Workforce Identity Federation example logs

This page describes example audit logs generated when you use Workforce Identity Federation. With Workforce Identity Federation, you can let third-party identities access Google Cloud resources without using service account keys.

For details about enabling and viewing audit logs, see IAM audit logging.

When you create and manage workforce pools, IAM can generate audit logs. To enable audit logs for managing workforce pools, you must enable Data Access audit logs for the following API:

  • Identity and Access Management (IAM) API (enable the Admin Read log type)

To additionally configure audit logs for the token exchange process or for Google Cloud console (federated) sign-in, you must also enable Data Access audit logs for the following API:

  • Security Token Service API (enable the Admin Read log type)

Log for creating a workforce pool

The following example shows a log entry for creating a workforce pool. In this example, user sam@example.com created a workforce pool with the ID my-pool under the organization with ID 123456789012. The logName suffix %2Factivity identifies this as an Admin Activity entry; Admin Activity audit logs are always enabled and cannot be turned off, so this entry is written regardless of the Data Access configuration described above.

{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "sam@example.com"
    },
    "methodName": "google.iam.admin.v1.WorkforcePools.CreateWorkforcePool",
    "resourceName": "locations/global/workforcePools/my-pool",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateWorkforcePoolRequest",
      "workforcePool": {
        "parent": "organizations/123456789012"
      },
      "workforcePoolId": "my-pool"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}

Logs for exchanging an IdP token for a federated token

After you set up a workforce pool and a workforce pool provider, you can create a token for your identity provider (IdP) and exchange it for a federated token.

When Cloud Audit Logs is enabled for Data Access activity, IAM generates an audit log entry each time a principal exchanges a token. The log entry contains the following fields:

  • protoPayload.authenticationInfo.principalSubject: the subject of the IdP token.
    • For an OIDC IdP, this field contains the sub value (the subject claim) from the OIDC token.
    • For a SAML IdP, this field contains the value of the NameID sub-attribute of the Subject attribute in the SAML assertion.
  • protoPayload.metadata.mapped_principal: the subject of the token in the IAM syntax that identifies the principal:

    principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER

    This value is the result of the provider's attribute mapping for google.subject, so it need not equal principalSubject; in the example below the raw sub and the mapped identifier differ.
  • protoPayload.resourceName: the workforce pool provider associated with the token.

The following example shows an audit log entry for a token exchange request. In this example, an OIDC token is exchanged for a federated token:

{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"
    },
    "metadata": {
      "mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/a1234bcd-5678-9012-efa3-4b5cd678ef9a"
    },
    "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeToken",
    "resourceName": "locations/global/workforcePools/oidc-pool/providers/oidc-provider",
    "serviceName": "sts.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.v1.ExchangeTokenRequest",
      "audience": "//iam.googleapis.com/locations/global/workforcePools/oidc-pool/providers/oidc-provider",
      "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
      "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
      "subjectTokenType": "urn:ietf:params:oauth:token-type:id_token"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}

Logs for signed and encrypted SAML assertions

This section describes the Cloud Audit Logs entries that the Security Token Service creates when it attempts to verify a signed SAML assertion or to decrypt an encrypted assertion sent by your IdP.

For Workforce Identity Federation, the relevant part of the log entry looks similar to the following:

"keyInfo": [
  {
    "use": "verify",
    "fingerprint": "3C:B2:47:F8:A5:9A:8A:52:BD:1C:BC:96:B5:45:C1:8D:A7:F1:73:2D"
  },
  {
    "use": "decrypt",
    "resourceName": "//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_NAME/providers/PROVIDER_NAME/keys/KEY_NAME"
  }
]

This output includes the following values:

  • fingerprint: the hexadecimal representation of the SHA-256 hash of the X.509 certificate used to verify the signature on the SAML credential. The X.509 certificate is extracted from the SAML XML metadata attached to the workforce pool provider. A SHA-256 fingerprint consists of 32 colon-separated bytes; the 20-byte value in the sample above is illustrative only.
  • resourceName: the resource name of the workforce pool provider key used to decrypt the encrypted SAML assertion. This field appears only when federation receives an encrypted SAML response from the IdP.
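The fingerprint in keyInfo lets you confirm that the Security Token Service verified the assertion with the certificate you actually published for your IdP. The following is an added example (not part of this page or of Google Cloud's tooling) that computes SHA-256 fingerprints of the signing certificates in an IdP's SAML metadata and reports any "verify" fingerprint in a log entry that matches none of them. The metadata document, the log entry and the certificate bytes are constructed here for illustration; the certificate is dummy data standing in for DER, since only the hash of the DER bytes matters.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for DER-encoded X.509 certificate bytes (not a real
# certificate). A fingerprint is a hash of the DER bytes, so this is enough
# to exercise the comparison end to end.
DUMMY_DER = bytes(range(256)) * 4
DUMMY_CERT_B64 = base64.b64encode(DUMMY_DER).decode()

# Constructed IdP metadata with a single signing KeyDescriptor.
SAML_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {DUMMY_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes as 32 colon-separated upper-case hex bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate the IdP publishes for signing.
    A KeyDescriptor with no 'use' attribute may serve both signing and
    encryption, so it is included as well."""
    found = set()
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # PEM-style line breaks and indentation are not part of the base64.
            der = base64.b64decode("".join((cert.text or "").split()))
            found.add(fingerprint(der))
    return found


def unknown_verify_keys(log_entry: dict, metadata_xml: str) -> list:
    """'verify' fingerprints in protoPayload.metadata.keyInfo that match no
    signing certificate in the metadata. A non-empty result means the STS
    accepted a signature from a certificate you do not recognise."""
    expected = signing_fingerprints(metadata_xml)
    key_info = log_entry.get("protoPayload", {}).get("metadata", {}).get("keyInfo", [])
    return [k["fingerprint"] for k in key_info
            if k.get("use") == "verify" and k["fingerprint"].upper() not in expected]


def make_entry(fp: str) -> dict:
    """Constructed STS log entry carrying one keyInfo 'verify' record."""
    return {"protoPayload": {"serviceName": "sts.googleapis.com",
                             "metadata": {"keyInfo": [{"use": "verify", "fingerprint": fp}]}}}


if __name__ == "__main__":
    print(unknown_verify_keys(make_entry(fingerprint(DUMMY_DER)), SAML_METADATA))    # []
    print(unknown_verify_keys(make_entry(fingerprint(b"rogue cert")), SAML_METADATA))
```

Run this against the metadata file you uploaded to the provider and the keyInfo of an STS entry; a mismatch is worth investigating even when the sign-in itself succeeded, because it means the provider's metadata no longer matches what you believe is deployed.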

Logs for calling Google Cloud APIs with a federated token

After you exchange the IdP token for a federated token, you can use the federated token to call Google Cloud APIs. Some of the methods you call may generate audit logs.

The following example shows an audit log entry generated when a federated token is used to request a list of the Cloud Storage buckets in a project. Note that the federated identity appears in principalSubject as a principal:// identifier, not in principalEmail.

{
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/012345678901"
    },
    "methodName": "storage.buckets.list",
    "serviceName": "storage.googleapis.com"
  },
  "resource": {
    "type": "gcs_bucket"
  }
}

Logs for Google Cloud console (federated) sign-in

After you set up a workforce pool and its IdP, users can sign in to Google Cloud using the console (federated).

Logs for a successful sign-in

This section provides an example Cloud Audit Logs entry recorded for a successful sign-in. In this example, user user@example.com signs in using the provider locations/global/workforcePools/my-pool/providers/my-provider. Note that sign-in entries carry the mapped identity under the camelCase key metadata.mappedPrincipal, whereas the token exchange entries above use metadata.mapped_principal; queries and parsers need to handle both. In this case, the following Cloud Audit Logs entry is generated:

{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "continueUrl": "https://console.cloud.google",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn"
    }
  }
}

In addition, Cloud Audit Logs entries for SAML providers can include signing key information in the metadata field (the fingerprint below is a placeholder, not a real hash):

{
  "metadata": {
    "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com",
    "keyInfo": [
      {
        "use": "verify",
        "fingerprint": "AE:CK:LM:EF:LK:OG:EH:IJ:KN:AL:OM:AD:NO"
      }
    ]
  }
}

Logs for a failed sign-in

This section provides an example Cloud Audit Logs entry recorded for a failed sign-in. In this example, user user@example.com attempts to sign in using the provider locations/global/workforcePools/my-pool/providers/my-provider, but access is denied because the attribute condition is not satisfied. The failure is recorded in protoPayload.status, which successful entries do not carry; code 3 is INVALID_ARGUMENT in google.rpc.Code. In this case, the following Cloud Audit Logs entry is generated:

{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "status": {
      "code": 3,
      "message": "The given credential is rejected by the attribute condition."
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/subject/user@example.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn"
    }
  }
}

Logs for sign-out

This section provides an example Cloud Audit Logs entry recorded for a sign-out event. In this example, user user@example.com, who signed in using the provider locations/global/workforcePools/my-pool/providers/my-provider, initiates a sign-out. In this case, the following Cloud Audit Logs entry is generated:

{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignOut",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignOutRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignOut"
    }
  }
}

Logs for signing in with the OAuth flow

After you set up a workforce pool and a workforce pool provider, you can use the OAuth flow to access Google Cloud resources.

When Cloud Audit Logs is enabled for Data Access activity, IAM generates an audit log entry each time a principal signs in using the OAuth flow. The log entry contains the following fields:

  • protoPayload.authenticationInfo.principalSubject: the subject of the IdP token.
    • For an OIDC IdP, this field contains the sub value (the subject claim) from the OIDC token.
    • For a SAML IdP, this field contains the value of the NameID sub-attribute of the Subject attribute in the SAML assertion.
  • protoPayload.metadata.mapped_principal: the subject of the token in the IAM syntax that identifies the principal:

    principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER

  • protoPayload.resourceName: the workforce pool provider associated with the token.

The following example shows an audit log entry for the token exchange request made by the OAuth flow (grant type authorization_code). In this example, the principal is federated through an OIDC provider:

{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"
    },
    "metadata": {
      "mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER"
    },
    "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeOauthToken",
    "resourceName": "locations/global/workforcePools/POOL_ID/providers/WORKFORCE_PROVIDER_ID",
    "serviceName": "sts.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.v1.ExchangeOauthTokenRequest",
      "grantType": "authorization_code"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
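The entries on this page share a handful of fields but spell them inconsistently: the Google identity that creates a pool appears in principalEmail, federated identities appear in principalSubject (as a raw IdP subject at exchange time and as a principal:// URI on later API calls), the mapped identity is metadata.mapped_principal for ExchangeToken and ExchangeOauthToken but metadata.mappedPrincipal for WebSignIn, and only rejected STS requests carry a status block. The following is an added example (not Google Cloud code) that normalizes these shapes into one record, flags rejected STS requests such as the attribute-condition failure above, and attributes activity to workforce pools. The sample entries are constructed from the examples on this page, trimmed to the fields the code reads; pool, provider and user names are the page's placeholders. ExchangeOauthToken entries are handled by the same path as ExchangeToken since they share service and field names.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed entries modeled on this page's examples (placeholders kept).
SAMPLE_ENTRIES = [
    {"protoPayload": {  # pool creation: Admin Activity entry, Google identity in principalEmail
        "authenticationInfo": {"principalEmail": "sam@example.com"},
        "methodName": "google.iam.admin.v1.WorkforcePools.CreateWorkforcePool",
        "resourceName": "locations/global/workforcePools/my-pool",
        "serviceName": "iam.googleapis.com"}},
    {"protoPayload": {  # token exchange: raw IdP subject plus snake_case mapped_principal
        "authenticationInfo": {"principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"},
        "metadata": {"mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/a1234bcd-5678-9012-efa3-4b5cd678ef9a"},
        "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeToken",
        "resourceName": "locations/global/workforcePools/oidc-pool/providers/oidc-provider",
        "serviceName": "sts.googleapis.com"}},
    {"protoPayload": {  # console sign-in rejected by the attribute condition: status block present
        "authenticationInfo": {"principalSubject": "user@example.com"},
        "status": {"code": 3, "message": "The given credential is rejected by the attribute condition."},
        "serviceName": "sts.googleapis.com",
        "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
        "resourceName": "locations/global/workforcePools/my-pool/subject/user@example.com",
        "metadata": {"mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"}}},
    {"protoPayload": {  # successful console sign-in: camelCase mappedPrincipal, no status
        "authenticationInfo": {"principalSubject": "user@example.com"},
        "serviceName": "sts.googleapis.com",
        "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
        "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
        "metadata": {"mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"}}},
    {"protoPayload": {  # API call with the federated token: identity is a principal:// URI
        "authenticationInfo": {"principalSubject": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/012345678901"},
        "methodName": "storage.buckets.list",
        "serviceName": "storage.googleapis.com"}},
]

PRINCIPAL_RE = re.compile(
    r"^principal://iam\.googleapis\.com/locations/global/workforcePools/(?P<pool>[^/]+)/subject/(?P<subject>.+)$")


@dataclass
class FederationEvent:
    service: str
    method: str
    principal: str                   # principalSubject if present, else principalEmail
    mapped_principal: Optional[str]  # metadata.mapped_principal or metadata.mappedPrincipal
    resource: Optional[str]
    status_code: int                 # 0 when there is no status block; google.rpc.Code otherwise
    status_message: str

    @property
    def denied(self) -> bool:
        return self.status_code != 0

    @property
    def pool_id(self) -> Optional[str]:
        """Workforce pool ID taken from the mapped principal or a principal:// subject."""
        for candidate in (self.mapped_principal, self.principal):
            m = PRINCIPAL_RE.match(candidate or "")
            if m:
                return m.group("pool")
        return None


def normalize(entry: dict) -> FederationEvent:
    p = entry["protoPayload"]
    auth = p.get("authenticationInfo", {})
    meta = p.get("metadata", {})
    status = p.get("status", {})
    return FederationEvent(
        service=p["serviceName"],
        method=p["methodName"],
        principal=auth.get("principalSubject") or auth.get("principalEmail") or "<unknown>",
        mapped_principal=meta.get("mapped_principal") or meta.get("mappedPrincipal"),
        resource=p.get("resourceName"),
        status_code=status.get("code", 0),
        status_message=status.get("message", ""),
    )


def rejected_sts_requests(entries) -> list:
    """Token exchange, OAuth exchange and console sign-in requests the STS refused."""
    return [ev for ev in map(normalize, entries) if ev.service == "sts.googleapis.com" and ev.denied]


def activity_by_pool(entries) -> Counter:
    """Number of entries attributable to each workforce pool."""
    return Counter(ev.pool_id for ev in map(normalize, entries) if ev.pool_id)


if __name__ == "__main__":
    for ev in rejected_sts_requests(SAMPLE_ENTRIES):
        print(f"DENIED {ev.method} principal={ev.principal} pool={ev.pool_id} code={ev.status_code}: {ev.status_message}")
    print(dict(activity_by_pool(SAMPLE_ENTRIES)))  # {'oidc-pool': 2, 'my-pool': 2}
```

Feed it the JSON you export from Cloud Logging (for example a filter on protoPayload.serviceName="sts.googleapis.com"); a burst of denied entries for one principal is the signal that an attribute condition is blocking someone, or that someone is probing a pool they are not mapped into.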

Next steps