Following the docs available from GCP here: https://cloud.google.com/artifact-registry/docs/repositories/cleanup-policy

I set the cleanup policy on my Artifact Registry repository with the dry-run option enabled, but could not get any audit logs to be output using this command:

gcloud logging read 'protoPayload.serviceName="artifactregistry.googleapis.com" AND protoPayload.request.parent:"projects/gift-service-app-jm/locations/australia-southeast1/repositories/gcf-artifacts" AND protoPayload.request.validateOnly=true' \
    --resource-names="projects/gift-service-app-jm" \
    --project=gift-service-app-jm

I was able to confirm that the policy has been set and the dry-run option is enabled using the gcloud artifacts repositories describe gcf-artifacts command:

{
  "cleanupPolicies": {
    "Delete Previous Versions": {
      "action": "DELETE",
      "condition": {
        "olderThan": "864000s",
        "tagState": "UNTAGGED"
      },
      "id": "Delete Previous Versions"
    }
  },
  "cleanupPolicyDryRun": true,
  "createTime": "2023-09-27T05:07:31.256470Z",
  "description": "This repository is created and used by Cloud Functions",
  "format": "DOCKER",
  "labels": {
    "goog-managed-by": "cloudfunctions"
  },
  "mode": "STANDARD_REPOSITORY",
  "name": "projects/gift-service-app-jm/locations/australia-southeast1/repositories/gcf-artifacts",
  "updateTime": "2024-07-10T05:39:56.088672Z"
}

Has anyone had this issue before? I have the Owner role applied to my IAM principal, but have also tried adding the Logs Viewer and Private Logs Viewer roles explicitly.

1 Answer

Please go through this Google Cloud Community link, where it mentions that Artifact Registry does have cleanup policies. The deletion events triggered by these policies are not logged in Cloud Logging by default. Also make sure you have enabled Audit Logging for Artifact Repository.

However, you can further check the effects of your cleanup policy in the Artifact Registry Data Access audit logs. You can view these logs by enabling Data Access audit logs by following the documentation, or filter the logs by following these steps:

Includes "admin read" operations that read metadata or configuration information. Also includes "data read" and "data write" operations that read or write user-provided data.

To receive Data Access audit logs, you must explicitly enable them.

Resource type: "Artifact Registry"

Log name: "data_access"

Note: Search for relevant keywords: "DELETE", "cleanup", or the specific names of your cleanup policies.

  • @josh, did you have time to check my answer? Did it help you to solve your problem? If the answer was useful, please mark the answer as accepted for greater visibility for the community. Commented Jul 11 at 9:40
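
The steps in the answer above (enable Data Access audit logs for Artifact Registry, then filter on the data_access log), sketched as an added example that is not code from the post or from Google. It merges the audit configuration into a project IAM policy exported as JSON without dropping existing entries, and builds the matching log filter; the sample policy is constructed, and matching on protoPayload.resourceName is an assumption about how the entries are labelled.

```python
import copy
import json

SERVICE = "artifactregistry.googleapis.com"
LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def enable_data_access_logs(policy, service=SERVICE, log_types=LOG_TYPES):
    """Return a copy of an IAM policy with Data Access audit logs on for `service`.

    Existing entries (other services, exemptedMembers) are preserved and the
    merge is idempotent, so re-running it never duplicates a logType.
    """
    merged = copy.deepcopy(policy)
    configs = merged.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    present = {c.get("logType") for c in entry.setdefault("auditLogConfigs", [])}
    for log_type in log_types:
        if log_type not in present:
            entry["auditLogConfigs"].append({"logType": log_type})
    return merged


def data_access_filter(project, repository, service=SERVICE):
    """Build a Cloud Logging filter for the repository's data_access entries."""
    # Assumption: the entries of interest carry the repository path in resourceName.
    log_name = f"projects/{project}/logs/cloudaudit.googleapis.com%2Fdata_access"
    return (
        f'logName="{log_name}" AND '
        f'protoPayload.serviceName="{service}" AND '
        f'protoPayload.resourceName:"{repository}"'
    )


# Constructed sample: trimmed shape of the output of
#   gcloud projects get-iam-policy gift-service-app-jm --format=json
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/owner", "members": ["user:owner@example.com"]}],
    "auditConfigs": [
        {"service": SERVICE, "auditLogConfigs": [{"logType": "DATA_WRITE"}]}
    ],
    "etag": "BwXconstructed=",
}

if __name__ == "__main__":
    print(json.dumps(enable_data_access_logs(SAMPLE_POLICY), indent=2))
```

The merged policy can be written to a file and applied with gcloud projects set-iam-policy, and the filter string passed to gcloud logging read in place of the one in the question.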