The gcp:projects/iAMAuditConfig:IAMAuditConfig resource, part of the Pulumi GCP provider, configures audit logging for GCP services at the project level. It controls which operations are logged and which members are exempted from logging. This guide focuses on enabling audit logging across all services.
This resource is one of four IAM resources for managing project-level permissions and audit configuration. It cannot be used alongside IAMPolicy, which manages the entire IAM policy authoritatively. The example is intentionally small. Combine it with your own project configuration and log sink setup.
Enable audit logging for all services
Compliance and security teams need visibility into administrative actions and data access across GCP projects to track who did what, when, and where.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Project-level audit config: one resource covers every GCP service.
const project = new gcp.projects.IAMAuditConfig("project", {
    project: "your-project-id",
    service: "allServices",
    auditLogConfigs: [
        {
            logType: "ADMIN_READ",
        },
        {
            logType: "DATA_READ",
            // Principals listed here are not logged for this log type.
            exemptedMembers: ["user:joebloggs@example.com"],
        },
    ],
});
```
```python
import pulumi
import pulumi_gcp as gcp

# Project-level audit config: one resource covers every GCP service.
project = gcp.projects.IAMAuditConfig("project",
    project="your-project-id",
    service="allServices",
    audit_log_configs=[
        {
            "log_type": "ADMIN_READ",
        },
        {
            "log_type": "DATA_READ",
            # Principals listed here are not logged for this log type.
            "exempted_members": ["user:joebloggs@example.com"],
        },
    ])
```
```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/projects"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Project-level audit config: one resource covers every GCP service.
		_, err := projects.NewIAMAuditConfig(ctx, "project", &projects.IAMAuditConfigArgs{
			Project: pulumi.String("your-project-id"),
			Service: pulumi.String("allServices"),
			AuditLogConfigs: projects.IAMAuditConfigAuditLogConfigArray{
				&projects.IAMAuditConfigAuditLogConfigArgs{
					LogType: pulumi.String("ADMIN_READ"),
				},
				&projects.IAMAuditConfigAuditLogConfigArgs{
					LogType: pulumi.String("DATA_READ"),
					// Principals listed here are not logged for this log type.
					ExemptedMembers: pulumi.StringArray{
						pulumi.String("user:joebloggs@example.com"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // Project-level audit config: one resource covers every GCP service.
    var project = new Gcp.Projects.IAMAuditConfig("project", new()
    {
        Project = "your-project-id",
        Service = "allServices",
        AuditLogConfigs = new[]
        {
            new Gcp.Projects.Inputs.IAMAuditConfigAuditLogConfigArgs
            {
                LogType = "ADMIN_READ",
            },
            new Gcp.Projects.Inputs.IAMAuditConfigAuditLogConfigArgs
            {
                LogType = "DATA_READ",
                // Principals listed here are not logged for this log type.
                ExemptedMembers = new[]
                {
                    "user:joebloggs@example.com",
                },
            },
        },
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.projects.IAMAuditConfig;
import com.pulumi.gcp.projects.IAMAuditConfigArgs;
import com.pulumi.gcp.projects.inputs.IAMAuditConfigAuditLogConfigArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Project-level audit config: one resource covers every GCP service.
        var project = new IAMAuditConfig("project", IAMAuditConfigArgs.builder()
            .project("your-project-id")
            .service("allServices")
            .auditLogConfigs(
                IAMAuditConfigAuditLogConfigArgs.builder()
                    .logType("ADMIN_READ")
                    .build(),
                IAMAuditConfigAuditLogConfigArgs.builder()
                    .logType("DATA_READ")
                    // Principals listed here are not logged for this log type.
                    .exemptedMembers("user:joebloggs@example.com")
                    .build())
            .build());
    }
}
```
```yaml
resources:
  project:
    type: gcp:projects:IAMAuditConfig
    properties:
      project: your-project-id
      service: allServices   # one resource covers every GCP service
      auditLogConfigs:
        - logType: ADMIN_READ
        - logType: DATA_READ
          # Principals listed here are not logged for this log type.
          exemptedMembers:
            - user:joebloggs@example.com
```
The service property determines which GCP services are audited. Setting it to “allServices” enables logging across all services in the project. The auditLogConfigs array defines which log types to capture: ADMIN_READ tracks administrative operations, while DATA_READ tracks data access. The exemptedMembers property excludes the listed principals from that log type; the example exempts a user, but the same mechanism is typically used for service accounts that generate high-volume routine operations. Every exemption is a gap in the audit trail for that principal, so keep exemption lists short and review them together with the rest of the project's IAM configuration.
Beyond these examples
This snippet focuses on audit logging configuration for GCP services. It’s intentionally minimal rather than a full compliance monitoring solution.
The example references pre-existing infrastructure such as a GCP project with appropriate IAM permissions. It focuses on configuring audit logging rather than provisioning the surrounding infrastructure.
To keep things focused, common audit logging patterns are omitted, including:
- Service-specific audit configurations (using specific service names instead of allServices)
- Log type combinations and their implications (ADMIN_READ, DATA_READ, DATA_WRITE)
- Integration with Cloud Logging and log sinks
- Audit log retention and storage configuration
These omissions are intentional: the goal is to illustrate how audit logging is wired, not provide drop-in compliance modules. See the IAMAuditConfig resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Conflicts
gcp.projects.IAMPolicy cannot be used with gcp.projects.IAMBinding, gcp.projects.IAMMember, or gcp.projects.IAMAuditConfig, as they will conflict over policy management. Choose one approach: use IAMPolicy alone for full control, or use combinations of IAMBinding, IAMMember, and IAMAuditConfig for granular management.
Use gcp.projects.IAMBinding or gcp.projects.IAMMember, not both.
Choose based on your needs:
- gcp.projects.IAMPolicy: Authoritative, replaces the entire policy
- gcp.projects.IAMBinding: Authoritative for a specific role
- gcp.projects.IAMMember: Non-authoritative, adds a single member to a role
- gcp.projects.IAMAuditConfig: Authoritative for audit logging on a service
gcp.projects.IAMPolicy removes access from anyone without organization-level access, potentially locking you out. It’s not recommended for your provider project. If you use it, import the existing policy before applying changes, and only use it with projects fully managed by Pulumi.
Audit Logging Configuration
Setting service to allServices enables audit logging for all GCP services. If you have both allServices and specific service configurations, their union applies: all log_types are enabled, and all exempted_members are exempted.
Define multiple auditLogConfigs entries with different logType values, such as ADMIN_READ and DATA_READ. Each entry can have its own exemptedMembers list.
Add an exemptedMembers array to the relevant auditLogConfigs entry, specifying members like user:joebloggs@example.com.
Project Configuration
The project property is immutable and cannot be changed after resource creation.
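As an added example (not code from the Pulumi docs or the GCP provider), the following Python models the union rule described in the FAQ above and reports what a reviewer would check for a given service: log types not yet enabled and principals exempted from data-access logging. The storage.googleapis.com entry and the serviceAccount member are constructed sample input.

```python
from collections import defaultdict

# Constructed sample input: the allServices config from the examples above
# plus a hypothetical service-specific config for Cloud Storage. Keys mirror
# the Pulumi Python property names.
SAMPLE_CONFIGS = [
    {"service": "allServices",
     "audit_log_configs": [
         {"log_type": "ADMIN_READ"},
         {"log_type": "DATA_READ",
          "exempted_members": ["user:joebloggs@example.com"]},
     ]},
    {"service": "storage.googleapis.com",
     "audit_log_configs": [
         {"log_type": "DATA_READ",
          "exempted_members": ["serviceAccount:etl@example.iam.gserviceaccount.com"]},
         {"log_type": "DATA_WRITE"},
     ]},
]

# The three audit log types named in the "Beyond these examples" section.
REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def effective_audit_config(configs, service):
    """Return {log_type: set(exempted_members)} that applies to `service`.

    Union rule: the allServices entry and the service-specific entry are
    merged, so every log_type from either is enabled and every exempted
    member from either is exempt.
    """
    merged = defaultdict(set)
    for cfg in configs:
        if cfg["service"] not in ("allServices", service):
            continue
        for entry in cfg["audit_log_configs"]:
            merged[entry["log_type"]].update(entry.get("exempted_members", []))
    return dict(merged)


def audit_gaps(configs, service):
    """Report log types still disabled and principals exempt from data-access logs."""
    effective = effective_audit_config(configs, service)
    missing = [t for t in REQUIRED_LOG_TYPES if t not in effective]
    exempt = {t: sorted(m) for t, m in effective.items()
              if t.startswith("DATA_") and m}
    return {"missing_log_types": missing, "exempt_from_data_logs": exempt}
```

Running audit_gaps for a service that only the allServices entry covers shows DATA_WRITE as missing, which is exactly the kind of gap a compliance review of the minimal example above would flag.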