I need to give developers access to our production logs in Stackdriver, but I'd like to restrict their ability to export/download the data. After reviewing the docs, it appears anybody who has view access on a project will be able to download bulk logs from the console log viewer. Is that correct?

https://cloud.google.com/logging/docs/access-control

NickGDev

1 Answer

That is correct. Granting the viewer role at the project or logging level will enable your developers to both read and download logs, but they will be unable to create an export sink for them. However, the download limit is only up to 300 log entries; beyond that, it will require an export, as prompted when Download Logs is used:

Up to 300 log entries currently loaded into the Logs Viewer will be downloaded. If you need to download more logs, consider exporting your logs.

At the moment, there is no granular role specific to downloading logs; it is grouped with listing log entries through the console. You can check the references on custom roles [1] and other logging roles [2].

To implement a restriction, you can still:

  • Create a separate project that contains non-sensitive log entries (e.g. lower environment), for which their log viewing roles can be unrestricted.

  • Assign the viewer role to a single person (e.g. lead developer) for production.

[1] https://cloud.google.com/iam/docs/understanding-custom-roles#basic_concepts

[2] https://cloud.google.com/iam/docs/understanding-roles#logging-roles

Justin
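
An added example, not part of the original question or answer: a Python audit of a project IAM policy, in the JSON shape returned by `gcloud projects get-iam-policy --format=json`, that lists which members can read (and therefore download) log entries and which can also create export sinks. The role sets and the sample policy are constructed assumptions; check the role sets against the logging-roles reference [2] before relying on them.

```python
# Constructed subset of predefined roles (assumption, not exhaustive);
# verify against the logging-roles reference before relying on it.
CAN_READ = {  # roles that include logging.logEntries.list (read + download)
    "roles/viewer", "roles/editor", "roles/owner",
    "roles/logging.viewer", "roles/logging.privateLogViewer",
    "roles/logging.admin",
}
CAN_SINK = {  # roles that include logging.sinks.create (bulk export)
    "roles/owner", "roles/logging.configWriter", "roles/logging.admin",
}


def audit_log_access(policy):
    """Map each member to the log-related capabilities its bindings grant."""
    result = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        caps = set()
        if role in CAN_READ:
            caps.add("read+download")
        if role in CAN_SINK:
            caps.add("create-sink")
        if not role.startswith("roles/"):
            # Custom role (projects/... or organizations/...): its permissions
            # are not visible in the policy, so flag it for manual review.
            caps.add("custom-role:review")
        for member in binding.get("members", []):
            result.setdefault(member, set()).update(caps)
    # Drop members whose roles have no bearing on log access.
    return {member: caps for member, caps in result.items() if caps}


# Constructed sample policy (hypothetical project, members and custom role).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/logging.viewer",
     "members": ["group:devs@example.com", "user:lead@example.com"]},
    {"role": "roles/logging.configWriter",
     "members": ["user:lead@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:other@example.com"]},
    {"role": "projects/example-prod/roles/logReader",
     "members": ["serviceAccount:ci@example-prod.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    for member, caps in sorted(audit_log_access(SAMPLE_POLICY).items()):
        print(f"{member}: {', '.join(sorted(caps))}")
```
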