This page provides examples of the audit logs that are generated when you use Workforce Identity Federation OAuth application integration. With Workforce Identity Federation OAuth application integration, you can allow third-party applications to integrate with Google Cloud through OAuth and use external identities to access Google Cloud resources.
Each of the following examples shows only the most relevant fields in the log entries.
For more information about enabling and viewing audit logs, see Identity and Access Management audit logging.
Required roles
IAM can generate audit logs when you create and manage OAuth clients. To receive these log entries when you manage OAuth clients, you must enable Data Access audit logs for the following API:
- Identity and Access Management API (enable log type "ADMIN_READ")
Logs for creating an OAuth client
The log entry is similar to the following:
{
  "logName": "projects/PROJECT_NUMBER/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "PRINCIPAL_EMAIL"
    },
    "methodName": "google.iam.admin.v1.OauthClients.CreateOauthClient",
    "resourceName": "projects/PROJECT_NUMBER/locations/global",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateOauthClientRequest",
      "oauthClient": {},
      "oauthClientId": "OAUTH_CLIENT_ID",
      "parent": "projects/PROJECT_NUMBER/locations/global"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
This log entry includes the following values, which you can use to filter logs:
PROJECT_NUMBER: the project number of the project that contains the OAuth application integration.
PRINCIPAL_EMAIL: the email address of the principal that owns the OAuth client.
OAUTH_CLIENT_ID: the ID of the OAuth client.
Logs for creating an OAuth client credential
The log entry is similar to the following:
{
  "logName": "projects/PROJECT_NUMBER/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "PRINCIPAL_EMAIL"
    },
    "methodName": "google.iam.admin.v1.OauthClients.CreateOauthClientCredential",
    "resourceName": "projects/PROJECT_NUMBER/locations/global/oauthClients/OAUTH_CLIENT_ID",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateOauthClientCredentialRequest",
      "oauthClientCredential": {},
      "oauthClientCredentialId": "OAUTH_CLIENT_CREDENTIAL_ID",
      "parent": "projects/PROJECT_NUMBER/locations/global/oauthClients/OAUTH_CLIENT_ID"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
This log entry includes the following values, which you can use to filter logs:
PROJECT_NUMBER: the project number of the project that contains the OAuth application integration.
PRINCIPAL_EMAIL: the email address of the principal that owns or accessed the OAuth client.
OAUTH_CLIENT_ID: the ID of the OAuth client.
OAUTH_CLIENT_CREDENTIAL_ID: the ID of the OAuth client credential.
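The following added example (not part of this page or of any Google library) shows how a detection pipeline can reduce both kinds of entry above to the filter values listed, and how to build the matching Cloud Logging query. The sample entry, project number, principal and IDs are constructed placeholders.

```python
import re
from typing import Optional

# Method names from the page's two example entries.
CREATE_CLIENT = "google.iam.admin.v1.OauthClients.CreateOauthClient"
CREATE_CREDENTIAL = "google.iam.admin.v1.OauthClients.CreateOauthClientCredential"
# resourceName is projects/N/locations/global[/oauthClients/ID].
_RESOURCE_RE = re.compile(r"^projects/(?P<project>\d+)/locations/global(?:/oauthClients/(?P<client>[^/]+))?$")

def summarize_oauth_client_event(entry: dict) -> Optional[dict]:
    """Reduce one IAM audit-log entry to the values the page lists for filtering.
    Returns None for entries that are not one of the two OAuth client events."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName")
    if payload.get("serviceName") != "iam.googleapis.com" or method not in (CREATE_CLIENT, CREATE_CREDENTIAL):
        return None
    m = _RESOURCE_RE.match(payload.get("resourceName", ""))
    if not m:
        return None
    request = payload.get("request", {})
    # CreateOauthClient carries the client ID in the request; CreateOauthClientCredential
    # carries it in resourceName and the new credential ID in the request.
    return {
        "event": "client_created" if method == CREATE_CLIENT else "credential_created",
        "project_number": m.group("project"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "oauth_client_id": m.group("client") or request.get("oauthClientId"),
        "credential_id": request.get("oauthClientCredentialId"),
    }

def logging_filter(project_number: str) -> str:
    """Cloud Logging query that returns only these two event types for one project."""
    return (
        f'logName="projects/{project_number}/logs/cloudaudit.googleapis.com%2Factivity" '
        'AND protoPayload.serviceName="iam.googleapis.com" '
        f'AND protoPayload.methodName=("{CREATE_CLIENT}" OR "{CREATE_CREDENTIAL}")'
    )

# Constructed sample (not a real log), shaped like the page's credential-creation example.
SAMPLE_CREDENTIAL_EVENT = {
    "logName": "projects/123456789012/logs/cloudaudit.googleapis.com%2Factivity",
    "protoPayload": {
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "methodName": CREATE_CREDENTIAL,
        "resourceName": "projects/123456789012/locations/global/oauthClients/example-client",
        "serviceName": "iam.googleapis.com",
        "request": {"oauthClientCredentialId": "cred-1",
                    "parent": "projects/123456789012/locations/global/oauthClients/example-client"},
    },
}
```

Credential creation is the event most worth alerting on, because a new credential lets an application act with the client's federated identities from that point on.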
What's next
- Configure and view the audit logs for IAM.
- Get more information about Cloud Audit Logs.
- Set up Workforce OAuth application integration using OAuth clients.