

To view Cloud Audit Logs entries, follow the process below:

  1. Go to the Cloud Console Logs page for your project.
  2. On the resource selector drop-down list, select a resource. IAP-secured resources are under GAE Application, GCE Backend Service, and GCE VM instance.
  3. On the logs type drop-down list, select data_access.
     • The data_access log type only appears if there was traffic to your resource after you enabled Cloud Audit Logs for IAP.
  4. Click to expand the date and time of the access you want to review.
     • Authorized access has a blue i icon.
     • Unauthorized access has an orange !! icon.

The logs only contain information about the access levels that a user has met. Access levels that blocked an unauthorized request are not listed in the log entry. To determine what conditions are required to make a successful request for a given resource, check the access levels for the resource.

Following are important details about the log fields:

Field                              Value
---------------------------------  ----------------------------------------------------------------------
authenticationInfo                 The email of the user who tried to access the resource, as principalEmail.
requestMetadata.callerIp           The IP address the request originated from.
requestMetadata.requestAttributes  The request method and URL.
authorizationInfo.resource         The resource being accessed.
authorizationInfo.granted          A boolean representing whether IAP permitted the requested access.
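The fields above are what an analyst actually pivots on when reviewing IAP access. The script below is an added example, not code from this page or from Google; it flattens exported log entries (as produced by gcloud logging read with --format=json, which is an assumption about the export path) to those fields and flags principals with repeated denied requests. The sample entries are constructed, not real logs, and only the protoPayload fields listed in the table are relied on; the field names inside requestAttributes (method, host, path) follow the audit-log request attribute schema and are an assumption here.

```python
"""Triage IAP data_access audit log entries exported from Cloud Logging.

Added example, not Google's code. Uses only the protoPayload fields the
page documents; sample entries below are constructed.
"""
import json
from collections import Counter


def summarize_entry(entry: dict) -> dict:
    """Flatten one audit log entry to the fields an analyst triages on."""
    payload = entry.get("protoPayload", {})
    meta = payload.get("requestMetadata", {})
    attrs = meta.get("requestAttributes", {})
    auth = payload.get("authorizationInfo", [])
    return {
        "time": entry.get("timestamp"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "caller_ip": meta.get("callerIp"),
        "method": attrs.get("method"),
        "url": f"{attrs.get('host', '')}{attrs.get('path', '')}",
        "resource": auth[0].get("resource") if auth else None,
        # IAP records its decision in authorizationInfo.granted. Proto3 JSON
        # omits false-valued booleans, so a missing field is treated as denied.
        "granted": bool(auth and auth[0].get("granted", False)),
    }


def denied_by_principal(entries, threshold=2):
    """Principals with at least `threshold` denied requests: a simple
    detection for repeated attempts against resources a user cannot reach."""
    denied = Counter()
    for e in entries:
        s = summarize_entry(e)
        if not s["granted"] and s["principal"]:
            denied[s["principal"]] += 1
    return {p: n for p, n in denied.items() if n >= threshold}


def _entry(ts, email, ip, path, granted):
    """Build one constructed entry in the shape of an exported audit log."""
    auth = {"resource": "projects/123456/iap_web/compute/services/789"}
    if granted:  # mirror proto3 JSON: only true is serialised
        auth["granted"] = True
    return {
        "timestamp": ts,
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "authenticationInfo": {"principalEmail": email},
            "requestMetadata": {
                "callerIp": ip,
                "requestAttributes": {"method": "GET", "host": "app.example.com", "path": path},
            },
            "authorizationInfo": [auth],
        },
    }


# Constructed sample log (not real data): one allowed request, three denied.
SAMPLE_LOG = [
    _entry("2024-01-01T10:00:00Z", "alice@example.com", "203.0.113.10", "/", True),
    _entry("2024-01-01T10:01:00Z", "bob@example.com", "198.51.100.7", "/admin", False),
    _entry("2024-01-01T10:01:30Z", "bob@example.com", "198.51.100.7", "/admin", False),
    _entry("2024-01-01T10:02:00Z", "carol@example.com", "192.0.2.44", "/", False),
]


if __name__ == "__main__":
    # Usage: gcloud logging read 'logName:"cloudaudit.googleapis.com%2Fdata_access"' \
    #            --format=json > entries.json && python triage_iap.py < entries.json
    import sys
    entries = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_LOG
    for e in entries:
        s = summarize_entry(e)
        print(f"{s['time']} {'ALLOW' if s['granted'] else 'DENY '} "
              f"{s['principal']} {s['caller_ip']} {s['method']} {s['url']}")
    print("repeated denials:", denied_by_principal(entries))
```

Because denied entries list only the access levels the user did meet, the triage output tells you who was blocked and from where, not which access level blocked them; for that, compare against the resource's configured access levels as the text above says.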
