This page describes sample audit logs generated when you use Workforce Identity Federation. With Workforce Identity Federation, you can let third-party identities access Google Cloud resources without using service account keys.
For details on how to enable and view audit logs, see IAM audit logging.
IAM can generate audit logs when you create and manage workforce pools. To enable audit logs for workforce pool management, you must enable Data Access audit logs for the following API:
- Identity and Access Management (IAM) API (enable the Admin Read log type)
To additionally configure audit logs for the token exchange process or for Google Cloud console (federated) sign-in, you must also enable Data Access audit logs for the following API:
- Security Token Service API (enable the Admin Read log type)
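Data Access audit logs are switched on through the auditConfigs section of the IAM policy, so the two prerequisites above amount to a read-modify-write of the organization policy. The following is an added example, not Google's code or a snippet from this page: it takes a policy document as returned by the IAM API (for instance via `gcloud organizations get-iam-policy ORG_ID --format=json`), merges the required service/logType pairs in without disturbing what is already configured, and reports what is still missing. The sample policy and its etag are constructed for illustration.

```python
"""Merge the Data Access audit-log settings this page calls for into an
organization IAM policy document (added example, not Google's code)."""
import json

# The two APIs the page says need Data Access audit logs, with the log type
# it names for each ("Admin Read" is ADMIN_READ in the policy schema).
REQUIRED_AUDIT_CONFIGS = {
    "iam.googleapis.com": {"ADMIN_READ"},  # workforce pool management
    "sts.googleapis.com": {"ADMIN_READ"},  # token exchange, console sign-in
}


def enable_admin_read(policy: dict) -> dict:
    """Return a copy of `policy` whose auditConfigs cover every required
    service/logType pair, keeping whatever was already configured."""
    updated = json.loads(json.dumps(policy))  # deep copy; policy is plain JSON
    configs = updated.setdefault("auditConfigs", [])
    by_service = {c["service"]: c for c in configs}
    for service, log_types in REQUIRED_AUDIT_CONFIGS.items():
        entry = by_service.get(service)
        if entry is None:
            entry = {"service": service, "auditLogConfigs": []}
            configs.append(entry)
            by_service[service] = entry
        present = {c["logType"] for c in entry["auditLogConfigs"]}
        for log_type in sorted(log_types - present):
            entry["auditLogConfigs"].append({"logType": log_type})
    return updated


def missing_audit_configs(policy: dict) -> list:
    """List (service, logType) pairs the policy still lacks; an empty list
    means the prerequisites on this page are satisfied."""
    have = {
        (c["service"], lc["logType"])
        for c in policy.get("auditConfigs", [])
        for lc in c.get("auditLogConfigs", [])
    }
    return sorted(
        (svc, lt)
        for svc, lts in REQUIRED_AUDIT_CONFIGS.items()
        for lt in lts
        if (svc, lt) not in have
    )


# Constructed sample policy: IAM already logs DATA_READ, STS has no config.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/viewer", "members": ["group:auditors@example.com"]}],
    "auditConfigs": [
        {"service": "iam.googleapis.com", "auditLogConfigs": [{"logType": "DATA_READ"}]}
    ],
    "etag": "BwXyZ-constructed-etag",
}

if __name__ == "__main__":
    print("missing before:", missing_audit_configs(SAMPLE_POLICY))
    fixed = enable_admin_read(SAMPLE_POLICY)
    print("missing after:", missing_audit_configs(fixed))
    print(json.dumps(fixed["auditConfigs"], indent=2))
```

Write the returned policy back with the matching set-iam-policy call, keeping the etag so a concurrent policy change is rejected rather than silently overwritten.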
Logs for creating a workforce pool
The following example shows a log entry for creating a workforce pool. In this example, the user sam@example.com creates a workforce pool with the ID my-pool under the organization with the ID 123456789012.
{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "sam@example.com"
    },
    "methodName": "google.iam.admin.v1.WorkforcePools.CreateWorkforcePool",
    "resourceName": "locations/global/workforcePools/my-pool",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateWorkforcePoolRequest",
      "workforcePool": {
        "parent": "organizations/123456789012"
      },
      "workforcePoolId": "my-pool"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
Logs for exchanging an identity provider token for a federated token
After you set up a workforce pool and an identity provider, you can create a token for the identity provider and exchange it for a federated token.
When Cloud Audit Logs is enabled for Data Access activity, IAM generates an audit log entry each time a principal exchanges a token. The log entry contains the following fields:
- protoPayload.authenticationInfo.principalSubject: the subject of the identity provider token.
  - For OIDC identity providers, this field contains the sub value (the subject claim) from the OIDC token.
  - For SAML identity providers, this field contains the value of the NameID sub-attribute of the Subject attribute in the SAML assertion.
- protoPayload.metadata.mapped_principal: the subject of the token, in the IAM syntax that identifies the principal: principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER
- protoPayload.resourceName: the workforce pool provider associated with the token.
The following example shows an audit log entry for a request that exchanges a token. In this example, an OIDC token is exchanged for a federated token:
{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"
    },
    "metadata": {
      "mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/a1234bcd-5678-9012-efa3-4b5cd678ef9a"
    },
    "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeToken",
    "resourceName": "locations/global/workforcePools/oidc-pool/providers/oidc-provider",
    "serviceName": "sts.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.v1.ExchangeTokenRequest",
      "audience": "//iam.googleapis.com/locations/global/workforcePools/oidc-pool/providers/oidc-provider",
      "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
      "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
      "subjectTokenType": "urn:ietf:params:oauth:token-type:id_token"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
Logs for calling Google Cloud APIs with a federated token
After you exchange an identity provider token for a federated token, you can use the federated token to call Google Cloud APIs. Some of the methods you call might generate audit logs.
The following example shows an audit log entry generated when a federated token is used to request the list of Cloud Storage buckets in a project.
{
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/012345678901"
    },
    "methodName": "storage.buckets.list",
    "serviceName": "storage.googleapis.com"
  },
  "resource": {
    "type": "gcs_bucket"
  }
}
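The two entries above are linked by one value: the mapped_principal written at token exchange reappears as principalSubject on every API call the federated token makes. The following is an added example, not Google's code or a snippet from this page. It parses the mapped principal according to the syntax given above (pool ID and subject), summarises the three fields the page highlights for ExchangeToken entries, and then joins the exchange entries to later data-access entries by that principal, so an API call under a workforce principal with no preceding exchange in the window stands out. The log entries are constructed to mirror the page's samples and are assumed to be in timestamp order, as Cloud Logging returns them when queried that way.

```python
"""Correlate workforce-federation token exchanges with the API calls made
under the resulting federated tokens (added example, not Google's code)."""
import re
from collections import defaultdict
from typing import Optional

# IAM principal syntax from this page:
#   principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER
PRINCIPAL_RE = re.compile(
    r"^principal://iam\.googleapis\.com/locations/global/workforcePools/"
    r"(?P<pool>[^/]+)/subject/(?P<subject>.+)$"
)
EXCHANGE_METHOD = "google.identity.sts.v1.SecurityTokenService.ExchangeToken"


def parse_principal(principal: str) -> Optional[dict]:
    """Split a mapped principal into pool ID and subject; None if malformed."""
    m = PRINCIPAL_RE.match(principal)
    return m.groupdict() if m else None


def exchange_summary(entry: dict) -> Optional[dict]:
    """Pull the fields this page describes from an ExchangeToken entry;
    None for any other audit entry."""
    p = entry.get("protoPayload", {})
    if p.get("methodName") != EXCHANGE_METHOD:
        return None
    mapped = p.get("metadata", {}).get("mapped_principal", "")
    parsed = parse_principal(mapped) or {}
    return {
        "idp_subject": p.get("authenticationInfo", {}).get("principalSubject"),
        "mapped_principal": mapped,
        "pool": parsed.get("pool"),
        "subject": parsed.get("subject"),
        "provider": p.get("resourceName"),
        "subject_token_type": p.get("request", {}).get("subjectTokenType"),
    }


def calls_per_exchange(entries: list) -> dict:
    """Map each mapped principal seen in an ExchangeToken entry to the
    service:method calls later made under that principal. Calls by a
    principal with no preceding exchange land under 'UNMATCHED'."""
    known = set()
    calls = defaultdict(list)
    for e in entries:  # assumed in timestamp order
        s = exchange_summary(e)
        if s:
            known.add(s["mapped_principal"])
            continue
        p = e["protoPayload"]
        who = p.get("authenticationInfo", {}).get("principalSubject", "")
        key = who if who in known else "UNMATCHED"
        calls[key].append(f'{p["serviceName"]}:{p["methodName"]}')
    return dict(calls)


# Constructed entries modelled on this page's samples (not real log data).
POOL_PRINCIPAL = ("principal://iam.googleapis.com/locations/global/"
                  "workforcePools/oidc-pool/subject/a1234bcd-5678-9012-efa3-4b5cd678ef9a")
SAMPLE_ENTRIES = [
    {"protoPayload": {
        "authenticationInfo": {"principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"},
        "metadata": {"mapped_principal": POOL_PRINCIPAL},
        "methodName": EXCHANGE_METHOD,
        "resourceName": "locations/global/workforcePools/oidc-pool/providers/oidc-provider",
        "serviceName": "sts.googleapis.com",
        "request": {"subjectTokenType": "urn:ietf:params:oauth:token-type:id_token"}}},
    {"protoPayload": {
        "authenticationInfo": {"principalSubject": POOL_PRINCIPAL},
        "methodName": "storage.buckets.list",
        "serviceName": "storage.googleapis.com"}},
    {"protoPayload": {  # a call under a principal with no exchange in the window
        "authenticationInfo": {"principalSubject": "principal://iam.googleapis.com/"
                               "locations/global/workforcePools/other-pool/subject/012345678901"},
        "methodName": "storage.buckets.list",
        "serviceName": "storage.googleapis.com"}},
]

if __name__ == "__main__":
    print(exchange_summary(SAMPLE_ENTRIES[0]))
    for principal, made in calls_per_exchange(SAMPLE_ENTRIES).items():
        print(principal, "->", made)
```

An UNMATCHED bucket is not by itself an error (the exchange may simply predate the query window), but it is the first thing to check when a workforce principal appears on a resource where no token exchange was expected.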
Logs for Google Cloud console (federated) sign-in
After you set up a workforce identity pool and its identity provider, users can sign in to Google Cloud with single sign-on.
Logs for successful sign-in
This section shows a sample Cloud Audit Logs entry recorded for a successful sign-in. In this example, the user user@example.com signs in using the provider locations/global/workforcePools/my-pool/providers/my-provider. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "continueUrl": "https://console.cloud.google",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn"
    }
  }
}
In addition, for SAML providers the Cloud Audit Logs entry can include signing key information in the metadata field:
{
  "metadata": {
    "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com",
    "keyInfo": [
      {
        "use": "verify",
        "fingerprint": "AE:CK:LM:EF:LK:OG:EH:IJ:KN:AL:OM:AD:NO"
      }
    ]
  }
}
Logs for failed sign-in
This section shows a sample Cloud Audit Logs entry recorded for a failed sign-in. In this example, the user user@example.com attempts to sign in using the provider locations/global/workforcePools/my-pool/providers/my-provider, but access is denied because the attribute condition is not satisfied. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "status": {
      "code": 3,
      "message": "The given credential is rejected by the attribute condition."
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/subject/user@example.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn"
    }
  }
}
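The successful and failed sign-in entries above differ in one structural way: the failure carries a protoPayload.status block with a non-zero code and the rejection message, while the success has no status at all. The following is an added example, not Google's code or a snippet from this page. It flattens WebSignIn and WebSignOut entries into one record each, treats a missing status as success, keeps the SAML keyInfo fingerprints when present, and counts attribute-condition rejections per principal and provider so that repeated rejections surface. It reads the provider from request.provider rather than resourceName, because resourceName differs between the success and failure samples on this page. The entries are constructed to match the shapes shown above, and the threshold of three is an assumption to tune per environment.

```python
"""Triage console (federated) sign-in audit entries: separate successful
WebSignIn events from attribute-condition rejections and count rejections
per principal and provider (added example, not Google's code)."""
from collections import Counter
from typing import Optional

SIGN_IN = "google.identity.sts.SecurityTokenService.WebSignIn"
SIGN_OUT = "google.identity.sts.SecurityTokenService.WebSignOut"


def classify(entry: dict) -> Optional[dict]:
    """Return a flat record for a WebSignIn/WebSignOut entry, else None."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName")
    if method not in (SIGN_IN, SIGN_OUT):
        return None
    status = p.get("status")  # absent on success, present with a code on failure
    code = status.get("code", 0) if status else 0
    metadata = p.get("metadata", {})
    return {
        "event": "sign_in" if method == SIGN_IN else "sign_out",
        "ok": code == 0,
        "code": code,
        "message": status.get("message") if status else None,
        "principal": p.get("authenticationInfo", {}).get("principalSubject"),
        "mapped": metadata.get("mappedPrincipal"),
        "provider": p.get("request", {}).get("provider"),
        # Only SAML providers populate keyInfo; empty list otherwise.
        "key_fingerprints": [k.get("fingerprint") for k in metadata.get("keyInfo", [])],
    }


def rejected_sign_ins(entries: list, threshold: int = 3) -> dict:
    """Count failed sign-ins per (principal, provider) and return the pairs
    at or above `threshold`, together with the total failure count."""
    fails = Counter()
    total = 0
    for e in entries:
        r = classify(e)
        if r and r["event"] == "sign_in" and not r["ok"]:
            total += 1
            fails[(r["principal"], r["provider"])] += 1
    return {
        "total_failed": total,
        "over_threshold": {k: v for k, v in fails.items() if v >= threshold},
    }


# Constructed sample entries in the shape this page shows (not real log data).
PROVIDER = "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider"
REJECTED = {"code": 3, "message": "The given credential is rejected by the attribute condition."}


def _entry(method: str, principal: str, status: Optional[dict] = None,
           key_info: Optional[list] = None) -> dict:
    """Build a minimal WebSignIn/WebSignOut entry like the page's samples."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {"principalSubject": principal},
        "serviceName": "sts.googleapis.com",
        "methodName": method,
        "request": {"provider": PROVIDER, "host": "http://auth.cloud.google"},
        "metadata": {"mappedPrincipal": "principal://iam.googleapis.com/locations/"
                                        f"global/workforcePools/my-pool/subject/{principal}"},
    }
    if status:
        payload["status"] = status
    if key_info:
        payload["metadata"]["keyInfo"] = key_info
    return {"protoPayload": payload, "resource": {"type": "audited_resource"}}


SAMPLE_ENTRIES = (
    [_entry(SIGN_IN, "user@example.com",
            key_info=[{"use": "verify", "fingerprint": "AE:CK:LM:EF:LK:OG:EH:IJ:KN:AL:OM:AD:NO"}])]
    + [_entry(SIGN_IN, "contractor@example.com", status=REJECTED)] * 3
    + [_entry(SIGN_IN, "other@example.com", status=REJECTED)]
    + [_entry(SIGN_OUT, "user@example.com")]
)

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(classify(e))
    print(rejected_sign_ins(SAMPLE_ENTRIES))
```

A principal that keeps being rejected by the attribute condition is usually a mis-mapped attribute on the identity provider side rather than an attack, but the same count also shows when a user outside the intended group is repeatedly trying the federated sign-in, so both cases deserve a look.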
Logs for sign-out
This section shows a sample Cloud Audit Logs entry recorded for a sign-out event. In this example, the user user@example.com, who signed in using the provider locations/global/workforcePools/my-pool/providers/my-provider, initiates a sign-out. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignOut",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignOutRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignOut"
    }
  }
}
What's next
- Configure and view audit logs for IAM.
- Learn more about Cloud Audit Logs.
- Set up identity federation with workforce identity pools.