Activity logging
This document describes how to use Cloud Logging for activity logging with Identity Platform.
Enabling activity logging
Activity logging is disabled by default. You can enable activity logging using the REST API:
curl -d '{"monitoring":{"requestLogging":{"enabled":true}}}' \
  -H 'Authorization: Bearer auth-token' \
  -X PATCH -H 'Content-Type: application/json' \
  'https://identitytoolkit.googleapis.com/admin/v2/projects/project-id/config?updateMask=monitoring.requestLogging.enabled'
Enabling activity logging can affect your billing. See Google Cloud's operations suite pricing to learn more.
Enabling activity logging for tenant projects
Activity logging for tenant projects is disabled by default. You can enable activity logging for tenant projects, using the REST API, by executing the following command:
curl -d '{"monitoring":{"requestLogging":{"enabled":true}}}' \
  -H 'Authorization: Bearer auth-token' \
  -X PATCH -H 'Content-Type: application/json' \
  'https://identitytoolkit.googleapis.com/admin/v2/projects/project-id/tenants/tenant-id?updateMask=monitoring.requestLogging.enabled'
Enabling activity logging can affect your billing. See Pricing for Google Cloud's operations suite to learn more.
Viewing activity logs
When Logging is enabled, a log entry is generated for each user request. Each log entry includes the following fields:
Field | Description |
---|---|
logName | projects/project-id/logs/identitytoolkit.googleapis.com/requests |
resource | identitytoolkit_project or identitytoolkit_tenant |
serviceName | identitytoolkit.googleapis.com |
protoPayload | The logged request or response. |
You can see your project or tenant's activity logs using the Logs Explorer. To view logs:
In the console, go to the Logs Explorer page.
Select Identity Toolkit Project or Identity Toolkit Tenant from the resources dropdown. If you're using multi-tenancy, you can show all tenants, or filter to a specific one.
Logged operations
The following table lists the API operations that can produce activity logs:
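Service | Method |
---|---|
google.cloud.identitytoolkit.v1.AccountManagementService | DeleteAccount |
google.cloud.identitytoolkit.v1.AccountManagementService | GetAccountInfo |
google.cloud.identitytoolkit.v1.AccountManagementService | GetOobCode |
google.cloud.identitytoolkit.v1.AccountManagementService | ResetPassword |
google.cloud.identitytoolkit.v1.AccountManagementService | SetAccountInfo |
google.cloud.identitytoolkit.v1.AuthenticationService | CreateAuthUri |
google.cloud.identitytoolkit.v1.AuthenticationService | GetRecaptchaParam |
google.cloud.identitytoolkit.v1.AuthenticationService | SendVerificationCode |
google.cloud.identitytoolkit.v1.AuthenticationService | SignInWithCustomToken |
google.cloud.identitytoolkit.v1.AuthenticationService | SignInWithEmailLink |
google.cloud.identitytoolkit.v1.AuthenticationService | SignInWithGameCenter |
google.cloud.identitytoolkit.v1.AuthenticationService | SignInWithIdp |
google.cloud.identitytoolkit.v1.AuthenticationService | SignInWithPassword |
google.cloud.identitytoolkit.v1.AuthenticationService | SignInWithPhoneNumber |
google.cloud.identitytoolkit.v1.AuthenticationService | SignUp |
google.cloud.identitytoolkit.v1.AuthenticationService | VerifyIosClient |
google.cloud.identitytoolkit.v1.ProjectConfigService | GetProjectConfig |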
Excluding operations
Logging gives you tools to disable log ingestion or exclude log entries you don't want. For more information about how to exclude certain logs, see Logs Exclusions.
The following example shows how to exclude logs for the read-only GetAccountInfo() and GetProjectConfig() methods:
resource.type="identitytoolkit_project"
(
jsonPayload.methodName="google.cloud.identitytoolkit.v1.AccountManagementService.GetAccountInfo"
OR
jsonPayload.methodName="google.cloud.identitytoolkit.v1.ProjectConfigService.GetProjectConfig"
)
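The following added example (not part of the original documentation) dry-runs the exclusion filter above over constructed log entries, so you can confirm before applying it that only the two read-only methods are dropped while sign-in and account-change entries are kept. It also shows that, because the filter matches resource.type="identitytoolkit_project" only, the same methods logged under identitytoolkit_tenant are still kept. The entry shape is an assumption based on the fields the filter references; function names are hypothetical.

```python
# Added example: mirrors the exclusion filter shown above in plain Python.
# Field names come from that filter; all sample entries are constructed.
SVC = "google.cloud.identitytoolkit.v1."
EXCLUDED_METHODS = {
    SVC + "AccountManagementService.GetAccountInfo",
    SVC + "ProjectConfigService.GetProjectConfig",
}


def is_excluded(entry, resource_types=("identitytoolkit_project",)):
    """True when resource.type matches AND methodName is in the OR group."""
    rtype = entry.get("resource", {}).get("type")
    method = entry.get("jsonPayload", {}).get("methodName")
    return rtype in resource_types and method in EXCLUDED_METHODS


def dry_run(entries, resource_types=("identitytoolkit_project",)):
    """Split entries into (kept, dropped) the way the exclusion would."""
    kept, dropped = [], []
    for e in entries:
        (dropped if is_excluded(e, resource_types) else kept).append(e)
    return kept, dropped


def make_entry(rtype, method):
    """Build a minimal constructed log entry (assumed shape)."""
    return {"resource": {"type": rtype},
            "jsonPayload": {"methodName": SVC + method}}


SAMPLE = [  # constructed entries, not real log data
    make_entry("identitytoolkit_project", "AccountManagementService.GetAccountInfo"),
    make_entry("identitytoolkit_project", "ProjectConfigService.GetProjectConfig"),
    make_entry("identitytoolkit_project", "AuthenticationService.SignInWithPassword"),
    make_entry("identitytoolkit_project", "AccountManagementService.ResetPassword"),
    make_entry("identitytoolkit_tenant", "AccountManagementService.GetAccountInfo"),
    make_entry("identitytoolkit_tenant", "AccountManagementService.DeleteAccount"),
]

if __name__ == "__main__":
    kept, dropped = dry_run(SAMPLE)
    for label, group in (("kept", kept), ("dropped", dropped)):
        for e in group:
            print(label, e["resource"]["type"], e["jsonPayload"]["methodName"])
```

Passing resource_types=("identitytoolkit_project", "identitytoolkit_tenant") to dry_run shows what a filter covering both resource types would drop.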