This document describes how to use Cloud Logging for activity logging with Identity Platform.
Enabling activity logging
Activity logging is disabled by default. You can enable activity logging using the REST API:
curl -d "{'monitoring':{'requestLogging':{'enabled':true}}}" \ -H 'Authorization: Bearer auth-token' \ -X PATCH -H 'Content-Type: application/json' \ https://identitytoolkit.googleapis.com/admin/v2/projects/project-id/config?updateMask=monitoring.requestLogging.enabled
Enabling activity logging may affect your billing. See Pricing for Google Cloud's operations suite to learn more.
Viewing activity logs
When Logging is enabled, a log entry is generated for each user request. Each log entry includes the following fields:
Field | Description |
---|---|
logName |
projects/project-id/logs/identitytoolkit.googleapis.com/requests |
resource |
identitytoolkit_project |
serviceName |
identitytoolkit.googleapis.com |
protoPayload |
The logged request or response. |
You can see your project or tenant's activity logs using the Logs Viewer. To view logs:
In the Cloud Console, go to the Logs Viewer page.
Select Identity Toolkit Project or Identity Toolkit Tenant from the resources dropdown. If you're using multi-tenancy, you can show all tenants, or filter to a specific one.
Logged operations
The follow table lists the API operations that can produce activity logs:
Service | Method |
---|---|
google.cloud.identitytoolkit.v1.AccountManagementService | DeleteAccount |
GetAccountInfo | |
GetOobCode | |
ResetPassword | |
SetAccountInfo | |
google.cloud.identitytoolkit.v1.AuthenticationService | CreateAuthUri |
GetRecaptchaParam | |
SendVerificationCode | |
SignInWithCustomToken | |
SignInWithEmailLink | |
SignInWithGameCenter | |
SignInWithIdp | |
SignInWithPassword | |
SignInWithPhoneNumber | |
SignUp | |
VerifyIosClient | |
google.cloud.identitytoolkit.v1.ProjectConfigService | GetProjectConfig |
Excluding operations
Logging gives you tools to disable log ingestion or exclude log entries you don't want. For more information about how to exclude certain logs, see Logs Exclusions.
The following example shows how to exclude logs for the read-only
GetAccountInfo()
and GetProjectConfig()
methods:
resource.type="identitytoolkit_project"
(
jsonPayload.methodName="google.cloud.identitytoolkit.v1.AccountManagementService.GetAccountInfo"
OR
jsonPayload.methodName="google.cloud.identitytoolkit.v1.ProjectConfigService.GetProjectConfig"
)