Using Cloud Audit Logging with Cloud KMS

Cloud Audit Logging can be used to generate logs for all operations performed in Cloud Key Management Service.

What is logged

Audit log types

There are two types of audit logs:

  • Admin Activity logs, which are entries for operations that modify the configuration or metadata of a project, and

  • Data Access logs, which are entries for operations that read a configuration or metadata; or create, read, or modify user-provided data. Within Data Access logs, there are several log entry types:

    • "ADMIN_READ": reads of metadata or configuration information. (Admin Activity logs already record writes of metadata.)
    • "DATA_READ": reads of user-provided data.
    • "DATA_WRITE": writes of user-provided data.

The following table summarizes which operations correspond to each log entry type in Cloud KMS:

Log entry type              Operations

Admin Activity
  • cloudkms.projects.locations.keyRings.create
  • cloudkms.projects.locations.keyRings.setIamPolicy
  • cloudkms.projects.locations.keyRings.cryptoKeys.create
  • cloudkms.projects.locations.keyRings.cryptoKeys.patch
  • cloudkms.projects.locations.keyRings.cryptoKeys.setIamPolicy
  • cloudkms.projects.locations.keyRings.cryptoKeys.updatePrimaryVersion
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.create
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.patch
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.restore

Data Access (ADMIN_READ)
  • cloudkms.projects.locations.get
  • cloudkms.projects.locations.list
  • cloudkms.projects.locations.keyRings.get
  • cloudkms.projects.locations.keyRings.getIamPolicy
  • cloudkms.projects.locations.keyRings.list
  • cloudkms.projects.locations.keyRings.testIamPermissions
  • cloudkms.projects.locations.keyRings.cryptoKeys.get
  • cloudkms.projects.locations.keyRings.cryptoKeys.list
  • cloudkms.projects.locations.keyRings.cryptoKeys.getIamPolicy
  • cloudkms.projects.locations.keyRings.cryptoKeys.testIamPermissions
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.get
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.list

Data Access (DATA_READ)
  • cloudkms.projects.locations.keyRings.cryptoKeys.decrypt
  • cloudkms.projects.locations.keyRings.cryptoKeys.encrypt
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.asymmetricDecrypt
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.asymmetricSign
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.getPublicKey

Configuring logging

Default logging

Administrative activity is logged by default, and does not count towards your log ingestion quota.

Data access isn't logged by default in Cloud KMS. Data access operations are high volume and count toward your log ingestion quota.

Enabling Data Access logs

To enable Data Access operation logs, update the AuditConfig object for the Cloud KMS service. The AuditConfig object is part of the Cloud Identity and Access Management (Cloud IAM) policy associated with projects and with individual resources, such as key rings and keys. You can read and write policies using GetIamPolicy and SetIamPolicy, as well as with gcloud commands such as gcloud kms keys get-iam-policy and gcloud kms keys set-iam-policy.

When you update a policy, first retrieve the policy using getIamPolicy() or the gcloud equivalent, update the policy, and then write the updated policy using setIamPolicy() or the gcloud equivalent. Use the etag value when setting the policy only if the retrieved policy contains an etag value. Cloud Identity and Access Management uses an etag property in Cloud IAM policies to prevent a conflict if two or more independent processes attempt to write a policy. To learn more about the etag property in Cloud IAM policies, see Set policy.

If you want to enable logs for Encrypt and Decrypt operations with no exempted members, first retrieve the existing policy, and then add the following audit log configuration (the service name for Cloud KMS is cloudkms.googleapis.com):

  {
    "service": "cloudkms.googleapis.com",
    "auditLogConfigs": [
      {
        "logType": "DATA_READ"
      }
    ]
  }

To enable Data Access logs for a single key with the gcloud command-line tool, first retrieve the policy to local file /tmp/policy.json by running:

gcloud kms keys get-iam-policy \
  projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[KEY] \
  --format=json > /tmp/policy.json

A policy that has no configuration will contain only an etag value (you may have a different value for etag):

  {
    "etag": "ACAB"
  }

Then update the policy with the desired audit configuration. For example (use your etag value instead of ACAB):

  {
    "auditConfigs": [
      {
        "auditLogConfigs": [
          { "logType": "DATA_READ" },
          { "logType": "ADMIN_READ" },
          { "logType": "DATA_WRITE" }
        ],
        "service": "cloudkms.googleapis.com"
      }
    ],
    "etag": "ACAB"
  }

You can then set the policy from the updated /tmp/policy.json file by running:

gcloud kms keys set-iam-policy \
  projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[KEY] \
  /tmp/policy.json
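The retrieve, edit, set sequence above is easy to get wrong by hand: overwriting the file drops existing bindings, re-adding a log type duplicates it, and losing the etag defeats the conflict check. The helper below is an added example, not code from the Cloud KMS documentation; it merges the requested log types into the JSON that gcloud kms keys get-iam-policy wrote, leaving everything else in the policy (bindings, other services' audit configs, existing exemptedMembers, the etag) untouched. It assumes the service name cloudkms.googleapis.com and the /tmp/policy.json path used in the gcloud steps.

```python
import json

KMS_SERVICE = "cloudkms.googleapis.com"  # assumed: the service name for Cloud KMS audit configs
VALID_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def enable_kms_audit_logs(policy, log_types):
    """Return a copy of the retrieved policy with the given log types enabled for Cloud KMS.

    Existing bindings, audit configs for other services, exemptedMembers already set on a
    log type, and the etag (if the retrieved policy had one) are all preserved; only the
    missing log types are appended, each with no exempted members.
    """
    unknown = set(log_types) - VALID_LOG_TYPES
    if unknown:
        raise ValueError(f"unsupported logType(s): {sorted(unknown)}")

    updated = json.loads(json.dumps(policy))  # deep copy: never mutate the caller's policy
    audit_configs = updated.setdefault("auditConfigs", [])

    # Reuse the Cloud KMS entry if one exists, otherwise start an empty one.
    kms_cfg = next((c for c in audit_configs if c.get("service") == KMS_SERVICE), None)
    if kms_cfg is None:
        kms_cfg = {"service": KMS_SERVICE, "auditLogConfigs": []}
        audit_configs.append(kms_cfg)

    log_configs = kms_cfg.setdefault("auditLogConfigs", [])
    present = {c["logType"] for c in log_configs}
    for log_type in log_types:
        if log_type not in present:
            log_configs.append({"logType": log_type})  # no exemptedMembers: every caller is logged
            present.add(log_type)
    return updated


def update_policy_file(path, log_types):
    """Rewrite the file produced by get-iam-policy so it can be passed to set-iam-policy."""
    with open(path) as fh:
        policy = json.load(fh)
    updated = enable_kms_audit_logs(policy, log_types)
    with open(path, "w") as fh:
        json.dump(updated, fh, indent=2)
    return updated


if __name__ == "__main__":
    # Constructed sample: an unconfigured key's policy contains only its etag.
    print(json.dumps(enable_kms_audit_logs({"etag": "ACAB"}, ["DATA_READ"]), indent=2))
```

Run it as update_policy_file("/tmp/policy.json", ["DATA_READ", "ADMIN_READ", "DATA_WRITE"]) between the get-iam-policy and set-iam-policy commands.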
Learn more about Configuring Data Access Logs.

Format of logs

Cloud KMS logs follow the same format as other Cloud Audit Logging logs, using the AuditLog object. Logs contain the following:

  • the user who made the request, including the email address of that user
  • the resource name on which the request was made
  • the outcome of the request

Accessing logs


Any user of the project can view Admin Activity logs. To view Data Access logs, a user needs at least the Owner role, or the Private Logs Viewer role. See the section on using Cloud IAM with Cloud KMS on how to configure these.

Viewing logs

You can view Cloud Audit Logs for your project in the Activity Stream on the Cloud Platform Console, as well as more detailed logs in the Logs Viewer. Further instructions on filtering logs in the Logs Viewer can be found in the Cloud Audit Logging documentation.

If desired, you can also export logs.

What's next

Learn how to create alerts on logged activities at Monitoring Cloud KMS resources.
