This page provides supplemental information for using Cloud Audit Logging with Cloud TPU.
Audit logs help you determine who did what, where, and when. Specifically, audit logs track how your Cloud TPU resources are modified and accessed within your Google Cloud projects.
Cloud Audit Logging returns two types of logs:
- Admin Activity log: Contains log entries for Cloud TPU API calls that modify the state or metadata of Cloud TPU resources in the system, such as creation and deletion of TPU Nodes or cancellation and deletion of TPU operations.
- Data Access log: Contains log entries for operations that perform read-only actions in the Cloud TPU API, specifically get and list APIs.
Admin Activity logs are recorded by default. These logs do not count towards your log ingestion quota.
Data Access logs are not recorded by default. These logs count towards your log ingestion quota. You can enable Data Access logs and configure which access types are recorded through the Google Cloud Console, or programmatically using the API or Cloud SDK.
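Enabling Data Access logs programmatically means a read-modify-write of the `auditConfigs` section of the project's IAM policy (fetched and written back with `gcloud projects get-iam-policy` and `gcloud projects set-iam-policy`). The following is an added example, not code from this page or from Google: it merges an entry for the Cloud TPU service into a policy without disturbing other services or existing exemptions. The function name, the sample policy, and the choice of `ADMIN_READ` and `DATA_READ` as the log types to enable are assumptions.

```python
import copy

TPU_SERVICE = "tpu.googleapis.com"  # Cloud TPU API service name


def enable_data_access_logs(policy, service=TPU_SERVICE,
                            log_types=("ADMIN_READ", "DATA_READ")):
    """Return a copy of an IAM policy with Data Access logging enabled for `service`.

    auditConfigs for other services, and exemptedMembers already set on this
    service, are preserved, so the function is safe to re-run (idempotent).
    The default log_types are an assumption; pass the ones you need.
    """
    updated = copy.deepcopy(policy)
    audit_configs = updated.setdefault("auditConfigs", [])
    entry = next((c for c in audit_configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        audit_configs.append(entry)
    present = {c.get("logType") for c in entry.setdefault("auditLogConfigs", [])}
    for log_type in log_types:
        if log_type not in present:
            entry["auditLogConfigs"].append({"logType": log_type})
    return updated


# Constructed sample policy, shaped like `gcloud projects get-iam-policy --format=json` output.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/owner", "members": ["user:owner@example.com"]}],
    "auditConfigs": [
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}]},
        {"service": TPU_SERVICE,
         "auditLogConfigs": [{"logType": "ADMIN_READ",
                              "exemptedMembers": ["user:ci@example.com"]}]},
    ],
    "etag": "BwXconstructed=",  # constructed placeholder value
    "version": 1,
}

if __name__ == "__main__":
    import json
    print(json.dumps(enable_data_access_logs(SAMPLE_POLICY), indent=2))
```

Keep the `etag` from the fetched policy when writing it back so a concurrent policy change is rejected instead of silently overwritten.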
The following users can view Admin Activity logs:
- Project owners, editors, and viewers.
- Users with the Logs Viewer IAM role.
- Users with the logging.logEntries.list IAM permission.
The following users can view Data Access logs:
- Project owners.
- Users with the Private Logs Viewer IAM role.
- Users with the logging.privateLogEntries.list IAM permission.
Project owners can grant, change, and revoke access for project members.
You can also filter logs in the Logs Viewer.
Cloud TPU audit logs are logged to the generic Audited Resource.