Cloud Identity audit log
| Service | Google Cloud Identity Workspace |
|---|---|
| Cloud | Google Cloud (GCP) |
| Guide type | Procedure |
| Skill level | Intermediate to advanced |
| Time | 15 - 60 minutes depending on account size |
When Cloud Identity audit log bites you on Google Cloud Identity Workspace, the first instinct is to open a ticket. Most of the time you do not have to. The steps below are the ones Google Cloud Support would walk you through on the call.
What cloud identity audit log actually involves on Google Cloud Identity Workspace
This task on Cloud Identity Workspace is one of the more searched operational topics on AWS in the last 12 months. The procedure below is the path that works in a current AWS account with default IAM and standard VPC config.
The rest of this page is the structured fix path. Start with diagnose, then remediation, then the automation options so you do not have to do this by hand the next time it surfaces. Verify and safety sections at the end are the discipline that keeps the fix from regressing in production.
Diagnose first, fix second
Check Cloud Monitoring Logs for the calling service. Lambda, ECS, EKS, Step Functions, API Gateway, and most managed services write detailed traces to Cloud Monitoring Logs under predictable log group names. Use Cloud Monitoring Logs Insights with fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 50 to surface the most recent failures.
Look at the Cloud Audit Log event for the failed call, even if you are not enrolled in Cloud Logging Log Router. The basic 90-day event history works for most diagnostic purposes and lives in the console under Cloud Audit Logs > Event history. Filter by event name (the API action) and time range; the event JSON shows the exact user identity, source IP, request parameters, and error code.
Start by capturing the exact Google Cloud error string. The Cloud Console truncates messages in popups, but Cloud Logging keeps the full record in protoPayload.status and protoPayload.methodName. The camelCase error code (e.g. AccessDenied, InsufficientInstanceCapacity, ConditionalCheckFailedException) is the thing you grep for in Google Cloud Community and StackOverflow, not the human-readable sentence next to it. Paste the code into the re:Post search bar in quotes and you will usually land on at least one Google-staff-verified answer within the first three results.
Solution-focused remediation path
If the issue points at IAM, do not start by adding * to a policy. Use IAM Policy Troubleshooter and IAM Recommender against the failed action to see the minimum scope. Adding * is the fastest way to fail your next Google Cloud Architecture Framework security review, and it usually does not even fix the issue because the explicit deny is often coming from a higher level (Org Policy, RCP, or permission boundary), not a missing allow.
Most Google Cloud Identity Workspace failures fall into one of three buckets: IAM permission gap, networking path break (security group, NACL, or VPC endpoint policy), or service-limit / quota hit. Run that mental triage first - it covers around 80 percent of real-world cases. If the failure does not fit any of the three, it is likely a service-side regression worth opening a re:Post or support ticket for.
For IAM and STS issues, the timing matters. STS sessions can take up to 60 seconds to propagate after creation. The first call right after assume-role can fail with a permission error even when the policy is correct. Add a small retry with backoff before treating the first failure as definitive.
Automate this fix so you do not do it twice
Add a Cloud Monitoring alert policy so you know next time
The cheapest way to never see the same incident twice is a Cloud Monitoring alert policy on the metric that would have warned you. For Google Cloud Identity Workspace, the relevant metrics live under compute.googleapis.com/google namespace or under custom metrics published by your Cloud Run service or GKE pod. Set thresholds based on observed normal range plus one or two standard deviations, not on round-number guesses. Cloud Monitoring anomaly-based alert policies remove the threshold-guessing problem entirely for metrics with regular seasonality.
Automate the fix with the gcloud CLI
The CLI one-liner pattern for Google Cloud Identity Workspace operations is roughly: gcloud google describe RESOURCE --format=json --filter ... to read state, gcloud google update RESOURCE --quiet to apply the change, and gcloud google describe RESOURCE --format=json --filter ... again to verify. Wrap it in a shell script that sets a region variable at the top and exits on first error with set -euo pipefail so a partial run does not leave the account in a half-fixed state.
