This page describes how to enable Cloud Audit Logs for your Identity-Aware Proxy (IAP)-secured resources. With Cloud Audit Logs enabled, you can see each request to an IAP-secured resource, whether IAP granted it, and which access levels the requester met.
Cloud Audit Logs are never generated for public resources.
Audit logging for users authenticated with an external identity is not available.
Before you begin
Before you begin, you need the following:
- A web app with IAP enabled or a virtual machine accessed via IAP for TCP.
- An up-to-date version of the Google Cloud SDK (the gcloud command-line tool).
Enabling Cloud Audit Logs using Google Cloud SDK
Enabling Cloud Audit Logs for your IAP-secured project lets you see both authorized and unauthorized access requests. To view requests and the access levels a requester met, follow these steps:
- Download the Identity and Access Management (IAM) policy for the project by running the following gcloud command:

```shell
gcloud projects get-iam-policy PROJECT_ID > policy.yaml
```

- Edit the downloaded policy.yaml file and add an auditConfigs section as follows. Don't change the etag value: set-iam-policy uses it to detect concurrent modifications of the policy. If the file already contains an auditConfigs section for other services, add the iap.googleapis.com entry to that existing list instead of replacing it, because set-iam-policy writes the whole policy and any entry you drop is disabled.

```yaml
auditConfigs:
- auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_READ
  - logType: DATA_WRITE
  service: iap.googleapis.com
```

- Update the IAM policy with the modified .yaml file by running the following gcloud command:

```shell
gcloud projects set-iam-policy PROJECT_ID policy.yaml
```

After the policy is applied, every request to an IAP-secured resource in the project generates an audit log entry.
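The hand edit in step 2 is where mistakes happen: replacing an existing auditConfigs list, duplicating entries, or touching the etag. The following script is an added example, not code from the Google documentation, that performs the merge from step 2 mechanically. It assumes the policy was exported as JSON (gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json) so only the standard library is needed; set-iam-policy accepts a JSON file as well as YAML. SAMPLE_POLICY is a constructed stand-in for a real export, and the binding, member, etag and service names in it are placeholders.

```python
"""Merge an iap.googleapis.com auditConfigs entry into an exported IAM policy.

Added example, not code from the Google documentation. It assumes the policy
was exported as JSON (gcloud projects get-iam-policy PROJECT_ID --format=json
> policy.json) so that only the standard library is needed; set-iam-policy
accepts a JSON file as well as YAML. SAMPLE_POLICY is a constructed stand-in
for a real export: the role binding, member, etag and service names in it are
placeholders.
"""
import copy
import json
import sys

IAP_SERVICE = "iap.googleapis.com"
WANTED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample. It already has an auditConfigs entry for another
# service: overwriting the whole auditConfigs key, as a hand edit easily
# does, would silently disable that service's data-access logging.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/iap.httpsResourceAccessor",
         "members": ["user:alice@example.com"]},
    ],
    "auditConfigs": [
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_WRITE"}]},
    ],
    "etag": "BwXyz123abc=",
    "version": 1,
}


def enable_iap_audit_logs(policy):
    """Return a copy of `policy` with ADMIN_READ, DATA_READ and DATA_WRITE
    enabled for IAP. Everything else, including the etag that set-iam-policy
    uses to detect concurrent edits, is left exactly as exported."""
    new_policy = copy.deepcopy(policy)
    configs = new_policy.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == IAP_SERVICE), None)
    if entry is None:
        entry = {"service": IAP_SERVICE, "auditLogConfigs": []}
        configs.append(entry)
    log_configs = entry.setdefault("auditLogConfigs", [])
    present = {c.get("logType") for c in log_configs}
    for log_type in WANTED_LOG_TYPES:
        if log_type not in present:          # idempotent: never duplicates
            log_configs.append({"logType": log_type})
    return new_policy


def iap_log_types(policy):
    """Log types currently enabled for IAP in `policy` (a before/after check)."""
    for c in policy.get("auditConfigs", []):
        if c.get("service") == IAP_SERVICE:
            return {lc.get("logType") for lc in c.get("auditLogConfigs", [])}
    return set()


if __name__ == "__main__":
    # usage: python merge_iap_audit.py policy.json > policy.new.json
    #        gcloud projects set-iam-policy PROJECT_ID policy.new.json
    if len(sys.argv) == 2:
        with open(sys.argv[1]) as f:
            policy = json.load(f)
    else:
        policy = SAMPLE_POLICY
    merged = enable_iap_audit_logs(policy)
    assert merged.get("etag") == policy.get("etag")
    json.dump(merged, sys.stdout, indent=2)
    sys.stdout.write("\n")
```

Run it on a fresh export, diff the two files to confirm that only the IAP entry changed, then pass the new file to gcloud projects set-iam-policy. Running it twice on the same input produces the same output, so it is safe to rerun from automation.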
Enabling Cloud Audit Logs using the console
- In the Google Cloud console, go to IAM & Admin > Audit Logs.
- For Filter, enter Identity-Aware Proxy.
- Select Cloud Identity-Aware Proxy API, and then select or deselect the log types that you want to enable or disable.
Viewing Cloud Audit Logs
To view the Cloud Audit Logs entries for IAP, follow these steps:
- Go to the Google Cloud console Logs page for your project.
- On the resource selector drop-down list, select a resource. IAP-secured resources are under GAE Application, GCE Backend Service, and VM Instance.
- On the Log name drop-down list, select data_access. The data_access log name appears only if there was traffic to your resource after you enabled Cloud Audit Logs for IAP.
- Click to expand the date and time of the access you want to review. Authorized access has a blue "i" icon; unauthorized access has an orange "!!" icon.
The logs list only the access levels that a user met. Access levels that blocked an unauthorized request are not listed in the log entry, so to determine what a request needs in order to succeed for a given resource, check the access levels configured on that resource.
Following are important details about the log fields:
Field | Value
---|---
authenticationInfo | The email of the user who tried to access the resource, in principalEmail. Not present in logs for unauthenticated requests.
requestMetadata.callerIp | The IP address the request originated from.
requestMetadata.requestAttributes | The request method and URL.
authorizationInfo.resource | The resource being accessed.
authorizationInfo.granted | A boolean indicating whether IAP permitted the requested access.
Note that the UpdateIapSettings and ValidateIapAttributeExpression methods are classified as data_access logs and show up only after you enable Cloud Audit Logs for your project.
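Reading these fields one entry at a time in the console does not scale once logging is on, and the two edge cases the table mentions (no authenticationInfo for unauthenticated requests, and a granted flag that is absent rather than false for denied requests) trip up naive scripts. The following is an added example, not code from the Google documentation, that flattens exported IAP data_access entries into the documented fields and counts denials by principal and caller IP. It assumes a JSON list of log entries such as gcloud logging read 'protoPayload.serviceName="iap.googleapis.com"' --format=json prints; every email, IP address, project number and resource name in SAMPLE_ENTRIES is a constructed placeholder.

```python
"""Triage IAP Cloud Audit Log entries exported as JSON.

Added example, not code from the Google documentation. The entries in
SAMPLE_ENTRIES are constructed: every email, IP address, resource name and
project number is a placeholder. The shape assumed is a JSON list of
LogEntry objects such as `gcloud logging read FILTER --format=json` prints,
with the audit record under "protoPayload".
"""
import json
import sys
from collections import Counter

IAP_SERVICE = "iap.googleapis.com"
DATA_ACCESS_LOG = "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access"
RESOURCE = "projects/123456/iap_web/compute/services/7890"
PERMISSION = "iap.webServiceVersions.accessViaIAP"

SAMPLE_ENTRIES = [
    {   # authenticated and permitted
        "logName": DATA_ACCESS_LOG,
        "protoPayload": {
            "serviceName": IAP_SERVICE,
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {
                "callerIp": "203.0.113.10",
                "requestAttributes": {"method": "GET", "path": "/admin/"},
            },
            "authorizationInfo": [
                {"resource": RESOURCE, "permission": PERMISSION, "granted": True},
            ],
        },
    },
    {   # authenticated but denied: "granted" is absent, not false
        "logName": DATA_ACCESS_LOG,
        "protoPayload": {
            "serviceName": IAP_SERVICE,
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "requestMetadata": {
                "callerIp": "198.51.100.7",
                "requestAttributes": {"method": "POST", "path": "/admin/users"},
            },
            "authorizationInfo": [{"resource": RESOURCE, "permission": PERMISSION}],
        },
    },
    {   # unauthenticated: no authenticationInfo at all
        "logName": DATA_ACCESS_LOG,
        "protoPayload": {
            "serviceName": IAP_SERVICE,
            "requestMetadata": {
                "callerIp": "198.51.100.7",
                "requestAttributes": {"method": "GET", "path": "/admin/"},
            },
            "authorizationInfo": [{"resource": RESOURCE, "permission": PERMISSION}],
        },
    },
    {   # a data_access entry from another service, which must be filtered out
        "logName": DATA_ACCESS_LOG,
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "authorizationInfo": [{"resource": "projects/_/buckets/b", "granted": True}],
        },
    },
]


def is_iap_data_access(entry):
    """True for IAP entries in the data_access log (the log name the page says to select)."""
    payload = entry.get("protoPayload", {})
    return (payload.get("serviceName") == IAP_SERVICE
            and entry.get("logName", "").endswith("data_access"))


def summarize(entry):
    """Flatten one entry to the fields documented in the table above."""
    payload = entry.get("protoPayload", {})
    req = payload.get("requestMetadata", {})
    attrs = req.get("requestAttributes", {})
    auth = payload.get("authorizationInfo") or []
    return {
        # Absent for unauthenticated requests, so None rather than a KeyError.
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "caller_ip": req.get("callerIp"),
        "method": attrs.get("method"),
        "path": attrs.get("path"),
        "resource": auth[0].get("resource") if auth else None,
        # Proto3 JSON omits a false boolean, so a missing "granted" means denied.
        # Every authorizationInfo item must be granted for the request to count as allowed.
        "granted": bool(auth) and all(a.get("granted", False) for a in auth),
    }


def denial_report(entries):
    """Count denied IAP requests by (principal, caller IP). One IP appearing
    both with and without a principal is a typical sign of probing."""
    counts = Counter()
    for entry in entries:
        if not is_iap_data_access(entry):
            continue
        row = summarize(entry)
        if not row["granted"]:
            counts[(row["principal"], row["caller_ip"])] += 1
    return counts


if __name__ == "__main__":
    # usage: python triage_iap_logs.py entries.json   (defaults to the sample above)
    entries = json.load(open(sys.argv[1])) if len(sys.argv) == 2 else SAMPLE_ENTRIES
    for row in map(summarize, filter(is_iap_data_access, entries)):
        print(("ALLOW " if row["granted"] else "DENY  ") + str(row))
    print("denials by (principal, ip):", dict(denial_report(entries)))
```

The summary deliberately reports only what the entry contains: as noted above, a denied entry does not say which access level blocked the request, so correlating a denial with the access levels configured on the resource is still a manual step.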
What's next
- Learn more about Cloud Audit Logs.