IAMAuditConfig


IAMAuditConfig lets you manage the IAM policy audit configs (that is, Data Access audit logging) for a given Google Cloud resource. Read more about Data Access audit logs at Configuring Data Access audit logs.

IAMAuditConfig represents an audit config for a single Google Cloud service. It adds an audit config for the given Google Cloud service to the associated Google Cloud resource's IAM policy.

If you want to manage multiple audit configs, use IAMPolicy.

Property                                                          Value
Google Cloud Service Name                                         IAM
Google Cloud Service Documentation                                /iam/docs/
Google Cloud REST Resource Name                                   v1.iamPolicies
Google Cloud REST Resource Documentation                          /iam/reference/rest/v1/iamPolicies
Config Connector Resource Short Names                             gcpiamauditconfig, gcpiamauditconfigs, iamauditconfig
Config Connector Service Name                                     iam.googleapis.com
Config Connector Resource Fully Qualified Name                    iamauditconfigs.iam.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember                    No
Config Connector Default Average Reconcile Interval In Seconds    600

Supported Resources

You can use IAMAuditConfig to configure Data Access audit logging for the following resources.

Kind            External Reference Formats
Folder          folders/{{folder_id}}
Organization    {{org_id}}
Project         projects/{{project_id}}

Custom Resource Definition Properties

Spec

Schema

  auditLogConfigs:
  - exemptedMembers:
    - string
    logType: string
  resourceRef:
    apiVersion: string
    external: string
    kind: string
    name: string
    namespace: string
  service: string

Fields

auditLogConfigs
  Required*, list (object)
  Required. The configuration for logging of each type of permission.

auditLogConfigs[]
  Required*, object

auditLogConfigs[].exemptedMembers
  Optional, list (string)
  Identities that do not cause logging for this type of permission. The format is the same as that for 'members' in IAMPolicy/IAMPolicyMember.

auditLogConfigs[].exemptedMembers[]
  Optional, string

auditLogConfigs[].logType
  Required*, string
  Permission type for which logging is to be configured. Must be one of 'DATA_READ', 'DATA_WRITE', or 'ADMIN_READ'.

resourceRef
  Required*, object
  Immutable. Required. The GCP resource to set the IAMAuditConfig on (e.g. project).

resourceRef.apiVersion
  Optional, string
  APIVersion of the referenced resource.

resourceRef.external
  Optional, string
  The external name of the referenced resource.

resourceRef.kind
  Required*, string
  Kind of the referenced resource.

resourceRef.name
  Optional, string

resourceRef.namespace
  Optional, string

service
  Required*, string
  Immutable. Required. The service for which to enable Data Access audit logs. The special value 'allServices' covers all services. Note that if there are audit configs covering both 'allServices' and a specific service, then the union of the two audit configs is used for that service: the 'logTypes' specified in each 'auditLogConfig' are enabled, and the 'exemptedMembers' in each 'auditLogConfig' are exempted.

* Field is required when parent field is specified
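The constraints in the field reference above (the required fields, the three permitted logType values, the member syntax of exemptedMembers, and the external reference formats from the Supported Resources table) can be checked before a manifest is applied, which catches a mistyped log type or a wrongly formatted organization ID that would otherwise surface only as a reconcile error. The following Python is an added example and is not part of this page or of Config Connector. It assumes IAM member syntax for exemptedMembers (user:, serviceAccount:, group:, domain:, allUsers, allAuthenticatedUsers; the page only says the format matches IAMPolicy members), assumes a resourceRef names its target by exactly one of external or name, uses a lenient project-ID pattern, and substitutes the constructed project ID example-project for the ${PROJECT_ID?} placeholder.

```python
import re

# Permitted logType values, taken from the field reference on this page.
VALID_LOG_TYPES = {"DATA_READ", "DATA_WRITE", "ADMIN_READ"}

# External reference formats from the "Supported Resources" table. Organization
# IDs are bare numbers; folders and projects carry a prefix. The project pattern
# is deliberately lenient (assumption: lowercase letters, digits and hyphens).
EXTERNAL_FORMATS = {
    "Folder": re.compile(r"^folders/\d+$"),
    "Organization": re.compile(r"^\d+$"),
    "Project": re.compile(r"^projects/[a-z][a-z0-9-]+$"),
}

# Assumption: exemptedMembers use IAM member syntax, as 'members' in IAMPolicy do.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")
MEMBER_SPECIAL = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample specs. GOOD_SPEC mirrors the project-level sample on this
# page with the placeholder replaced; BAD_SPEC contains three deliberate errors.
GOOD_SPEC = {
    "service": "allServices",
    "auditLogConfigs": [
        {"logType": "DATA_WRITE"},
        {"logType": "DATA_READ",
         "exemptedMembers": ["serviceAccount:iamauditconfig-dep-projlevel@example-project.iam.gserviceaccount.com"]},
    ],
    "resourceRef": {"kind": "Project", "external": "projects/example-project"},
}

BAD_SPEC = {
    "service": "storage.googleapis.com",
    "auditLogConfigs": [
        {"logType": "DATA_DELETE"},                                     # not a valid logType
        {"logType": "DATA_READ", "exemptedMembers": ["bob@example.com"]},  # missing member prefix
    ],
    # The Organization format on this page is the bare numeric ID.
    "resourceRef": {"kind": "Organization", "external": "organizations/123456789012"},
}


def validate_spec(spec):
    """Return a list of problems found in an IAMAuditConfig spec (empty list means OK)."""
    problems = []

    service = spec.get("service")
    if not isinstance(service, str) or not service:
        problems.append("spec.service is required and must be a non-empty string")

    configs = spec.get("auditLogConfigs")
    if not isinstance(configs, list) or not configs:
        problems.append("spec.auditLogConfigs is required and must be a non-empty list")
        configs = []
    for i, cfg in enumerate(configs):
        path = f"spec.auditLogConfigs[{i}]"
        if not isinstance(cfg, dict):
            problems.append(f"{path} must be an object")
            continue
        log_type = cfg.get("logType")
        if log_type not in VALID_LOG_TYPES:
            problems.append(f"{path}.logType must be one of {sorted(VALID_LOG_TYPES)}, got {log_type!r}")
        for j, member in enumerate(cfg.get("exemptedMembers", [])):
            ok = isinstance(member, str) and (member in MEMBER_SPECIAL or member.startswith(MEMBER_PREFIXES))
            if not ok:
                problems.append(f"{path}.exemptedMembers[{j}] is not a valid IAM member: {member!r}")

    ref = spec.get("resourceRef")
    if not isinstance(ref, dict):
        problems.append("spec.resourceRef is required")
        return problems
    kind = ref.get("kind")
    if kind not in EXTERNAL_FORMATS:
        problems.append(f"spec.resourceRef.kind must be one of {sorted(EXTERNAL_FORMATS)}, got {kind!r}")
    external, name = ref.get("external"), ref.get("name")
    # Assumption: the target is named by exactly one of 'external' or 'name'.
    if bool(external) == bool(name):
        problems.append("spec.resourceRef must set exactly one of 'external' or 'name'")
    elif external and kind in EXTERNAL_FORMATS and not EXTERNAL_FORMATS[kind].match(str(external)):
        problems.append(f"spec.resourceRef.external {external!r} does not match the {kind} format")
    return problems


if __name__ == "__main__":
    for label, spec in (("GOOD_SPEC", GOOD_SPEC), ("BAD_SPEC", BAD_SPEC)):
        found = validate_spec(spec)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

The check runs on the plain dictionary form of the manifest, so it can be fed from any YAML loader or from a CI step that renders the manifests before kubectl apply; the pattern for Project is intentionally loose, so a stricter organisation-specific naming rule can be dropped in without touching the rest of the logic.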

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  observedGeneration: integer

Fields

conditions
  list (object)
  Conditions represent the latest available observations of the IAMAuditConfig's current state.

conditions[]
  object

conditions[].lastTransitionTime
  string
  Last time the condition transitioned from one status to another.

conditions[].message
  string
  Human-readable message indicating details about last transition.

conditions[].reason
  string
  Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status
  string
  Status is the status of the condition. Can be True, False, Unknown.

conditions[].type
  string
  Type is the type of the condition.

observedGeneration
  integer
  ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

Sample YAML(s)

External Organization Level Audit Config

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  # Replace ${PROJECT_ID?} and ${ORG_ID?} below with your desired project and
  # organization IDs respectively.
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMAuditConfig
  metadata:
    name: iamauditconfig-sample-orglevel
  spec:
    service: allServices
    auditLogConfigs:
    - logType: DATA_WRITE
    - logType: DATA_READ
      exemptedMembers:
      - serviceAccount:iamauditconfig-dep-orglevel@${PROJECT_ID?}.iam.gserviceaccount.com
    resourceRef:
      kind: Organization
      external: "${ORG_ID?}"
  ---
  # Replace ${PROJECT_ID?} below with your desired project ID.
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    annotations:
      cnrm.cloud.google.com/project-id: ${PROJECT_ID?}
    name: iamauditconfig-dep-orglevel
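The sample above enables DATA_WRITE and DATA_READ logging for allServices at the organization and exempts one service account from DATA_READ. The service field reference states that when a service-specific audit config also exists, the union of the two applies: every log type from either config is enabled, and every exempted member from either config is exempted. The following Python is an added example, not part of this page or of Config Connector, that computes that effective configuration from a list of IAMAuditConfig specs and answers whether a given call would produce a Data Access log entry. The storage.googleapis.com config, the group and user members, and the project ID are constructed; exemption is tested by exact member match, so group membership expansion is not modelled (assumption).

```python
from collections import defaultdict

# Constructed sample data. The first spec mirrors the org-level sample on this
# page with ${PROJECT_ID?} replaced by a made-up project ID; the second is a
# constructed service-specific config for Cloud Storage on the same resource.
SA = "serviceAccount:iamauditconfig-dep-orglevel@example-project.iam.gserviceaccount.com"
AUDITORS = "group:storage-auditors@example.com"

SAMPLE_CONFIGS = [
    {
        "service": "allServices",
        "auditLogConfigs": [
            {"logType": "DATA_WRITE"},
            {"logType": "DATA_READ", "exemptedMembers": [SA]},
        ],
    },
    {
        "service": "storage.googleapis.com",
        "auditLogConfigs": [
            {"logType": "ADMIN_READ"},
            {"logType": "DATA_READ", "exemptedMembers": [AUDITORS]},
        ],
    },
]


def effective_audit_config(audit_configs, service):
    """Merge every spec that applies to `service` (its own and 'allServices').

    Returns {logType: set(exempted members)}. A logType present in either
    config is enabled, and exemptions from both configs accumulate for that
    logType, which is the union rule from the service field reference.
    """
    merged = defaultdict(set)
    for spec in audit_configs:
        if spec["service"] not in ("allServices", service):
            continue
        for cfg in spec["auditLogConfigs"]:
            merged[cfg["logType"]].update(cfg.get("exemptedMembers", []))
    return dict(merged)


def is_logged(audit_configs, service, log_type, member):
    """True if a `log_type` operation by `member` on `service` is audit-logged.

    Assumption: exemption matches the member string exactly; membership of an
    exempted group is not resolved here.
    """
    effective = effective_audit_config(audit_configs, service)
    return log_type in effective and member not in effective[log_type]


def exemption_report(audit_configs, services):
    """List (service, logType, member) triples that are NOT logged, for review."""
    rows = []
    for service in services:
        for log_type, exempted in sorted(effective_audit_config(audit_configs, service).items()):
            for member in sorted(exempted):
                rows.append((service, log_type, member))
    return rows


if __name__ == "__main__":
    for service in ("storage.googleapis.com", "bigquery.googleapis.com"):
        print(service, effective_audit_config(SAMPLE_CONFIGS, service))
    for row in exemption_report(SAMPLE_CONFIGS, ["storage.googleapis.com", "bigquery.googleapis.com"]):
        print("exempt:", *row)
```

Because the union keeps exemptions from both layers, an exemptedMembers entry on an allServices config is a logging gap on every service, and adding a service-specific config can only widen the set of exempted members for that service, never narrow it; reviewing the output of exemption_report is the quickest way to see which identities leave no Data Access trail.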
 

Project Level Audit Config

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  # Replace ${PROJECT_ID?} below with your desired project ID.
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMAuditConfig
  metadata:
    name: iamauditconfig-sample-projlevel
  spec:
    service: allServices
    auditLogConfigs:
    - logType: DATA_WRITE
    - logType: DATA_READ
      exemptedMembers:
      - serviceAccount:iamauditconfig-dep-projlevel@${PROJECT_ID?}.iam.gserviceaccount.com
    resourceRef:
      kind: Project
      external: projects/${PROJECT_ID?}
  ---
  # Replace ${PROJECT_ID?} below with your desired project ID.
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    annotations:
      cnrm.cloud.google.com/project-id: ${PROJECT_ID?}
    name: iamauditconfig-dep-projlevel
