This page describes the audit logs created by Cloud Build.
Audit logging summary
Google Cloud services write audit logs to help you answer the questions of "who did what, where, and when?" within your Google Cloud projects and organizations.
Audited information is divided into the following categories:
- Admin Activity: Operations that modify the configuration or metadata of a Cloud Build resource. Any API call that creates or cancels a build, or that creates, deletes, enables, disables, or updates a trigger, falls into this category. This audit information is provided by default.
- Data Access (ADMIN_READ): Operations that read the configuration or metadata of a project, build, or trigger. This audit information is not provided by default.
- Data Access (DATA_READ): Operations that read user-provided data from a resource. This audit information is not provided by default.
- Data Access (DATA_WRITE): Operations that write user-provided data to a resource. This audit information is not provided by default.
For more information, see Cloud Audit Logging.
Audited operations
The following table summarizes which Cloud Build API operations are listed in each audit log category:
Audit logs category | Cloud Build Operations
---|---
Admin activity | Operations that create or cancel a build, or create, delete, enable, disable, or update a trigger (see "Admin Activity" above)
Data access (ADMIN_READ) | Operations that read the configuration or metadata of a project, build, or trigger (see "Data Access (ADMIN_READ)" above)
Data access (DATA_READ) | None
Data access (DATA_WRITE) | None
Unlike audit logs for other services, Cloud Build only has ADMIN_READ data access logs and does not offer DATA_READ and DATA_WRITE logs. This is because DATA_READ and DATA_WRITE logs are only used for services that store and manage user data, and Cloud Build considers builds and triggers to be administrative config information.
Permissions for accessing the logs
The following users can view admin activity logs:
- Project owners, editors, and viewers.
- Users with the Logs Viewer IAM role.
- Users with the logging.logEntries.list IAM permission.
The following users can view data access logs:
- Project owners.
- Users with the Private Logs Viewer IAM role.
- Users with the logging.privateLogEntries.list IAM permission.
For instructions on granting IAM permissions, see Configuring Access Control.
Audit log format
Audit log entries have the following structure:
- An object of type LogEntry that contains the entire log entry.
- An object of type AuditLog that is held in the protoPayload field of the LogEntry object.
Knowing what information is held in these objects will help you understand and retrieve your audit log entries using the Logs Explorer and the Stackdriver Logging API.
All audit log entries contain the name of an audit log, a resource, and a service:
- logName: This field indicates whether the log is an Admin Activity or Data Access audit log. For example, within a project or organization, these log names are suffixed with the abbreviated activity or data_access.
- Monitored resource type: build. Includes the project, build, and build trigger for the audited operation.
- serviceName: For Cloud Build, the field contains cloudbuild.googleapis.com. A resource type belongs to a single service, but a service can have several resource types. For a list of services and resources, see Mapping services to resources.
For more details, see Audit Log Datatypes.
Enabling logs
Admin activity logs are enabled and logged by default. These logs do not count towards your log ingestion quota.
Data access logs for Cloud Build operations are not recorded by default. You can configure Data Access audit logs in your project or organization. To learn how to enable logs for data access-type operations, see Configuring Data Access Logs.
Quotas and limits
Admin Activity logs do not count towards your log ingestion quota.
Data access operations are high volume and count toward your log ingestion quota.
For more information, see Quotas and Limits.
Viewing logs
To view a summary of your Admin Activity:
- Open Google Cloud Platform Activity.
To select and filter your logs and view them in detail:
- Open the Logs Explorer page.
- In the first drop-down menu, select the resource whose audit logs you wish to see. Select a specific project or "all projects."
- In the second menu, select the log name you want to see: activity for Admin Activity audit logs and data_access for Data Access audit logs (if the logs are available).
- The audit logs appear in the Logs Explorer.
You can also use the Logs Explorer advanced filter interface to specify the resource type and log name. For more information, see Retrieving audit logs.
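As an added example (not code from the Cloud Build documentation), the following Python script ties together the entry structure described under "Audit log format" and the filtering described in this section. build_filter() produces the filter string you would paste into the Logs Explorer advanced filter interface or pass to `gcloud logging read`; the parser walks one JSON LogEntry per line (the shape a log sink exports), keeps only Cloud Build AuditLog payloads, and reduces each to who/what/where/when, flagging Admin Activity calls that change a trigger's configuration. The project id example-project, the principals, IP addresses, timestamps and resource names are constructed sample values; the fully qualified method names follow the google.devtools.cloudbuild.v1.CloudBuild.* pattern and are an assumption to check against your own entries.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

CLOUD_BUILD_SERVICE = "cloudbuild.googleapis.com"
AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"


def build_filter(project_id: str, log_type: str = "activity") -> str:
    """Return a Logs Explorer / `gcloud logging read` filter for Cloud Build audit logs.

    log_type is "activity" (Admin Activity) or "data_access" (ADMIN_READ entries).
    %2F is the URL-encoded slash that Cloud Logging uses inside audit log names.
    """
    if log_type not in ("activity", "data_access"):
        raise ValueError("log_type must be 'activity' or 'data_access'")
    log_name = f"projects/{project_id}/logs/cloudaudit.googleapis.com%2F{log_type}"
    return (f'resource.type="build" AND logName="{log_name}" '
            f'AND protoPayload.serviceName="{CLOUD_BUILD_SERVICE}"')


@dataclass
class AuditSummary:
    """The who / what / where / when of one Cloud Build audit entry."""
    category: str   # "activity" or "data_access", taken from logName
    when: str       # LogEntry.timestamp
    who: str        # protoPayload.authenticationInfo.principalEmail
    caller_ip: str  # protoPayload.requestMetadata.callerIp
    method: str     # protoPayload.methodName
    resource: str   # protoPayload.resourceName


def summarize(entry: dict) -> Optional[AuditSummary]:
    """Return a summary for a Cloud Build audit entry, or None for anything else."""
    payload = entry.get("protoPayload") or {}
    if payload.get("@type") != AUDIT_LOG_TYPE:
        return None                                  # not an AuditLog payload
    if payload.get("serviceName") != CLOUD_BUILD_SERVICE:
        return None                                  # another service's audit log
    if (entry.get("resource") or {}).get("type") != "build":
        return None                                  # not the Cloud Build resource type
    # logName ends in .../cloudaudit.googleapis.com%2Factivity (or %2Fdata_access);
    # some exports unescape the %2F, so both forms are accepted.
    category = entry.get("logName", "").replace("%2F", "/").rsplit("/", 1)[-1]
    auth = payload.get("authenticationInfo") or {}
    meta = payload.get("requestMetadata") or {}
    return AuditSummary(
        category=category,
        when=entry.get("timestamp", ""),
        who=auth.get("principalEmail", "<unknown>"),
        caller_ip=meta.get("callerIp", "<unknown>"),
        method=payload.get("methodName", ""),
        resource=payload.get("resourceName", ""),
    )


def parse_line(line: str) -> Optional[AuditSummary]:
    """Parse one JSON-encoded LogEntry and summarize it if it is a Cloud Build audit entry."""
    return summarize(json.loads(line))


def summarize_all(raw_lines: List[str]) -> List[AuditSummary]:
    """Summarize every Cloud Build audit entry in a list of JSON lines, dropping the rest."""
    return [s for s in (parse_line(l) for l in raw_lines) if s is not None]


def is_trigger_change(s: AuditSummary) -> bool:
    """True for Admin Activity calls that create, update, delete, enable or disable a trigger."""
    short = s.method.rsplit(".", 1)[-1]
    return (s.category == "activity" and short.endswith("BuildTrigger")
            and not short.startswith(("Get", "List")))


def _entry(log_suffix, method, who, ip, resource, ts) -> str:
    """Build one constructed LogEntry line in the shape described under 'Audit log format'."""
    return json.dumps({
        "logName": f"projects/example-project/logs/cloudaudit.googleapis.com%2F{log_suffix}",
        "resource": {"type": "build", "labels": {"project_id": "example-project"}},
        "timestamp": ts,
        "protoPayload": {
            "@type": AUDIT_LOG_TYPE,
            "serviceName": CLOUD_BUILD_SERVICE,
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": who},
            "requestMetadata": {"callerIp": ip},
        },
    })


# Constructed sample input: three Cloud Build entries plus one from another service.
SAMPLE_LOG_LINES = [
    _entry("activity", "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild",
           "ci-runner@example-project.iam.gserviceaccount.com", "203.0.113.10",
           "projects/example-project/builds/build-1", "2024-01-01T10:00:00Z"),
    _entry("activity", "google.devtools.cloudbuild.v1.CloudBuild.DeleteBuildTrigger",
           "dev@example.com", "198.51.100.7",
           "projects/example-project/triggers/deploy-prod", "2024-01-01T10:05:00Z"),
    _entry("data_access", "google.devtools.cloudbuild.v1.CloudBuild.GetBuildTrigger",
           "dev@example.com", "198.51.100.7",
           "projects/example-project/triggers/deploy-prod", "2024-01-01T10:04:00Z"),
    json.dumps({"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
                "resource": {"type": "gcs_bucket"}, "timestamp": "2024-01-01T10:06:00Z",
                "protoPayload": {"@type": AUDIT_LOG_TYPE, "serviceName": "storage.googleapis.com",
                                 "methodName": "storage.buckets.delete"}}),
]

if __name__ == "__main__":
    print(build_filter("example-project"))
    for s in summarize_all(SAMPLE_LOG_LINES):
        flag = "  <-- trigger config change" if is_trigger_change(s) else ""
        print(f"{s.when} {s.category:<11} {s.who} {s.caller_ip} {s.method} {s.resource}{flag}")
```

The filter deliberately pins all three fields the page lists as common to every audit entry (resource type, log name, and service name), so entries from other services that share the activity log name are excluded before you read them; the same three checks are repeated in summarize() because exported files can contain entries from every service in the project.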
Exporting your audit logs
You can export copies of some or all of your logs to other applications, other repositories, or third parties. To export your logs, see Exporting logs.
An organization can create an aggregated sink that can export log entries from all the projects, folders, and billing accounts of the organization. Like any sink, your aggregated sink contains a filter that selects individual log entries. To aggregate and export your audit logs, see Aggregated sinks.
To read your log entries through the API, see entries.list. To read your log entries using the SDK, see Reading log entries.