From d3f88587023a93a4ef8ce6e254ab7d22fe5f9dca Mon Sep 17 00:00:00 2001 From: Michael Lin Date: Thu, 17 Jul 2025 13:10:51 -0700 Subject: [PATCH] cloud: update logpush docs --- docs/cloud/index.mdx | 9 ++++----- docs/cloud/logpush_gcs.mdx | 20 ++++++++++++++++++++ docs/cloud/logpush_s3.mdx | 31 +++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 5 deletions(-) create mode 100644 docs/cloud/logpush_gcs.mdx create mode 100644 docs/cloud/logpush_s3.mdx diff --git a/docs/cloud/index.mdx b/docs/cloud/index.mdx index 6e90ef111..8c62f613e 100644 --- a/docs/cloud/index.mdx +++ b/docs/cloud/index.mdx @@ -154,8 +154,7 @@ To learn more about how the Sourcegraph team operates managed SMTP internally, r ### Audit Logs -Our Cloud instances provide [audit logs](/admin/audit_log#cloud) to help you monitor and investigate actions taken by users and the system. These logs are available to download by request and are also sent to a [centralized logging service](https://about.sourcegraph.com/security#logging) for 30 day retention. Should you wish to -extend this period, please be aware that additional charges will apply. +Our Cloud instances provide [audit logs](/admin/audit_log#cloud) to help you monitor and investigate actions taken by users and the system. These logs are available to download by request and are also sent to a [centralized logging service](https://about.sourcegraph.com/security#logging) for 30 day retention. Should you wish to extend this period, please be aware that additional charges will apply. To request an extension, please contact your assigned Customer Engineer (CE) or send an email to Sourcegraph Support at support@sourcegraph.com. #### Download audit logs 
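Review bot: the rewrapped sentence in the `### Audit Logs` hunk keeps the existing "30 day retention"; since the line is being touched anyway, hyphenate it as "30-day retention". The added sentence names support@sourcegraph.com as the contact for retention extensions; the rest of the paragraph uses links, so consider rendering the address as a link (`[support@sourcegraph.com](mailto:support@sourcegraph.com)`) for consistency.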
@@ -164,12 +163,12 @@ For requesting audit logs, please contact your our support team. #### Deliver audit logs to customer-managed destination (LogPush) -Sourcegraph LogPush is an optional add-on to deliver audit logs to a customer provided destination. To enable this feature, please contact your assigned Customer Engineer (CE) or support team. +Sourcegraph LogPush is an optional add-on to deliver audit logs to a customer provided destination. To enable this feature, please contact your assigned Customer Engineer (CE) or support team to obtain the setup instructions for your destination. Supported destinations: -- Google Cloud Storage (GCS) -- Amazon S3 (AWS) +- [Google Cloud Storage (GCS)](./logpush_gcs) +- [Amazon Web Services S3 (AWS)](./logpush_s3) ## Requirements diff --git a/docs/cloud/logpush_gcs.mdx b/docs/cloud/logpush_gcs.mdx new file mode 100644 index 000000000..516c17516 --- /dev/null +++ b/docs/cloud/logpush_gcs.mdx @@ -0,0 +1,20 @@ +# LogPush for Google Cloud Storage (GCS) + +## Overview + +Our services will periodically push audit logs to customer-managed GCS bucket. Authentication and authorization are securely handled by GCP IAM service. + +## Steps + +To enable this feature, please contact your assigned Customer Engineer (CE) or support team to obtain the specific instruction. Below is a high level overview of the steps. + +- Sourcegraph provides below information to customer: + - email of a Sourcegraph-owned GCP Service Account (GSA) + - a unique file to prove bucket ownership +- Customer to perform the following: + - creates a GCS bucket + - grants the Sourcegraph-owned GSA sufficient IAM roles to access the bucket + - uploads the ownership file to prove bucket ownership +- Customer to inform Sourcegraph of the bucket name + +Once completed, Sourcegraph will complete the LogPush configuration and start sending logs to the customer-managed GCS bucket. 
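Review bot: the new link text "Amazon Web Services S3 (AWS)" in the `Supported destinations:` list does not match the title of the page it points to, "LogPush for Amazon S3 (AWS)" in docs/cloud/logpush_s3.mdx; use the same name in both places, e.g. `- [Amazon S3 (AWS)](./logpush_s3)`. The unchanged context line "please contact your our support team" carries a duplicated word ("your our") that could be fixed in the same change.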
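Review bot: "grants the Sourcegraph-owned GSA sufficient IAM roles to access the bucket" in docs/cloud/logpush_gcs.mdx does not say which roles, so a customer following this overview may grant broader access than a log push needs; name the minimal role the push actually requires (object creation on that single bucket, bound at bucket rather than project level) or state explicitly that the detailed instructions from the CE list it, since the customer-side grant is what bounds what the Sourcegraph identity can do in their project. Grammar nits in the same file: "push audit logs to customer-managed GCS bucket" -> "to a customer-managed GCS bucket", "provides below information to customer" -> "provides the following information to the customer", "obtain the specific instruction" -> "obtain the specific instructions", and the step list mixes "Sourcegraph provides" with "Customer to perform"; pick one form.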
diff --git a/docs/cloud/logpush_s3.mdx b/docs/cloud/logpush_s3.mdx new file mode 100644 index 000000000..b3ddf6d0a --- /dev/null +++ b/docs/cloud/logpush_s3.mdx @@ -0,0 +1,31 @@ +# LogPush for Amazon S3 (AWS) + +## Overview + +Our services will periodically push audit logs to customer-managed AWS S3 bucket. Authentication and authorization are securely handled by AWS Security Token Service with an explicit trust relationship between Sourcegraph-owned GCP identity (GCP Service Account) and the customer-managed AWS S3 bucket. + +## Steps + +To enable this feature, please contact your assigned Customer Engineer (CE) or support team to obtain the specific instruction. Below is a high level overview of the steps. + +- Sourcegraph provides below information to customer: + - GCP identity (GCP Service Account) + - a unique file to prove bucket ownership +- Customer to perform the following: + - creates a S3 bucket + - configures the trust relationship with AWS IAM + - uploads the ownership file to prove bucket ownership +- Customer to inform Sourcegraph of the S3 bucket ARN and the AWS IAM role ARN + +Once completed, Sourcegraph will complete the LogPush configuration and start sending logs to the customer-managed S3 bucket. + +## FAQ + +### How does the authentication work? + +Sourcegraph will provide instructions on how to configure the trust relationship between the Sourcegraph-owned GCP identity (GCP Service Account) and the customer-managed AWS S3 bucket. We will also provide the example configuration in Terraform. At a high level: + +- Customer creates a AWS IAM role: + - with a policy to permit such role to access the S3 bucket + - with a policy to permit the Sourcegraph-owned GSA to assume such role +- Sourcegraph assumes the provisioned AWS IAM role to access the bucket
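Review bot: the Overview in docs/cloud/logpush_s3.mdx says the trust relationship is between the Sourcegraph-owned GCP Service Account "and the customer-managed AWS S3 bucket", but the FAQ further down describes it as a trust policy on a customer-created AWS IAM role that the GSA assumes, with bucket access granted by that role's own policy; align the Overview with the FAQ so readers do not go looking for a trust setting on the bucket itself. "GSA" appears in the FAQ without being expanded on this page (it is only defined in logpush_gcs.mdx); expand it on first use. "with a policy to permit such role to access the S3 bucket" should name the minimal permission (writing objects into the specific bucket or prefix), because that role policy is what limits what Sourcegraph can do in the customer's account. Grammar nits: "to customer-managed AWS S3 bucket" -> "to a customer-managed AWS S3 bucket", "creates a S3 bucket" and "creates a AWS IAM role" -> "an", "the example configuration in Terraform" -> "an example configuration in Terraform".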