Policy: GCP > Turbot > Event Handlers > Logging > Unique Writer Identity

Choose the writer identity used for Guardrails Event Handlers logging sink in the Project. If Enforce: Default Service Account, the default writer identity, serviceAccount:cloud-logs@system.gserviceaccount.com, is used. (This is the default setting.) If Enforce: Unique Identity, a new service account is created matching the pattern: serviceAccount:service-${projectNumber}@gcp-sa-logging.iam.gserviceaccount.com and it will then be used for creating the logging sink.

Targets

This policy targets the following resource types:

GCP > Project

Primary Policy

This policy is used with the following primary policy:

GCP > Turbot > Event Handlers > Logging

Controls

Setting this policy configures this control:

GCP > Turbot > Event Handlers > Pub/Sub

Policy Packs

This policy setting is used by the following policy packs:

GCP CIS v2.0.0 - Section 2 - Logging and Monitoring

Policy Specification

Schema Type	`string`
Default	`Enforce: Default Service Account`
Valid Values [YAML]	`Enforce: Default Service Account` `Enforce: Unique Identity`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/turbot#/control/categories/turbot

Policy Type URI

tmod:@turbot/gcp#/policy/types/eventHandlersLoggingUniqueWriterIdentity

GraphQL

query policyType(id: "tmod:@turbot/gcp#/policy/types/eventHandlersLoggingUniqueWriterIdentity") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/gcp#/policy/types/eventHandlersLoggingUniqueWriterIdentity'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/gcp#/policy/types/eventHandlersLoggingUniqueWriterIdentity'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/gcp#/policy/types/eventHandlersLoggingUniqueWriterIdentity"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/gcp#/policy/types/eventHandlersLoggingUniqueWriterIdentity"