AuditLog

Common audit log format for Google Cloud Platform API operations.

JSON representation
{
  "serviceName": string,
  "methodName": string,
  "resourceName": string,
  "numResponseItems": string,
  "status": {
    object(Status)
  },
  "authenticationInfo": {
    object(AuthenticationInfo)
  },
  "authorizationInfo": [
    {
      object(AuthorizationInfo)
    }
  ],
  "requestMetadata": {
    object(RequestMetadata)
  },
  "request": {
    object
  },
  "response": {
    object
  },
  "metadata": [
    {
      object
    }
  ],
  "serviceData": {
    "@type": string,
    field1: ...,
    ...
  },
}
Fields
serviceName

string

The name of the API service performing the operation. For example, "datastore.googleapis.com".

methodName

string

The name of the service method or operation. For API calls, this should be the name of the API method. For example,

"google.datastore.v1.Datastore.RunQuery"
"google.logging.v1.LoggingService.DeleteLog"

resourceName

string

The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example:

"shelves/SHELF_ID/books"
"shelves/SHELF_ID/books/BOOK_ID"

numResponseItems

string (int64 format)

The number of items returned from a List or Query API method, if applicable.

status

object(Status)

The status of the overall operation.

authenticationInfo

object(AuthenticationInfo)

Authentication information.

authorizationInfo[]

object(AuthorizationInfo)

Authorization information. If there are multiple resources or permissions involved, then there is one AuthorizationInfo element for each {resource, permission} tuple.

requestMetadata

object(RequestMetadata)

Metadata about the operation.

request

object (Struct format)

The operation request. This may not include all request parameters, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.

response

object (Struct format)

The operation response. This may not include all response elements, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.

metadata[]

object (Struct format)

Other service-specific data about the request, response, and other information associated with the current audited event.

serviceData

object

Deprecated, use metadata field instead. Other service-specific data about the request, response, and other activities.

An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" }.

AuthenticationInfo

Authentication information for the operation.

JSON representation
{
  "principalEmail": string,
  "authoritySelector": string,
  "thirdPartyPrincipal": {
    object
  },
}
Fields
principalEmail

string

The email address of the authenticated user (or service account on behalf of third party principal) making the request. For privacy reasons, the principal email address is redacted for all read-only operations that fail with a "permission denied" error.

authoritySelector

string

The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority.

thirdPartyPrincipal

object (Struct format)

The third party identification (if any) of the authenticated user making the request. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.

AuthorizationInfo

Authorization information for the operation.

JSON representation
{
  "resource": string,
  "permission": string,
  "granted": boolean,
}
Fields
resource

string

The resource being accessed, as a REST-style string. For example:

bigquery.googleapis.com/projects/PROJECTID/datasets/DATASETID

permission

string

The required IAM permission.

granted

boolean

Whether or not authorization for resource and permission was granted.

RequestMetadata

Metadata about the request.

JSON representation
{
  "callerIp": string,
  "callerSuppliedUserAgent": string,
}
Fields
callerIp

string

The IP address of the caller. For caller from internet, this will be public IPv4 or IPv6 address. For caller from a Compute Engine VM with external IP address, this will be the VM's external IP address. For caller from a Compute Engine VM without external IP address, if the VM is in the same organization (or project) as the accessed resource, callerIp will be the VM's internal IPv4 address, otherwise the callerIp will be redacted to "gce-internal-ip". See https://cloud.google.com/compute/docs/vpc/ for more information.

callerSuppliedUserAgent

string

The user agent of the caller. This information is not authenticated and should be treated accordingly. For example:

  • google-api-python-client/1.4.0: The request was made by the Google API client for Python.
  • Cloud SDK Command Line Tool apitools-client/1.0 gcloud/0.9.62: The request was made by the Google Cloud SDK CLI (gcloud).
  • AppEngine-Google; (+http://code.google.com/appengine; appid: s~my-project: The request was made from the my-project App Engine app. NOLINT

Monitor your resources on the go

Get the Google Cloud Console app to help you manage your projects.