Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exemptedMembers in each AuditLogConfig are exempted.
Example Policy with multiple AuditConfigs:

    {
      "auditConfigs": [
        {
          "service": "allServices",
          "auditLogConfigs": [
            {
              "logType": "DATA_READ",
              "exemptedMembers": [
                "user:jose@example.com"
              ]
            },
            {
              "logType": "DATA_WRITE"
            },
            {
              "logType": "ADMIN_READ"
            }
          ]
        },
        {
          "service": "sampleservice.googleapis.com",
          "auditLogConfigs": [
            {
              "logType": "DATA_READ"
            },
            {
              "logType": "DATA_WRITE",
              "exemptedMembers": [
                "user:aliya@example.com"
              ]
            }
          ]
        }
      ]
    }

For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.

Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.

AuditLogConfig
--------------

Provides the configuration for logging a type of permissions. Example:

    {
      "auditLogConfigs": [
        {
          "logType": "DATA_READ",
          "exemptedMembers": [
            "user:jose@example.com"
          ]
        },
        {
          "logType": "DATA_WRITE"
        }
      ]
    }

This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.

Last updated 2025-07-28 UTC.
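The union rule for `allServices` and a specific service, worked through on this page's example policy. This is an added example, not code from the original page or from Google; `effective_audit_config` and `exemptions` are hypothetical helper names, and the policy is assumed to be already parsed into a dict.

```python
# Added example: resolve the audit logging in effect for one service.
POLICY = {  # the example policy from this page, embedded so this runs offline
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [
            {"logType": "DATA_READ", "exemptedMembers": ["user:jose@example.com"]},
            {"logType": "DATA_WRITE"},
            {"logType": "ADMIN_READ"},
        ]},
        {"service": "sampleservice.googleapis.com", "auditLogConfigs": [
            {"logType": "DATA_READ"},
            {"logType": "DATA_WRITE", "exemptedMembers": ["user:aliya@example.com"]},
        ]},
    ]
}


def effective_audit_config(policy, service):
    """Return {logType: sorted exempted members} in effect for `service`.

    Hypothetical helper: applies the union of the `allServices` AuditConfig
    and the AuditConfig naming `service`, as the page describes.
    """
    effective = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue  # AuditConfig for some other service
        for log_cfg in cfg.get("auditLogConfigs", []):
            # Listing a logType enables it; exemptions accumulate per type.
            members = effective.setdefault(log_cfg["logType"], set())
            members.update(log_cfg.get("exemptedMembers", []))
    return {log_type: sorted(m) for log_type, m in effective.items()}


def exemptions(policy, service):
    """Hypothetical helper: (logType, member) pairs that go unlogged."""
    merged = effective_audit_config(policy, service)
    return [(t, m) for t in sorted(merged) for m in merged[t]]


if __name__ == "__main__":
    for svc in ("sampleservice.googleapis.com", "storage.googleapis.com"):
        print(svc, effective_audit_config(POLICY, svc))
        print("  exempt:", exemptions(POLICY, svc))
```

Reviewing the `exemptions` output per service shows which identities' reads or writes leave no audit trail, including exemptions inherited from `allServices`.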