Tags: google-cloud-platform, google-compute-engine, gcloud, audit-logging

Find Google Cloud Platform Operations Performed by a User


Is there a way to track what Google Cloud Platform operations were performed by a user? We want to audit our costs and track usage accordingly.

Edit: there's a Cloud SDK (gcloud) command:

    gcloud compute operations list

that lists actions taken on Compute Engine instances. Is there a way to see what user performed these actions?


Solution

  • If you wish to only track Google Cloud Project (GCP) Compute Engine (GCE) operations with the list command for the operations subgroup, you are able to use the --filter flag to see operations performed by a given user $GCE_USER_NAME:

    gcloud compute operations list \
    --filter="user=$GCE_USER_NAME" \
    --limit=1 \
    --sort-by="~endTime"
    
    #=>
    
    NAME                         TYPE   TARGET                      HTTP_STATUS  STATUS  TIMESTAMP
    $GCP_COMPUTE_OPERATION_NAME  start  $GCP_COMPUTE_INSTANCE_NAME  200          DONE    1970-01-01T00:00:00.001-00:00
    

    Note: feeding the string "~endTime" into the --sort-by flag puts the most recent GCE operation first.

    It might help to retrieve the entire log object in JSON:

    gcloud compute operations list \
    --filter="user=$GCE_USER_NAME" \
    --format=json \
    --limit=1 \
    --sort-by="~endTime"
    
    #=>
    
    [
      {
        "endTime": "1970-01-01T00:00:00.001-00:00",
        . . .
        "user": "$GCE_USER_NAME"
      }
    ]
    

    or YAML:

    gcloud compute operations list \
    --filter="user=$GCE_USER_NAME" \
    --format=yaml \
    --limit=1 \
    --sort-by="~endTime"
    
    #=>
    
    ---
    endTime: '1970-01-01T00:00:00.001-00:00'
    . . .
    user: $GCE_USER_NAME
    

    You are also able to use the Cloud SDK (gcloud) to explore all audit logs, not just audit logs for GCE; it is incredibly clunky, as the other existing answer points out. However, for anyone who wants to use gcloud instead of the console:

    # The filter is double-quoted so the shell expands $GCP_PROJECT_NAME and
    # $GCE_USER_NAME; inside single quotes they would be passed literally.
    gcloud logging read \
    "logName:\"projects/$GCP_PROJECT_NAME/logs/cloudaudit.googleapis.com\"
     protoPayload.authenticationInfo.principalEmail=\"$GCE_USER_NAME\"
     severity>=NOTICE" \
    --freshness="1d" \
    --limit=1 \
    --order="desc" \
    --project=$GCP_PROJECT_NAME
    
    #=>
    
    ---
    insertId: . . .
    . . .
    protoPayload:
      '@type': type.googleapis.com/google.cloud.audit.AuditLog
      authenticationInfo:
        principalEmail: $GCE_USER_NAME
      . . .
    . . .
    

    The read command defaults to YAML format, but you can also get your audit logs in JSON:

    gcloud logging read \
    "logName:\"projects/$GCP_PROJECT_NAME/logs/cloudaudit.googleapis.com\"
     protoPayload.authenticationInfo.principalEmail=\"$GCE_USER_NAME\"
     severity>=NOTICE" \
    --format=json \
    --freshness="1d" \
    --limit=1 \
    --order="desc" \
    --project=$GCP_PROJECT_NAME
    
    #=>
    
    [
      {
        . . .
        "protoPayload": {
          "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
          "authenticationInfo": {
            "principalEmail": "$GCE_USER_NAME"
          },
          . . .
        },
        . . .
      }
    ]
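Both commands in the answer above tell you who did what, but in two different record shapes: a Compute Engine Operation names the actor in its top-level `user` field, while a Cloud Audit Logs entry names it in `protoPayload.authenticationInfo.principalEmail`. The script below is an added example, not code from the answer or from Google: it normalises the `--format=json` output of either command into `(timestamp, principal, action, target)` tuples, sorts them by real time (audit log timestamps use `Z`, Compute operation times use numeric offsets, so a string sort would be wrong), and counts actions per principal, which is the per-user usage view the question asks for. The field names are the real ones from the Operation resource and the `google.cloud.audit.AuditLog` payload; the project `demo-proj`, the principals and the sample records are constructed for the demo.

```python
"""Summarize who did what in a GCP project from gcloud's JSON output.

Usage (pipe either command's --format=json output into the script):

    gcloud compute operations list --format=json | python3 who_did_what.py
    gcloud logging read '<filter>' --format=json | python3 who_did_what.py

Run with no stdin to see it work on the constructed sample records below.
"""
import json
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

_TS_RE = re.compile(r"^(.*?)(\.\d+)?(Z|[+-]\d\d:\d\d)$")


def parse_ts(ts):
    """RFC 3339 string -> aware datetime. Accepts 'Z' and nanosecond fractions,
    which datetime.fromisoformat() on older Pythons does not."""
    m = _TS_RE.match(ts)
    if not m:
        raise ValueError("unparseable timestamp: %r" % ts)
    base, frac, tz = m.groups()
    frac = (frac or ".0")[:7].ljust(7, "0")          # truncate to microseconds
    return datetime.fromisoformat(base + frac + ("+00:00" if tz == "Z" else tz))


def normalize(record):
    """Map one gcloud record to (timestamp, principal, action, target)."""
    if "protoPayload" in record:                     # from: gcloud logging read
        p = record["protoPayload"]
        return (record.get("timestamp", ""),
                p.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
                p.get("methodName", "<unknown>"),
                p.get("resourceName", ""))
    if "operationType" in record:                    # from: gcloud compute operations list
        return (record.get("endTime") or record.get("insertTime", ""),
                record.get("user", "<unknown>"),
                record["operationType"],
                record.get("targetLink", "").rsplit("/", 1)[-1])
    raise ValueError("unrecognised record shape, keys=%s" % sorted(record))


def timeline(records):
    """All records as normalized tuples, oldest first, ordered by parsed time
    so that mixed 'Z' and '-08:00' stamps interleave correctly."""
    return sorted((normalize(r) for r in records), key=lambda t: parse_ts(t[0]))


def summarize(records):
    """{principal: Counter({action: count})} -- per-user usage across both sources."""
    per_user = defaultdict(Counter)
    for _, who, action, _ in (normalize(r) for r in records):
        per_user[who][action] += 1
    return dict(per_user)


# Constructed sample data (not real gcloud output). One Compute operation and
# three audit log entries; the Compute op and the first audit entry describe
# the same instance start, seen from the two different APIs.
_INSTANCE = "projects/demo-proj/zones/us-central1-a/instances/web-1"
_ACTIVITY_LOG = "projects/demo-proj/logs/cloudaudit.googleapis.com%2Factivity"


def _audit(ts, who, method, resource=_INSTANCE, ip="203.0.113.5"):
    return {"logName": _ACTIVITY_LOG, "timestamp": ts, "severity": "NOTICE",
            "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                             "authenticationInfo": {"principalEmail": who},
                             "methodName": method, "resourceName": resource,
                             "requestMetadata": {"callerIp": ip}}}


SAMPLE_RECORDS = [
    {"operationType": "start", "status": "DONE", "user": "alice@example.com",
     "endTime": "2024-01-10T09:05:00.000-08:00",          # == 17:05:00Z
     "targetLink": "https://www.googleapis.com/compute/v1/" + _INSTANCE},
    _audit("2024-01-10T17:05:00.123456789Z", "alice@example.com",
           "v1.compute.instances.start"),
    _audit("2024-01-10T17:30:00Z", "alice@example.com",
           "v1.compute.instances.setMetadata"),
    _audit("2024-01-10T18:00:00Z", "bob-sa@demo-proj.iam.gserviceaccount.com",
           "v1.compute.instances.delete", ip="10.0.0.7"),
]

if __name__ == "__main__":
    records = SAMPLE_RECORDS if sys.stdin.isatty() else json.load(sys.stdin)
    for ts, who, action, target in timeline(records):
        print(f"{ts:32s} {who:48s} {action:36s} {target}")
    print()
    for who, actions in summarize(records).items():
        print(f"{who}: {dict(actions)}")
```

Two caveats when using this for cost attribution: `gcloud compute operations list` only covers Compute Engine, so audit logs are the place to look for everything else, and the Admin Activity log (the `%2Factivity` suffix in `logName`) is on by default while Data Access logs, which record reads and data-plane calls, are off by default for most services and must be enabled before they will show up in `gcloud logging read`.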