Tags: google-cloud-platform, google-cloud-build, identity-aware-proxy

Is it possible to identify who triggered a GCB build?


Let's say I have a Cloud Build workflow, and I trigger it by running gcloud builds triggers run my-workflow.

Is it possible for the Cloud Build workflow to identify "who" triggered it? That is, can the workflow somehow figure out that it was called by wasabi@foo.com or 1234567890-service-account@google.com? (Having the user pass their email as a --substitution doesn't count)

To be clear, this isn't about identifying the service account which is running the build; that's available directly via $SERVICE_ACCOUNT[_EMAIL]. This is about identifying who ran gcloud builds triggers run.

After some digging, I've seen mentions to IAP as a possible means of doing this, but always in the context of Cloud Functions or actual apps and services. I'm therefore unsure if this is possible with GCB. If it is true, I'm also unclear on how to use it:


Solution

  • @guillaume-blaquiere is correct: the data is captured by Audit Logs.

    I think (!) you don't need to enable Data Access audit logs but, if the logs don't include examples of the following, update the Data Access audit logs for "Cloud Build API" to include "Admin Read":

    https://console.cloud.google.com/iam-admin/audit?referrer=search&project=${PROJECT}

    You can filter the audit logs for Cloud Build methods and the auth user:

    # Project whose audit logs you want to query
    PROJECT="..."

    # Admin Activity audit log entries produced by the Cloud Build API
    FILTER='
    log_id("cloudaudit.googleapis.com/activity")
    protoPayload.serviceName=~"cloudbuild.googleapis.com"
    '

    # Print when each call happened, which API method it was, and the
    # principal (user or service account) that made the call
    FORMAT='
    value(
      timestamp,
      protoPayload.methodName,
      protoPayload.authenticationInfo.principalEmail
    )'

    gcloud logging read "${FILTER}" \
    --format="${FORMAT}" \
    --project="${PROJECT}"
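To turn the raw entries into an answer to the question ("who ran `gcloud builds triggers run` for this trigger?"), the JSON that `gcloud logging read --format=json` returns can be post-processed. The following is an added example, not code from the original post: it filters the audit entries down to the trigger-run method and reports the calling principal per trigger. The log entries are constructed sample data, and the method name `RunBuildTrigger` is assumed to be what the Cloud Build v1 API records for a manual trigger run.

```python
import json

# Constructed sample of `gcloud logging read ... --format=json` output for the
# Cloud Build audit filter above. Emails, project and IDs are made up.
SAMPLE_ENTRIES = json.dumps([
    {
        "timestamp": "2024-03-01T10:00:00.000Z",
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": "cloudbuild.googleapis.com",
            # Assumed method name for a manual `gcloud builds triggers run`
            "methodName": "google.devtools.cloudbuild.v1.CloudBuild.RunBuildTrigger",
            "authenticationInfo": {"principalEmail": "wasabi@foo.com"},
            "resourceName": "projects/my-project/triggers/my-workflow",
        },
    },
    {   # the build itself is created by the Cloud Build service agent, not the user
        "timestamp": "2024-03-01T10:00:01.000Z",
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": "cloudbuild.googleapis.com",
            "methodName": "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild",
            "authenticationInfo": {"principalEmail": "1234567890@cloudbuild.gserviceaccount.com"},
            "resourceName": "projects/my-project/builds/abc123",
        },
    },
    {   # an entry from another service that the filter must ignore
        "timestamp": "2024-03-01T10:02:00.000Z",
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.start",
            "authenticationInfo": {"principalEmail": "ops@foo.com"},
        },
    },
])


def trigger_runs(entries_json, trigger_name=None):
    """Return (timestamp, trigger resource, principal) for each manual trigger run.

    Entries whose authenticationInfo is absent (for example redacted entries)
    are reported with the principal "<unknown>" rather than dropped.
    """
    runs = []
    for entry in json.loads(entries_json):
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "cloudbuild.googleapis.com":
            continue
        if not payload.get("methodName", "").endswith(".RunBuildTrigger"):
            continue
        resource = payload.get("resourceName", "")
        if trigger_name and not resource.endswith("/triggers/" + trigger_name):
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        runs.append((entry.get("timestamp", ""), resource, principal))
    return runs
```

Because the entries come from Admin Activity audit logs, which cannot be disabled, the principal recorded here is the authenticated caller and not something the build's own substitutions can spoof.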