AuditConfig
Stay organized with collections
Save and categorize content based on your preferences.
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
If there are AuditConfigs for both allServices
and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exemptedMembers in each AuditLogConfig are exempted.
Example Policy with multiple AuditConfigs:
{
"auditConfigs": [
{
"service": "allServices",
"auditLogConfigs": [
{
"logType": "DATA_READ",
"exemptedMembers": [
"user:jose@example.com"
]
},
{
"logType": "DATA_WRITE"
},
{
"logType": "ADMIN_READ"
}
]
},
{
"service": "sampleservice.googleapis.com",
"auditLogConfigs": [
{
"logType": "DATA_READ"
},
{
"logType": "DATA_WRITE",
"exemptedMembers": [
"user:aliya@example.com"
]
}
]
}
]
}
For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com
from DATA_READ logging, and aliya@example.com
from DATA_WRITE logging.
AuditLogConfig
Provides the configuration for logging a type of permissions. Example:
{
"auditLogConfigs": [
{
"logType": "DATA_READ",
"exemptedMembers": [
"user:jose@example.com"
]
},
{
"logType": "DATA_WRITE"
}
]
}
This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com
from DATA_READ logging.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License
, and code samples are licensed under the Apache 2.0 License
. For details, see the Google Developers Site Policies
. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-05-30 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-05-30 UTC."],[[["\u003cp\u003eAuditConfig specifies audit settings for a service, including which permission types are logged and which identities are exempt.\u003c/p\u003e\n"],["\u003cp\u003eWhen both \u003ccode\u003eallServices\u003c/code\u003e and a specific service have AuditConfigs, the union of both configurations applies to that service.\u003c/p\u003e\n"],["\u003cp\u003eAuditLogConfig details the logging configuration for specific permission types, such as \u003ccode\u003eDATA_READ\u003c/code\u003e or \u003ccode\u003eDATA_WRITE\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eIdentities can be exempted from logging for specific permission types through the \u003ccode\u003eexemptedMembers\u003c/code\u003e field in AuditLogConfig.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eservice\u003c/code\u003e field in AuditConfig determines the service for which audit logging is enabled, with \u003ccode\u003eallServices\u003c/code\u003e covering every service.\u003c/p\u003e\n"]]],[],null,["# AuditConfig\n\n- [JSON representation](#SCHEMA_REPRESENTATION)\n- [AuditLogConfig](#AuditLogConfig)\n - [JSON representation](#AuditLogConfig.SCHEMA_REPRESENTATION)\n\nSpecifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.\n\nIf there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exemptedMembers in each AuditLogConfig are exempted.\n\nExample Policy with multiple AuditConfigs: \n\n {\n \"auditConfigs\": [\n {\n \"service\": \"allServices\",\n \"auditLogConfigs\": [\n {\n \"logType\": \"DATA_READ\",\n \"exemptedMembers\": [\n \"user:jose@example.com\"\n ]\n },\n {\n \"logType\": \"DATA_WRITE\"\n },\n {\n \"logType\": \"ADMIN_READ\"\n }\n ]\n },\n {\n \"service\": \"sampleservice.googleapis.com\",\n \"auditLogConfigs\": [\n {\n \"logType\": \"DATA_READ\"\n },\n {\n \"logType\": \"DATA_WRITE\",\n \"exemptedMembers\": [\n \"user:aliya@example.com\"\n ]\n }\n ]\n }\n ]\n }\n\nFor sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts [jose@example.com](mailto:jose@example.com) from DATA_READ logging, and [aliya@example.com](mailto:aliya@example.com) from DATA_WRITE logging.\n\nAuditLogConfig\n--------------\n\nProvides the configuration for logging a type of permissions. Example: \n\n {\n \"auditLogConfigs\": [\n {\n \"logType\": \"DATA_READ\",\n \"exemptedMembers\": [\n \"user:jose@example.com\"\n ]\n },\n {\n \"logType\": \"DATA_WRITE\"\n }\n ]\n }\n\nThis enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [jose@example.com](mailto:jose@example.com) from DATA_READ logging."]]
