
Troubleshooting Query-Saving Permissions with Conditional Access in Google Cloud Logging

Hello, I have a question regarding a permission setup that would allow users to save queries. I came across this documentation: https://cloud.google.com/logging/docs/view/building-queries#before_you_begin.

After applying the permissions as outlined in the document, I noticed that the functionality was still not enabled for users. I concluded that it might be due to a condition that only allows access to specific buckets, and indeed, that seems to be the case. When I remove the condition, the permission works, and the user can save their query.

The condition currently configured is as follows: `resource.name == "projects/[project]/locations/global/buckets/[bucket_name]/views/_AllLogs"`

The permissions applied are:

logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.get
logging.locations.list
logging.logEntries.download
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.privateLogEntries.list
logging.queries.deleteShared
logging.queries.getShared
logging.queries.listShared
logging.queries.share
logging.queries.updateShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.access
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get

Does anyone have any ideas on how to make this work correctly with the condition enabled?


Hi @julio-costa

Welcome to Google Cloud Community!

It seems like your condition is the one causing the issue. Are you getting any error messages when the condition is enabled? Also, as part of the troubleshooting, please try to add the role Logging Admin (roles/logging.admin) and Logs View Accessor (roles/logging.viewAccessor) and try again with the condition enabled.

I hope the above information is helpful.


Hi @ronnelg,

"Are you getting any error messages when the condition is enabled?" No, there are no error messages. However, the save icon becomes unavailable when the condition is enabled.


I've already tested the roles roles/logging.viewAccessor and roles/logging.admin, but they had no effect.

It's worth noting that if I remove the condition, everything works fine both with the suggested permissions and the ones I tested.
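
The behaviour discussed in this thread, as an added example that is not part of any post and is not Google's code: a toy model of how a conditional IAM role binding is evaluated, showing that a condition pinning `resource.name` to the log view gates every permission in that binding, the `logging.queries.*` ones included. The saved-query resource name, the `OTHER_VIEW` name, the function names and the two-binding split are assumptions made for illustration.

```python
"""Toy model of IAM conditional role bindings (illustration only, not Google's evaluator)."""

VIEW = "projects/[project]/locations/global/buckets/[bucket_name]/views/_AllLogs"
# Assumption: the save-query check is made against a resource other than the
# log view. This name is a constructed placeholder, not taken from the thread.
QUERY_RESOURCE = "projects/[project]/locations/global/savedQueries/[query_id]"
# Constructed name of a second view, used to show the condition still restricts reads.
OTHER_VIEW = "projects/[project]/locations/global/buckets/[bucket_name]/views/other"


def only_view(resource_name):
    # Same expression as in the thread: resource.name == ".../views/_AllLogs"
    return resource_name == VIEW


def is_allowed(bindings, permission, resource_name):
    """A binding grants a permission only if its condition holds for the resource
    named in the request; a binding without a condition always applies."""
    for b in bindings:
        cond = b["condition"]
        if permission in b["permissions"] and (cond is None or cond(resource_name)):
            return True
    return False


# Setup described in the thread: one role, one condition covering every permission.
single_binding = [{
    "permissions": {"logging.views.access", "logging.queries.usePrivate",
                    "logging.queries.share"},
    "condition": only_view,
}]

# Assumed alternative: keep the condition on view access and bind the query
# permissions through a separate role that carries no condition.
split_bindings = [
    {"permissions": {"logging.views.access"}, "condition": only_view},
    {"permissions": {"logging.queries.usePrivate", "logging.queries.share"},
     "condition": None},
]

if __name__ == "__main__":
    for name, policy in (("single", single_binding), ("split", split_bindings)):
        print(name,
              "| save query:", is_allowed(policy, "logging.queries.usePrivate", QUERY_RESOURCE),
              "| read _AllLogs:", is_allowed(policy, "logging.views.access", VIEW),
              "| read other view:", is_allowed(policy, "logging.views.access", OTHER_VIEW))
```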
