
GCP audit documentation - request for additional information on "currentLocations"

The question is about the "currentLocations" entry in the GCP audit log, as specified in https://cloud.google.com/service-infrastructure/docs/service-control/reference/rest/Shared.Types/Aud...


1. The "currentLocations" is an array - when will the audit contain more than one location? (can an action be performed on multiple locations?)

2. Each entry in the authorizationInfo also contains an indication for the zone/region of the resource. 

example:

      "authorizationInfo": [
        {
          "granted": true,
          "permission": "compute.subnetworks.useExternalIp",
          "resourceAttributes": {
            "name": "projects/aaa/regions/us-central1/subnetworks/default",
            "service": "compute",
            "type": "compute.subnetworks"
          }
        },
        {
          "granted": true,
          "permission": "compute.instances.setServiceAccount",
          "resourceAttributes": {
            "name": "projects/aaa/zones/us-central1-a/instances/bbb",
            "service": "compute",
            "type": "compute.instances"
          }
        }
      ]


And in addition it might include "currentLocations" as well:


    "resourceLocation": {
      "currentLocations": [
        "us-central1-a"
      ]
    }

- Is it guaranteed that the information in currentLocations will match the one in the authorizationInfo, at least at a region resolution? In the example above we got the zone in the currentLocations while we have zone and region in the authorizationInfo.


3. When can we expect the "currentLocations" entry in the log and when will it not be present? (what is the rule?) 


Hi,

The entries are populated by the products but in general if the request affects resources in more than one region/zone then each would be included in the entry. Sorry, but I don't have an example off hand.

This following command would print out any entries that have more than one item in the locations list:

gcloud logging read 'protoPayload.resourceLocation.currentLocations:* AND ( log_id("cloudaudit.googleapis.com/data_access") OR log_id("cloudaudit.googleapis.com/activity") )' --freshness=30d --format=json | jq -c -r '.[] | select((.protoPayload.resourceLocation.currentLocations | length) > 1) | .insertId + "\t" + "\(.protoPayload.resourceLocation.currentLocations | length)"'

Also, that applies to the "authorizationInfo", which should match the "currentLocations".

I think this answers your 3 questions if I'm not wrong.

Jahirul Islam

Jahi9435@gmail.com
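A way to check the question's point 2 over exported entries (added example, not part of the original thread or of Google's tooling): each entry's currentLocations is compared with the region/zone segments of the resource names in authorizationInfo, collapsed to region resolution. The sample entries are constructed to mirror the fields quoted above; entry-3 models a request whose log carries no currentLocations.

```python
import json
import re

# Constructed sample entries (not real log output), shaped like the AuditLog fields
# discussed above; entry-3 stands for a request whose log carries no currentLocations.
SAMPLE_ENTRIES = json.loads(r"""[
 {"insertId": "entry-1", "protoPayload": {
   "authorizationInfo": [
     {"granted": true, "permission": "compute.subnetworks.useExternalIp",
      "resourceAttributes": {"name": "projects/aaa/regions/us-central1/subnetworks/default"}},
     {"granted": true, "permission": "compute.instances.setServiceAccount",
      "resourceAttributes": {"name": "projects/aaa/zones/us-central1-a/instances/bbb"}}],
   "resourceLocation": {"currentLocations": ["us-central1-a"]}}},
 {"insertId": "entry-2", "protoPayload": {
   "authorizationInfo": [
     {"granted": true, "permission": "compute.instances.setServiceAccount",
      "resourceAttributes": {"name": "projects/aaa/zones/europe-west1-b/instances/ccc"}}],
   "resourceLocation": {"currentLocations": ["us-central1-a"]}}},
 {"insertId": "entry-3", "protoPayload": {
   "authorizationInfo": [
     {"granted": true, "permission": "storage.objects.get",
      "resourceAttributes": {"name": "projects/_/buckets/global-bucket/objects/x"}}]}}
]""")

# Location segment of a resource name: regions/<r>, zones/<z> or locations/<l>.
LOCATION_RE = re.compile(r"/(?:regions|zones|locations)/([^/]+)")

def region_of(location):
    """Collapse a zone (us-central1-a) to its region (us-central1); anything else unchanged."""
    m = re.fullmatch(r"(.+)-[a-z]", location)
    return m.group(1) if m else location

def authz_regions(entry):
    """Set of regions implied by the resource names in authorizationInfo."""
    regions = set()
    for info in entry["protoPayload"].get("authorizationInfo", []):
        m = LOCATION_RE.search(info.get("resourceAttributes", {}).get("name", ""))
        if m:
            regions.add(region_of(m.group(1)))
    return regions

def check_entry(entry):
    """'absent' without currentLocations; 'match' if they agree with authorizationInfo
    at region resolution; otherwise 'mismatch' (an entry worth a closer look)."""
    current = entry["protoPayload"].get("resourceLocation", {}).get("currentLocations")
    if not current:
        return "absent"
    return "match" if {region_of(loc) for loc in current} == authz_regions(entry) else "mismatch"
```

Feeding the output of the gcloud command above (a JSON array of entries) into check_entry flags the entries where the two fields disagree instead of only counting locations.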
