Configure GCP audit event archiving using the CLI
Use the CDP CLI to configure audit event archiving in GCP.
- Use the CDP CLI to get the GCP command that creates the GCP service account and private key required for audit credential generation. In the CDP CLI, run the following command:
  cdp environments get-audit-credential-prerequisites --cloud-platform gcp
  The CDP CLI returns the service account creation command (in base64 decoded format) for GCP credential creation. Run this command in your terminal (with the Google Cloud SDK installed) or in Google Cloud Shell to create the new service account and download the private key that is required in the next step.
- In the CDP CLI, run the command to upload the service account private key:
  cdp environments set-gcp-audit-credential --credential-key <path to private key JSON file>
  For example:
  cdp environments set-gcp-audit-credential --credential-key file:///Users/jo/cdp_tools/artifacts/gcpauditcred.json
  This command returns the credential name/CRN that you will need for the next step.
- Run the following command to configure GCP audit event archiving in CDP:
  cdp audit configure-archiving --storage-location <full path to bucket> --credential-name <audit credential name or CRN> --enabled
  Optionally, you can use the --storage-region parameter to designate the storage region, or the --verify-only parameter to verify the audit configuration without updating it. For example:
  cdp audit configure-archiving --storage-location gs://cdp/auditbucket --credential-name audit-credential-5617y894 --enabled --verify-only
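The three steps above, wrapped in a small POSIX shell script as an added example (this is not Cloudera's code and not part of the original page). It checks the downloaded key file really is a GCP service-account key before uploading it, checks that the storage location is a gs:// path, and always runs configure-archiving with --verify-only before applying the change. Assumptions: the CDP CLI is on PATH as cdp; the CLI accepts a file:// URI for --credential-key as in the example above; the CDP_DRY_RUN variable is this script's own convention for printing each cdp command instead of running it.

```shell
#!/bin/sh
# Added example, not Cloudera's code. Wraps the three-step GCP audit
# archiving procedure. Assumptions (labelled): "cdp" is on PATH;
# CDP_DRY_RUN=1 (this script's own convention) prints each cdp command
# instead of running it, so the flow can be rehearsed offline.
set -eu

# Run a command, or just print it when CDP_DRY_RUN=1.
run() {
  if [ "${CDP_DRY_RUN:-0}" = "1" ]; then
    printf 'dry-run: %s\n' "$*"
  else
    "$@"
  fi
}

# --storage-location must be a full gs:// bucket path.
validate_storage_location() {
  case "$1" in
    gs://?*) return 0 ;;
    *) echo "storage location must be a gs:// path: $1" >&2; return 1 ;;
  esac
}

# Refuse to upload anything that is not a GCP service-account key JSON
# (type "service_account" carrying a private_key field).
validate_key_file() {
  f="$1"
  [ -r "$f" ] || { echo "key file not readable: $f" >&2; return 1; }
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f" \
    || { echo "not a service-account key: $f" >&2; return 1; }
  grep -q '"private_key"' "$f" \
    || { echo "no private_key field in: $f" >&2; return 1; }
}

# Step 1: fetch the service-account creation command. The operator runs the
# returned command with the Google Cloud SDK or in Cloud Shell.
get_prerequisites() {
  run cdp environments get-audit-credential-prerequisites --cloud-platform gcp
}

# Step 2: upload the downloaded key as the audit credential. The CLI output
# carries the credential name/CRN needed in step 3; note it down.
upload_audit_credential() {
  key="$1"
  validate_key_file "$key" || return 1
  # Build an absolute file:// URI (file:///abs/path) as in the page's example.
  case "$key" in
    /*) ;;
    *) key="$(pwd)/$key" ;;
  esac
  run cdp environments set-gcp-audit-credential --credential-key "file://$key"
}

# Step 3: verify the configuration with --verify-only first, then apply it.
# An optional third argument sets --storage-region.
configure_archiving() {
  bucket="$1"; cred="$2"; region="${3:-}"
  validate_storage_location "$bucket" || return 1
  set -- cdp audit configure-archiving --storage-location "$bucket" \
    --credential-name "$cred" --enabled
  if [ -n "$region" ]; then
    set -- "$@" --storage-region "$region"
  fi
  run "$@" --verify-only
  run "$@"
}

# Usage (values constructed from the page's example): source this file, then
#   get_prerequisites
#   upload_audit_credential /Users/jo/cdp_tools/artifacts/gcpauditcred.json
#   configure_archiving gs://cdp/auditbucket audit-credential-5617y894
```

Set CDP_DRY_RUN=1 and source the script to see exactly which cdp commands would be issued before running them for real; the --verify-only pass is always issued first, so a mistyped bucket or credential name is caught before the archiving configuration is changed.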