All posts
June 18, 20264 min read

Putting access controls around Claude: audit trails for AI coding agents (on GCP)

An unchecked Claude coding agent can silently write, read, and delete production code without leaving any trace. Teams that hand Claude a long‑lived service‑account key and let it connect directly to GCP services assume that platform logs are enough, but they lack audit trails. In practice they miss three critical gaps: the platform rarely records each individual command the agent issues, sensitive secrets returned by APIs are exposed in clear text, and risky operations can happen without a huma

Free White Paper

AI Audit Trails + GCP VPC Service Controls: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

An unchecked Claude coding agent can silently write, read, and delete production code without leaving any trace. Teams that hand Claude a long‑lived service‑account key and let it connect directly to GCP services assume that platform logs are enough, but they lack audit trails. In practice they miss three critical gaps: the platform rarely records each individual command the agent issues, sensitive secrets returned by APIs are exposed in clear text, and risky operations can happen without a human sign‑off. The result is a blind spot that makes forensic investigations, compliance reporting, and breach containment extremely difficult.

The most common mistake is to treat Claude as just another client and grant it broad permissions through a static credential. Engineers often configure the agent once, store the key in a CI secret store, and never revisit the access policy. Because the credential never expires, the agent can continue to act even after the original project is finished. Even when an organization uses OIDC to issue short‑lived tokens, the authentication step only proves who started the session; it does not capture what the session does, nor does it allow inline data masking or just‑in‑time approval for destructive commands.

What is needed is an identity‑aware proxy that sits on the actual data path and enforces audit‑level controls. The proxy must be able to see every request and response, decide in real time whether a command is allowed, mask any secret fields before they reach the agent, and record the full interaction for later replay. Authentication alone cannot provide those guarantees; it merely decides whether a request may start. The enforcement point must be the gateway that actually forwards traffic to the target service.

hoop.dev fulfills that role. It acts as a Layer 7 gateway between Claude and the GCP resources it accesses, such as Cloud SQL, Cloud Storage, or Cloud Run APIs. When Claude sends a request, it first contacts hoop.dev’s built‑in MCP server. hoop.dev validates the OIDC token, extracts group membership, and then proxies the request to the target service. While the traffic flows through hoop.dev, the gateway records every command, masks configured sensitive fields in responses, and can pause a request that matches a high‑risk policy for manual approval. If a command is explicitly disallowed, hoop.dev blocks it before it reaches the backend.

Because hoop.dev sits in the data path, it can generate the audit trails that organizations need. Each session is stored with a timestamp, the identity that initiated it, and a complete command log. The logs can be replayed to reconstruct exactly what Claude did, which is essential for forensic analysis and for demonstrating compliance with internal policies. Inline masking ensures that secrets such as database passwords or API keys never appear in the agent’s output, protecting them even if the agent’s environment is compromised. Just‑in‑time approval adds a human checkpoint for operations that could impact production workloads, reducing the risk of accidental or malicious changes.

Deploying hoop.dev is straightforward. The quick‑start uses Docker Compose to run the gateway alongside a network‑resident agent that lives close to the GCP resources. After deployment, you register each GCP target as a connection, supply the credential that hoop.dev will use (the gateway never hands the credential to Claude), and define policies for masking, approval, and command blocking. Identity is handled via any OIDC or SAML provider, Okta, Azure AD, Google Workspace, etc., so you can continue to use your existing IdP without changes. Because hoop.dev is open source and MIT‑licensed, you can host it in your own VPC, on‑prem, or in any cloud that can run Docker or Kubernetes.

Continue reading? Get the full guide.

AI Audit Trails + GCP VPC Service Controls: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

To get started, follow the official getting‑started guide, which walks you through deploying the gateway, configuring OIDC, and registering a Claude connection. The repository contains the full source code and example deployment manifests. Once the gateway is running, point Claude’s endpoint to the hoop.dev MCP address and let the gateway enforce the audit‑trail policies you have defined.

Audit trails for Claude coding agents

With hoop.dev in place, every interaction Claude has with GCP services becomes a documented event. The audit trail includes:

  • Who initiated the session (the OIDC identity).
  • When the session started and ended.
  • A line‑by‑line log of each request and response, with masked fields removed.
  • Approval metadata for any command that required a human sign‑off.

This level of visibility turns an opaque AI assistant into a controllable, auditable component of your development pipeline.

Common pitfalls and how hoop.dev avoids them

  • Static credentials. hoop.dev stores the credential internally; the agent never sees it, eliminating credential leakage.
  • Missing command‑level logs. The gateway records each command before it reaches the backend, so no operation is invisible.
  • Unmasked secrets. Configurable field masks strip secrets from responses, protecting them from accidental exposure.
  • No approval workflow. Policies can require a human to approve high‑risk commands, preventing unintended changes.

FAQ

Do I need to modify Claude’s code to use hoop.dev? No. Claude only needs to be pointed at the MCP endpoint that hoop.dev exposes. All enforcement happens transparently in the gateway.

Where are the audit logs stored? hoop.dev records each session and retains the audit trail for the period defined by your policy, making it available for replay through the UI or API.

Can I limit Claude to specific GCP resources? Yes. Policies are attached to each registered connection, allowing you to whitelist databases, buckets, or APIs and to block everything else.

By placing an auditable, policy‑driven gateway between Claude and your GCP environment, you turn a powerful coding assistant into a controlled, traceable component of your security posture.

For the full implementation details, see the getting‑started guide and explore the source code on GitHub. Additional feature information is available in the learn section of the documentation.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot