This document describes audit logging for Datastore. Google Cloud services write audit logs that record administrative activities and accesses within your Google Cloud resources. For more information, see Cloud Audit Logs overview.
Notes
To view the time it took to process a DATA_READ or DATA_WRITE request, see the processing_duration field within the metadata object of an AuditLog.processing_duration describes the time the database took to actually process a request. This is smaller than the end-user latency. In particular, it does not include network overhead.
Service name
Datastore audit logs use the service name datastore.googleapis.com.
Methods by permission type
Methods that check DATA_READ, DATA_WRITE, and ADMIN_READ
permission types are Data Access audit logs.
Methods that check ADMIN_WRITE permission types are Admin Activity audit logs.
| Permission type | Methods |
|---|---|
| ADMIN_READ | google.datastore.admin.v1.DatastoreAdmin.GetIndex google.datastore.admin.v1.DatastoreAdmin.ListIndexes google.longrunning.Operations.GetOperation google.longrunning.Operations.ListOperations |
| ADMIN_WRITE | google.datastore.admin.v1.DatastoreAdmin.CreateIndex google.datastore.admin.v1.DatastoreAdmin.DeleteIndex google.datastore.admin.v1.DatastoreAdmin.ExportEntities google.datastore.admin.v1.DatastoreAdmin.ImportEntities google.datastore.admin.v1beta1.DatastoreAdmin.ExportEntities google.datastore.admin.v1beta1.DatastoreAdmin.ImportEntities google.longrunning.Operations.CancelOperation google.longrunning.Operations.DeleteOperation |
| DATA_READ | google.datastore.v1.Datastore.BeginTransaction google.datastore.v1.Datastore.Lookup google.datastore.v1.Datastore.Rollback google.datastore.v1.Datastore.RunAggregationQuery google.datastore.v1.Datastore.RunQuery google.datastore.v1beta3.Datastore.BeginTransaction google.datastore.v1beta3.Datastore.Lookup google.datastore.v1beta3.Datastore.Rollback google.datastore.v1beta3.Datastore.RunAggregationQuery google.datastore.v1beta3.Datastore.RunQuery |
| DATA_WRITE | google.datastore.v1.Datastore.AllocateIds google.datastore.v1.Datastore.Commit google.datastore.v1.Datastore.ReserveIds google.datastore.v1beta3.Datastore.AllocateIds google.datastore.v1beta3.Datastore.Commit google.datastore.v1beta3.Datastore.ReserveIds |
Audit logs per API interface
For information about which permissions are evaluated and how for each method, see the Identity and Access Management documentation for Datastore.
google.datastore.admin.v1.DatastoreAdmin
Details about audit logs associated with methods belonging to google.datastore.admin.v1.DatastoreAdmin.
google.datastore.admin.v1.DatastoreAdmin.CreateIndex
- Method: google.datastore.admin.v1.DatastoreAdmin.CreateIndex
- Audit log Type: Admin Activity
- Permissions:
datastore.indexes.create - ADMIN_WRITE
- Method is a Long Running Operation or Streaming:
Long Running Operation
- Filter for this method:
protoPayload.methodName="google.datastore.admin.v1.DatastoreAdmin.CreateIndex"
google.datastore.admin.v1.DatastoreAdmin.DeleteIndex
- Method: google.datastore.admin.v1.DatastoreAdmin.DeleteIndex
- Audit log Type: Admin Activity
- Permissions:
datastore.indexes.delete - ADMIN_WRITE
- Method is a Long Running Operation or Streaming:
Long Running Operation
- Filter for this method:
protoPayload.methodName="google.datastore.admin.v1.DatastoreAdmin.DeleteIndex"
google.datastore.admin.v1.DatastoreAdmin.ExportEntities
- Method: google.datastore.admin.v1.DatastoreAdmin.ExportEntities
- Audit log Type: Admin Activity
- Permissions:
datastore.databases.export - ADMIN_WRITE
- Method is a Long Running Operation or Streaming:
Long Running Operation
- Filter for this method:
protoPayload.methodName="google.datastore.admin.v1.DatastoreAdmin.ExportEntities"
google.datastore.admin.v1.DatastoreAdmin.GetIndex
- Method: google.datastore.admin.v1.DatastoreAdmin.GetIndex
- Audit log Type: Data Access
- Permissions:
datastore.indexes.get - ADMIN_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.admin.v1.DatastoreAdmin.GetIndex"
google.datastore.admin.v1.DatastoreAdmin.ImportEntities
- Method: google.datastore.admin.v1.DatastoreAdmin.ImportEntities
- Audit log Type: Admin Activity
- Permissions:
datastore.databases.import - ADMIN_WRITE
- Method is a Long Running Operation or Streaming:
Long Running Operation
- Filter for this method:
protoPayload.methodName="google.datastore.admin.v1.DatastoreAdmin.ImportEntities"
google.datastore.admin.v1.DatastoreAdmin.ListIndexes
- Method: google.datastore.admin.v1.DatastoreAdmin.ListIndexes
- Audit log Type: Data Access
- Permissions:
datastore.indexes.list - ADMIN_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.admin.v1.DatastoreAdmin.ListIndexes"
google.datastore.admin.v1beta1.DatastoreAdmin
Details about audit logs associated with methods belonging to google.datastore.admin.v1beta1.DatastoreAdmin.
