Enabling Cloud Audit Logs

The following page describes how to enable Cloud Audit Logs for your Identity-Aware Proxy (IAP)-secured resources. Enabling Cloud Audit Logs lets you view a request and see all the access levels a user has and hasn't met.

Cloud Audit Logs will never generate logs for public resources.

Audit logging for users authenticated with an external ID is not available.

Before you begin

Before you begin, you need the following:

• A web app with IAP enabled or a virtual machine accessed via IAP for TCP.
• An up-to-date version of Google Cloud SDK. Get Google Cloud SDK.

Enabling Cloud Audit Logs using Google Cloud SDK

Enabling Cloud Audit Logs for your IAP-secured project lets you see authorized and unauthorized access requests. View requests and all the access levels a requestor has met by following the process below:

1. Download the Identity and Access Management (IAM) policy settings for the project by running the following gcloud command-line command:

   gcloud projects get-iam-policy PROJECT_ID > policy.yaml

2. Edit the policy.yaml file you downloaded by adding an auditConfigs section as follows. Make sure you don't change any etag values.

   auditConfigs:
   - auditLogConfigs:
     - logType: ADMIN_READ
     - logType: DATA_READ
     - logType: DATA_WRITE
     service: iap.googleapis.com
   

3. Update the IAM policy settings with the modified .yaml file by running the following gcloud command-line command:

   gcloud projects set-iam-policy PROJECT_ID policy.yaml

All requests to access the project resources will generate audit logs.

Enabling Cloud Audit Logs using the console

1. From the Google Cloud console, select IAM & Admin > Audit Logs:

   Go to Audit Logs

2. For Filter, enter Identity-Aware Proxy.

3. Select Cloud Identity-Aware Proxy API, and then select or deselect the logs that you want to enable or disable.

Viewing Cloud Audit Logs

To view Cloud Audit Logs logs, follow the process below:

1. Go to the Google Cloud console logs page for your project.
   Go to the Logs page
2. On the resource selector drop-down list, select a resource. IAP-secured resources are under GAE Application, GCE Backend Service, and VM Instance.
3. On the Log name drop-down list, select data_access.
   1. The data_access log name only appears if there was traffic to your resource after you enabled Cloud Audit Logs for IAP.
4. Click to expand the date and time of the access you want to review.
   1. Authorized access has a blue i icon.
   2. Unauthorized access has an orange !! icon.

The logs only contain information about the access levels that a user has met. Access levels that blocked an unauthorized request are not listed in the log entry. To determine what conditions are required to make a successful request for a given resource, check the access levels for the resource.

Following are important details about the log fields:

Field	Value
authenticationInfo	The email of the user who tried to access the resource as principalEmail. This information is not present in logs for unauthenticated requests.
requestMetadata.callerIp	The IP address the request originated from.
requestMetadata.requestAttributes	The request method and URL.
authorizationInfo.resource	The resource being accessed.
authorizationInfo.granted	A boolean representing whether IAP permitted the requested access.

Note that UpdateIapSettings and ValidateIapAttributeExpression are classified as data_access log, and shows up only after enabling Cloud Audit Logs for your project.

What's next

• Learn more about Cloud Audit Logs.