This page shows examples of the audit logs that are generated when you use Workforce Identity Federation. With Workforce Identity Federation, you can allow third-party identities to access Google Cloud resources without using a service account key.

For more information about enabling and viewing audit logs, see IAM audit logging.
IAM can generate audit logs when you create and manage workforce pools. To enable audit logs when managing workforce pools, you must enable audit logs for Data Access activity for the following API:

- Identity and Access Management (IAM) API (enable log type "Admin Read")

To further configure audit logs for the token-exchange process or Google Cloud console (federated) sign-in, you must also enable audit logs for Data Access activity for the following API:

- Security Token Service API (enable log type "Admin Read")
Logs for creating a workforce pool

The following example shows a log entry for creating a workforce pool. In this example, the user sam@example.com created a workforce pool with the ID my-pool under the organization with the ID 123456789012.
{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "sam@example.com"
    },
    "methodName": "google.iam.admin.v1.WorkforcePools.CreateWorkforcePool",
    "resourceName": "locations/global/workforcePools/my-pool",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateWorkforcePoolRequest",
      "workforcePool": {
        "parent": "organizations/123456789012"
      },
      "workforcePoolId": "my-pool"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
Logs for exchanging an IdP token for a federated token

After you set up your workforce identity pool and workforce identity pool provider, you can create a token for your identity provider (IdP) and exchange it for a federated token.

After you enable Cloud Audit Logs for Data Access activity, IAM generates an audit log entry each time a principal exchanges a token. The log entry includes the following fields:

- protoPayload.authenticationInfo.principalSubject: The subject of the IdP token.
  - For OIDC IdPs, this field contains the value of the sub (subject) claim from the OIDC token.
  - For SAML IdPs, this field contains the value of the NameID sub-attribute of the Subject attribute in the SAML assertion.
- protoPayload.metadata.mapped_principal: The subject of the token, using IAM syntax to identify the principal: principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER
- protoPayload.resourceName: The workforce pool provider that the token is associated with.

The following example shows an audit log entry for a request to exchange a token. In this example, an OIDC token is exchanged for a federated token:
{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"
    },
    "metadata": {
      "mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/a1234bcd-5678-9012-efa3-4b5cd678ef9a"
    },
    "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeToken",
    "resourceName": "locations/global/workforcePools/oidc-pool/providers/oidc-provider",
    "serviceName": "sts.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.v1.ExchangeTokenRequest",
      "audience": "//iam.googleapis.com/locations/global/workforcePools/oidc-pool/providers/oidc-provider",
      "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
      "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
      "subjectTokenType": "urn:ietf:params:oauth:token-type:id_token"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
Logs for signed and encrypted SAML assertions

This section describes the Cloud Audit Logs log entries that Security Token Service creates when it attempts to verify signed SAML assertions or decrypt encrypted assertions that are sent from your IdP.

For Workforce Identity Federation, the pertinent log entry looks similar to the following:

"keyInfo": [
  {
    "use": "verify",
    "fingerprint": "3C:B2:47:F8:A5:9A:8A:52:BD:1C:BC:96:B5:45:C1:8D:A7:F1:73:2D"
  },
  {
    "use": "decrypt",
    "resourceName": "//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_NAME/providers/PROVIDER_NAME/keys/KEY_NAME"
  }
]

This output includes the following values:

- fingerprint: the hexadecimal representation of the SHA-256 hash of the X.509 certificate that was used to verify the signature on the SAML credential. The X.509 certificate is extracted from the SAML XML metadata that is attached to the workforce identity pool provider.
- resourceName: the resource name of the workforce identity pool provider key that was used to decrypt the encrypted SAML assertion. This field is present only if identity federation receives an encrypted SAML response from your IdP.
Logs for calling Google Cloud APIs with the federated token

After you exchange the IdP's token for a federated token, you can use the federated token to call Google Cloud APIs. Some of the methods you call might generate audit logs.

The following example shows an audit log entry for a request to list the Cloud Storage buckets in a project using a federated token.

{
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/012345678901"
    },
    "methodName": "storage.buckets.list",
    "serviceName": "storage.googleapis.com"
  },
  "resource": {
    "type": "gcs_bucket"
  }
}
Logs for Google Cloud console (federated) sign-in

After you set up your workforce identity pools and their IdPs, users can sign in to the Google Cloud console using single sign-on.

Logs for successful sign-in

This section provides an example Cloud Audit Logs entry that is logged as a result of a successful sign-in. In this example, the user user@example.com signs in using the provider locations/global/workforcePools/my-pool/providers/my-provider. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "continueUrl": "https://console.cloud.google",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn"
    }
  }
}
The Cloud Audit Logs entry for SAML providers can additionally contain signing key information in the metadata field:

{
  "metadata": {
    "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com",
    "keyInfo": [
      {
        "use": "verify",
        "fingerprint": "AE:CK:LM:EF:LK:OG:EH:IJ:KN:AL:OM:AD:NO"
      }
    ]
  }
}
Logs for failed sign-in

This section provides an example Cloud Audit Logs entry that is logged as a result of a failed sign-in. In this example, the user user@example.com attempts to sign in using the provider locations/global/workforcePools/my-pool/providers/my-provider but is denied access because an attribute condition is not satisfied. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "status": {
      "code": 3,
      "message": "The given credential is rejected by the attribute condition."
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/subject/user@example.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn"
    }
  }
}
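The token-exchange fields, the keyInfo block and the failed sign-in status described above are what a detection pipeline needs to pull out of these entries. The following parser is an added example, not part of the Google Cloud documentation: it flattens a workforce federation audit entry into the IdP subject, the pool and subject parsed from the mapped principal, the provider, the failure status and any SAML verification fingerprints. The two entries it runs on are constructed samples modelled on this page's examples, and the helper names are the example's own.

```python
import json
import re

# Constructed sample entries (not real log data) modelled on the shapes shown on this
# page: one STS token exchange and one console sign-in rejected by an attribute condition.
EXCHANGE_ENTRY = json.loads("""{"protoPayload": {
  "authenticationInfo": {"principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"},
  "metadata": {"mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/a1234bcd-5678-9012-efa3-4b5cd678ef9a"},
  "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeToken",
  "resourceName": "locations/global/workforcePools/oidc-pool/providers/oidc-provider",
  "serviceName": "sts.googleapis.com"}}""")
FAILED_SIGNIN_ENTRY = json.loads("""{"protoPayload": {
  "authenticationInfo": {"principalSubject": "user@example.com"},
  "status": {"code": 3, "message": "The given credential is rejected by the attribute condition."},
  "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
  "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
  "serviceName": "sts.googleapis.com",
  "metadata": {"mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com",
               "keyInfo": [{"use": "verify", "fingerprint": "3C:B2:47:F8:A5:9A:8A:52:BD:1C:BC:96:B5:45:C1:8D:A7:F1:73:2D"}]}}}""")

# IAM principal syntax from this page: principal://.../workforcePools/POOL_ID/subject/IDENTIFIER
MAPPED_PRINCIPAL = re.compile(
    r"^principal://iam\.googleapis\.com/locations/global/workforcePools/([^/]+)/subject/(.+)$")


def summarize(entry):
    """Flatten the security-relevant fields of a workforce federation audit entry."""
    payload = entry["protoPayload"]
    meta = payload.get("metadata", {})
    # ExchangeToken entries use mapped_principal; WebSignIn entries use mappedPrincipal.
    mapped = meta.get("mapped_principal") or meta.get("mappedPrincipal")
    match = MAPPED_PRINCIPAL.match(mapped) if mapped else None
    status = payload.get("status", {})  # absent on success; code 3 on the rejected sign-in
    return {
        "method": payload["methodName"],
        "idp_subject": payload["authenticationInfo"]["principalSubject"],
        "pool_id": match.group(1) if match else None,
        "subject": match.group(2) if match else None,
        "provider": payload.get("resourceName"),
        "failed": status.get("code", 0) != 0,
        "reason": status.get("message"),
        # SHA-256 fingerprints of the IdP certificates used to verify SAML signatures
        "verify_fingerprints": [k["fingerprint"] for k in meta.get("keyInfo", [])
                                if k.get("use") == "verify"],
    }


def failed_sign_ins(entries):
    """Return (pool_id, idp_subject, reason) for every rejected sign-in or exchange."""
    return [(s["pool_id"], s["idp_subject"], s["reason"])
            for s in map(summarize, entries) if s["failed"]]
```

Alerting on the output of failed_sign_ins, grouped by pool and IdP subject, surfaces repeated attribute-condition rejections from one identity, and comparing verify_fingerprints against the certificate in the provider's SAML metadata confirms which signing key the Security Token Service actually trusted.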
Logs for sign-out

This section provides an example Cloud Audit Logs entry that is logged as a result of a sign-out event. In this example, the user user@example.com, who is signed in using the provider locations/global/workforcePools/my-pool/providers/my-provider, initiates a sign-out. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignOut",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignOutRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignOut"
    }
  }
}