Retrieve VPC Service Controls errors from audit logs

This page describes how you can find VPC Service Controls errors using Cloud Logging.

VPC Service Controls helps mitigate data exfiltration risks by isolating multi-tenant Google Cloud services. For more information, see Overview of VPC Service Controls.

Determine if an error is due to VPC Service Controls

VPC Service Controls changes how Google Cloud services behave, and that change can cascade across services. This can make issues difficult to debug, especially if you don't know what to look for.

Changes to a service perimeter can take up to 30 minutes to propagate and take effect. After the changes have propagated, requests to the services restricted in the perimeter can't cross the perimeter boundary unless the access is explicitly authorized.

To determine if an error is related to VPC Service Controls, check whether you have enabled VPC Service Controls and applied it to the projects and services you are attempting to use. To verify whether the projects and services are protected by VPC Service Controls, check the VPC Service Controls policy at that level of resource hierarchy.

For example, suppose that you indirectly use a service that VPC Service Controls marks as restricted, in a project that is inside a service perimeter. In that case, VPC Service Controls might be denying the access.

Usually, services propagate error messages from their dependencies. If you encounter one of the following errors, the error was raised by VPC Service Controls.

  • Cloud Storage: 403: Request violates VPC Service Controls.

  • BigQuery: 403: VPC Service Controls: Request is prohibited by organization's policy.

  • Other services: 403: Request is prohibited by organization's policy.

Use the error's unique ID

An error generated by VPC Service Controls includes a unique ID that you can use to identify the relevant audit log entries. The gcloud command-line tool returns this unique ID; the Google Cloud console does not. To locate log entries for errors that don't show a unique ID, filter the logs using metadata instead.

To obtain information about an error using the unique ID, do the following:

  1. In the Google Cloud console, go to the Cloud Logging page for the project inside the service perimeter that triggered the error.

  2. In the search-filter field, enter the error's unique ID.

You can see the relevant log entry.

Filter logs using metadata

You can use the Logs Explorer to find errors related to VPC Service Controls. You can use the Logging query language to retrieve the logs. For information about building queries, see Building queries by using the Logging query language.

Console

To obtain the last 24 hours of VPC Service Controls errors in Logging, do the following:

  1. In the Google Cloud console, go to the Cloud Logging page.

  2. Make sure that you are in the project that is inside the service perimeter.

  3. In the search-filter field, enter the following:

    protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
    
  4. In the Resource menu, select Audited Resource.

  5. In the time-range selector menu, select Last 24 hours.

  6. Optional: To find the VPC Service Controls errors that have occurred during a different period, use the time-range selector menu.

gcloud

  • To obtain the last 24 hours of VPC Service Controls errors, run the following command:

    gcloud logging read 'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"'
    

    By default, the read command is limited to the last 24 hours. To obtain VPC Service Controls logs for a different period, use one of the following commands:

  • To retrieve logs that were generated within a certain period from the current date, run the following command:

    gcloud logging read \
    'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"' \
      --freshness=DURATION
    

    DURATION is a formatted period of time. For more information about formatting, see relative duration and time formats for gcloud CLI.

  • To retrieve all VPC Service Controls errors that have occurred in the past week, run the following command:

    gcloud logging read \
    'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"' \
      --freshness=7d
    
  • To retrieve logs that were generated between specific dates, run the following command:

    gcloud logging read \
    'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" AND
    timestamp>="START_DATETIME" AND
    timestamp<="END_DATETIME"'
    

    START_DATETIME and END_DATETIME are formatted date and time strings. For more information about formatting, see absolute date and time formats for gcloud CLI.

    For example, to obtain all VPC Service Controls errors that have occurred between March 22, 2019 and March 26, 2019:

    gcloud logging read \
    'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" AND
      timestamp>="2019-03-22T23:59:59Z" AND
      timestamp<="2019-03-26T00:00:00Z"'
    
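    To triage an export produced by the gcloud command above when it is run with --format=json, here is an added Python example that is not part of the Google Cloud documentation: it applies the same metadata @type filter as the queries on this page, looks an entry up by the unique ID that gcloud printed with the error, and counts denials per service, violation reason and perimeter. The sample entries are constructed; the field names vpcServiceControlsUniqueId, violationReason and securityPolicyInfo.servicePerimeterName are assumed from the VpcServiceControlAuditMetadata message and should be confirmed against a real exported entry.

```python
import json
from collections import Counter

# Same @type that the page's Logging filter matches on.
VPC_SC_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

def _entry(ts, service, method, uid, reason, perimeter):
    # Build one constructed audit entry in the shape `gcloud logging read --format=json` emits.
    # Field names under "metadata" are assumed from VpcServiceControlAuditMetadata.
    return {"timestamp": ts, "protoPayload": {
        "serviceName": service, "methodName": method,
        "status": {"code": 7, "message": "Request is prohibited by organization's policy"},
        "metadata": {"@type": VPC_SC_TYPE, "vpcServiceControlsUniqueId": uid,
                     "violationReason": reason,
                     "securityPolicyInfo": {"servicePerimeterName": perimeter}}}}

# Constructed sample export: two VPC SC denials plus one unrelated audit entry.
PERIMETER = "accessPolicies/0/servicePerimeters/example_perimeter"
SAMPLE_EXPORT = json.dumps([
    _entry("2019-03-23T10:15:00Z", "storage.googleapis.com", "storage.objects.get",
           "UID-PLACEHOLDER-1", "NO_MATCHING_ACCESS_LEVEL", PERIMETER),
    _entry("2019-03-24T08:00:00Z", "bigquery.googleapis.com", "jobs.insert",
           "UID-PLACEHOLDER-2", "RESOURCE_NOT_IN_SAME_SERVICE_PERIMETER", PERIMETER),
    {"timestamp": "2019-03-24T09:00:00Z", "protoPayload": {
        "serviceName": "storage.googleapis.com", "methodName": "storage.objects.list",
        "metadata": {"@type": "type.googleapis.com/google.cloud.audit.Unrelated"}}},
])

def sample_entries():
    # Replace with json.load(open("export.json")) for a real export.
    return json.loads(SAMPLE_EXPORT)

def vpc_sc_entries(entries):
    """Keep only entries whose metadata @type marks a VPC Service Controls decision."""
    return [e for e in entries
            if e.get("protoPayload", {}).get("metadata", {}).get("@type") == VPC_SC_TYPE]

def find_by_unique_id(entries, unique_id):
    """Locate the entry for the unique ID that gcloud printed alongside the error."""
    for e in vpc_sc_entries(entries):
        if e["protoPayload"]["metadata"].get("vpcServiceControlsUniqueId") == unique_id:
            return e
    return None

def summarize(entries):
    """Count denials by (service, violation reason, perimeter) to spot the failing policy."""
    counts = Counter()
    for e in vpc_sc_entries(entries):
        p, m = e["protoPayload"], e["protoPayload"]["metadata"]
        counts[(p.get("serviceName"), m.get("violationReason"),
                m.get("securityPolicyInfo", {}).get("servicePerimeterName"))] += 1
    return counts
```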