Hello
I'm trying to set up an audit log sink in a BigQuery dataset.
An issue persists, causing errors as follows: "Cloud Logging sink configuration error in orgid, sink all_auditlogs_sink_bq: dataset_org_policy_denied ()".
The inclusion filter I set for the sink is as follows: resource.type="bigquery_resource"
Do I need to pre-create tables under the dataset?
I have granted the service account used by the sink the BigQuery Data Editor role in the project where the BigQuery dataset is located. What could be the problem? Please check.
I have a gut feel that this may manifest if you have VPC Service Controls (VPC SC) enabled. VPC SC defines boundaries around your services describing how they can be accessed.
You might also want to review this section of the documentation (here) to see if you have a restriction on where data can be saved as that might also result in the same symptom.
I have applied VPC ingress controls to restrict access to authorized servers and accounts at the organizational level.
Egress controls have not been configured separately.
Could VPC errors still occur even when syncing to a project within the organization?
I believe we are going down the right track ... and that the definition of the VPC Service Controls around the project hosting the target BigQuery Dataset into which you wish your logs to be written is preventing the log sink. VPC SC can protect projects within the same organization from each other (for example ... think of a production project and a development project in your organization ... you'd likely want to ensure that the developers can't accidentally touch your production data). I'm confident that there will be a solution but sadly I don't know it ... we are likely going to want to pose the question in the GCP networking or GCP security forums unless some other kind soul knows how to make progress. If you have a support contract this might be a good example of raising a ticket to ask for a recipe on how to authorize Cloud Logging to write to the target dataset within a VPC SC environment.