You manage an application that is writing logs to Stackdriver Logging. You need to give some team members the ability to export logs. What should you do?
A.
Grant the team members the IAM role of logging.configWriter on Cloud IAM.
B.
Configure Access Context Manager to allow only these members to export logs.
C.
Create and grant a custom IAM role with the permissions logging.sinks.list and logging.sink.get.
D.
Create an Organizational Policy in Cloud IAM to allow only these members to create log exports.
I understand that option A gives the ability to export logs, but isn't C the best option following the least privilege principle, since the question only says that the team members need to export logs and not to write them?
It should be C. Least privilege.
The question asks about exporting logs and does not mention reading or writing logs.
Option A gives too many permissions.
Logs Configuration Writer
(roles/logging.configWriter)
Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.
logging.buckets.create
logging.buckets.delete
logging.buckets.get
logging.buckets.list
logging.buckets.undelete
logging.buckets.update
logging.cmekSettings.*
logging.exclusions.*
logging.locations.*
logging.logMetrics.*
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.notificationRules.*
logging.operations.*
logging.sinks.*
logging.views.create
logging.views.delete
logging.views.get
logging.views.list
logging.views.update
resourcemanager.projects.get
resourcemanager.projects.list
Ability to use sinks: add logging.sinks.{list, create, get, update, delete}. The list and get permissions only give view access; they cannot create sinks to export logs. You need to create a sink to export logs.
Correct answer is A.
Logs Configuration Writer
(roles/logging.configWriter)
Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.
roles/logging.configWriter (Logs Configuration Writer) gives you the permissions to create log-based metrics, exclusions, buckets, and views, and to use sinks. To use the Logs Explorer (console) for these actions, add roles/logging.viewer.
In addition to other comments here, C would be too restrictive. The user needs to have logs list permissions at least to know which logs to export.
Goram113 also indicates that logging.sinks.create is needed to export logs, which is why C is wrong.
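As an added illustration (not from any commenter on this thread), a small Python check of which permissions each option actually covers, using the roles/logging.configWriter permission list quoted above and the permissions option C names verbatim; the minimum set assumed for creating an export sink (logging.sinks.create plus get and list) is taken from the discussion, not from official documentation.

```python
from fnmatch import fnmatchcase

# Permissions quoted on this page for roles/logging.configWriter.
# Entries such as "logging.sinks.*" use the role's own wildcard notation.
CONFIG_WRITER = [
    "logging.buckets.create", "logging.buckets.delete", "logging.buckets.get",
    "logging.buckets.list", "logging.buckets.undelete", "logging.buckets.update",
    "logging.cmekSettings.*", "logging.exclusions.*", "logging.locations.*",
    "logging.logMetrics.*", "logging.logServiceIndexes.*", "logging.logServices.*",
    "logging.logs.list", "logging.notificationRules.*", "logging.operations.*",
    "logging.sinks.*", "logging.views.create", "logging.views.delete",
    "logging.views.get", "logging.views.list", "logging.views.update",
    "resourcemanager.projects.get", "resourcemanager.projects.list",
]

# Option C exactly as the question words it ("logging.sink.get" has no "s").
OPTION_C = ["logging.sinks.list", "logging.sink.get"]

# Assumed minimum for creating an export sink, per the comments above.
NEEDED_FOR_EXPORT = {"logging.sinks.create", "logging.sinks.get", "logging.sinks.list"}


def grants(role_perms, permission):
    """True if any entry (literal or 'prefix.*' wildcard) covers the permission."""
    return any(fnmatchcase(permission, entry) for entry in role_perms)


def missing(role_perms, needed):
    """Needed permissions the role does not grant, sorted for stable output."""
    return sorted(p for p in needed if not grants(role_perms, p))


def outside_sinks(role_perms):
    """Entries of a role that reach beyond sink management (the over-grant concern)."""
    return [entry for entry in role_perms if not entry.startswith("logging.sinks.")]


if __name__ == "__main__":
    for name, perms in (("A: configWriter", CONFIG_WRITER), ("C: custom role", OPTION_C)):
        print(name, "missing:", missing(perms, NEEDED_FOR_EXPORT),
              "| entries beyond sinks:", len(outside_sinks(perms)))
```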
Right answer is A, as stated in the documentation here:
https://cloud.google.com/logging/docs/export/configure_export_v2#before-you-begin
"Note that this guide describes creating and managing sinks at the Cloud project level, but you can create sinks (non-aggregated) for billing accounts, folders, and organizations. As you get started, ensure the following:
You have a Google Cloud project with logs that you can see in the Logs Explorer.
You have one of the following IAM roles for the source Cloud project from which you're routing logs.
Owner (roles/owner)
Logging Admin (roles/logging.admin)
Logs Configuration Writer (roles/logging.configWriter)
The permissions contained in these roles allow you to create, delete, or modify sinks. For information on setting IAM roles, see the Logging Access control guide."
I agree. logging.configWriter (answer A) gives too much power to the team members. We only need to give them the rights to export, not change the whole logging configuration.
C is ok.
A is correct
Logs Configuration Writer
(roles/logging.configWriter)
- Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.
https://cloud.google.com/logging/docs/access-control