Overview

The GCP Cloud Logging integration automatically discovers AI model usage in your Google Cloud environment by reading audit logs for Vertex AI API calls. This gives your security team visibility into which AI models are being used, by whom, and how frequently.

What Data Is Collected

Ayliea reads API call metadata only from Cloud Logging:
  • Model names — which Vertex AI models are invoked (e.g., gemini-pro)
  • User identities — service accounts or users making the calls
  • Timestamps — when calls occurred
  • Method names — the API method (e.g., predict, generateContent)
Ayliea never reads prompt content, model responses, or any payload data. Only audit log metadata from Cloud Logging is accessed.
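
To see what "metadata only" means in practice, this added example (not Ayliea's code) pulls the four fields listed above out of audit log entries and counts calls per identity, model and method. It assumes entries exported one JSON object per line in the Cloud Audit Logs layout (`protoPayload.serviceName`, `methodName`, `resourceName`, `authenticationInfo.principalEmail`); the project, identities and log lines are constructed samples.

```python
import json
from collections import Counter

# Constructed sample entries in the Cloud Audit Logs LogEntry shape (not real logs).
SAMPLE_LOG = """\
{"timestamp":"2024-05-01T09:15:02Z","protoPayload":{"serviceName":"aiplatform.googleapis.com","methodName":"google.cloud.aiplatform.v1.PredictionService.GenerateContent","resourceName":"projects/demo-proj/locations/us-central1/publishers/google/models/gemini-pro","authenticationInfo":{"principalEmail":"batch-job@demo-proj.iam.gserviceaccount.com"},"request":{"contents":"PAYLOAD-NOT-READ"}}}
{"timestamp":"2024-05-01T09:16:40Z","protoPayload":{"serviceName":"aiplatform.googleapis.com","methodName":"google.cloud.aiplatform.v1.PredictionService.GenerateContent","resourceName":"projects/demo-proj/locations/us-central1/publishers/google/models/gemini-pro","authenticationInfo":{"principalEmail":"batch-job@demo-proj.iam.gserviceaccount.com"}}}
{"timestamp":"2024-05-01T11:02:13Z","protoPayload":{"serviceName":"aiplatform.googleapis.com","methodName":"google.cloud.aiplatform.v1.PredictionService.Predict","resourceName":"projects/demo-proj/locations/us-central1/publishers/google/models/gemini-pro","authenticationInfo":{"principalEmail":"alice@example.com"}}}
{"timestamp":"2024-05-01T11:05:00Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get","resourceName":"projects/_/buckets/demo/objects/a.txt","authenticationInfo":{"principalEmail":"alice@example.com"}}}
truncated-line-not-json
"""

VERTEX_SERVICE = "aiplatform.googleapis.com"

def extract_metadata(entry):
    """Return only model, principal, timestamp and method; None for non-Vertex entries."""
    payload = entry.get("protoPayload") or {}
    if payload.get("serviceName") != VERTEX_SERVICE:
        return None
    resource = payload.get("resourceName", "")
    # Model name is the path segment after "/models/"; absent for other resource types.
    model = resource.split("/models/", 1)[1].split("/")[0] if "/models/" in resource else None
    return {
        "model": model,
        "principal": (payload.get("authenticationInfo") or {}).get("principalEmail", "unknown"),
        "timestamp": entry.get("timestamp"),
        "method": payload.get("methodName", "").rsplit(".", 1)[-1],
    }  # request/response bodies are never touched

def summarize(lines):
    """Count calls per (principal, model, method), skipping unparsable lines."""
    usage = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        meta = extract_metadata(entry) if isinstance(entry, dict) else None
        if meta and meta["model"]:
            usage[(meta["principal"], meta["model"], meta["method"])] += 1
    return usage

if __name__ == "__main__":
    for (who, model, method), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:3d}  {who}  {model}  {method}")
```
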

Prerequisites

  • A Google Cloud project with Vertex AI enabled
  • Permission to create service accounts and manage IAM roles
  • An Ayliea organization on the Business plan or higher

Setup Steps

1. Create a Service Account

  1. Go to the GCP Console
  2. Navigate to IAM & Admin > Service Accounts
  3. Click Create Service Account
  4. Name it (e.g., ayliea-logging-reader)
  5. Click Create and Continue

2. Add the Logs Viewer Role

  1. In the Grant this service account access step, add the role:
    • Logs Viewer (roles/logging.viewer)
  2. Click Continue, then Done
The Logs Viewer role grants read-only access to log entries. It cannot modify any GCP resources.

3. Download the JSON Key

  1. Open the service account you created
  2. Go to the Keys tab
  3. Click Add Key > Create new key
  4. Select JSON format
  5. Download and save the key file
The JSON key file contains credentials. Store it securely and delete it from your local machine after entering it in Ayliea.

4. Connect in Ayliea

  1. Go to Organization > Cloud Integrations
  2. Click Connect on the GCP Cloud Logging card
  3. Paste the contents of your service account JSON key file
  4. Click Test Connection to validate
  5. Click Connect to save

Polling Schedule

Once connected, Ayliea polls Cloud Logging daily at 7:00 AM UTC. Each poll covers the time since the last successful poll. The first poll covers the previous 24 hours.

Troubleshooting

“Invalid service account JSON format”

  • Ensure you pasted the entire JSON key file contents, including the opening and closing braces
  • Verify the JSON contains client_email, private_key, and project_id fields

“Invalid credentials or insufficient permissions”

  • Confirm the service account has the roles/logging.viewer role
  • Check that the service account key hasn’t been revoked
  • Verify Cloud Logging API is enabled in your project

“Failed to connect to GCP Cloud Logging”

  • Verify the project ID in the service account JSON is correct
  • Check that the Cloud Logging API is enabled for your project

No platforms discovered after connecting

  • Confirm that Vertex AI is being used in the project
  • Audit logs may take a few minutes to appear in Cloud Logging
  • The first poll covers only the last 24 hours — wait for the next daily poll

Security Considerations

  • Credentials are encrypted with AES-256-GCM before storage
  • The Logs Viewer role grants read-only access to log entries only
  • Ayliea never accesses Cloud Storage, Compute Engine, or any other GCP services
  • You can revoke access at any time by deleting the service account key or disconnecting in Ayliea