Enable Cloud Logging for Gemini Code Assist

Risk Level: Medium (should be achieved)

Ensure that your Google Cloud Platform (GCP) Gemini Code Assist has Cloud Logging enabled to capture user interactions, prompts, responses, and metadata. Cloud Logging for Gemini Code Assist provides visibility into how developers use the AI-powered coding assistant within their IDE, enabling organizations to monitor usage patterns, detect potential security issues, maintain compliance with data governance policies, and create comprehensive audit trails. Logging captures two types of data: (1) Prompt and Response Logs which include user input, contextual information, and AI-generated responses, and (2) Metadata Logs which capture telemetry data and track lines of code accepted by users. Cloud Logging requires that the project be attached to a billing account, the Cloud Logging API be enabled, and appropriate IAM permissions be granted. Logging can be configured through the Google Cloud Console's "Admin for Gemini" settings or via API using the loggingSettings resource, and settings can be bound to specific projects for granular control. Note that logging is limited to user interactions within an IDE and does not support Gemini Code Assist on GitHub.

Security

By enabling Cloud Logging for Gemini Code Assist, organizations gain critical visibility into AI-assisted code generation activities and can maintain comprehensive security monitoring and compliance controls. Without logging enabled, organizations cannot track what code suggestions were provided, what prompts users submitted, or what context was shared with the AI model, creating blind spots in security monitoring and making it impossible to investigate potential security incidents involving code generation. Cloud Logging enables security teams to detect anomalous usage patterns, identify potential data leakage through prompts, monitor compliance with acceptable use policies, and maintain audit trails required by regulatory frameworks such as SOC 2, ISO 27001, and industry-specific compliance standards. The metadata logs provide quantitative insights into Code Assist adoption and usage effectiveness, while prompt and response logs enable detailed forensic analysis if security concerns arise. Organizations can use Cloud Audit Logs to track all administrative actions related to logging configuration changes. Selective logging configuration allows organizations to balance security monitoring needs with privacy considerations and storage costs. Without Cloud Logging enabled, organizations operating in regulated industries or those with strict data governance requirements cannot demonstrate adequate oversight of AI-assisted development activities or prove compliance with policies governing code generation tools.

Important: Logging captures prompts and contextual information that may include sensitive code snippets, comments, or intellectual property. Organizations should implement appropriate access controls on Cloud Logging data and consider data retention policies that comply with privacy regulations. Logged data should be protected with appropriate IAM permissions to prevent unauthorized access. Review your organization's data governance and privacy policies before enabling prompt and response logging. Gemini Code Assist on GitHub does not support logging with Cloud Logging.


Audit

To determine if Cloud Logging is enabled for your Gemini Code Assist instances, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to the Admin for Gemini console (search for "Admin for Gemini" in the search bar).

04 Click on Settings in the Admin for Gemini page.

05 Review the logging configuration status for both Logging for Code Assist metadata and Logging for Code Assist prompts and responses.

06 If both logging options show as disabled or off, Cloud Logging is not properly configured for security monitoring, therefore the configuration is not compliant.

07 If at minimum Logging for Code Assist metadata is enabled (recommended: both metadata and prompt/response logging should be enabled), the configuration provides adequate audit capabilities.

08 Verify that the Cloud Logging API is enabled by navigating to APIs & Services > Library and searching for "Cloud Logging API". If the API shows as disabled, logging cannot function properly.

09 Repeat steps no. 2 – 8 for each project available within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) to list all the project IDs available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-codeassist-project-112233
cc-development-project-445566

03 Run services list command (Windows/macOS/Linux) to verify that the Cloud Logging API is enabled:

gcloud services list \
	--enabled \
	--project cc-codeassist-project-112233 \
	--filter="name:logging.googleapis.com" \
	--format="table(name)"

04 The command output should return the Cloud Logging API if enabled:

NAME
logging.googleapis.com

05 If the output is empty, the Cloud Logging API is not enabled, therefore logging cannot function.

06 To check the logging configuration using the Cloud AI Companion API, run the following curl command (Windows/macOS/Linux) to retrieve the logging settings:

curl -X GET \
"https://cloudaicompanion.googleapis.com/v1/projects/cc-codeassist-project-112233/locations/global/loggingSettings/cc-codeassist-project-112233" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json"

07 The command output should return the logging configuration settings:

{
	"name": "projects/cc-codeassist-project-112233/locations/global/loggingSettings/cc-codeassist-project-112233",
	"labels": {},
	"logMetadata": false,
	"logPromptsAndResponses": false,
	"createTime": "2024-01-15T10:30:00.123456789Z",
	"updateTime": "2024-01-15T10:30:00.123456789Z"
}

08 Review the values for logMetadata and logPromptsAndResponses. If they are false, Cloud Logging is disabled.

09 To verify that settings are actually bound to the project (required for them to take effect), run:

curl -X GET \
"https://cloudaicompanion.googleapis.com/v1/projects/cc-codeassist-project-112233/locations/global/loggingSettings/cc-codeassist-project-112233/settingBindings/cc-codeassist-project-112233" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json"

10 The command output should confirm that the binding exists:

{
	"name": "projects/cc-codeassist-project-112233/locations/global/loggingSettings/cc-codeassist-project-112233/settingBindings/cc-codeassist-project-112233",
	"target": "projects/123456789012",
	"product": "GEMINI_CODE_ASSIST",
	"createTime": "2024-01-15T10:30:00.123456789Z",
	"updateTime": "2024-01-15T10:30:00.123456789Z"
}

11 If the command returns a 404 error, the setting binding is missing, and logging is effectively disabled regardless of the setting values.

12 The configuration is compliant only if logMetadata is true AND the setting binding exists.

13 Repeat steps no. 3 – 12 for each project available within your Google Cloud account.
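
The compliance rule from steps 06 – 12, as an added example that is not part of the original page or of any Trend Micro or Google tooling. It assumes, as the page's sample commands do, that the loggingSettings ID and the settingBindings ID are both equal to the project ID; treating a 404 on the loggingSettings resource as non-compliant and any other non-200 status (for example 403) as an undetermined result are assumptions of this example.

```python
import json
import subprocess
import urllib.error
import urllib.request

API = "https://cloudaicompanion.googleapis.com/v1"

def settings_url(project):
    # Assumption: the setting ID equals the project ID, as in the page's examples.
    return f"{API}/projects/{project}/locations/global/loggingSettings/{project}"

def binding_url(project):
    return f"{settings_url(project)}/settingBindings/{project}"

def fetch(url, token):
    """GET url and return (http_status, parsed JSON body or {} on an HTTP error)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

def evaluate(settings_status, settings, binding_status):
    """Compliant only if logMetadata is true AND the setting binding exists."""
    if settings_status not in (200, 404) or binding_status not in (200, 404):
        # A denied or failed request must not be reported as a pass or a fail.
        return "ERROR", [f"unexpected HTTP status {settings_status}/{binding_status}"]
    reasons = []
    if settings_status == 404:
        reasons.append("loggingSettings resource not found")
    elif settings.get("logMetadata") is not True:  # a missing field counts as false
        reasons.append("logMetadata is not true")
    if binding_status == 404:
        reasons.append("setting binding missing, settings have no effect")
    if reasons:
        return "NON_COMPLIANT", reasons
    prompts_on = settings.get("logPromptsAndResponses") is True
    return "COMPLIANT", [] if prompts_on else ["logPromptsAndResponses is off (recommended: on)"]

def audit_project(project):
    """Run both GET requests from the audit steps and apply evaluate()."""
    token = subprocess.run(["gcloud", "auth", "print-access-token"],
                           check=True, capture_output=True, text=True).stdout.strip()
    s_status, settings = fetch(settings_url(project), token)
    b_status, _ = fetch(binding_url(project), token)
    return evaluate(s_status, settings, b_status)
```

Call `audit_project()` once per project ID returned by `gcloud projects list`; a result of `ERROR` usually means the caller lacks permission to read the settings and the project needs a manual check.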

Remediation / Resolution

To enable Cloud Logging for your Gemini Code Assist, you must ensure the Cloud Logging API is enabled, configure appropriate IAM permissions, and enable logging for prompts/responses and metadata. Perform the following operations:

Important: Gemini Code Assist logging requires that the project be attached to a billing account. Logging applies to Gemini Code Assist Standard and Enterprise editions but does not support Gemini Code Assist on GitHub. Prompt and response logs may contain sensitive information including code snippets and intellectual property, so implement appropriate IAM access controls on logged data. The "Gemini for Google Cloud Settings Admin" role (roles/cloudaicompanion.settingsAdmin) is recommended for managing logging settings. Review your organization's data privacy and retention policies before enabling logging.

Using GCP Console

Step 1: Enable Cloud Logging API

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project where Gemini Code Assist is used from the console top navigation bar.

03 Verify that the project is attached to a billing account by navigating to Billing and confirming active billing.

04 Navigate to APIs & Services > Library.

05 Search for "Cloud Logging API".

06 If the API is not already enabled, click Enable to activate the Cloud Logging API for your project.

Step 2: Verify IAM Permissions

07 Navigate to IAM & Admin > IAM by clicking the navigation menu (☰) in the top-left corner, then selecting IAM & Admin > IAM from the left sidebar.

08 In the IAM page, review the principals list to verify that your user account or service account has the Gemini for Google Cloud Settings Admin role (roles/cloudaicompanion.settingsAdmin) or equivalent permissions:

  • Use the filter box at the top to search for your email address or service account
  • Look in the Role column for the principal
  • Check if Gemini for Google Cloud Settings Admin (roles/cloudaicompanion.settingsAdmin) is listed

09 If the role is not assigned, grant the necessary permissions:

  • Click the Grant Access button at the top of the IAM page
  • In the Add principals dialog, enter the email address of the user or service account in the New principals field
  • Click the Select a role dropdown
  • Search for "Gemini for Google Cloud Settings Admin" or type "roles/cloudaicompanion.settingsAdmin"
  • Select Gemini for Google Cloud Settings Admin from the filtered results
  • Click Save to grant the role
  • Verify the principal now appears in the IAM list with the assigned role

Step 3: Enable Logging for Gemini Code Assist

10 Navigate to Admin for Gemini (search for "Admin for Gemini" in the console search bar).

11 Click on Settings in the Admin for Gemini page.

12 Locate the logging configuration section.

13 Enable Logging for Code Assist metadata by toggling the switch to on. This captures telemetry metadata and lines of code accepted by users.

14 Enable Logging for Code Assist prompts and responses by toggling the switch to on. This captures user input, contextual information, and AI responses.

15 Click Save Changes to apply the logging configuration.

16 Verify that the logging settings are saved and both options show as enabled.

Note: Even with the resource created and the API showing enabled, the console toggles may still appear unchecked if the setting binding is missing. Always verify the configuration and the binding using the commands in the Using GCP CLI sections; the API is the authoritative source of truth.

Step 4: Verify Logging Configuration

17 Navigate to Logging > Logs Explorer to verify that Gemini Code Assist logs are being captured.

18 Use the following filter to search for Gemini Code Assist logs:

resource.type="cloud_ai_companion"

19 Verify that logs appear when developers use Gemini Code Assist in their IDE.

20 Repeat steps no. 2 – 19 for each project available within your Google Cloud account.

Using GCP CLI

Step 1: Enable Cloud Logging API

01 Run services enable command (Windows/macOS/Linux) to enable the Cloud Logging API:

gcloud services enable logging.googleapis.com \
	--project cc-codeassist-project-112233

02 Verify that the API is enabled by running:

gcloud services list \
	--enabled \
	--project cc-codeassist-project-112233 \
	--filter="name:logging.googleapis.com"

03 The command output should return the Cloud Logging API if enabled:

NAME
logging.googleapis.com

Step 2: Configure Logging Settings Using API

04 Run the following curl command (Windows/macOS/Linux) to create or update the logging settings to enable both metadata and prompt/response logging:

curl -X PATCH \
	"https://cloudaicompanion.googleapis.com/v1/projects/cc-codeassist-project-112233/locations/global/loggingSettings/cc-codeassist-project-112233?updateMask=logMetadata,logPromptsAndResponses" \
	-H "Authorization: Bearer $(gcloud auth print-access-token)" \
	-H "Content-Type: application/json" \
	-d '{
		"logMetadata": true,
		"logPromptsAndResponses": true
	}'

05 The command output should confirm the logging configuration:

{
	"name": "projects/cc-codeassist-project-112233/locations/global/loggingSettings/cc-codeassist-project-112233",
	"labels": {},
	"logMetadata": true,
	"logPromptsAndResponses": true,
	"createTime": "2024-01-15T10:30:00.123456789Z",
	"updateTime": "2024-01-15T10:35:00.123456789Z"
}

Step 3: Create Setting Binding

06 Run the following curl command (Windows/macOS/Linux) to bind the logging settings to the project. This step is required for the settings to take effect:

curl -X POST \
	"https://cloudaicompanion.googleapis.com/v1/projects/cc-codeassist-project-112233/locations/global/loggingSettings/cc-codeassist-project-112233/settingBindings?settingBindingId=cc-codeassist-project-112233" \
	-H "Authorization: Bearer $(gcloud auth print-access-token)" \
	-H "Content-Type: application/json" \
	-d '{
		"target": "projects/cc-codeassist-project-112233"
	}'

07 The command output should confirm the creation of the setting binding:

{
	"name": "projects/cc-codeassist-project-112233/locations/global/loggingSettings/cc-codeassist-project-112233/settingBindings/cc-codeassist-project-112233",
	"target": "projects/cc-codeassist-project-112233",
	"product": "GEMINI_CODE_ASSIST",
	"createTime": "2024-01-15T10:30:00.123456789Z",
	"updateTime": "2024-01-15T10:30:00.123456789Z"
}

Step 4: Verify Logging Configuration

08 Run the following curl command (Windows/macOS/Linux) to verify the logging settings are enabled:

curl -X GET \
"https://cloudaicompanion.googleapis.com/v1/projects/cc-codeassist-project-112233/locations/global/loggingSettings/cc-codeassist-project-112233" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json"

09 Verify that the output shows both logMetadata and logPromptsAndResponses are set to true.

10 Query Cloud Logging to verify logs are being captured:

gcloud logging read "resource.type=cloud_ai_companion" \
	--project cc-codeassist-project-112233 \
	--limit 10

11 Repeat steps no. 1 – 10 for each project available within your Google Cloud account.

Publication date Jan 22, 2026