Configure GCP audit event archiving using the CLI

Use the CDP CLI to configure audit event archiving in GCP.

  1. Use the CDP CLI to get the GCP command that creates the service account and private key required for audit credential generation. In the CDP CLI, run the following command:
    cdp environments get-audit-credential-prerequisites --cloud-platform gcp
    The CDP CLI returns the service account creation command for GCP credential creation. The command text is base64-encoded in the response, so decode it before you run it, and read it first: it defines the role the audit service account will hold. Run the decoded command in a terminal with the Google Cloud SDK installed, or in Google Cloud Shell, to create the new service account and download the private key required in the next step. The downloaded key file is a long-lived credential: keep its file permissions restricted and delete the local copy once it has been uploaded in step 2.
  2. In the CDP CLI, run the command to upload the service account private key:
    cdp environments set-gcp-audit-credential --credential-key <path to private key JSON file> 
    For example:
    cdp environments set-gcp-audit-credential --credential-key file:///Users/jo/cdp_tools/artifacts/gcpauditcred.json 

    This command returns the credential name/CRN that you will need for the next step.

  3. Run the following command to configure GCP audit event archiving in CDP:
    cdp audit configure-archiving --storage-location <full path to bucket> --credential-name <audit credential name or CRN> --enabled
    Optionally, add the --storage-region parameter to designate the storage region, or the --verify-only parameter to check the audit configuration without updating it. A safe way to apply the change is to run the command with --verify-only first and, once it passes, repeat it without that parameter.
    For example:
    cdp audit configure-archiving --storage-location gs://cdp/auditbucket --credential-name audit-credential-5617y894 --enabled --verify-only
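
The procedure above as a script, added here as an example and not taken from the CDP documentation or the CDP CLI itself. It assumes the CLI prints JSON, that the prerequisites response carries the gcloud command text base64-encoded in a "commands" field, and that the credential response exposes the CRN in a "crn" field; check those field names against what your CLI version prints. The helper names (is_gcs_uri, is_file_url, json_field, decode_prereq_commands, configure_gcp_audit_archiving) and the sample values are mine. It adds two checks the page does not show: the inputs are validated before any CLI call is made, and configure-archiving runs with --verify-only before the real run.

```shell
#!/bin/sh
# Added example (not CDP's own code): wraps the audit archiving procedure.
# Assumptions, not stated on the page: the CLI prints JSON; the prerequisites
# response has a base64-encoded "commands" field; the credential response has
# a "crn" field. Adjust json_field arguments to your CLI version's output.
set -eu

# Return 0 if the argument is a GCS location (gs://bucket or gs://bucket/prefix).
is_gcs_uri() {
  case "$1" in
    gs://[a-z0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the argument is the file:// URL form that --credential-key accepts.
is_file_url() {
  case "$1" in
    file:///?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the string value of the first JSON field named "$1" read on stdin.
# Good enough for the flat CLI responses here; prefer jq where it is installed.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Step 1: decode the base64-encoded command block so it can be reviewed before
# it is run in Cloud Shell or in a terminal with the Google Cloud SDK.
decode_prereq_commands() {
  json_field commands | base64 -d
}

# Steps 2 and 3: upload the key, then verify the archiving config before enabling it.
# Usage: configure_gcp_audit_archiving file:///path/key.json gs://bucket[/prefix] [region]
configure_gcp_audit_archiving() {
  key_url="$1"; bucket="$2"; region="${3:-}"
  is_file_url "$key_url" || { echo "credential key must be a file:///... URL" >&2; return 2; }
  is_gcs_uri "$bucket"   || { echo "storage location must be a gs:// URI" >&2; return 2; }

  # The key JSON is a long-lived credential: lock it down before uploading it.
  key_path="${key_url#file://}"
  chmod 600 "$key_path"

  cred=$(cdp environments set-gcp-audit-credential --credential-key "$key_url" | json_field crn)
  [ -n "$cred" ] || { echo "could not read the credential CRN from the CLI output" >&2; return 1; }

  set -- --storage-location "$bucket" --credential-name "$cred" --enabled
  if [ -n "$region" ]; then
    set -- "$@" --storage-region "$region"
  fi

  # Dry run first; the real update only happens if verification succeeds.
  cdp audit configure-archiving "$@" --verify-only
  cdp audit configure-archiving "$@"

  # The key now lives in CDP; remove the local copy.
  rm -f "$key_path"
}

# Usage: sh archive.sh prereqs
#        sh archive.sh configure file:///Users/jo/cdp_tools/artifacts/gcpauditcred.json gs://cdp/auditbucket [region]
case "${1:-}" in
  prereqs)   cdp environments get-audit-credential-prerequisites --cloud-platform gcp | decode_prereq_commands ;;
  configure) shift; configure_gcp_audit_archiving "$@" ;;
esac
```

Run the prereqs action first, execute the printed gcloud command where the Google Cloud SDK is available, then run configure with the downloaded key. The script deletes the local key file after a successful upload; drop the rm line if you need to keep it, but store it somewhere with restricted access.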