diff --git a/google/cloud/audit/BUILD.bazel b/google/cloud/audit/BUILD.bazel
new file mode 100644
index 00000000..348d0dcc
--- /dev/null
+++ b/google/cloud/audit/BUILD.bazel
@@ -0,0 +1,168 @@ +# This file was automatically generated by BuildFileGenerator + +# This is an API workspace, having public visibility by default makes perfect sense. +package(default_visibility = ["//visibility:public"]) + +############################################################################## +# Common +############################################################################## +load("@rules_proto//proto:defs.bzl", "proto_library") + +proto_library( + name = "audit_proto", + srcs = [ + "audit_log.proto", + ], + deps = [ + "//google/rpc/context:attribute_context_proto", + "//google/rpc:status_proto", + "@com_google_protobuf//:any_proto", + "@com_google_protobuf//:struct_proto", + ], +) + +############################################################################## +# Java +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "java_grpc_library", + "java_proto_library", +) + +java_proto_library( + name = "audit_java_proto", + deps = [":audit_proto"], +) + +java_grpc_library( + name = "audit_java_grpc", + srcs = [":audit_proto"], + deps = [":audit_java_proto"], +) + +############################################################################## +# Go +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "go_proto_library", +) + +go_proto_library( + name = "audit_go_proto", + compilers = ["@io_bazel_rules_go//proto:go_grpc"], + importpath = "google.golang.org/genproto/googleapis/cloud/audit", + protos = [":audit_proto"], + deps = [ + "//google/rpc/context:attribute_context_go_proto", + "//google/rpc:status_go_proto", + ], +) + +############################################################################## +# Python +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "moved_proto_library", + 
"py_grpc_library", + "py_proto_library", +) + +moved_proto_library( + name = "audit_moved_proto", + srcs = [":audit_proto"], + deps = [ + "//google/rpc/context:attribute_context_proto", + "//google/rpc:status_proto", + "@com_google_protobuf//:any_proto", + "@com_google_protobuf//:struct_proto", + ], +) + +py_proto_library( + name = "audit_py_proto", + deps = [":audit_moved_proto"], +) + +py_grpc_library( + name = "audit_py_grpc", + srcs = [":audit_moved_proto"], + deps = [":audit_py_proto"], +) + +############################################################################## +# PHP +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "php_grpc_library", + "php_proto_library", +) + +php_proto_library( + name = "audit_php_proto", + deps = [":audit_proto"], +) + +php_grpc_library( + name = "audit_php_grpc", + srcs = [":audit_proto"], + deps = [":audit_php_proto"], +) + +############################################################################## +# Node.js +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "nodejs_gapic_assembly_pkg", + "nodejs_gapic_library", +) + + +############################################################################## +# Ruby +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "ruby_grpc_library", + "ruby_proto_library", +) + +ruby_proto_library( + name = "audit_ruby_proto", + deps = [":audit_proto"], +) + +ruby_grpc_library( + name = "audit_ruby_grpc", + srcs = [":audit_proto"], + deps = [":audit_ruby_proto"], +) + +############################################################################## +# C# +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "csharp_grpc_library", + 
"csharp_proto_library",
+)
+
+csharp_proto_library(
+ name = "audit_csharp_proto",
+ deps = [":audit_proto"],
+)
+
+csharp_grpc_library(
+ name = "audit_csharp_grpc",
+ srcs = [":audit_proto"],
+ deps = [":audit_csharp_proto"],
+)
+
+##############################################################################
+# C++
+##############################################################################
+# Put your C++ code here
diff --git a/google/cloud/audit/audit_log.proto b/google/cloud/audit/audit_log.proto
index d76d2865..66ea0214 100644
--- a/google/cloud/audit/audit_log.proto
+++ b/google/cloud/audit/audit_log.proto
@@ -1,4 +1,4 @@
-// Copyright 2016 Google Inc.
+// Copyright 2020 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,11 +16,12 @@ syntax = "proto3";
 package google.cloud.audit;
-import "google/api/annotations.proto";
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
+import "google/rpc/context/attribute_context.proto";
 import "google/rpc/status.proto";
+option cc_enable_arenas = true;
 option go_package = "google.golang.org/genproto/googleapis/cloud/audit;audit";
 option java_multiple_files = true;
 option java_outer_classname = "AuditLogProto";
@@ -48,6 +49,18 @@ message AuditLog {
 // "shelves/SHELF_ID/books/BOOK_ID"
 string resource_name = 11;
+ // The resource location information.
+ ResourceLocation resource_location = 20;
+
+ // The resource's original state before mutation. Present only for
+ // operations which have successfully modified the targeted resource(s).
+ // In general, this field should contain all changed fields, except those
+ // that are already been included in `request`, `response`, `metadata` or
+ // `service_data` fields.
+ // When the JSON object represented here has a proto equivalent,
+ // the proto name will be indicated in the `@type` property.
+ google.protobuf.Struct resource_original_state = 19;
+
 // The number of items returned from a List or Query API method,
 // if applicable.
 int64 num_response_items = 12;
@@ -82,6 +95,11 @@ message AuditLog {
 // name will be indicated in the `@type` property.
 google.protobuf.Struct response = 17;
+ // Other service-specific data about the request, response, and other
+ // information associated with the current audited event.
+ google.protobuf.Struct metadata = 18;
+
+ // Deprecated, use `metadata` field instead.
 // Other service-specific data about the request, response, and other
 // activities.
 google.protobuf.Any service_data = 15;
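Review bot: The new comment on `resource_original_state` has a grammar slip, `that are already been included in`, which should read `that have already been included in`. The two new fields are also declared out of number order (`resource_location = 20` ahead of `resource_original_state = 19`); this is wire-safe, but swapping the two declarations keeps the message readable as numbers grow. AuditLog's definition starts before and ends after this hunk.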
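Review bot: `service_data` is deprecated only in prose; the field itself (a context line here) carries no option, so generated code and lint checks will not warn producers that still populate it. Change it to `google.protobuf.Any service_data = 15 [deprecated = true];` and keep the comment pointing at `metadata`. It would also help consumers if the `metadata` comment said whether a producer may set both fields during the migration, since as written a reader cannot tell which to prefer when both are present. AuditLog continues outside the hunk.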
@@ -89,15 +107,46 @@ message AuditLog {
 // Authentication information for the operation.
 message AuthenticationInfo {
- // The email address of the authenticated user making the request.
+ // The email address of the authenticated user (or service account on behalf
+ // of third party principal) making the request. For privacy reasons, the
+ // principal email address is redacted for all read-only operations that fail
+ // with a "permission denied" error.
 string principal_email = 1;
+
+ // The authority selector specified by the requestor, if any.
+ // It is not guaranteed that the principal was allowed to use this authority.
+ string authority_selector = 2;
+
+ // The third party identification (if any) of the authenticated user making
+ // the request.
+ // When the JSON object represented here has a proto equivalent, the proto
+ // name will be indicated in the `@type` property.
+ google.protobuf.Struct third_party_principal = 4;
+
+ // The name of the service account key used to create or exchange
+ // credentials for authenticating the service account making the request.
+ // This is a scheme-less URI full resource name. For example:
+ //
+ // "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
+ string service_account_key_name = 5;
+
+ // Identity delegation history of an authenticated service account that makes
+ // the request. It contains information on the real authorities that try to
+ // access GCP resources by delegating on a service account. When multiple
+ // authorities present, they are guaranteed to be sorted based on the original
+ // ordering of the identity delegation events.
+ repeated ServiceAccountDelegationInfo service_account_delegation_info = 6;
+
+ // String representation of identity of requesting party.
+ // Populated for both first and third party identities.
+ string principal_subject = 8;
 }
 // Authorization information for the operation.
 message AuthorizationInfo {
 // The resource being accessed, as a REST-style string. For example:
 //
- // bigquery.googlapis.com/projects/PROJECTID/datasets/DATASETID
+ // bigquery.googleapis.com/projects/PROJECTID/datasets/DATASETID
 string resource = 1;
 // The required IAM permission.
@@ -106,11 +155,27 @@ message AuthorizationInfo {
 // Whether or not authorization for `resource` and `permission`
 // was granted.
 bool granted = 3;
+
+ // Resource attributes used in IAM condition evaluation. This field contains
+ // resource attributes like resource type and resource name.
+ //
+ // To get the whole view of the attributes used in IAM
+ // condition evaluation, the user must also look into
+ // `AuditLog.request_metadata.request_attributes`.
+ google.rpc.context.AttributeContext.Resource resource_attributes = 5;
 }
 // Metadata about the request.
 message RequestMetadata {
 // The IP address of the caller.
+ // For caller from internet, this will be public IPv4 or IPv6 address.
+ // For caller from a Compute Engine VM with external IP address, this
+ // will be the VM's external IP address. For caller from a Compute
+ // Engine VM without external IP address, if the VM is in the same
+ // organization (or project) as the accessed resource, `caller_ip` will
+ // be the VM's internal IPv4 address, otherwise the `caller_ip` will be
+ // redacted to "gce-internal-ip".
+ // See https://cloud.google.com/compute/docs/vpc/ for more information.
 string caller_ip = 1;
 // The user agent of the caller.
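Review bot: AuthenticationInfo's new fields use numbers 2, 4, 5, 6 and 8, leaving 3 and 7 unassigned with no `reserved` statement; if those numbers were ever used in a published revision of this message (not visible here), add `reserved 3, 7;` so a later contributor cannot reuse them with a different type. The `third_party_principal` comment only says the Struct holds a third-party identification; stating which claims a consumer can expect, or that the shape is provider-specific, would make the field usable without reading producer code. The hunk also fixes the `bigquery.googlapis.com` typo in AuthorizationInfo, whose body continues past the hunk.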
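Review bot: The expanded `caller_ip` comment introduces the literal `"gce-internal-ip"` as a possible value of a field that otherwise holds an IPv4/IPv6 address, but never tells consumers to expect a non-address value; log pipelines that parse `caller_ip` as an address will fail or mis-classify on it. Add a line such as `// Consumers that parse this field as an address must handle the literal "gce-internal-ip".` The comment also makes clear that the redaction depends on the relationship between the VM and the accessed resource, so the same caller can appear redacted in one log entry and not in another; a short sentence saying so would save readers from treating it as a per-caller constant. RequestMetadata's body continues outside the hunk.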
@@ -125,4 +190,81 @@ message RequestMetadata {
 // s~my-project`:
 // The request was made from the `my-project` App Engine app.
 string caller_supplied_user_agent = 2;
+
+ // The network of the caller.
+ // Set only if the network host project is part of the same GCP organization
+ // (or project) as the accessed resource.
+ // See https://cloud.google.com/compute/docs/vpc/ for more information.
+ // This is a scheme-less URI full resource name. For example:
+ //
+ // "//compute.googleapis.com/projects/PROJECT_ID/global/networks/NETWORK_ID"
+ string caller_network = 3;
+
+ // Request attributes used in IAM condition evaluation. This field contains
+ // request attributes like request time and access levels associated with
+ // the request.
+ //
+ //
+ // To get the whole view of the attributes used in IAM
+ // condition evaluation, the user must also look into
+ // `AuditLog.authentication_info.resource_attributes`.
+ google.rpc.context.AttributeContext.Request request_attributes = 7;
+
+ // The destination of a network activity, such as accepting a TCP connection.
+ // In a multi hop network activity, the destination represents the receiver of
+ // the last hop. Only two fields are used in this message, Peer.port and
+ // Peer.ip. These fields are optionally populated by those services utilizing
+ // the IAM condition feature.
+ google.rpc.context.AttributeContext.Peer destination_attributes = 8;
+}
+
+// Location information about a resource.
+message ResourceLocation {
+ // The locations of a resource after the execution of the operation.
+ // Requests to create or delete a location based resource must populate
+ // the 'current_locations' field and not the 'original_locations' field.
+ // For example:
+ //
+ // "europe-west1-a"
+ // "us-east1"
+ // "nam3"
+ repeated string current_locations = 1;
+
+ // The locations of a resource prior to the execution of the operation.
+ // Requests that mutate the resource's location must populate both the
+ // 'original_locations' as well as the 'current_locations' fields.
+ // For example:
+ //
+ // "europe-west1-a"
+ // "us-east1"
+ // "nam3"
+ repeated string original_locations = 2;
+}
+
+// Identity delegation history of an authenticated service account.
+message ServiceAccountDelegationInfo {
+ // First party identity principal.
+ message FirstPartyPrincipal {
+ // The email address of a Google account.
+ string principal_email = 1;
+
+ // Metadata about the service that uses the service account.
+ google.protobuf.Struct service_metadata = 2;
+ }
+
+ // Third party identity principal.
+ message ThirdPartyPrincipal {
+ // Metadata about third party identity.
+ google.protobuf.Struct third_party_claims = 1;
+ }
+
+ // Entity that creates credentials for service account and assumes its
+ // identity for authentication.
+ oneof Authority {
+ // First party (Google) identity as the real authority.
+ FirstPartyPrincipal first_party_principal = 1;
+
+ // Third party identity as the real authority.
+ ThirdPartyPrincipal third_party_principal = 2;
+ }
 }
diff --git a/google/cloud/audit/cloudaudit.yaml b/google/cloud/audit/cloudaudit.yaml
new file mode 100644
index 00000000..0e5fef6c
--- /dev/null
+++ b/google/cloud/audit/cloudaudit.yaml
@@ -0,0 +1,7 @@
+type: google.api.Service
+config_version: 2
+name: cloudaudit.googleapis.com
+title: Audit Log
+
+types:
+- name: google.cloud.audit.AuditLog
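Review bot: The cross-reference in the `request_attributes` comment points at `AuditLog.authentication_info.resource_attributes`, but in this diff `resource_attributes` is declared on AuthorizationInfo, not AuthenticationInfo, and the AuthorizationInfo comment already points back to `AuditLog.request_metadata.request_attributes`; this side should read `AuditLog.authorization_info.resource_attributes`, assuming AuditLog's field for AuthorizationInfo is named `authorization_info` (outside the hunk). The same comment also has two consecutive empty `//` lines where one is expected. In ServiceAccountDelegationInfo the oneof is named `Authority` in PascalCase while every other identifier in the file is lower_snake_case; `oneof authority {` would match the convention and the rest of the file. RequestMetadata also skips field numbers 4 to 6 without reserving them, which is worth a `reserved 4 to 6;` if they were ever published.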