Reach out to Omni support to have audit logs enabled for your instance.
Audit logs are detailed records of the actions your users take in Omni, which can be useful for security and performance analysis. Events included in logs are structured as JSON payloads and sent in batches to your cloud storage bucket a few minutes after they’re written.

Supported authentication methods

Audit logs can be delivered to a Google Cloud Storage (GCS) bucket using one of two authentication methods:
  • Workload Identity Federation - Workload Identity Federation allows Omni’s audit log delivery service to authenticate to your GCS bucket using AWS IAM credentials through GCP Workload Identity Federation.
    This is the recommended authentication method for GCS as it eliminates the need to manage long-lived service account keys.
  • Service account key - This method uses a service account JSON key file for authentication. While straightforward, it requires managing long-lived credentials.

Option 1: Workload Identity Federation

This approach provides enhanced security by:
  • Eliminating the need to share or rotate service account keys
  • Using temporary, automatically rotating credentials
  • Leveraging your existing AWS and GCP IAM policies

Requirements

  • An existing GCS bucket where audit logs will be delivered
  • Permissions to create and configure a Workload Identity Pool in your GCP project
  • Permissions to create and configure a service account with write access to your GCS bucket

Setup

Work with Omni support to configure Workload Identity Federation. The setup involves:
1. Get credentials from Omni support
   Omni support will provide you with the AWS Account ID and AWS IAM role ARN that will authenticate to your GCS bucket.

2. Create a Workload Identity Pool
   Create a Workload Identity Pool and AWS provider in your GCP project.

3. Create a GCP service account
   Create a GCP service account with write permissions (objectCreator role) to your GCS bucket.

4. Configure the Workload Identity Pool
   Configure the Workload Identity Pool to allow the Omni AWS IAM role you received in step 1 to impersonate your GCP service account.

5. Provide Omni with the connection details
   Provide Omni support with the following:
     • Project number
     • Pool ID
     • Provider ID
     • Service account email

6. Complete setup with Omni support
   Omni support completes the configuration on the Omni side.

Once configured, audit logs will be automatically delivered to your GCS bucket without requiring any credential management.
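
Steps 2 through 4 can be scripted with `gcloud`. The following is an added example, not Omni's own tooling: every project, pool, provider, bucket, account and role value in it is a constructed placeholder, and it assumes the AWS provider keeps GCP's default attribute mapping, which exposes the caller's role as `attribute.aws_role`. It runs as a dry run unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: steps 2-4 as gcloud commands. Every value below is a placeholder.
set -eu

PROJECT_ID="my-project"
PROJECT_NUMBER="123456789012"
POOL_ID="omni-audit-pool"
PROVIDER_ID="omni-aws"
BUCKET="my-omni-audit-logs"
SA_NAME="omni-audit-writer"
# Step 1 values come from Omni support; these are constructed stand-ins.
OMNI_AWS_ACCOUNT_ID="111122223333"
OMNI_ROLE_ARN="arn:aws:iam::111122223333:role/omni-audit-delivery"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Dry run by default: print each command. Set APPLY=1 to execute it instead.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi; }

# role_member PROJECT_NUMBER POOL_ID ROLE_ARN
# Prints the IAM member matching one AWS role only, not the whole pool.
# The default mapping sets attribute.aws_role to the STS assumed-role ARN
# (no path, no session name), so the IAM role ARN is converted to that form.
role_member() (
  case "$3" in
    arn:aws:iam::*:role/*) ;;
    *) echo "not an IAM role ARN: $3" >&2; exit 1 ;;
  esac
  acct="${3#arn:aws:iam::}"; acct="${acct%%:*}"
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.aws_role/arn:aws:sts::%s:assumed-role/%s\n' \
    "$1" "$2" "$acct" "${3##*/}"
)

# Step 2: pool plus an AWS provider that trusts only the AWS account from step 1.
run gcloud iam workload-identity-pools create "$POOL_ID" \
  --project="$PROJECT_ID" --location=global
run gcloud iam workload-identity-pools providers create-aws "$PROVIDER_ID" \
  --project="$PROJECT_ID" --location=global \
  --workload-identity-pool="$POOL_ID" --account-id="$OMNI_AWS_ACCOUNT_ID"

# Step 3: service account that can create objects in the bucket, nothing more.
run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID"
run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
  --member="serviceAccount:$SA_EMAIL" --role=roles/storage.objectCreator

# Step 4: only the one AWS role may impersonate the service account.
MEMBER="$(role_member "$PROJECT_NUMBER" "$POOL_ID" "$OMNI_ROLE_ARN")"
run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
  --project="$PROJECT_ID" --role=roles/iam.workloadIdentityUser --member="$MEMBER"
```

Binding `roles/iam.workloadIdentityUser` to the `attribute.aws_role` member, rather than to every identity in the pool, keeps other roles in the same AWS account from impersonating the service account.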

Option 2: Service account key

This approach uses a service account JSON key file to authenticate to the GCS bucket.
The Workload Identity Federation approach is recommended over using a service account key.

Requirements

  • An existing GCS bucket where audit logs will be delivered
  • Permissions in GCS that allow you to create a service account key

Setup

1. Create a service account key
   Create a service account key in GCS.

2. Provide Omni support with your bucket details
   Provide Omni support with the name of your GCS bucket and the service account key you created in the previous step.

3. Complete setup with Omni support
   Omni support completes the configuration on the Omni side.

Once configured, audit logs will be automatically delivered to your GCS bucket.

Next steps