Package google.cloud.audit

Index

AuditLog

Common audit log format for Google Cloud Platform API operations.

Fields
service_name

string

The name of the API service performing the operation. For example, "datastore.googleapis.com".

method_name

string

The name of the service method or operation. For API calls, this should be the name of the API method. For example,

"google.datastore.v1.Datastore.RunQuery"
"google.logging.v1.LoggingService.DeleteLog"

resource_name

string

The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example:

"shelves/SHELF_ID/books"
"shelves/SHELF_ID/books/BOOK_ID"

resource_location

ResourceLocation

The resource location information.

resource_original_state

Struct

The resource's original state before mutation. Present only for operations which have successfully modified the targeted resource(s). In general, this field should contain all changed fields, except those that are already been included in request, response, metadata or service_data fields. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.

num_response_items

int64

The number of items returned from a List or Query API method, if applicable.

status

Status

The status of the overall operation.

authentication_info

AuthenticationInfo

Authentication information.

authorization_info[]

AuthorizationInfo

Authorization information. If there are multiple resources or permissions involved, then there is one AuthorizationInfo element for each {resource, permission} tuple.

request_metadata

RequestMetadata

Metadata about the operation.

request

Struct

The operation request. This may not include all request parameters, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.

response

Struct

The operation response. This may not include all response elements, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.

metadata

Struct

Other service-specific data about the request, response, and other information associated with the current audited event.

service_data

Any

Deprecated, use metadata field instead. Other service-specific data about the request, response, and other activities.

AuthenticationInfo

Authentication information for the operation.

Fields
principal_email

string

The email address of the authenticated user (or service account on behalf of third party principal) making the request. For privacy reasons, the principal email address is redacted for all read-only operations that fail with a "permission denied" error.

authority_selector

string

The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority.

third_party_principal

Struct

The third party identification (if any) of the authenticated user making the request. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.

AuthorizationInfo

Authorization information for the operation.

Fields
resource

string

The resource being accessed, as a REST-style string. For example:

bigquery.googleapis.com/projects/PROJECTID/datasets/DATASETID

permission

string

The required IAM permission.

granted

bool

Whether or not authorization for resource and permission was granted.

resource_attributes

Resource

Resource attributes used in IAM condition evaluation. This field contains resource attributes like resource type and resource name.

To get the whole view of the attributes used in IAM condition evaluation, the user must also look into AuditLog.request_metadata.request_attributes.

RequestMetadata

Metadata about the request.

Fields
caller_ip

string

The IP address of the caller. For caller from internet, this will be public IPv4 or IPv6 address. For caller from a Compute Engine VM with external IP address, this will be the VM's external IP address. For caller from a Compute Engine VM without external IP address, if the VM is in the same organization (or project) as the accessed resource, caller_ip will be the VM's internal IPv4 address, otherwise the caller_ip will be redacted to "gce-internal-ip". See https://cloud.google.com/compute/docs/vpc/ for more information.

caller_supplied_user_agent

string

The user agent of the caller. This information is not authenticated and should be treated accordingly. For example:

  • google-api-python-client/1.4.0: The request was made by the Google API client for Python.
  • Cloud SDK Command Line Tool apitools-client/1.0 gcloud/0.9.62: The request was made by the Google Cloud SDK CLI (gcloud).
  • AppEngine-Google; (+http://code.google.com/appengine; appid: s~my-project: The request was made from the my-project App Engine app. NOLINT

caller_network

string

The network of the caller. Set only if the network host project is part of the same GCP organization (or project) as the accessed resource. See https://cloud.google.com/compute/docs/vpc/ for more information. This is a scheme-less URI full resource name. For example:

"//compute.googleapis.com/projects/PROJECT_ID/global/networks/NETWORK_ID"

request_attributes

Request

Request attributes used in IAM condition evaluation. This field contains request attributes like request time and access levels associated with the request.

To get the whole view of the attributes used in IAM condition evaluation, the user must also look into AuditLog.authentication_info.resource_attributes.

destination_attributes

Peer

The destination of a network activity, such as accepting a TCP connection. In a multi hop network activity, the destination represents the receiver of the last hop. Only two fields are used in this message, Peer.port and Peer.ip. These fields are optionally populated by those services utilizing the IAM condition feature.

ResourceLocation

Location information about a resource.

Fields
current_locations[]

string

The locations of a resource after the execution of the operation. For example:

"europe-west1-a"
"us-east1"
"nam3"

original_locations[]

string

The locations of a resource prior to the execution of the operation. For example:

"europe-west1-a"
"us-east1"
"nam3"

Esta página foi útil? Conte sua opinião sobre:

Enviar comentários sobre…

Service Infrastructure Documentation