google.datastore.admin.v1beta1.DatastoreAdmin.ExportEntities
- Method: google.datastore.admin.v1beta1.DatastoreAdmin.ExportEntities
- Audit log Type: Admin Activity
- Permissions:
datastore.databases.export - ADMIN_WRITE
- Method is a Long Running Operation or Streaming:
Long Running Operation
- Filter for this method:
protoPayload.methodName="google.datastore.admin.v1beta1.DatastoreAdmin.ExportEntities"
google.datastore.admin.v1beta1.DatastoreAdmin.ImportEntities
- Method: google.datastore.admin.v1beta1.DatastoreAdmin.ImportEntities
- Audit log Type: Admin Activity
- Permissions:
datastore.databases.import - ADMIN_WRITE
- Method is a Long Running Operation or Streaming:
Long Running Operation
- Filter for this method:
protoPayload.methodName="google.datastore.admin.v1beta1.DatastoreAdmin.ImportEntities"
google.datastore.v1.Datastore
Details about audit logs associated with methods belonging to google.datastore.v1.Datastore.
google.datastore.v1.Datastore.AllocateIds
- Method: google.datastore.v1.Datastore.AllocateIds
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READdatastore.entities.allocateIds - DATA_WRITE
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1.Datastore.AllocateIds"
google.datastore.v1.Datastore.BeginTransaction
- Method: google.datastore.v1.Datastore.BeginTransaction
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1.Datastore.BeginTransaction"
google.datastore.v1.Datastore.Commit
- Method: google.datastore.v1.Datastore.Commit
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READdatastore.entities.allocateIds - DATA_WRITEdatastore.entities.create - DATA_WRITEdatastore.entities.delete - DATA_WRITEdatastore.entities.update - DATA_WRITE
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1.Datastore.Commit"
google.datastore.v1.Datastore.Lookup
- Method: google.datastore.v1.Datastore.Lookup
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READdatastore.entities.get - DATA_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1.Datastore.Lookup"
google.datastore.v1.Datastore.ReserveIds
- Method: google.datastore.v1.Datastore.ReserveIds
- Audit log Type: Data Access
- Permissions:
datastore.entities.allocateIds - DATA_WRITE
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1.Datastore.ReserveIds"
google.datastore.v1.Datastore.Rollback
- Method: google.datastore.v1.Datastore.Rollback
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1.Datastore.Rollback"
google.datastore.v1.Datastore.RunAggregationQuery
- Method: google.datastore.v1.Datastore.RunAggregationQuery
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READdatastore.entities.get - DATA_READdatastore.entities.list - DATA_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1.Datastore.RunAggregationQuery"
google.datastore.v1.Datastore.RunQuery
- Method: google.datastore.v1.Datastore.RunQuery
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READdatastore.entities.get - DATA_READdatastore.entities.list - DATA_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1.Datastore.RunQuery"
google.datastore.v1beta3.Datastore
Details about audit logs associated with methods belonging to google.datastore.v1beta3.Datastore.
google.datastore.v1beta3.Datastore.AllocateIds
- Method: google.datastore.v1beta3.Datastore.AllocateIds
- Audit log Type: Data Access
- Permissions:
datastore.entities.allocateIds - DATA_WRITE
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1beta3.Datastore.AllocateIds"
google.datastore.v1beta3.Datastore.BeginTransaction
- Method: google.datastore.v1beta3.Datastore.BeginTransaction
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1beta3.Datastore.BeginTransaction"
google.datastore.v1beta3.Datastore.Commit
- Method: google.datastore.v1beta3.Datastore.Commit
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READdatastore.entities.create - DATA_WRITEdatastore.entities.delete - DATA_WRITEdatastore.entities.update - DATA_WRITE
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1beta3.Datastore.Commit"
google.datastore.v1beta3.Datastore.Lookup
- Method: google.datastore.v1beta3.Datastore.Lookup
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READdatastore.entities.get - DATA_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1beta3.Datastore.Lookup"
google.datastore.v1beta3.Datastore.ReserveIds
- Method: google.datastore.v1beta3.Datastore.ReserveIds
- Audit log Type: Data Access
- Permissions:
datastore.entities.allocateIds - DATA_WRITE
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1beta3.Datastore.ReserveIds"
google.datastore.v1beta3.Datastore.Rollback
- Method: google.datastore.v1beta3.Datastore.Rollback
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1beta3.Datastore.Rollback"
google.datastore.v1beta3.Datastore.RunAggregationQuery
- Method: google.datastore.v1beta3.Datastore.RunAggregationQuery
- Audit log Type: Data Access
- Permissions:
datastore.entities.get - DATA_READdatastore.entities.list - DATA_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1beta3.Datastore.RunAggregationQuery"
google.datastore.v1beta3.Datastore.RunQuery
- Method: google.datastore.v1beta3.Datastore.RunQuery
- Audit log Type: Data Access
- Permissions:
datastore.databases.get - DATA_READdatastore.entities.get - DATA_READdatastore.entities.list - DATA_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.datastore.v1beta3.Datastore.RunQuery"
google.longrunning.Operations
Details about audit logs associated with methods belonging to google.longrunning.Operations.
google.longrunning.Operations.CancelOperation
- Method: google.longrunning.Operations.CancelOperation
- Audit log Type: Admin Activity
- Permissions:
datastore.operations.cancel - ADMIN_WRITE
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.longrunning.Operations.CancelOperation"
google.longrunning.Operations.DeleteOperation
- Method: google.longrunning.Operations.DeleteOperation
- Audit log Type: Admin Activity
- Permissions:
datastore.operations.delete - ADMIN_WRITE
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.longrunning.Operations.DeleteOperation"
google.longrunning.Operations.GetOperation
- Method: google.longrunning.Operations.GetOperation
- Audit log Type: Data Access
- Permissions:
datastore.operations.get - ADMIN_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.longrunning.Operations.GetOperation"
google.longrunning.Operations.ListOperations
- Method: google.longrunning.Operations.ListOperations
- Audit log Type: Data Access
- Permissions:
datastore.operations.list - ADMIN_READ
- Method is a Long Running Operation or Streaming: No.
- Filter for this method:
protoPayload.methodName="google.longrunning.Operations.ListOperations"