This document describes how to configure Model Armor to log the following operations:

- Operations that create, update, or delete a template
- Operations that sanitize a user prompt or model response

Model Armor uses audit logs to record administrative and resource management activities. For more information, see [Model Armor audit logging overview](/logging/docs/overview).

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Obtain the required permissions

To get the permissions that you need to configure logging for Model Armor, ask your administrator to grant you the [Model Armor Admin](/iam/docs/roles-permissions/modelarmor#modelarmor.admin) (`roles/modelarmor.admin`) IAM role on the Model Armor template.

For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).

You might also be able to get the required permissions through [custom roles](/iam/docs/creating-custom-roles) or other [predefined roles](/iam/docs/roles-overview#predefined).

Enable APIs

You must enable Model Armor APIs before you can use Model Armor.

Console

1. Enable the Model Armor API.

   [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=modelarmor.googleapis.com)

2. Select the project where you want to activate Model Armor.

gcloud

Before you begin, follow these steps using the Google Cloud CLI with the Model Armor API:

1. In the Google Cloud console, activate Cloud Shell.

   [Activate Cloud Shell](https://console.cloud.google.com/?cloudshell=true)

   At the bottom of the Google Cloud console, a [Cloud Shell](/shell/docs/how-cloud-shell-works) session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

2. Run the following command to set the API endpoint for the Model Armor service.

   ```bash
   gcloud config set api_endpoint_overrides/modelarmor "https://modelarmor.LOCATION.rep.googleapis.com/"
   ```

   Replace `LOCATION` with the region where you want to use Model Armor.

Run the following command to enable Model Armor.

```bash
gcloud services enable modelarmor.googleapis.com --project=PROJECT_ID
```

Replace `PROJECT_ID` with the ID of the project.

Configure logging in templates

Templates define the filters and thresholds for different safety and security categories. When creating or updating a [Model Armor template](/security-command-center/docs/manage-model-armor-templates), you can specify whether Model Armor logs certain operations. Use the following flags in the template metadata:

- `log_template_operations`: A boolean value that enables logging of the create, update, read, and delete template operations.
- `log_sanitize_operations`: A boolean value that enables logging of the sanitize operations. The logs include the prompt and response, Model Armor's evaluation results, and additional metadata fields.

Console

1. In the Google Cloud console, go to the **Model Armor** page.

   [Go to Model Armor](https://console.cloud.google.com/security/modelarmor)

2. Verify that you are viewing the project that you activated Model Armor on.

3. On the **Model Armor** page, click **Create Template**. For more information on creating templates, see [Create a Model Armor template](/security-command-center/docs/manage-model-armor-templates#create-ma-template).

4. In the **Configure logging** section, select the operations for which you want to configure logging.

5. Click **Create**.

REST

    curl -X POST \
      -d '{ "filterConfig": {}, "templateMetadata": { "logTemplateOperations": true, "logSanitizeOperations": true } }' \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates?template_id=TEMPLATE_ID"

Replace the following:

- `PROJECT_ID`: the ID of the project that the template belongs to.
- `LOCATION`: the location of the template.
- `TEMPLATE_ID`: the ID of the template.

Python

To run this code, first [set up a Python development environment](/python/docs/setup) and [install the Model Armor Python SDK](/security-command-center/docs/reference/model-armor/client-libraries-install-python).

```python
from google.api_core.client_options import ClientOptions
from google.cloud import modelarmor_v1

# Use the regional endpoint that matches the template's location.
client = modelarmor_v1.ModelArmorClient(
    transport="rest",
    client_options=ClientOptions(
        api_endpoint="modelarmor.LOCATION.rep.googleapis.com"
    ),
)

request = modelarmor_v1.CreateTemplateRequest(
    parent="projects/PROJECT_ID/locations/LOCATION",
    template_id="TEMPLATE_ID",
    template={
        "name": "projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID",
        "filter_config": {},
        "template_metadata": {
            # Log create, update, read, and delete operations on the template.
            "log_template_operations": True,
            # Log sanitize operations, including prompt and response content.
            "log_sanitize_operations": True,
        },
    },
)
response = client.create_template(request=request)
```

Replace the following:

- `PROJECT_ID`: the ID of the project that the template belongs to.
- `LOCATION`: the location of the template.
- `TEMPLATE_ID`: the ID of the template.

View logs

Access Model Armor logs using Logs Explorer in Cloud Logging. For more information, see [View logs by using the Logs Explorer](/logging/docs/view/logs-explorer-interface). Filter by the service name `modelarmor.googleapis.com`. Look for entries related to the operations that you enabled in your template. For a list of all the service names and monitored resource types, see [Monitored resources and services](/logging/docs/api/v2/resource-list#resource-types).

Filter Model Armor logs

Use log labels to filter the Model Armor logs for sanitization operations and template logging.

Run the following query in the Logs Explorer to filter the sanitization operations logs.

    jsonPayload.@type="type.googleapis.com/google.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry"

To further refine the sanitization operation logs, you can specify a project ID, client name, or correlation ID in the query.

- Using a project ID:

      jsonPayload.@type="type.googleapis.com%2Fgoogle.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry";project=PROJECT_ID

- Using a client name:

      jsonPayload.@type="type.googleapis.com/google.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry"
      labels."modelarmor.googleapis.com/client_name"="CLIENT_NAME"

- Using a correlation ID:

      labels."modelarmor.googleapis.com/client_correlation_id"="CORRELATION_ID"

Replace the following:

- `PROJECT_ID`: the Google Cloud project ID.
- `CLIENT_NAME`: the name of your client.
- `CORRELATION_ID`: the unique identifier that you generate for a specific request.

Correlate logs and related events

To correlate logs and events related to a particular interaction, you need a client correlation ID. It is a unique identifier that you generate (for example, a UUID) to track a specific request across your system. To set a client correlation ID in a curl header, use the `-H` option to include a custom header in your request. Here's the sample format:

    curl -X POST -d '{"userPromptData": { "text": "USER_PROMPT" } }' \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "MA-Client-Correlation-Id: $uuid" \
      "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID:sanitizeUserPrompt"

    curl -X POST \
      -d '{"modelResponseData": { "text": "MODEL_RESPONSE" }, "userPrompt": "USER_PROMPT" }' \
      -H "Content-Type: application/json" \
      -H "MA-Client-Correlation-Id: $uuid" \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID:sanitizeModelResponse"

Replace the following:

- `PROJECT_ID`: the ID of the project that the template belongs to.
- `LOCATION`: the location of the template.
- `TEMPLATE_ID`: the ID of the template.
- `USER_PROMPT`: the prompt provided to the model.
- `MODEL_RESPONSE`: the response received from the model.

Last updated 2025-09-05 UTC.
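The correlation workflow described under "Correlate logs and related events", as an added example that is not part of the original documentation: it generates the ID and header, builds the matching Logs Explorer filter, and checks exported entries for sanitize calls that cannot be traced. It assumes correlation IDs are UUIDs and that exported entries use the standard Cloud Logging `labels`, `timestamp`, `insertId` and `jsonPayload` fields; the sample entries are constructed.

```python
import uuid

SANITIZE_TYPE = ("type.googleapis.com/google.cloud.modelarmor.logging.v1."
                 "SanitizeOperationLogEntry")
CORR_LABEL = "modelarmor.googleapis.com/client_correlation_id"


def new_correlation():
    """Return (correlation_id, request header) for one prompt/response pair."""
    cid = str(uuid.uuid4())
    return cid, {"MA-Client-Correlation-Id": cid}


def correlation_filter(cid):
    """Logs Explorer filter for the sanitize entries of one interaction."""
    cid = str(uuid.UUID(cid))  # ValueError unless it is a UUID; keeps quotes out
    return (f'jsonPayload.@type="{SANITIZE_TYPE}"\n'
            f'labels."{CORR_LABEL}"="{cid}"')


def _is_sanitize(entry):
    return entry.get("jsonPayload", {}).get("@type") == SANITIZE_TYPE


def trace(entries, cid):
    """Sanitize entries carrying this correlation ID, oldest first."""
    hits = [e for e in entries
            if _is_sanitize(e) and e.get("labels", {}).get(CORR_LABEL) == cid]
    return sorted(hits, key=lambda e: e["timestamp"])


def untraceable(entries):
    """Sanitize entries whose caller sent no correlation ID."""
    return [e for e in entries
            if _is_sanitize(e) and not e.get("labels", {}).get(CORR_LABEL)]


# Constructed sample entries, not real log output.
CID = "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b"
SAMPLE = [
    {"insertId": "b", "timestamp": "2025-09-05T10:00:02Z",
     "labels": {CORR_LABEL: CID}, "jsonPayload": {"@type": SANITIZE_TYPE}},
    {"insertId": "a", "timestamp": "2025-09-05T10:00:01Z",
     "labels": {CORR_LABEL: CID}, "jsonPayload": {"@type": SANITIZE_TYPE}},
    {"insertId": "c", "timestamp": "2025-09-05T10:00:05Z",
     "labels": {}, "jsonPayload": {"@type": SANITIZE_TYPE}},
]
```

Send the same header on both the `sanitizeUserPrompt` and `sanitizeModelResponse` calls of an interaction so that `trace` returns both entries.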
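A check for the flags described under "Configure logging in templates", as an added example that is not part of the original documentation: it reports templates where either logging flag is not enabled, and lists templates whose sanitize logs contain prompt and response text so that access to those logs can be reviewed. The listing shape (a `templates` array of objects with `name` and `templateMetadata`) and the project and template names are assumptions; the sample is constructed.

```python
import json

# Field names come from the REST request body shown on this page.
FLAGS = ("logTemplateOperations", "logSanitizeOperations")

# Constructed sample, not real output. Assumed shape: a "templates" array whose
# items have "name" and an optional "templateMetadata" object.
SAMPLE_LISTING = json.loads("""
{"templates": [
  {"name": "projects/example-project/locations/us-central1/templates/chat-prod",
   "templateMetadata": {"logTemplateOperations": true,
                        "logSanitizeOperations": true}},
  {"name": "projects/example-project/locations/us-central1/templates/chat-dev",
   "templateMetadata": {"logTemplateOperations": true}},
  {"name": "projects/example-project/locations/us-central1/templates/legacy",
   "filterConfig": {}}
]}
""")


def logging_gaps(listing):
    """Map template name -> logging flags that are not explicitly true."""
    gaps = {}
    for tpl in listing.get("templates", []):
        meta = tpl.get("templateMetadata") or {}
        off = [flag for flag in FLAGS if meta.get(flag) is not True]
        if off:
            gaps[tpl["name"]] = off
    return gaps


def content_in_logs(listing):
    """Templates whose sanitize logs carry prompt and response text."""
    return [tpl["name"] for tpl in listing.get("templates", [])
            if (tpl.get("templateMetadata") or {}).get("logSanitizeOperations") is True]


if __name__ == "__main__":
    for name, off in logging_gaps(SAMPLE_LISTING).items():
        print(f"{name}: not logging {', '.join(off)}")
    for name in content_in_logs(SAMPLE_LISTING):
        print(f"{name}: prompts and responses are written to Cloud Logging")
```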