3

We've been evaluating Google Cloud DNS and ran into this question: How do you keep track of changes?

For GCE, an activity log is kept, but I could not find any DNS-related logs.

From the CLI there is some more:

    $ gcloud dns record-sets changes list --zone="my-zone"
    ID  START_TIME                STATUS
    2   2016-02-18T09:29:35.314Z  done
    1   2016-02-18T09:10:42.253Z  done

and

    $ gcloud dns record-sets changes describe 2 --zone="my-zone"
    additions:
    (yaml transaction file)

Neither shows the ID/user/key of the system or person that performed the change. That is kind of essential for an audit trail.

How can I get an audit trail from Google Cloud? What command am I missing?
Or isn't it there (yet) and would I need to generate it via (very) limited access procedures, front-proxy or the like?

Much appreciated,

Gérard

  • JICYWTK: There is no audit logging on the Google Cloud DNS side yet. We're now building a pipeline where DNS changes are performed through a gcloud CLI service account, fronted by a Go.CD pipeline. Go.CD will handle the authentication (using Google OAuth), authorization and logging. – Gérard de Vos Mar 03 '16 at 10:18
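
With the workaround described in the comment above, the pipeline's own log is the only record of who made a change, so any change ID that Cloud DNS lists but the pipeline never logged was made outside the pipeline. The following Python check is an added example (not from the original post or its author); the journal format, its field names and the sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample in the format of `gcloud dns record-sets changes list`
# shown above; change 3 is added for illustration.
CHANGES_LIST = """\
ID  START_TIME                STATUS
3   2016-02-18T11:02:10.101Z  done
2   2016-02-18T09:29:35.314Z  done
1   2016-02-18T09:10:42.253Z  done
"""

# Constructed sample: hypothetical JSON-lines journal the pipeline writes,
# one record per change it applied (field names are assumptions).
PIPELINE_JOURNAL = """\
{"zone": "my-zone", "change_id": "1", "actor": "alice@example.com"}
{"zone": "my-zone", "change_id": "2", "actor": "bob@example.com"}
{"zone": "other-zone", "change_id": "3", "actor": "bob@example.com"}
"""

def parse_changes(table_text):
    """Parse the ID / START_TIME / STATUS table into a list of dicts."""
    rows = [line.split() for line in table_text.splitlines() if line.strip()]
    if not rows or rows[0] != ["ID", "START_TIME", "STATUS"]:
        raise ValueError("unexpected changes-list header")
    return [dict(zip(("id", "start_time", "status"), r)) for r in rows[1:]]

def load_journal(journal_text, zone):
    """Map change_id -> actor for one zone; other zones' records are ignored."""
    records = (json.loads(l) for l in journal_text.splitlines() if l.strip())
    return {r["change_id"]: r["actor"] for r in records if r["zone"] == zone}

def audit(table_text, journal_text, zone):
    """Split the zone's changes into (attributed, unattributed) lists."""
    actors = load_journal(journal_text, zone)
    attributed, unattributed = [], []
    for change in parse_changes(table_text):
        if change["id"] in actors:
            attributed.append({**change, "actor": actors[change["id"]]})
        else:
            unattributed.append(change)
    return attributed, unattributed

if __name__ == "__main__":
    ok, missing = audit(CHANGES_LIST, PIPELINE_JOURNAL, "my-zone")
    for c in ok:
        print(f"change {c['id']} {c['start_time']} by {c['actor']}")
    for c in missing:
        print(f"ALERT change {c['id']} {c['start_time']}: no pipeline record")
```

For this check to work, the pipeline has to record the change ID it gets back when it applies a transaction, and the journal has to live somewhere the DNS service account cannot write.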

1 Answer

0

The ID of the actor that made the change is not available from the Cloud DNS API and probably never will be.

Instead, we are working on exposing it in the Stackdriver Logging logs. However, there is no ETA for the release date.

Matt-y-er