Event Streaming with GCP Pub/Sub
Follow these steps to start streaming audit logs from your GCP project to SlashID.
Prerequisites
Before you begin, ensure you have:
- A GCP Project data source configured in the SlashID console. Note the Connection ID shown in the data source details — you will need it in the steps below.
- The gcloud CLI installed and authenticated with an account that has project-level permissions.
Setup
Set the following environment variables. Resource names (such as topic and subscription names) can be modified to fit your naming conventions.
# The GCP project to stream audit logs from. The Pub/Sub resources will also be created in this project.
$ export PROJECT_ID=<YOUR_GCP_PROJECT_ID>
# The Connection ID for the GCP Project data source you created in the SlashID console.
$ export CONNECTION_ID=<YOUR_SLASHID_CONNECTION_ID>
# Names for the Pub/Sub resources and log sink. You can change these to match your conventions.
$ export TOPIC_NAME=audit-logs
$ export SUBSCRIPTION_NAME=audit-logs-push-slashid
$ export SINK_NAME=audit-sink
Ensure the Pub/Sub and Logging APIs are enabled in the project:
$ gcloud services enable pubsub.googleapis.com --project=${PROJECT_ID}
$ gcloud services enable logging.googleapis.com --project=${PROJECT_ID}
1. Create a Pub/Sub topic
$ gcloud pubsub topics create ${TOPIC_NAME} --project=${PROJECT_ID}
2. Create a push subscription to the SlashID events endpoint
The push subscription delivers messages to SlashID using an OIDC token signed by Google for authentication.
The service account used for signing must be in the same project as the subscription and must have the roles/iam.serviceAccountTokenCreator role in that project.
$ gcloud pubsub subscriptions create ${SUBSCRIPTION_NAME} \
--project=${PROJECT_ID} \
--topic=${TOPIC_NAME} \
--push-endpoint='https://slashid.com/nhi/events/v2/gcp_project' \
--ack-deadline=60 \
--push-auth-token-audience=${CONNECTION_ID} \
--push-auth-service-account=<YOUR_SERVICE_ACCOUNT_EMAIL> \
--push-no-wrapper
3. Create a project-level log sink
This creates a project-level log sink that exports audit logs from the project to the Pub/Sub topic. The filter matches every Cloud Audit Logs stream (Admin Activity, Data Access, System Event and Policy Denied), so Data Access logs, if you have enabled them, are exported as well and can make the volume considerably larger.
$ gcloud logging sinks create ${SINK_NAME} \
pubsub.googleapis.com/projects/${PROJECT_ID}/topics/${TOPIC_NAME} \
--project=${PROJECT_ID} \
--log-filter='logName:"cloudaudit.googleapis.com"'
4. Grant the sink permission to publish to the topic
The log sink uses a dedicated service account managed by Google. Grant it the publisher role on the topic:
$ gcloud pubsub topics add-iam-policy-binding ${TOPIC_NAME} \
--member=$(gcloud logging sinks describe ${SINK_NAME} --project=${PROJECT_ID} --format="value(writerIdentity)") \
--role=roles/pubsub.publisher \
--project=${PROJECT_ID}
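Once the four steps are done, it is worth checking that the subscription really matches the configuration above (endpoint, audience, signing account, ack deadline, no wrapper), since a wrong audience or a missing OIDC token silently breaks or weakens delivery. The following is an added example, not part of the SlashID documentation or tooling: it checks the JSON that `gcloud pubsub subscriptions describe ${SUBSCRIPTION_NAME} --format=json` prints, assuming the Pub/Sub Subscription resource shape (`pushConfig.oidcToken`, `pushConfig.noWrapper`); the project ID, connection ID and sample output are constructed.

```python
import json

# Constructed placeholders standing in for ${PROJECT_ID} and ${CONNECTION_ID}.
PROJECT_ID = "my-gcp-project"
CONNECTION_ID = "conn_0123456789abcdef"
PUSH_ENDPOINT = "https://slashid.com/nhi/events/v2/gcp_project"

# Constructed sample of `gcloud pubsub subscriptions describe ... --format=json`
# output; the field names follow the Pub/Sub Subscription resource (assumption).
SAMPLE_SUBSCRIPTION = json.loads("""{
  "name": "projects/my-gcp-project/subscriptions/audit-logs-push-slashid",
  "topic": "projects/my-gcp-project/topics/audit-logs",
  "ackDeadlineSeconds": 60,
  "pushConfig": {
    "pushEndpoint": "https://slashid.com/nhi/events/v2/gcp_project",
    "oidcToken": {
      "serviceAccountEmail": "slashid-push@my-gcp-project.iam.gserviceaccount.com",
      "audience": "conn_0123456789abcdef"
    },
    "noWrapper": {"writeMetadata": false}
  }
}""")


def check_push_subscription(sub: dict, project_id: str, connection_id: str) -> list[str]:
    """Return findings for a subscription; an empty list means it matches the setup."""
    findings = []
    push = sub.get("pushConfig") or {}
    if push.get("pushEndpoint") != PUSH_ENDPOINT:
        findings.append(f"pushEndpoint is {push.get('pushEndpoint')!r}, expected {PUSH_ENDPOINT!r}")
    oidc = push.get("oidcToken")
    if not oidc:
        # Without an oidcToken the endpoint receives unauthenticated pushes.
        findings.append("no oidcToken: pushes to SlashID are not signed")
    else:
        if oidc.get("audience") != connection_id:
            findings.append(f"audience is {oidc.get('audience')!r}, expected the Connection ID")
        # Only recognises user-managed service accounts of this project (assumption);
        # a default service account has a different email domain.
        sa = oidc.get("serviceAccountEmail", "")
        if not sa.endswith(f"@{project_id}.iam.gserviceaccount.com"):
            findings.append(f"serviceAccountEmail {sa!r} is not a service account of {project_id}")
    if "noWrapper" not in push:
        findings.append("push wrapper is enabled; subscription was expected to use --push-no-wrapper")
    if sub.get("ackDeadlineSeconds") != 60:
        findings.append(f"ackDeadlineSeconds is {sub.get('ackDeadlineSeconds')}, expected 60")
    if not sub.get("topic", "").startswith(f"projects/{project_id}/topics/"):
        findings.append(f"topic {sub.get('topic')!r} is not in project {project_id}")
    return findings


if __name__ == "__main__":
    for line in check_push_subscription(SAMPLE_SUBSCRIPTION, PROJECT_ID, CONNECTION_ID) or ["OK"]:
        print(line)
```

To check a real subscription, load the `describe` output with `json.load` and pass it with your own project and Connection ID.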