Tags: google-cloud-platform, gcloud, google-artifact-registry

Unable to trigger dry-run audit logs for Google Cloud Artifact Registry cleanup policy


Following the docs available from GCP here: https://cloud.google.com/artifact-registry/docs/repositories/cleanup-policy

I set the cleanup policy on my artifact repository with the dry-run option enabled, but could not get any audit logs to be output using the command:

gcloud logging read 'protoPayload.serviceName="artifactregistry.googleapis.com" AND protoPayload.request.parent:"projects/gift-service-app-jm/locations/australia-southeast1/repositories/gcf-artifacts" AND protoPayload.request.validateOnly=true' \
    --resource-names="projects/gift-service-app-jm" \
    --project=gift-service-app-jm

I was able to confirm the policy has been set and the dry-run option is enabled using the gcloud artifacts repositories describe gcf-artifacts command:

{
  "cleanupPolicies": {
    "Delete Previous Versions": {
      "action": "DELETE",
      "condition": {
        "olderThan": "864000s",
        "tagState": "UNTAGGED"
      },
      "id": "Delete Previous Versions"
    }
  },
  "cleanupPolicyDryRun": true,
  "createTime": "2023-09-27T05:07:31.256470Z",
  "description": "This repository is created and used by Cloud Functions",
  "format": "DOCKER",
  "labels": {
    "goog-managed-by": "cloudfunctions"
  },
  "mode": "STANDARD_REPOSITORY",
  "name": "projects/gift-service-app-jm/locations/australia-southeast1/repositories/gcf-artifacts",
  "updateTime": "2024-07-10T05:39:56.088672Z"
}

Has anyone had this issue before? I have the Owner role applied to my IAM principal, but have also tried adding the Logs Viewer and Private Logs Viewer roles explicitly.


Solution

  • Please go through this Google Cloud Community link, where it mentions that Artifact Registry does have cleanup policies. The deletion events triggered by these policies are not logged in Cloud Logging by default. Also make sure you have enabled Audit Logging for Artifact Registry.

    However, you can further check the effects of your cleanup policy in the Artifact Registry Data Access audit logs. You can view these logs by enabling Data Access audit logs, following the documentation, and filtering the logs with these steps:

    Includes "admin read" operations that read metadata or configuration information. Also includes "data read" and "data write" operations that read or write user-provided data.

    To receive Data Access audit logs, you must explicitly enable them.

    Resource type: "Artifact Registry"

    Log name: "data_access"

    Note: Search for relevant keywords: "DELETE", "cleanup", or the specific names of your cleanup policies.
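As an added example (not code from the question or the answer above), the two pieces the answer describes, expressed as code: the auditConfigs entry that enables Artifact Registry Data Access audit logs in a project's IAM policy, and the Cloud Logging filter for the resulting data_access entries of one repository. It assumes the policy dict is the JSON from `gcloud projects get-iam-policy` and that audit entries for a cleanup-deleted version carry a resourceName starting with the repository path.

```python
"""Added example: enable Artifact Registry Data Access audit logs in an IAM
policy and build a Cloud Logging filter for the data_access entries.
Assumed flow: policy = json.load(gcloud projects get-iam-policy PROJECT
--format=json); write the returned policy back with set-iam-policy."""
import copy

AR_SERVICE = "artifactregistry.googleapis.com"
# The three Data Access log types Cloud Audit Logs lets you enable per service.
LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def enable_data_access_audit(policy: dict) -> dict:
    """Return a copy of the IAM policy with all Data Access log types enabled
    for Artifact Registry. Other services' auditConfigs are preserved and the
    function is idempotent, so re-applying it changes nothing."""
    policy = copy.deepcopy(policy)
    configs = policy.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == AR_SERVICE), None)
    if entry is None:
        entry = {"service": AR_SERVICE, "auditLogConfigs": []}
        configs.append(entry)
    log_configs = entry.setdefault("auditLogConfigs", [])
    present = {c.get("logType") for c in log_configs}
    for log_type in LOG_TYPES:
        if log_type not in present:
            log_configs.append({"logType": log_type})
    return policy


def cleanup_dry_run_filter(project: str, location: str, repo: str) -> str:
    """Cloud Logging filter for Artifact Registry Data Access entries that
    touch one repository. The data_access log name is the fixed Cloud Audit
    Logs name; the repository path has the same form as in the question.
    Assumption: resourceName of affected versions begins with that path."""
    parent = f"projects/{project}/locations/{location}/repositories/{repo}"
    return " AND ".join([
        f'logName="projects/{project}/logs/cloudaudit.googleapis.com%2Fdata_access"',
        f'protoPayload.serviceName="{AR_SERVICE}"',
        f'protoPayload.resourceName:"{parent}"',
    ])
```

Pass the filter string to `gcloud logging read` with `--project` set to the same project once the audit config has been applied.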