Sander van den Oord

Reputation: 12808

GCP logging: Find all resources (recently) used by a specific user

This is part of my journey to get a clear overview of which users/service accounts are in my GCP Project and when they last logged in.
End goal: to be able to clean up users/service accounts if needed when they weren't on GCP for a long time.

First question:
How can I find in the logs when a specific user used resources, so I can determine when this person last logged in?

Upvotes: 1

Views: 1475

Answers (3)

eramm

Reputation: 241

log_id("cloudaudit.googleapis.com/activity") AND
resource.type="project" AND
protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND
protoPayload.methodName="SetIamPolicy" AND
protoPayload.serviceData.policyDelta.bindingDeltas.action="Add" AND
protoPayload.serviceData.policyDelta.bindingDeltas.member:"EMAIL_ID"

See here for more examples. https://cloud.google.com/logging/docs/view/query-library

Upvotes: 0

Sander van den Oord

Reputation: 12808

There is now also the newly added Log Analytics.
This allows you to use SQL to query your logs.

Your logging buckets _Default and _Required need to be upgraded to be able to use Log Analytics:
https://cloud.google.com/logging/docs/buckets#upgrade-bucket

After that you can use, for example, the console to run SQL on your logs:
https://console.cloud.google.com/logs/analytics

Unfortunately, at the moment you can only query the logs that were created after you've switched on Log Analytics.

Example query in Log Analytics:

SELECT
  timestamp,
  proto_payload.audit_log.authentication_info.principal_email,
  auth_info.resource,
  auth_info.permission,
  auth_info.granted
FROM
  `logs__Default_US._AllLogs`
    LEFT JOIN UNNEST(proto_payload.audit_log.authorization_info) auth_info
WHERE
  timestamp > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 30 DAY)
  AND proto_payload.type = "type.googleapis.com/google.cloud.audit.AuditLog"
  AND proto_payload.audit_log.authentication_info.principal_email IN ("name_of_your_user")
ORDER BY
  timestamp

Upvotes: 1

Sander van den Oord

Reputation: 12808

You need the audit logs, and to see them you can run the following query in Cloud Logging:

protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"
protoPayload.authenticationInfo.principalEmail="your_user_name_email_or_your_service_account_email"

You can also check the Activity logs and filter on a user:
https://console.cloud.google.com/home/activity

Related questions + answers:
Pull "last access" information on projects from Google Cloud Platform (GCP)
IAM users and last login date in google cloud
How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?

Upvotes: 1
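
An added example, not part of any of the answers above: once entries matching the AuditLog filter are exported as JSON (for instance with `gcloud logging read --format=json`), this reduces them to a last-seen time per principal and lists the principals with nothing newer than a cutoff. The function names, the 90-day threshold and the sample entries are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
import re

AUDIT_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
_TS = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$")

def entry(ts, email=None):
    """Build a constructed entry shaped like exported LogEntry JSON."""
    payload = {"@type": AUDIT_TYPE}
    if email:
        payload["authenticationInfo"] = {"principalEmail": email}
    return {"timestamp": ts, "protoPayload": payload}

# Constructed sample data, not real log output.
SAMPLE = [
    entry("2024-03-01T08:00:00Z", "alice@example.com"),
    entry("2024-05-01T10:00:00.123456789Z", "alice@example.com"),
    entry("2024-01-10T00:00:00.5Z", "build-sa@example-project.iam.gserviceaccount.com"),
    entry("2024-05-02T09:00:00Z"),  # audit entry with no principal recorded
    {"timestamp": "2024-05-03T09:00:00Z", "textPayload": "not an audit entry"},
]

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp, truncating nanoseconds to microseconds."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base + timedelta(microseconds=int((m.group(2) or "0")[:6].ljust(6, "0")))

def last_seen(entries):
    """Map principalEmail to the newest timestamp among audit log entries."""
    seen = {}
    for e in entries:
        payload = e.get("protoPayload", {})
        if payload.get("@type") != AUDIT_TYPE:
            continue
        email = payload.get("authenticationInfo", {}).get("principalEmail")
        if not email:
            continue
        ts = parse_ts(e["timestamp"])
        if email not in seen or ts > seen[email]:
            seen[email] = ts
    return seen

def stale(entries, known, now, max_age_days=90):
    """Principals in `known` with no audit entry newer than the cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    seen = last_seen(entries)
    return sorted(p for p in known if p not in seen or seen[p] < cutoff)
```

A principal that never appears in the export is reported as stale, so the result is only as reliable as the time range and log types the export covers.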
