Supported services
This page lists all the Google Cloud services that write Access Transparency logs.
GA indicates that a log type is generally available for a service. Preview indicates that a log type is available, but might be changed in backward-incompatible ways and is not subject to any SLA or deprecation policy.
Access Transparency logs for products in Preview are disabled by default. To opt in to Access Transparency for Preview products on your organization, contact Cloud Customer Care.
If you want to enable Access Transparency logs, see Enabling Access Transparency.
Supported Google Cloud services
Access Transparency supports the following Google Cloud services:
| Supported service | Launch stage | Notes |
|---|---|---|
| Access Context Manager | GA | None |
| Access Transparency | GA | None |
| Agent Assist | GA | None |
| AlloyDB for PostgreSQL | GA | None |
| Anti Money Laundering AI | GA | None |
| Apigee | GA |
The following Apigee features are not supported by Access Transparency:
|
| App Engine | GA | Cloud Storage and Cloud SQL are the only compatible storage backends for App Engine supported by Access Transparency. |
| Application Integration | GA | None |
| Artifact Registry | GA | None |
| Backup for GKE | Preview | None |
| BigQuery | GA |
Some information about your queries, tables, and datasets might not generate an
Access Transparency log entry if viewed by Cloud Customer Care. Viewing query text, table names,
dataset names, and dataset access control lists might not generate Access Transparency log
entries; this access pathway gives read-only access. Viewing query results and table or dataset
data generates Access Transparency log entries. Some Access Transparency logs for BigQuery might not contain the accessApprovals field.Data in queries residing in non-Google regions for BigQuery Omni does not generate an Access Transparency log entry. Gemini in BigQuery is not supported in Assured Workloads. |
| Bigtable | GA | None |
| BigQuery Data Transfer Service | GA | None |
| Binary Authorization | GA | None |
| Certificate Authority Service | GA | None |
| Cloud Build | GA | None |
| Cloud Composer | GA | None |
| Cloud DNS | GA | None |
| Cloud Data Fusion | GA | None |
| Cloud Data Fusion | GA | None |
| Cloud External Key Manager (Cloud EKM) | GA | None |
| Cloud Run functions | GA | None |
| Cloud Healthcare API | GA | Features within Cloud Healthcare API that are not yet generally available might not generate Access Transparency logs. For more information, see the Cloud Healthcare API documentation. |
| Cloud Interconnect | GA | None |
| Cloud Key Management Service (Cloud KMS) | GA | None |
| Cloud Logging | GA | None |
| Cloud NAT | GA | None |
| Cloud OS Login API | GA | None |
| Cloud Router | GA | None |
| Cloud Run | GA | None |
| Cloud SQL | GA | None |
| Cloud Service Mesh | GA | None |
| Cloud Storage | GA | None |
| Cloud Tasks | GA | None |
| Cloud VPN | GA | None |
| Cloud Vision API | GA | None |
| Cloud Workstations | GA | None |
| Colab Enterprise | GA | None |
| Compute Engine | GA | None |
| Container Registry | Preview | None |
| Conversational Insights | GA | None |
| Database Center | GA | None |
| Dataflow | GA | None |
| Dataform | GA | None |
| Dataplex | GA | None |
| Dataproc | GA | None |
| Dialogflow CX | GA | None |
| Google Distributed Cloud | GA | None |
| Document AI | GA |
Requests that use the features exposed through the alpha-documentai.googleapis.com
endpoint won't generate Access Transparency logs.
|
| Eventarc | GA | None |
| External passthrough Network Load Balancer | GA | None |
| Filestore | GA | None |
| Firebase Security Rules | GA | None |
| Firestore | GA | None |
| GKE Connect | GA | None |
| GKE Hub | GA | None |
| GKE Identity Service | GA | None |
| Google Cloud Armor | GA | Access Transparency logs are generated for regional Google Cloud Armor security policies. Global Google Cloud Armor security policies won't generate logs. |
| Google Cloud NetApp Volumes | Preview | None |
| Google Distributed Cloud | GA | None |
| Google Kubernetes Engine | GA | None |
| Google Security Operations SIEM | GA | None |
| Google Security Operations SOAR | GA | None |
| Cloud HSM | GA | None |
| Identity and Access Management (IAM) | GA | None |
| Identity-Aware Proxy | GA | None |
| Integration Connectors | GA | None |
| Internal passthrough Network Load Balancer | GA | None |
| Jurisdictional Google Cloud console | GA | None |
| Looker (Google Cloud core) | GA | None |
| Memorystore for Redis | GA | None |
| Model Armor | GA | None |
| Cloud Monitoring | GA | None |
| Org Lifecycle API | GA | None |
| Organization Policy Service | Preview | None |
| Parameter Manager | GA | None |
| Persistent Disk | GA | None |
| Pub/Sub | GA | Some information about your topics and subscriptions might not generate an Access Transparency log entry if viewed by Cloud Customer Care. Viewing topic names, subscription names, message attributes, and timestamps might not generate Access Transparency log entries; this access pathway gives read-only access. Viewing message payloads generates Access Transparency log entries. |
| regional external Application Load Balancer | GA | None |
| regional external proxy Network Load Balancer | GA | None |
| regional internal Application Load Balancer | GA | None |
| regional internal proxy Network Load Balancer | GA | None |
| Resource Manager | GA | None |
| Secret Manager | GA | None |
| Secure Source Manager | GA | None |
| Sensitive Data Protection | GA | None |
| Serverless VPC Access | GA | None |
| Spanner | GA | None |
| Speaker ID | GA | None |
| Speech-to-Text | GA | None |
| Storage Transfer Service | GA | None |
| Text-to-Speech | GA | None |
| Vector Search | GA | There are some scenarios for which access to your data in Vertex AI by Google personnel isn't logged. See Limitations of Access Transparency in Vertex AI for the complete list of such scenarios. |
| Vertex AI Feature Store | GA | None |
| Vertex AI Search | GA | There are some scenarios for which access to your data in Vertex AI by Google personnel isn't logged. See Limitations of Access Transparency in Vertex AI for the complete list of such scenarios. |
| Vertex AI Workbench instances | GA | None |
| Vertex AI Workbench managed notebooks | GA | None |
| Vertex AI Workbench user-managed notebooks | GA | None |
| Virtual Private Cloud (VPC) | GA | None |
| Workforce Identity Federation | GA | None |
| Workload Identity Federation | GA | None |
Support for Google Workspace
Several Google Workspace services such as Gmail, Google Docs, Google Calendar, and Google Drive record the actions that Google personnel take when accessing customer content.
Access Transparency logs help ensure that Google personnel access customer content with a valid business justification. Access Transparency logs can also help security information and event management (SIEM) tools identify data exfiltration and exposure to external malicious actors targeting your Google Workspace resources. You can use the Google Cloud console to access the Access Transparency logs that Google Workspace services generate.
For more information about Access Transparency logs for Google Workspace, including the list of Google Workspace services that support Access Transparency, see Access Transparency: View logs on Google access to user content.
For information about viewing and understanding the Access Transparency logs that Google Workspace services generate, see Viewing Access Transparency logs for Google Workspace.
For information about the audit logs that Google Workspace services generate, see Cloud Audit Logs for Google Workspace.