Activity logging

This page describes Identity Platform activity logging. For information about audit logging, see Identity Platform audit logging.

Identity Platform integrates with Google Cloud's operations suite to enable project owners to monitor their users' activity. When enabled, Identity Platform generates a log entry for each end-user request received by the API. Log entries include what operation was performed, when it was performed, and all loggable request and response information supplied in the request. Activity logging is disabled by default and can be configured using the Identity Platform APIs. For details, see the Enable Activity Logging section.

Activity logging can affect your logs pricing in Google Cloud's operations suite, as described in the Pricing section on this page.

Activity logging-enabled operations

The following table summarizes the API operations that can produce activity logs:

Service                                                   Method
google.cloud.identitytoolkit.v1.AccountManagementService  DeleteAccount
                                                          GetAccountInfo
                                                          GetOobCode
                                                          ResetPassword
                                                          SetAccountInfo
google.cloud.identitytoolkit.v1.AuthenticationService     CreateAuthUri
                                                          GetRecaptchaParam
                                                          SendVerificationCode
                                                          SignInWithCustomToken
                                                          SignInWithEmailLink
                                                          SignInWithGameCenter
                                                          SignInWithIdp
                                                          SignInWithPassword
                                                          SignInWithPhoneNumber
                                                          SignUp
                                                          VerifyIosClient
google.cloud.identitytoolkit.v1.ProjectConfigService      GetProjectConfig

Activity log format

Activity log entries can be viewed in Cloud Logging using the Logs Viewer or Cloud SDK. Logs include the following objects:

  • logName always contains Identity Platform activity logs in the following format: projects/[PROJECT_ID]/logs/identitytoolkit.googleapis.com%2Frequests
  • resource always contains the identitytoolkit_project resource type.
  • serviceName always contains the service name in the following format: identitytoolkit.googleapis.com.
  • protoPayload contains the loggable request and/or response information.

Enabling activity logging

Activity logging is disabled by default. You can configure activity logging by using the Identity Platform REST API:

# Replace [AUTH_TOKEN] and [PROJECT_ID]. The body is strict JSON and the URL is quoted so the shell leaves ? and [] alone.
curl -X PATCH \
  -H 'Authorization: Bearer [AUTH_TOKEN]' \
  -H 'Content-Type: application/json' \
  -d '{"monitoring":{"requestLogging":{"enabled":true}}}' \
  'https://identitytoolkit.googleapis.com/admin/v2/projects/[PROJECT_ID]/config?updateMask=monitoring.requestLogging.enabled'

Pricing

Activity logging can affect your logs pricing in Google Cloud's operations suite. For information on log pricing, see Stackdriver pricing.

Logs Exclusions

Google Cloud's operations suite gives you tools to disable all logs ingestion or exclude (discard) log entries you don't want, so that you can minimize any charges for logs over your monthly allotment. For more information about how to exclude certain logs, see Logs Exclusions.

Sample exclusion filter

The following is an example exclusion filter that excludes all logs for the read-only methods GetAccountInfo and GetProjectConfig:

  • Name: CICP.excludeReadOnlyActivity
  • Description: Excludes all CICP activity logs for GetAccountInfo and GetProjectConfig endpoints
  • Percent to Exclude: 100
resource.type="identitytoolkit_project"
(
 jsonPayload.methodName="google.cloud.identitytoolkit.v1.AccountManagementService.GetAccountInfo"
 OR
 jsonPayload.methodName="google.cloud.identitytoolkit.v1.ProjectConfigService.GetProjectConfig"
)
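
A check for exclusion filters of the form shown above, as an added example that is not part of the original page or Google's own code: it flags method names that do not appear in the table on this page (a misspelled name makes the exclusion match nothing) and exclusions that would discard entries for methods other than the two read-only ones. Treating every other method as one to keep, and parsing only `jsonPayload.methodName="..."` equality clauses, are assumptions of this example.

```python
import re

PREFIX = "google.cloud.identitytoolkit.v1."
# Services and methods copied from the table on this page.
LOGGED_METHODS = {
    "AccountManagementService": ["DeleteAccount", "GetAccountInfo", "GetOobCode",
                                 "ResetPassword", "SetAccountInfo"],
    "AuthenticationService": ["CreateAuthUri", "GetRecaptchaParam", "SendVerificationCode",
                              "SignInWithCustomToken", "SignInWithEmailLink",
                              "SignInWithGameCenter", "SignInWithIdp", "SignInWithPassword",
                              "SignInWithPhoneNumber", "SignUp", "VerifyIosClient"],
    "ProjectConfigService": ["GetProjectConfig"],
}
KNOWN = {f"{PREFIX}{svc}.{m}" for svc, ms in LOGGED_METHODS.items() for m in ms}
# The only methods the page calls read-only. Assumption of this example:
# entries for every other method should stay in the logs.
READ_ONLY = {PREFIX + "AccountManagementService.GetAccountInfo",
             PREFIX + "ProjectConfigService.GetProjectConfig"}
METHOD_RE = re.compile(r'jsonPayload\.methodName\s*=\s*"([^"]+)"')

def audit_exclusion_filter(filter_text):
    """Return (unknown, risky) method names referenced by an exclusion filter."""
    methods = METHOD_RE.findall(filter_text)
    unknown = sorted(m for m in methods if m not in KNOWN)
    risky = sorted(m for m in methods if m in KNOWN and m not in READ_ONLY)
    return unknown, risky

def build_exclusion_filter(methods):
    """Build a filter in the page's layout; refuse anything not read-only."""
    rejected = [m for m in methods if m not in READ_ONLY]
    if rejected:
        raise ValueError(f"refusing to exclude: {rejected}")
    clauses = "\n OR\n ".join(f'jsonPayload.methodName="{m}"' for m in methods)
    return f'resource.type="identitytoolkit_project"\n(\n {clauses}\n)'

# Constructed sample: excludes a sign-in method and misspells GetProjectConfig.
SAMPLE = '''resource.type="identitytoolkit_project"
(
 jsonPayload.methodName="google.cloud.identitytoolkit.v1.AccountManagementService.GetAccountInfo"
 OR
 jsonPayload.methodName="google.cloud.identitytoolkit.v1.AuthenticationService.SignInWithPassword"
 OR
 jsonPayload.methodName="google.cloud.identitytoolkit.v1.ProjectConfigService.GetProjectConfg"
)'''

if __name__ == "__main__":
    unknown, risky = audit_exclusion_filter(SAMPLE)
    print("unknown methods:", unknown)
    print("excluded but not read-only:", risky)
```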