Activity logging
This document describes how to use Cloud Logging for activity logging with Identity Platform.
Enabling activity logging
Activity logging is disabled by default. You can enable activity logging through the Google Cloud console or by using the REST API:
Console
Go to the Settings page in the Google Cloud console.
Go to SettingsUnder User activity logging, select Enable.
Click Save.
REST
curl -d "{'monitoring':{'requestLogging':{'enabled':true}}}" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -X PATCH -H 'Content-Type: application/json' \ https://identitytoolkit.googleapis.com/admin/v2/projects/PROJECT_ID/config?updateMask=monitoring.requestLogging.enabled
Replace PROJECT_ID with the project ID.
Enabling activity logging can affect your billing. See Google Cloud Observability pricing to learn more.
Enabling activity logging for tenant projects
Activity logging for tenant projects is disabled by default. You can enable activity logging for tenant projects, using the REST API, by executing the following command:
curl -d "{'monitoring':{'requestLogging':{'enabled':true}}}" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -X PATCH -H 'Content-Type: application/json' \ https://identitytoolkit.googleapis.com/v2/projects/PROJECT_ID/tenants/TENANT_ID?updateMask=monitoring.requestLogging.enabled
Replace the following:
PROJECT_ID: the project ID.TENANT_ID: the tenant ID.
Enabling activity logging can affect your billing. See Pricing for Google Cloud Observability to learn more.
Viewing activity logs
When Logging is enabled, a log entry is generated for each user request. Each log entry includes the following fields:
| Field | Description |
|---|---|
logName |
projects/PROJECT_ID/logs/identitytoolkit.googleapis.com/requests |
resource |
identitytoolkit_project or identitytoolkit_tenant |
serviceName |
identitytoolkit.googleapis.com |
protoPayload |
The logged request or response. |
You can see your project or tenant's activity logs using the Logs Explorer. To view logs:
In the Google Cloud console, go to the Logs Explorer page.
Select Identity Toolkit Project or Identity Toolkit Tenant from the resources dropdown. If you're using multi-tenancy, you can show all tenants, or filter to a specific one.
Logged operations
The follow table lists the API operations that can produce activity logs:
| Service | Method |
|---|---|
| google.cloud.identitytoolkit.v1.AccountManagementService | DeleteAccount |
| GetAccountInfo | |
| GetOobCode | |
| ResetPassword | |
| SetAccountInfo | |
| google.cloud.identitytoolkit.v1.AuthenticationService | CreateAuthUri |
| GetRecaptchaParam | |
| SendVerificationCode | |
| SignInWithCustomToken | |
| SignInWithEmailLink | |
| SignInWithGameCenter | |
| SignInWithIdp | |
| SignInWithPassword | |
| SignInWithPhoneNumber | |
| SignUp | |
| VerifyIosClient | |
| google.cloud.identitytoolkit.v1.ProjectConfigService | GetProjectConfig |
Excluding operations
Logging gives you tools to disable log ingestion or exclude log entries you don't want. For more information about how to exclude certain logs, see Logs Exclusions.
The following example shows how to exclude logs for the read-only
GetAccountInfo() and GetProjectConfig() methods:
resource.type="identitytoolkit_project"
(
jsonPayload.methodName="google.cloud.identitytoolkit.v1.AccountManagementService.GetAccountInfo"
OR
jsonPayload.methodName="google.cloud.identitytoolkit.v1.ProjectConfigService.GetProjectConfig"
)