Configure logging for Model Armor

This document describes how to configure Model Armor to log the following operations:

  • Operations that create, update, or delete a template
  • Operations that sanitize a user prompt or model response

Model Armor uses audit logs to record administrative and resource management activities. For more information, see Model Armor audit logging overview.

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Obtain the required permissions

To get the permissions that you need to configure logging for Model Armor, ask your administrator to grant you the Model Armor Admin (roles/modelarmor.admin) IAM role on the Model Armor template. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Enable APIs

You must enable Model Armor APIs before you can use Model Armor.

Console

  1. Enable the Model Armor API.

    Enable the API

  2. Select the project where you want to activate Model Armor.

gcloud

Before you begin, follow these steps using the Google Cloud CLI with the Model Armor API:

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Run the following command to set the API endpoint for the Model Armor service.

    gcloud config set api_endpoint_overrides/modelarmor "https://modelarmor.LOCATION.rep.googleapis.com/"

    Replace LOCATION with the region where you want to use Model Armor.

Run the following command to enable Model Armor.

  gcloud services enable modelarmor.googleapis.com --project=PROJECT_ID
   

Replace PROJECT_ID with the ID of the project.

Configure logging in templates

Templates define the filters and thresholds for different safety and security categories. When creating or updating a Model Armor template, you can specify whether Model Armor logs certain operations. Use the following flags in the template metadata:

  • log_template_operations: A boolean value that enables logging of the create, update, read, and delete template operations.
  • log_sanitize_operations: A boolean value that enables logging of the sanitize operations. The logs include the prompt and response, Model Armor's evaluation results, and additional metadata fields.

REST

  curl -X POST \
      -d '{ "filterConfig": {}, "templateMetadata": { "logTemplateOperations": true, "logSanitizeOperations": true } }' \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates?template_id=TEMPLATE_ID"

Replace the following:

  • PROJECT_ID: the ID of the project that the template belongs to.
  • LOCATION: the location of the template.
  • TEMPLATE_ID: the ID of the template.

Python

   request = modelarmor_v1.CreateTemplateRequest(
     parent="projects/PROJECT_ID/locations/LOCATION",
     template_id="TEMPLATE_ID",
     template={
        "name": "projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID",
        "filter_config": {},
        "template_metadata": {
           "log_template_operations": True,
           "log_sanitize_operations": True
        }
     }
   )
   response = client.create_template(request=request)
   

Replace the following:

  • PROJECT_ID: the ID of the project that the template belongs to.
  • LOCATION: the location of the template.
  • TEMPLATE_ID: the ID of the template.

View logs

Access Model Armor logs using Logs Explorer in Cloud Logging. For more information, see View logs by using the Logs Explorer. Filter by the service name modelarmor.googleapis.com. Look for entries related to the operations that you enabled in your template. For a list of all the service names and monitored resource types, see Monitored resources and services.

Filter Model Armor logs

Use log labels for filtering the Model Armor logs for the sanitization operations and template logging.

Run the following query in the Logs Explorer to filter the sanitization operations logs.

jsonPayload.@type="type.googleapis.com/google.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry"

To further refine the sanitization operation logs, you can specify a project ID, client name, or correlation ID in the query.

  • Using a project ID:

    jsonPayload.@type="type.googleapis.com%2Fgoogle.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry";project=PROJECT_ID
    
  • Using a client name:

    jsonPayload.@type="type.googleapis.com/google.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry"
    labels."modelarmor.googleapis.com/client_name"="CLIENT_NAME"
    
  • Using a correlation ID:

    labels."modelarmor.googleapis.com/client_correlation_id"="CORRELATION_ID"
    

Replace the following:

  • PROJECT_ID: the Google Cloud project ID.
  • CLIENT_NAME: the name of your client.
  • CORRELATION_ID: the unique identifier that you generate for a specific request.

Correlate logs and related events

To correlate logs and events related to that particular interaction, you will need a client correlation ID. It is a unique identifier that you generate (for example, a UUID) to track a specific request across your system. To set a client correlation ID in a curl header, use the -H option to include a custom header in your request. Here's the sample format:

curl -X POST -d  '{"userPromptData": { "text": 'USER_PROMPT' } }' \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "MA-Client-Correlation-Id: $uuid" \
    "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID:sanitizeUserPrompt"

curl -X POST \
    -d  '{"modelResponseData": { "text": 'MODEL_RESPONSE' }, "userPrompt": 'USER_PROMPT' }' \
    -H "Content-Type: application/json" \
    -H "MA-Client-Correlation-Id: $uuid" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID:sanitizeModelResponse"

Replace the following:

  • PROJECT_ID: the ID of the project that the template belongs to.
  • LOCATION: the location of the template.
  • TEMPLATE_ID: the ID of the template.
  • USER_PROMPT: the prompt provided to the model.
  • MODEL_RESPONSE: the response received from the model.