Firestore audit logging information

This document describes audit logging for Firestore. Google Cloud services generate audit logs that record administrative and access activities within your Google Cloud resources. For more information, see the Cloud Audit Logs documentation.

Notes

When configuring audit logging, use the service name datastore.googleapis.com to configure both datastore.googleapis.com and firestore.googleapis.com. Once configured, logs for the Firestore API include the service name firestore.googleapis.com.

To view the time it took to process a DATA_READ or DATA_WRITE request, see the processing_duration field within the metadata object of an AuditLog. processing_duration describes the time the database took to actually process a request. This is smaller than the end-user latency. In particular, it does not include network overhead.

For Listen requests, processing_duration is only present on the audit log for the initial result set returned. It is absent from subsequent audit logs for that same Listen target.

Individual writes from import operations and TTL are not audit logged.

Service name

Firestore audit logs use the service name firestore.googleapis.com. Filter for this service:

    protoPayload.serviceName="firestore.googleapis.com"

Methods by permission type

Each IAM permission has a type property, whose value is an enum that can be one of four values: ADMIN_READ, ADMIN_WRITE, DATA_READ, or DATA_WRITE. When you call a method, Firestore generates an audit log whose category is dependent on the type property of the permission required to perform the method. Methods that require an IAM permission with the type property value of DATA_READ, DATA_WRITE, or ADMIN_READ generate Data Access audit logs. Methods that require an IAM permission with the type property value of ADMIN_WRITE generate Admin Activity audit logs.

ADMIN_READ
  • google.cloud.location.Locations.GetLocation
  • google.cloud.location.Locations.ListLocations
  • google.firestore.admin.v1.FirestoreAdmin.GetBackup
  • google.firestore.admin.v1.FirestoreAdmin.GetBackupSchedule
  • google.firestore.admin.v1.FirestoreAdmin.GetDatabase
  • google.firestore.admin.v1.FirestoreAdmin.GetField
  • google.firestore.admin.v1.FirestoreAdmin.GetIndex
  • google.firestore.admin.v1.FirestoreAdmin.ListBackupSchedules
  • google.firestore.admin.v1.FirestoreAdmin.ListBackups
  • google.firestore.admin.v1.FirestoreAdmin.ListDatabases
  • google.firestore.admin.v1.FirestoreAdmin.ListFields
  • google.firestore.admin.v1.FirestoreAdmin.ListIndexes
  • google.firestore.admin.v1beta1.FirestoreAdmin.GetIndex
  • google.firestore.admin.v1beta1.FirestoreAdmin.ListIndexes
  • google.firestore.admin.v1beta2.FirestoreAdmin.GetField
  • google.firestore.admin.v1beta2.FirestoreAdmin.GetIndex
  • google.firestore.admin.v1beta2.FirestoreAdmin.ListFields
  • google.firestore.admin.v1beta2.FirestoreAdmin.ListIndexes
  • google.longrunning.Operations.GetOperation
  • google.longrunning.Operations.ListOperations

ADMIN_WRITE
  • google.firestore.admin.v1.FirestoreAdmin.BulkDeleteDocuments
  • google.firestore.admin.v1.FirestoreAdmin.CreateBackupSchedule
  • google.firestore.admin.v1.FirestoreAdmin.CreateDatabase
  • google.firestore.admin.v1.FirestoreAdmin.CreateIndex
  • google.firestore.admin.v1.FirestoreAdmin.DeleteBackup
  • google.firestore.admin.v1.FirestoreAdmin.DeleteBackupSchedule
  • google.firestore.admin.v1.FirestoreAdmin.DeleteDatabase
  • google.firestore.admin.v1.FirestoreAdmin.DeleteIndex
  • google.firestore.admin.v1.FirestoreAdmin.ExportDocuments
  • google.firestore.admin.v1.FirestoreAdmin.ImportDocuments
  • google.firestore.admin.v1.FirestoreAdmin.RestoreDatabase
  • google.firestore.admin.v1.FirestoreAdmin.UpdateBackupSchedule
  • google.firestore.admin.v1.FirestoreAdmin.UpdateDatabase
  • google.firestore.admin.v1.FirestoreAdmin.UpdateField
  • google.firestore.admin.v1beta1.FirestoreAdmin.CreateIndex
  • google.firestore.admin.v1beta1.FirestoreAdmin.DeleteIndex
  • google.firestore.admin.v1beta1.FirestoreAdmin.ExportDocuments
  • google.firestore.admin.v1beta1.FirestoreAdmin.ImportDocuments
  • google.firestore.admin.v1beta2.FirestoreAdmin.CreateIndex
  • google.firestore.admin.v1beta2.FirestoreAdmin.DeleteIndex
  • google.firestore.admin.v1beta2.FirestoreAdmin.ExportDocuments
  • google.firestore.admin.v1beta2.FirestoreAdmin.ImportDocuments
  • google.firestore.admin.v1beta2.FirestoreAdmin.UpdateField
  • google.longrunning.Operations.CancelOperation
  • google.longrunning.Operations.DeleteOperation

DATA_READ
  • google.firestore.v1.Firestore.BatchGetDocuments
  • google.firestore.v1.Firestore.BeginTransaction
  • google.firestore.v1.Firestore.GetDocument
  • google.firestore.v1.Firestore.ListCollectionIds
  • google.firestore.v1.Firestore.ListDocuments
  • google.firestore.v1.Firestore.Listen
  • google.firestore.v1.Firestore.PartitionQuery
  • google.firestore.v1.Firestore.Rollback
  • google.firestore.v1.Firestore.RunAggregationQuery
  • google.firestore.v1.Firestore.RunQuery
  • google.firestore.v1beta1.Firestore.BatchGetDocuments
  • google.firestore.v1beta1.Firestore.BeginTransaction
  • google.firestore.v1beta1.Firestore.GetDocument
  • google.firestore.v1beta1.Firestore.ListCollectionIds
  • google.firestore.v1beta1.Firestore.ListDocuments
  • google.firestore.v1beta1.Firestore.PartitionQuery
  • google.firestore.v1beta1.Firestore.Rollback
  • google.firestore.v1beta1.Firestore.RunAggregationQuery
  • google.firestore.v1beta1.Firestore.RunQuery

DATA_WRITE
  • google.firestore.v1.Firestore.BatchWrite
  • google.firestore.v1.Firestore.Commit
  • google.firestore.v1.Firestore.CreateDocument
  • google.firestore.v1.Firestore.DeleteDocument
  • google.firestore.v1.Firestore.UpdateDocument
  • google.firestore.v1.Firestore.Write
  • google.firestore.v1beta1.Firestore.BatchWrite
  • google.firestore.v1beta1.Firestore.Commit
  • google.firestore.v1beta1.Firestore.CreateDocument
  • google.firestore.v1beta1.Firestore.DeleteDocument
  • google.firestore.v1beta1.Firestore.UpdateDocument

API interface audit logs

For information about how and which permissions are evaluated for each method, see the Identity and Access Management documentation for Firestore.

google.cloud.location.Locations

The following audit logs are associated with methods belonging to google.cloud.location.Locations.

GetLocation

  • Method: google.cloud.location.Locations.GetLocation
  • Audit log type: Data access
  • Permissions:
    • datastore.locations.get - ADMIN_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.cloud.location.Locations.GetLocation"

ListLocations

  • Method: google.cloud.location.Locations.ListLocations
  • Audit log type: Data access
  • Permissions:
    • datastore.locations.list - ADMIN_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.cloud.location.Locations.ListLocations"

google.firestore.admin.v1.FirestoreAdmin

The following audit logs are associated with methods belonging to google.firestore.admin.v1.FirestoreAdmin.

BulkDeleteDocuments

CreateBackupSchedule

CreateDatabase

CreateIndex

DeleteBackup

DeleteBackupSchedule

DeleteDatabase

DeleteIndex

ExportDocuments

GetBackup

GetBackupSchedule

GetDatabase

GetField

GetIndex

ImportDocuments

ListBackupSchedules

ListBackups

ListDatabases

ListFields

ListIndexes

RestoreDatabase

UpdateBackupSchedule

UpdateDatabase

UpdateField

google.firestore.admin.v1beta1.FirestoreAdmin

The following audit logs are associated with methods belonging to google.firestore.admin.v1beta1.FirestoreAdmin.

CreateIndex

DeleteIndex

ExportDocuments

GetIndex

ImportDocuments

ListIndexes

google.firestore.admin.v1beta2.FirestoreAdmin

The following audit logs are associated with methods belonging to google.firestore.admin.v1beta2.FirestoreAdmin.

CreateIndex

DeleteIndex

ExportDocuments

GetField

GetIndex

ImportDocuments

ListFields

ListIndexes

UpdateField

google.firestore.v1.Firestore

The following audit logs are associated with methods belonging to google.firestore.v1.Firestore.

BatchGetDocuments

BatchWrite

  • Method: google.firestore.v1.Firestore.BatchWrite
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.create - DATA_WRITE
    • datastore.entities.delete - DATA_WRITE
    • datastore.entities.update - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.BatchWrite"

BeginTransaction

Commit

  • Method: google.firestore.v1.Firestore.Commit
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.create - DATA_WRITE
    • datastore.entities.delete - DATA_WRITE
    • datastore.entities.update - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.Commit"

CreateDocument

  • Method: google.firestore.v1.Firestore.CreateDocument
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.allocateIds - DATA_WRITE
    • datastore.entities.create - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.CreateDocument"

DeleteDocument

  • Method: google.firestore.v1.Firestore.DeleteDocument
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.delete - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.DeleteDocument"

GetDocument

  • Method: google.firestore.v1.Firestore.GetDocument
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.get - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.GetDocument"

ListCollectionIds

ListDocuments

  • Method: google.firestore.v1.Firestore.ListDocuments
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.get - DATA_READ
    • datastore.entities.list - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.ListDocuments"

Listen

  • Method: google.firestore.v1.Firestore.Listen
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.get - DATA_READ
    • datastore.entities.list - DATA_READ
  • Method is a long-running or streaming operation: Streaming RPC
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.Listen"

PartitionQuery

  • Method: google.firestore.v1.Firestore.PartitionQuery
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.get - DATA_READ
    • datastore.entities.list - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.PartitionQuery"

Rollback

  • Method: google.firestore.v1.Firestore.Rollback
  • Audit log type: Data access
  • Permissions:
    • datastore.databases.get - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.Rollback"

RunAggregationQuery

RunQuery

  • Method: google.firestore.v1.Firestore.RunQuery
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.get - DATA_READ
    • datastore.entities.list - DATA_READ
  • Method is a long-running or streaming operation: Streaming RPC
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.RunQuery"

UpdateDocument

  • Method: google.firestore.v1.Firestore.UpdateDocument
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.create - DATA_WRITE
    • datastore.entities.update - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.UpdateDocument"

Write

  • Method: google.firestore.v1.Firestore.Write
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.create - DATA_WRITE
    • datastore.entities.update - DATA_WRITE
  • Method is a long-running or streaming operation: Streaming RPC
  • Filter for this method: protoPayload.methodName="google.firestore.v1.Firestore.Write"

google.firestore.v1beta1.Firestore

The following audit logs are associated with methods belonging to google.firestore.v1beta1.Firestore.

BatchGetDocuments

BatchWrite

  • Method: google.firestore.v1beta1.Firestore.BatchWrite
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.create - DATA_WRITE
    • datastore.entities.update - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1beta1.Firestore.BatchWrite"

BeginTransaction

Commit

  • Method: google.firestore.v1beta1.Firestore.Commit
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.create - DATA_WRITE
    • datastore.entities.update - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1beta1.Firestore.Commit"

CreateDocument

  • Method: google.firestore.v1beta1.Firestore.CreateDocument
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.allocateIds - DATA_WRITE
    • datastore.entities.create - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1beta1.Firestore.CreateDocument"

DeleteDocument

GetDocument

ListCollectionIds

ListDocuments

  • Method: google.firestore.v1beta1.Firestore.ListDocuments
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.get - DATA_READ
    • datastore.entities.list - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1beta1.Firestore.ListDocuments"

PartitionQuery

  • Method: google.firestore.v1beta1.Firestore.PartitionQuery
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.get - DATA_READ
    • datastore.entities.list - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1beta1.Firestore.PartitionQuery"

Rollback

  • Method: google.firestore.v1beta1.Firestore.Rollback
  • Audit log type: Data access
  • Permissions:
    • datastore.databases.get - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1beta1.Firestore.Rollback"

RunAggregationQuery

RunQuery

UpdateDocument

  • Method: google.firestore.v1beta1.Firestore.UpdateDocument
  • Audit log type: Data access
  • Permissions:
    • datastore.entities.create - DATA_WRITE
    • datastore.entities.update - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firestore.v1beta1.Firestore.UpdateDocument"

google.longrunning.Operations

The following audit logs are associated with methods belonging to google.longrunning.Operations.

CancelOperation

DeleteOperation

GetOperation

  • Method: google.longrunning.Operations.GetOperation
  • Audit log type: Data access
  • Permissions:
    • datastore.operations.get - ADMIN_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.longrunning.Operations.GetOperation"

ListOperations

  • Method: google.longrunning.Operations.ListOperations
  • Audit log type: Data access
  • Permissions:
    • datastore.operations.list - ADMIN_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.longrunning.Operations.ListOperations"

Identify request callers

Audit Log entries include information about the identity that performed the logged operation. To identify a request caller, see the following fields within an AuditLog object:

  • The caller's identity is held in the AuthenticationInfo field. This can include the principalEmail of the user. This information is sometimes redacted.

    If a JSON Web Token (JWT) was used for third-party authentication, the thirdPartyPrincipal field includes the token's header and payload. For example, audit logs for requests authenticated with Firebase Authentication include that request's auth token.

  • The callerIp field within the requestMetadata object of an AuditLog entry includes the IP address of the caller.
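The following added example (not part of the Google Cloud documentation) pulls the facts described in "Methods by permission type" and "Identify request callers" out of exported AuditLog entries: it maps methodName to its permission type and log category, reads principalEmail, thirdPartyPrincipal, callerIp and processing_duration, and lists the Admin Activity (ADMIN_WRITE) changes a reviewer would want to see. The METHOD_TYPE subset is copied from the table above; the sample entries and the service name other.googleapis.com are constructed, and the JSON field names (authenticationInfo, requestMetadata, metadata.processing_duration) are assumed to match the exported log format.

```python
import json

# Permission type per method, copied from the page's "Methods by permission type" table
# (a subset of the v1 methods; extend with the rest of the table as needed).
METHOD_TYPE = {
    "google.firestore.v1.Firestore.GetDocument": "DATA_READ",
    "google.firestore.v1.Firestore.Listen": "DATA_READ",
    "google.firestore.v1.Firestore.Commit": "DATA_WRITE",
    "google.firestore.v1.Firestore.DeleteDocument": "DATA_WRITE",
    "google.firestore.admin.v1.FirestoreAdmin.GetDatabase": "ADMIN_READ",
    "google.firestore.admin.v1.FirestoreAdmin.ExportDocuments": "ADMIN_WRITE",
}

def log_category(permission_type):
    # Only ADMIN_WRITE methods produce Admin Activity logs; the other three types are Data Access.
    return "Admin Activity" if permission_type == "ADMIN_WRITE" else "Data Access"

def summarize(entry):
    """Reduce one exported AuditLog entry (a dict) to the caller and method facts an analyst needs."""
    p = entry["protoPayload"]
    if p.get("serviceName") != "firestore.googleapis.com":  # same filter as in the "Service name" section
        return None
    method = p["methodName"]
    ptype = METHOD_TYPE.get(method, "UNKNOWN")
    auth = p.get("authenticationInfo", {})  # assumed JSON name of the AuthenticationInfo message
    return {
        "method": method,
        "permission_type": ptype,
        "category": log_category(ptype),
        "principal": auth.get("principalEmail", "<redacted>"),  # principalEmail may be redacted
        "third_party_jwt": "thirdPartyPrincipal" in auth,  # set when a third-party JWT was used
        "caller_ip": p.get("requestMetadata", {}).get("callerIp"),
        # absent on follow-up Listen entries and on admin methods
        "processing_duration": p.get("metadata", {}).get("processing_duration"),
    }

def admin_writes(entries):
    """Return (principal, method) pairs for every Admin Activity entry: the changes worth reviewing."""
    return [(s["principal"], s["method"]) for s in map(summarize, entries)
            if s and s["category"] == "Admin Activity"]

# Constructed sample entries (not real exported logs), newline-delimited JSON as a log sink would emit.
SAMPLE_LOG = """
{"protoPayload":{"serviceName":"firestore.googleapis.com","methodName":"google.firestore.v1.Firestore.Listen","authenticationInfo":{"principalEmail":"app@example.com","thirdPartyPrincipal":{"payload":{"sub":"uid-1"}}},"requestMetadata":{"callerIp":"203.0.113.7"},"metadata":{"processing_duration":"0.012s"}}}
{"protoPayload":{"serviceName":"firestore.googleapis.com","methodName":"google.firestore.v1.Firestore.Listen","authenticationInfo":{"principalEmail":"app@example.com"},"requestMetadata":{"callerIp":"203.0.113.7"},"metadata":{}}}
{"protoPayload":{"serviceName":"firestore.googleapis.com","methodName":"google.firestore.admin.v1.FirestoreAdmin.ExportDocuments","authenticationInfo":{},"requestMetadata":{"callerIp":"198.51.100.9"}}}
{"protoPayload":{"serviceName":"other.googleapis.com","methodName":"Unrelated","authenticationInfo":{"principalEmail":"x@example.com"}}}
"""
ENTRIES = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]
SUMMARIES = [s for s in map(summarize, ENTRIES) if s]
```

The second Listen entry shows the documented case where processing_duration is missing for a follow-up result set, and the ExportDocuments entry shows a redacted principal still being attributed to its callerIp.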