I am trying to trigger a Cloud Run service by uploading a file to a Google Cloud Storage bucket. To do so, an Eventarc trigger was created via Terraform, which filters for the storage.objects.create event from the Audit Logs. Google has documentation on this exact topic: here
Even though the audit log is correctly recorded, the event is not getting fired (no activity from Eventarc, Pub/Sub, and Cloud Run). I am not sure where else to look.
My question is: Can I still achieve this using Audit Log triggers without relying on direct triggers (e.g., google.cloud.storage.object.v1.finalized)?
Truncated output of gcloud eventarc triggers describe:
```yaml
destination:
  cloudRun:
    region: us-east4
    service: <SERVICE_NAME>
eventFilters:
- attribute: serviceName
  value: storage.googleapis.com
- attribute: type
  value: google.cloud.audit.log.v1.written
- attribute: methodName
  value: storage.objects.create
name: projects/<PROJECT>/locations/us-east4/triggers/<TRIGGER_NAME>
serviceAccount: <COMPUTE_ENGINE_DEFAULT_SERVICE_ACCOUNT>
transport:
  pubsub:
    subscription: projects/<PROJECT>/subscriptions/eventarc-us-east4-<TRIGGER_NAME>-sub-279
    topic: projects/<PROJECT>/topics/eventarc-us-east4-<TRIGGER_NAME>-401
```
Truncated output of gcloud logging read "protoPayload.methodName=storage.objects.create" --format=json:
```json
{
  "logName": "projects/<PROJECT>/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "methodName": "storage.objects.create",
    "resourceName": "projects/_/buckets/<BUCKET>/objects/<BLOB>",
    "serviceData": {
      "@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
      "policyDelta": {}
    },
    "serviceName": "storage.googleapis.com",
    "status": {}
  },
  "resource": {
    "labels": {
      "bucket_name": "<BUCKET>",
      "project_id": "<PROJECT>"
    },
    "type": "gcs_bucket"
  },
  "severity": "INFO",
}
```
Finally, how I'm creating the Eventarc Trigger with Terraform:
```hcl
resource "google_eventarc_trigger" "cloud_run_trigger" {
  name = "<TRIGGER_NAME>"
  # `location` is a required argument of this resource; us-east4 is the
  # region shown in the trigger name in the `gcloud eventarc triggers describe` output.
  location = "us-east4"

  # Audit-log triggers always use this event type ...
  matching_criteria {
    attribute = "type"
    value     = "google.cloud.audit.log.v1.written"
  }

  # ... narrowed to the Cloud Storage service and the object-create method.
  matching_criteria {
    attribute = "serviceName"
    value     = "storage.googleapis.com"
  }

  matching_criteria {
    attribute = "methodName"
    value     = "storage.objects.create"
  }

  destination {
    cloud_run_service {
      service = google_cloud_run_service.default.name
    }
  }
}
```
I've done everything I can to follow Google's documentation & filter for correct Audit Log based on serviceName and methodName. The entire project is silent when the event is logged, which seems like the event is not firing for some reason. I do not observe any activity in Cloud Run, Eventarc, and Pub/Sub.
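As an added example (not part of the question, and not Google tooling), a small Python check that applies the trigger's event filters from the describe output above to the logged audit entry, and reports whether that entry is a Data Access log, the prerequisite for storage.objects.create to be audited at all. The filter list and log entry are transcribed from the question; the helper names are this example's own.

```python
from typing import Dict, List, Tuple

# Event filters transcribed from the `gcloud eventarc triggers describe` output
# in the question (a constructed literal, not fetched from gcloud).
TRIGGER_EVENT_FILTERS: List[Dict[str, str]] = [
    {"attribute": "serviceName", "value": "storage.googleapis.com"},
    {"attribute": "type", "value": "google.cloud.audit.log.v1.written"},
    {"attribute": "methodName", "value": "storage.objects.create"},
]

# The question's `gcloud logging read` entry, trimmed to the fields the
# filters inspect (constructed literal).
SAMPLE_AUDIT_ENTRY: dict = {
    "logName": "projects/<PROJECT>/logs/cloudaudit.googleapis.com%2Fdata_access",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "methodName": "storage.objects.create",
        "resourceName": "projects/_/buckets/<BUCKET>/objects/<BLOB>",
        "serviceName": "storage.googleapis.com",
    },
}

def filter_matches(entry: dict, attribute: str, value: str) -> bool:
    """Hypothetical helper (not an Eventarc API): one exact-match filter."""
    if attribute == "type":  # audit-log triggers accept only this event type
        return value == "google.cloud.audit.log.v1.written"
    if attribute in ("serviceName", "methodName", "resourceName"):
        return entry.get("protoPayload", {}).get(attribute) == value
    return False  # unknown attribute: treat as a non-match

def diagnose(entry: dict, filters: List[Dict[str, str]]) -> Tuple[bool, List[str]]:
    """Return (all_filters_match, notes). A full match rules out the filters; the
    remaining suspects are IAM on the trigger service account and the Pub/Sub push to Cloud Run."""
    notes: List[str] = []
    all_match = True
    for f in filters:
        hit = filter_matches(entry, f["attribute"], f["value"])
        all_match = all_match and hit
        notes.append(f"{'match' if hit else 'MISS'}: {f['attribute']}={f['value']}")
    if entry.get("logName", "").endswith("cloudaudit.googleapis.com%2Fdata_access"):
        notes.append("Data Access audit log present: DATA_WRITE auditing is on for storage")
    else:  # storage.objects.create is only audited when Data Access logs are enabled
        notes.append("not a Data Access log: enable Data Access (DATA_WRITE) audit logs")
    return all_match, notes

if __name__ == "__main__":
    matched, report = diagnose(SAMPLE_AUDIT_ENTRY, TRIGGER_EVENT_FILTERS)
    print("filters match:", matched, *report, sep="\n  ")
```

Run against the question's own entry it reports a full match, which says the filters are not why the trigger is silent.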