# Template - replace placeholders with your account specifics
export GOOGLE_CLOUD_REGION=us-central1
export GOOGLE_CLOUD_PROJECT=prod-project
gcloud google describe RESOURCE --format=json --filter 'Resources[?Status==`FAILED`].[Id,Reason]' --output table
gcloud google modify-... --resource-id RESOURCE_ID --no-dry-run
gcloud google describe RESOURCE_ID --query 'Status'Automate the fix with Python and boto3
For anything you do more than twice, write a small Python script. The boto3 pattern below uses paginators (so it does not blow up on accounts with thousands of resources), explicit region binding, and a dry-run flag that defaults to True. Keep the script under 100 lines; if it grows beyond that, you are building a tool and should put it behind a Lambda with proper logging.
import boto3, sys
DRY_RUN = '--apply' not in sys.argv
client = boto3.client('google', region_name='us-east-1')
paginator = client.get_paginator('describe_...')
for page in paginator.paginate(): for item in page.get('Items', []): if item.get('Status') == 'FAILED': if DRY_RUN: print(f'[dry-run] would fix {item["Id"]}') else: client.modify_...(ResourceId=item['Id']) print(f'fixed {item["Id"]}')
Common pitfalls and what to watch for
A subtle pitfall on Google Cloud Identity Workspace is that the Cloud Console and the SDK can disagree about resource state during a configuration change. Console UI is cached for performance and may show the old config for up to 10 minutes after you change it via API or Deployment Manager or Terraform. Always confirm with describe-* CLI calls during a change window, not with screenshots from the Console.
The other pitfall: assuming that an automated remediation is correct because it succeeded. A Lambda that fires on a Cloud Monitoring alert policy and runs a remediation step should also publish a metric for every remediation; sudden surges in auto-fix invocations are themselves an outage signal. Otherwise you can hide a slow-burn regression behind a quiet remediation loop for weeks.
Verify the fix worked
- Reproduce the original symptom path. If it still surfaces in any account or region or IAM role or service account, you have not fixed it.
- Watch for 24 to 48 hours. Cloud Monitoring metrics and Cloud Asset Inventory can mask issues with cached health for 6 to 12 hours, especially Cloud CDN and Cloud DNS.
- Run a smoke test under realistic load. Happy-path tests miss race conditions and IAM session-cache issues.
- Capture the new state in a runbook so the next person on call does not have to rediscover this. Push it to Confluence or your team wiki, not into Slack.
- If the fix involved a permission change, run IAM Access Analyzer one more time to confirm you did not open a separate hole while closing this one.
Safety, rollback, blast radius
- Test in a non-production account if your environment has Resource Manager and Organization Policy or Cloud Resource Manager (organizations, folders, projects). The cost of one sandbox account is cheaper than one rollback meeting.
- Export the existing config before changing it. Most Google Cloud Identity Workspace resources support describe + export to JSON via CLI - capture that to source control before you start.
- Know your rollback path. Some Google Cloud Identity Workspace operations are one-way (region migration, account-level feature opt-in, Cloud KMS key deletion past pending window). Confirm reversibility on the Google Cloud doc before you commit.
- Be aware of cross-service impact. IAM role or service account changes ripple to every service trusting that role. Cloud KMS key changes break every workload depending on that key. VPC endpoint changes affect every VPC consumer of that endpoint.
- Maintenance window discipline: if the change touches DNS, certificate rotation, or anything that emits TLS handshakes, line up a window with stakeholder notification, not a heroic mid-day swap.
FAQ
gcloud google describe-... first, then commit it before you change anything. A few operations are one-way (Cloud KMS key deletion past the pending window, region migration, account closure). Check the Google Cloud doc for the specific API before you commit.aws CLI or SDK calls - those almost always still work.References
- docs.cloud.google.com - official documentation for Google Cloud Identity Workspace
- Google Cloud Community - community Q&A with Google-staff-verified answers
- Cloud Service Health Dashboard at health.cloud.google.com
- Quotas page in Cloud Console (IAM & Admin > Quotas) and Architecture Framework checklists
Related fixes
Related guides worth a look while you sort this one out:
- Cloud Identity vs Workspace when to upgrade
- Domain-wide delegation for service accounts Workspace API
- Access on Cloud Identity Workspace, what causes it and how to fix
- Account on Cloud Identity Workspace: what causes it and how to fix
- Account recovery codes regeneration
- Advanced Protection Program for high-risk users