principalEmail missing from PERMISSION_DENIED storage.objects.get logs

603 views

Skip to first unread message

Bikram Sisodia

unread,

Nov 8, 2019, 12:46:08 PM11/8/19

to Google Stackdriver Discussion Forum

Hi,

I am monitoring access to GCS buckets - who is accessing which blob and if there is unauthorized access attempt. I am getting logs of both - authorized as well as unauthorized attempts. However, in case of unauthorized attempts, I am not getting principlaEmail so it is not possible for me to know who attempted it. How to enable logging pricipalEmail in case of failed attempt?

Here are the two log snippets:

Successful fetch of a blob:

{
 insertId: "x****o"  
 logName: "projects/my_project/logs/cloudaudit.googleapis.com%2Fdata_access"  
 protoPayload: {
  @type: "type.googleapis.com/google.cloud.audit.AuditLog"   
  authenticationInfo: {
   principalEmail: "firstname...@mydomain.com"    
  }
  authorizationInfo: [
   0: {
    granted: true     
    permission: "storage.objects.get"     
    resource: "projects/_/buckets/my_bucket/objects/my_blob"     
    resourceAttributes: {
    }
   }
  ]
  methodName: "storage.objects.get"   
  requestMetadata: {.. }
  resourceLocation: {.. }
  resourceName: "projects/_/buckets/my_bucket/objects/my_blob"   
  serviceName: "storage.googleapis.com"   
  status: {
  }
 }
 receiveTimestamp: "2019-10-08T14:28:17.999855669Z"  
 resource: {.. }
 severity: "INFO"  
 timestamp: "2019-10-08T14:28:17.297Z"  
}

Failed attempt:

{
 insertId: "3***c"  
 logName: "projects/my_project/logs/cloudaudit.googleapis.com%2Fdata_access"  
 protoPayload: {
  @type: "type.googleapis.com/google.cloud.audit.AuditLog"   
  authenticationInfo: {
  }
  authorizationInfo: [
   0: {
    permission: "storage.objects.get"     
    resource: "projects/_/buckets/my_bucket/objects/my_blob"     
    resourceAttributes: {
    }
   }
  ]
  methodName: "storage.objects.get"   
  requestMetadata: {.. }
  resourceLocation: {.. }
  resourceName: "projects/_/buckets/my_bucket/objects/my_blob"   
  serviceName: "storage.googleapis.com"   
  status: {
   code: 7    
   message: "PERMISSION_DENIED"    
  }
 }
 receiveTimestamp: "2019-10-08T13:26:48.440149454Z"  
 resource: {..}
 severity: "ERROR"  
 timestamp: "2019-10-08T13:26:47.467Z"  
}

-------------------------------------------------------

essenceglobal.com
Facebook • Twitter • YouTube • Instagram

Philip O'Toole

unread,

Nov 8, 2019, 2:07:03 PM11/8/19

to Google Stackdriver Discussion Forum

Hello,

In the case of "permission denied" read-only accesses, the identity of the actor is deliberately redacted in the Audit Logs, as per the documentation. This is to protect the privacy of the actor.

Thanks,

Philip

On Friday, November 8, 2019 at 12:46:08 PM UTC-5 Bikram Sisodia wrote:

Hi,
I am monitoring access to GCS buckets - who is accessing which blob and if there is unauthorized access attempt. I am getting logs of both - authorized as well as unauthorized attempts. However, in case of unauthorized attempts, I am not getting principlaEmail so it is not possible for me to know who attempted it. How to enable logging pricipalEmail in case of failed attempt?
Here are the two log snippets:

Successful fetch of a blob:

{ insertId: "x****o" logName: "projects/my_project/logs/cloudaudit.googleapis.com%2Fdata_access" protoPayload: { @type: "type.googleapis.com/google.cloud.audit.AuditLog" authenticationInfo: {

principalEmail: "firstname.lastname@mydomain.com" }

Reply all

Reply to author

Forward

0 new messages