Disable Cloud Logging for the Cloud Healthcare API

Overview

This guide explains how to set a constraint (constraints/gcp.disableCloudLogging) that disables Cloud Logging for the Cloud Healthcare API at the level of an organization, a project, or a folder. The constraint does not affect Cloud Audit Logs. Logs that are generated before the constraint takes effect are not deleted and can be accessed after the constraint takes effect.

Disabling Cloud Logging for the Cloud Healthcare API

To disable Cloud Logging for the Cloud Healthcare API, you must have the Organization Administrator (roles/resourcemanager.organizationAdmin) role. This role can only be granted at the Organization level. You must have the Organization Policy Administrator (roles/orgpolicy.policyAdminrole) to set or change organization policies.

Console

To disable Cloud Logging for the Cloud Healthcare API:

  1. Sign in to the Google Cloud console as a Google Workspace or Cloud Identity super administrator and go to the Organization policies page:

    Go to Organization policies

  2. Click Select, and then select the project, folder, or organization for which you want to view organization policies. The Organization policies page displays a filterable list of organization policy constraints that are available.

  3. In the list of policies that appears, select Disable Cloud Logging for Cloud Healthcare API. The Disable Cloud Logging for Cloud Healthcare API policy uses the constraints/gcp.disableCloudLogging ID. The Policy details page that appears describes the constraint and provides information about how the constraint is applied.

  4. To update the organization policy, click Manage policy.

  5. On the Edit policy page, select Override parent's policy.

  6. Click Add a rule.

  7. Under Enforcement, select an enforcement option:

    • To enable the constraint and disable Cloud Logging for the Cloud Healthcare API, select On.
    • To disable the constraint and enable Cloud Logging for the Cloud Healthcare API, select Off.
  8. To enforce the policy, click Set policy.

gcloud

  1. Get the current policy on the organization resource using the describe command:

    gcloud org-policies describe gcp.disableCloudLogging \
      --organization=ORGANIZATION_ID
    

    Replace the ORGANIZATION_ID: with the unique identifier for the organization resource. You can also apply the organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.

    Because a policy isn't set, this returns a NOT_FOUND error:

    ERROR: (gcloud.org-policies.describe) NOT_FOUND: Requested entity was not found.
    
  2. Set the policy on the organization using the set-policy command.

    1. Create a temporary file /tmp/policy.yaml to store the policy:

      name: organizations/ORGANIZATION_ID/policies/gcp.disableCloudLogging
      spec:
        rules:
        - enforce: true
      
    2. Run the set-policy command:

      gcloud org-policies set-policy /tmp/policy.yaml
      
  3. View the current effective policy using the describe --effective command:

    gcloud org-policies describe \
      gcp.disableCloudLogging --effective \
      --organization=ORGANIZATION_ID
    

    After running the command, the following output displays:

    name: organizations/ORGANIZATION_ID/policies/gcp.disableCloudLogging
    spec:
      rules:
      - enforce: true
    

What's next

See Using constraints for more information on creating an organization policy with a particular constraint.