Stay organized with collections
Save and categorize content based on your preferences.
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exemptedMembers in each AuditLogConfig are exempted.
For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-23 UTC."],[[["\u003cp\u003eAuditConfig defines the logging configuration for a service, specifying which permission types are logged and which identities are exempt.\u003c/p\u003e\n"],["\u003cp\u003eIf both \u003ccode\u003eallServices\u003c/code\u003e and a specific service have AuditConfigs, the union of these configurations dictates the logging behavior for that service.\u003c/p\u003e\n"],["\u003cp\u003eAuditLogConfigs within an AuditConfig detail the logging settings for specific permission types, like DATA_READ or DATA_WRITE, including any exempted members.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eservice\u003c/code\u003e field in AuditConfig determines which service the audit logging applies to, with \u003ccode\u003eallServices\u003c/code\u003e covering all services.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eAuditLogConfig\u003c/code\u003e has a \u003ccode\u003elogType\u003c/code\u003e to specify which type of log is enabled, and \u003ccode\u003eexemptedMembers\u003c/code\u003e to specify identities not subject to the log type.\u003c/p\u003e\n"]]],[],null,["# AuditConfig\n\nSpecifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.\n\nIf there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exemptedMembers in each AuditLogConfig are exempted.\n\nExample Policy with multiple AuditConfigs: \n\n {\n \"auditConfigs\": [\n {\n \"service\": \"allServices\",\n \"auditLogConfigs\": [\n {\n \"logType\": \"DATA_READ\",\n \"exemptedMembers\": [\n \"user:jose@example.com\"\n ]\n },\n {\n \"logType\": \"DATA_WRITE\"\n },\n {\n \"logType\": \"ADMIN_READ\"\n }\n ]\n },\n {\n \"service\": \"sampleservice.googleapis.com\",\n \"auditLogConfigs\": [\n {\n \"logType\": \"DATA_READ\"\n },\n {\n \"logType\": \"DATA_WRITE\",\n \"exemptedMembers\": [\n \"user:aliya@example.com\"\n ]\n }\n ]\n }\n ]\n }\n\nFor sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts `jose@example.com` from DATA_READ logging, and `aliya@example.com` from DATA_WRITE logging.\n\nAuditLogConfig\n--------------\n\nProvides the configuration for logging a type of permissions. Example: \n\n {\n \"auditLogConfigs\": [\n {\n \"logType\": \"DATA_READ\",\n \"exemptedMembers\": [\n \"user:jose@example.com\"\n ]\n },\n {\n \"logType\": \"DATA_WRITE\"\n }\n ]\n }\n\nThis enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting [jose@example.com](mailto:jose@example.com) from DATA_READ logging."]]
